|Summary:||The overlapping hosts with a wildcard host should be claimed across namespace|
|Product:||OpenShift Container Platform||Reporter:||zhaozhanqi <zzhao>|
|Component:||Routing||Assignee:||Ram Ranganathan <ramr>|
|Status:||CLOSED NOTABUG||QA Contact:||zhaozhanqi <zzhao>|
|Version:||3.5.0||CC:||aos-bugs, bbennett, ramr|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2017-02-08 20:14:50 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description zhaozhanqi 2017-02-07 10:10:09 UTC
Description of problem: Create two namespace z1 and z2 z1 have a wildcard route foo.example.com z2 have a normal passthrough route foo.example.com the route foo.example.com of z2 can NOT be claimed. Version-Release number of selected component (if applicable): openshift version openshift v184.108.40.206+c55cf2b kubernetes v1.5.2+43a9be4 etcd 3.1.0 registry.ops.openshift.com/openshift3/ose-haproxy-router v220.127.116.11 6a86c1d87ea7 How reproducible: always Steps to Reproduce: 1. Make the router enable wildcard route and disable namespace ownership check oc env dc router ROUTER_ALLOW_WILDCARD_ROUTES=true ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true 2. create two namespace z1 and z2 3. create pod/service/ in z1 $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z1 $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json 4. Create a wildcard route in z1 $ oc expose svc service-unsecure --hostname=foo.example.com --name=test --wildcardpolicy='Subdomain' 5. Create pod/service in z2 $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z2 $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/passthrough/service_secure.json -n z2 6. Create normal passthrough route in z2 $ oc create route passthrough foo --hostname=foo.example.com --service=service-secure -n z2 7. check all route in z1 and z2 Actual results: step 7: the route foo.example.com of z2 can NOT be claimed. $oc get route -n z1 NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD service-unsecure foo.example.com service-unsecure http Subdomain $ oc get route -n z2 NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD foo HostAlreadyClaimed service-secure https passthrough None Expected results: step 7 the route of namespaces in z2 should be claimed. Additional info:
Comment 1 Ben Bennett 2017-02-07 15:21:25 UTC
This is as designed. If *.example.com precedes foo.example.com, then foo.example.com can not be claimed. Similarly, if foo. precedes *. then *. can not be claimed. This is so that you can not steal a host I am using if I have a wildcard.
Comment 2 zhaozhanqi 2017-02-08 01:44:49 UTC
@Ben Bennett the below is the comment from Ram in this card https://trello.com/c/jd6RksVX @zhaozhanqi Thanks. Think it might be good to also add a wildcard test across 2 different namespaces - as the namespace check restriction is being lifted - oldest route should still win but the overlapping hosts with a wildcard host can be claimed across namespace. Example: namespace n1 has a wildcard route *.example.test and a regular route to foo.example.test and another namespace ns2 can claim www.example.test but not foo.example.test so I'd like to confirm this again.
Comment 3 Ram Ranganathan 2017-02-08 02:17:08 UTC
@zhaozhanqi, the test uses the same names foo.example.com for both the wildcard and passthrough route. That will fail because foo.example.com is claimed by the wildcard route (explicit name claim). Try using a different host name for step 6 ala: passme.example.com (instead of foo.example.com) 6. Create normal passthrough route in z2 $ oc create route passthrough foo --hostname=passme.example.com --service=service-secure -n z2 Does that work as intended? Thanks.
Comment 4 zhaozhanqi 2017-02-08 03:20:38 UTC
@Ram thanks. yes, it will work well if updating the word 'foo' to others. That's mean the wildcard route eg. the foo.example.com. The first word 'foo' is only for validation for route and unmeaningful for the haproxy forward?
Comment 5 Ram Ranganathan 2017-02-08 20:14:50 UTC
@zhaozhanqi, then this is working as intended. Yes, the name foo.example.com (even though it is a wildcard for *.example.com) is important for the router name reservation scheme - it defines the namespace ownership even though its not referenced from an haproxy config perspective.