Bug 1419875

Summary: The overlapping hosts with a wildcard host should be claimed across namespace
Product: OpenShift Container Platform
Component: Routing
Version: 3.5.0
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: zhaozhanqi <zzhao>
Assignee: Ram Ranganathan <ramr>
QA Contact: zhaozhanqi <zzhao>
CC: aos-bugs, bbennett, ramr
Keywords: Reopened
Hardware: All
OS: All
Type: Bug
Last Closed: 2017-02-08 20:14:50 UTC

Description zhaozhanqi 2017-02-07 10:10:09 UTC
Description of problem:
Create two namespaces, z1 and z2.

z1 has a wildcard route foo.example.com
z2 has a normal passthrough route foo.example.com

The route foo.example.com of z2 can NOT be claimed.

Version-Release number of selected component (if applicable):
openshift version
openshift v3.5.0.17+c55cf2b
kubernetes v1.5.2+43a9be4
etcd 3.1.0
registry.ops.openshift.com/openshift3/ose-haproxy-router    v3.5.0.17           6a86c1d87ea7 

How reproducible:

Steps to Reproduce:
1. Enable wildcard routes on the router and disable the namespace ownership check
2. Create two namespaces, z1 and z2
3. Create pod/service in z1
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z1
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

4. Create a wildcard route in z1
   $ oc expose svc service-unsecure --hostname=foo.example.com --name=test --wildcardpolicy='Subdomain'

5. Create pod/service in z2
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z2
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/passthrough/service_secure.json -n z2

6. Create a normal passthrough route in z2

   $ oc create route passthrough foo --hostname=foo.example.com --service=service-secure -n z2

7. Check all routes in z1 and z2


Actual results:

Step 7: the route foo.example.com of z2 can NOT be claimed.

$oc get route -n z1
NAME               HOST/PORT         PATH      SERVICES           PORT      TERMINATION   WILDCARD
service-unsecure   foo.example.com             service-unsecure   http                    Subdomain

$ oc get route -n z2
foo       HostAlreadyClaimed             service-secure   https     passthrough   None

Expected results:

Step 7: the route in namespace z2 should be claimed.

Additional info:

Comment 1 Ben Bennett 2017-02-07 15:21:25 UTC
This is as designed.

If *.example.com precedes foo.example.com, then foo.example.com can not be claimed.

Similarly, if foo. precedes *. then *. can not be claimed.

This is so that you can not steal a host I am using if I have a wildcard.

Comment 2 zhaozhanqi 2017-02-08 01:44:49 UTC
@Ben Bennett

Below is the comment from Ram on this card: https://trello.com/c/jd6RksVX

@zhaozhanqi Thanks. Think it might be good to also add a wildcard test across 2 different namespaces - as the namespace check restriction is being lifted - oldest route should still win but the overlapping hosts with a wildcard host can be claimed across namespace.
Example: namespace n1 has a wildcard route *.example.test and a regular route to foo.example.test and another namespace ns2 can claim www.example.test but not foo.example.test

So I'd like to confirm this again.

Comment 3 Ram Ranganathan 2017-02-08 02:17:08 UTC
@zhaozhanqi, the test uses the same names foo.example.com for both the wildcard and 
passthrough route. That will fail because foo.example.com is claimed by the wildcard
route (explicit name claim). Try using a different host name for step 6 ala:
   passme.example.com  (instead of foo.example.com)
6. Create normal passthrough route in z2

  $ oc create route passthrough foo --hostname=passme.example.com --service=service-secure -n z2

Does that work as intended?  Thanks.

Comment 4 zhaozhanqi 2017-02-08 03:20:38 UTC

Thanks. Yes, it works well if the word 'foo' is changed to something else.

Does that mean that for the wildcard route, e.g. foo.example.com, the first word 'foo' is only used for route validation and is not meaningful for the haproxy forwarding?

Comment 5 Ram Ranganathan 2017-02-08 20:14:50 UTC
@zhaozhanqi, then this is working as intended.
Yes, the name foo.example.com (even though it is a wildcard for *.example.com)
is important for the router name reservation scheme - it defines the namespace ownership even though it's not referenced from an haproxy config perspective.
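
An audit check for the behaviour described in comments 1, 3 and 5, added here as an example and not taken from the OpenShift router or from any commenter: it replays routes oldest-first with the namespace ownership check disabled, reports cross-namespace claims on the same literal host name, and flags admitted hosts that sit under another namespace's Subdomain wildcard. The function names, the OverlapsForeignWildcard label, the single-label wildcard match and the sample data are assumptions.

```python
import json

# Constructed sample, shaped like `oc get routes --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "z2", "name": "passme", "creationTimestamp": "2017-02-07T10:06:00Z"},
  "spec": {"host": "passme.example.com", "wildcardPolicy": "None"}},
 {"metadata": {"namespace": "z1", "name": "test", "creationTimestamp": "2017-02-07T10:00:00Z"},
  "spec": {"host": "foo.example.com", "wildcardPolicy": "Subdomain"}},
 {"metadata": {"namespace": "z2", "name": "foo", "creationTimestamp": "2017-02-07T10:05:00Z"},
  "spec": {"host": "foo.example.com", "wildcardPolicy": "None"}}
]}
""")


def subdomain_of(host):
    """foo.example.com -> example.com (assumed single-label wildcard match)."""
    return host.split(".", 1)[1] if "." in host else ""


def audit(route_list):
    """Return (finding, namespace, route, host, other_namespace) tuples."""
    routes = sorted(route_list["items"],
                    key=lambda r: r["metadata"]["creationTimestamp"])
    owner = {}      # literal host name -> namespace of the oldest route
    admitted = []   # (namespace, name, host, is_wildcard)
    findings = []
    for r in routes:
        ns, name = r["metadata"]["namespace"], r["metadata"]["name"]
        host = r["spec"]["host"].lower()
        wild = r["spec"].get("wildcardPolicy", "None") == "Subdomain"
        holder = owner.setdefault(host, ns)
        if holder != ns:
            # Same literal name, older route elsewhere: the case in this bug.
            findings.append(("HostAlreadyClaimed", ns, name, host, holder))
            continue
        admitted.append((ns, name, host, wild))
    for w_ns, _, w_host, w_wild in admitted:
        if not w_wild:
            continue
        for ns, name, host, _ in admitted:
            if ns != w_ns and subdomain_of(host) == subdomain_of(w_host):
                # Claimable per comment 3, yet under a foreign wildcard: review it.
                findings.append(("OverlapsForeignWildcard", ns, name, host, w_ns))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Routes in the same namespace that share a host are not modelled; the check only covers the cross-namespace cases discussed in this bug.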