Bug 1452700

Summary: [RFE] only restrict routes DNS name to a subdomain based on project name regardless of route name
Product: OpenShift Online Reporter: Aleksandar Kostadinov <akostadi>
Component: RFEAssignee: Abhishek Gupta <abhgupta>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.xCC: eparis
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-12 15:59:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aleksandar Kostadinov 2017-05-19 13:39:15 UTC 
Description of problem:
Hi, as a user I would like to have a backend API and a frontend angular/whatever based running in separate pods. To avoid the need for special CORS setup it would be very hand if I can create two routes with same domain name but different paths.

In default configuration the hostname is bound to match route's name. Given that two routes cannot share the same name, it is impossible to do that.

IMO it would be safe to allow hostname to match any of the existing other route names in the project.

Version-Release number of selected component (if applicable):
3.4.x

How reproducible:
always

Steps to Reproduce:
$ oc expose svc testapp-ui --hostname=testapp-ns.example.com --path=/ui
route "testapp-ui" exposed
$ oc expose svc testapp --hostname=testapp-ns.example.com
route "testapp" exposed

Actual results:

$ oc get route
NAME             HOST/PORT                                       PATH      SERVICES         PORT      TERMINATION   WILDCARD
testapp   testapp-ns.example.com             testapp   http                    None
testapp-ui    testapp-ui-ns.example.com    /ui       testapp-ui    80                      None

Expected results:

$ oc get route
NAME             HOST/PORT                                       PATH      SERVICES         PORT      TERMINATION   WILDCARD
testapp   testapp-ns.example.com             testapp   http                    None
testapp-ui    testapp-ns.example.com    /ui       testapp-ui    80                      None
Comment 1 Ben Bennett 2017-07-12 15:59:38 UTC 
You can disable the claims today: https://trello.com/c/jd6RksVX

But this is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1344746

*** This bug has been marked as a duplicate of bug 1344746 ***
Comment 2 Aleksandar Kostadinov 2017-07-12 19:49:39 UTC 
I don't think this is a duplicate. The other issue is to let multiple projects share a dns name with different paths.

This much simpler. It is about one project to restrict routes according to project name and probably route name but allow two or more routes to share same DNS name with different paths. This is without cluster admins getting involved.

In my opinion restricting routes to the project subdomain would be secure enough for the cluster. Let users control their sub-domains as they wish.
Comment 3 zhaozhanqi 2017-07-13 00:53:46 UTC 
@ Aleksandar

you can enable ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true, like:

oc env dc router ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true

thus, you can create the route with same hostname and with different path in one project.
Comment 4 zhaozhanqi 2017-07-13 00:57:55 UTC 
FYI, above feature only can work from 3.5 version since I saw you reported this bug on 3.4.
Comment 5 Aleksandar Kostadinov 2017-07-13 09:03:12 UTC 
Oh, I see what you mean. Actually my request is to allow same domain different paths even when ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK is not used.

For example in Online environment, you cannot control that setting. And it would be stupid for administrators to disable the checks.

I see no value in restricting the subdomain name of routes to the route name. Restricting to be a subdomain of the project project is totally reasonable. But within the project subdomain, I see no value in restricting the users.

I hope this clarifies my request [1] and I don't think it is a duplicate of bug 1344746  so I'm reopening. If you believe this will be fixed as part of bug 1344746 though, feel free to close again.

[1] initially I asked for some mechanism to allow subdomain usage with different paths, but thinking more about it, I believe checking only project name vs DNS name makes more sense to me.

i.e.
> route_name = 'someroute'
> project_name = 'myproject'
> requested_dns_allowed = 'mysubdomain.myproject.default.domain.example.com'
> requested_dns_denied = 'mysubdomain.notmyproject.default.domain.example.com'