Bug 1571133

Summary: Ingress backend should use service port instead of service targetPort
Product: OpenShift Container Platform Reporter: Hongan Li <hongli>
Component: NetworkingAssignee: Rajat Chopra <rchopra>
Networking sub component: router QA Contact: zhaozhanqi <zzhao>
Status: CLOSED WONTFIX Docs Contact:
Severity: low    
Priority: medium CC: aos-bugs, bbennett, rchopra
Version: 3.9.0   
Target Milestone: ---   
Target Release: 3.9.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-30 19:20:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hongan Li 2018-04-24 07:26:43 UTC
Description of problem:
The Ingress doesn't work if its backend.servicePort use service port, but it works if use service targetPort.


Version-Release number of selected component (if applicable):
openshift v3.9.24
kubernetes v1.9.1+a0ce1bc657


How reproducible:
always

Steps to Reproduce:
1. enable Ingress and add related cluster role to router
    #oc adm policy add-cluster-role-to-user system:openshift:controller:service-serving-cert-controller system:serviceaccount:default:router
    #oc env dc/router -e ROUTER_ENABLE_INGRESS=true

2. create your project, pod and svc
   #oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
   #oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

3. ensure the service port is 27017 and targetPort is 8080.
# oc get svc -o yaml
<---snip--->
  spec:
    clusterIP: 172.30.139.190
    ports:
    - name: http
      port: 27017
      protocol: TCP
      targetPort: 8080
    selector:
      name: caddy-docker
    sessionAffinity: None
    type: ClusterIP
  status:
    loadBalancer: {}

4. create ingress and its backend.servicePort use service port 27017, then curl the host "foo.bar.com".
# oc create -f test-ingress.json 
# cat test-ingress.json
{
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "test-ingress"
    },
    "spec": {
        "rules": [
            {
                "host": "foo.bar.com",
                "http": {
                    "paths": [
                        {
                            "backend": {
                                "serviceName": "service-unsecure",
                                "servicePort": 27017
                            }
                        }
                    ]
                }
            }
        ]
    }
}
5. edit the ingress and change the backend.servicePort to use 8080, then curl the host.


Actual results:
In step 4, Ingress doesn't work, execute "curl --resolve foo.bar.com:80:$router_ip http://foo.bar.com" will get "503 Service Unavailable".
In step 5, Ingress works and can curl the host successfully. 

Expected results:
Ingress backend should use service port instead of targetPort.

Additional info:
1. in OCP 3.10, Ingress works well if backend use service port and cannot work if use targetPort.
2. this issue exists in 3.9 and previous release.

Comment 2 Ben Bennett 2018-04-30 19:20:18 UTC
This works in 3.10, and ingress support was in tech preview in 3.9.  There is a  work-around (use the same target port for the service and endpoints) for 3.9.