Bug 1964112

Summary: route SimpleAllocationPlugin: host name validation errors: spec.host: Invalid value: ... must be no more than 63 characters
Product: OpenShift Container Platform Reporter: Candace Holman <cholman>
Component: Networking Assignee: Luigi Mario Zuccarelli <luzuccar>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: low CC: aiyengar, amcdermo, aos-bugs, hongli, mfojtik, mmasters, wking, yanyang
Version: 4.7   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: If a Route is created where the combined name and namespace produce a DNS segment that exceeds 63 characters in length, the route will be rejected.
Consequence: The route is rejected. This is expected behaviour; however, when upgrading to newer versions of OpenShift, if the older route was allowed to have a non-conformant DNS hostname, there should be an override that allows this.
Fix: Add the logic to check for older route validation, used with the annotation "AllowNonDNSCompliantHostAnnotation" set to "true" (default is "false"), i.e. in the YAML the annotation would be "route.openshift.io/allow-non-dns-compliant-host": "true".
Result: With the annotation "AllowNonDNSCompliantHostAnnotation" set to "true", the non-conformant DNS hostname (segments greater than 63 characters) will be allowed.
Story Points: ---
Clone Of: 1896977 Environment:
Last Closed: 2022-03-12 04:35:20 UTC Type: ---
Bug Depends On: 1896977    
Bug Blocks: 1924996    

Comment 4 Arvind iyengar 2021-08-25 04:20:36 UTC
Verified in "4.9.0-0.ci.test-2021-08-24-065133-ci-ln-k3iid0k-latest" release version.  With this payload, adding the "route.openshift.io/allow-non-dns-compliant-host: true" annotation causes the long route names to be accepted during creation, but they will eventually be marked invalid:
-----
Without annotation:
cat route-test.yaml                                                                                             
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None


oc create -f route-test.yaml        
The Route "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee" is invalid: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.ci-ln-k3iid0k-f76d1.origin-ci-int-gce.dev.openshift.com": host (label) must conform to DNS 1123 label conventions must be no more than 63 characters


With annotation:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
  annotations:
    route.openshift.io/allow-non-dns-compliant-host: "true"
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None

oc create -f route-test.yaml        
route.route.openshift.io/service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee created

oc get route                         
NAME                                                         HOST/PORT     PATH   SERVICES           PORT   TERMINATION   WILDCARD
service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee   InvalidHost          service-unsecure   http                 None

oc get route service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
...
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-08-24T07:48:43Z"
      message: 'host name validation errors: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.ci-ln-k3iid0k-f76d1.origin-ci-int-gce.dev.openshift.com":
        must be no more than 63 characters'
      reason: InvalidHost
      status: "False"
      type: Admitted
-----

Comment 5 Miciah Dashiel Butler Masters 2021-08-31 16:32:03 UTC
This is low severity with some risk, so pushing to 4.10.

Comment 9 Miciah Dashiel Butler Masters 2021-11-05 15:14:11 UTC
We should get https://github.com/openshift/api/pull/976 merged to ensure the API godoc matches the new behavior.

Comment 11 Arvind iyengar 2021-12-13 08:44:45 UTC
Verified in "4.10.0-0.nightly-2021-12-12-232810" release version.  With this payload, adding the "route.openshift.io/allow-non-dns-compliant-host: true" annotation causes the long route names to be accepted during creation, but they will eventually be marked invalid:
-----
oc get clusterversion                           
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-12-232810   True        False         76m     Cluster version is 4.10.0-0.nightly-2021-12-12-232810

Test route file without the annotation:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None


oc create -f route-test-1964112.yaml            
The Route "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee" is invalid: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.aiyengar410aw.qe.devcluster.openshift.com": must be no more than 63 characters


With the annotation added:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
  annotations:
    route.openshift.io/allow-non-dns-compliant-host: "true"
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None

oc create -f route-test-1964112.yaml           
route.route.openshift.io/service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee created

oc get route  service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee -o yaml
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-12-13T08:40:47Z"
      message: 'host name validation errors: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.aiyengar410aw.qe.devcluster.openshift.com":
        must be no more than 63 characters'
      reason: InvalidHost
      status: "False"
      type: Admitted

-----
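
Added example (not part of the bug report and not the router's or API server's own code): a Go model of the two checks seen in this bug, creation-time validation that honours the annotation and the later router admission that still reports InvalidHost. The function names, the sample domain and the assumption that the annotation waives only the per-label check are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Annotation key as given in the bug's Doc Text.
const allowNonCompliant = "route.openshift.io/allow-non-dns-compliant-host"

var labelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// labelErrors returns one message per host label that breaks the DNS 1123 label rules.
func labelErrors(host string) []string {
	var errs []string
	for _, l := range strings.Split(host, ".") {
		if len(l) > 63 {
			errs = append(errs, fmt.Sprintf("label %q: must be no more than 63 characters", l))
		} else if !labelRE.MatchString(l) {
			errs = append(errs, fmt.Sprintf("label %q: not a DNS 1123 label", l))
		}
	}
	return errs
}

// apiAccepts models creation-time validation: the annotation set to "true"
// waives the per-label check (assumption: only the 253-char total still applies).
func apiAccepts(host string, annotations map[string]string) bool {
	if annotations[allowNonCompliant] == "true" {
		return len(host) <= 253
	}
	return len(labelErrors(host)) == 0
}

// routerAdmits models the router's later check, which in the QA verification
// on this bug still reported InvalidHost for the annotated route.
func routerAdmits(host string) bool { return len(labelErrors(host)) == 0 }

// generatedHost mirrors the <name>-<namespace>.<domain> shape seen in the error messages.
func generatedHost(name, ns, domain string) string { return name + "-" + ns + "." + domain }

func main() {
	// Constructed sample: a 60-char name plus "-test2" gives a 66-char first label.
	host := generatedHost(strings.Repeat("a", 60), "test2", "apps.example.com")
	ann := map[string]string{allowNonCompliant: "true"}
	fmt.Println(apiAccepts(host, nil), apiAccepts(host, ann), routerAdmits(host))
}
```

A route that passes creation only because of the annotation should still be checked for `status.ingress[].conditions` with `type: Admitted` and `status: "False"`, since it will not serve traffic.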

Comment 14 errata-xmlrpc 2022-03-12 04:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056