Cause: Setting a *. entry in spec.rules.host of an ingress is not supported by Route.
Consequence: controller fails with Route.route.openshift.io "route-wildcard-2-zkcdj" is invalid: spec.host: Invalid value:
Fix: If the user sets *. in an ingress object that is intended for ingress-to-route conversion, we set wildcard. instead of *. for the route host, as the route hostname does not support *.
Backport warning:
* A user has an ingress with a wildcard host name.
* The ingress is exposed using a third-party ingress controller.
* The user does *not* want the ingress exposed by OpenShift router (for example, maybe OpenShift router is exposed on the Internet, and the third-party ingress controller is internal only; or maybe having a status entry from OpenShift router on the ingress would confuse the third-party ingress controller, as in bug 1935808).
* The router is configured to allow wildcard routes (as described in comment 8).
* The user upgrades to a version of OpenShift with this backported fix.
In this scenario, the ingress is now exposed by the router when the user only wants it exposed by the third-party ingress controller. This is an admittedly extremely contrived situation, but sometimes users do unexpected things or have different expectations, and exposing an ingress when the user doesn't expect it could be problematic.
Therefore we need to document this new behavior very explicitly in a release note to reduce the risk that users will be caught unawares.
Result: With this fix the ingress controller does not throw the error described in the Consequence.
Verified in "4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest" release version, this time. With this payload the ingress resource could be seen getting translated correctly to the route resource with the required wildcard mapping:
---------
oc get clusterversion
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest   True        False         41m     Cluster version is 4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest

$ oc patch -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"routeAdmission":{"wildcardPolicy": "WildcardsAllowed"}}}' --type=merge
ingresscontroller.operator.openshift.io/default patched

$ cat test-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unsecure-route
spec:
  rules:
  - host: '*.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-unsecure
            port:
              number: 27017

oc get route
NAME                   HOST/PORT                                                                     PATH   SERVICES           PORT   TERMINATION   WILDCARD
unsecure-route-rx6m7   wildcard.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com   /      service-unsecure   http                 Subdomain

oc get ingress
NAME             CLASS    HOSTS                                                                  ADDRESS   PORTS   AGE
unsecure-route   <none>   *.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com             80      2m54s

curl http://wildcard.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com -I
HTTP/1.1 200 OK
server: nginx/1.20.1
date: Tue, 28 Sep 2021 07:13:54 GMT
content-type: text/html
content-length: 46
last-modified: Tue, 28 Sep 2021 07:07:21 GMT
etag: "6152bf29-2e"
accept-ranges: bytes
set-cookie: ac55a58593e60bbba2b21ed261472979=b09f8e2a72a66cdfde4c0f9821ea8548; path=/; HttpOnly
cache-control: private
---------
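Added example (not part of the bug report and not the controller's own code): a pre-upgrade audit for the backport warning above, listing wildcard-host ingresses that would be translated into Subdomain routes and served by a router that allows wildcard routes. The sample data and the names route_host and newly_exposed are assumptions made for this sketch; real input would be the output of `oc get ingress -A -o json`.

```python
import json

# Constructed sample shaped like `oc get ingress -A -o json`; names are made up.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "team-a", "name": "internal-api"},
   "spec": {"ingressClassName": "third-party-internal",
            "rules": [{"host": "*.internal.example.com"}]}},
  {"metadata": {"namespace": "team-b", "name": "shop"},
   "spec": {"rules": [{"host": "shop.example.com"}, {}]}}
]}
""")

def route_host(ingress_host):
    """Host and wildcardPolicy of the generated route, following the fix above."""
    if ingress_host.startswith("*."):
        return "wildcard." + ingress_host[2:], "Subdomain"
    return ingress_host, "None"

def newly_exposed(ingress_list, router_wildcard_policy):
    """Wildcard ingress rules the router would start serving after the upgrade."""
    # The warning scenario requires a router that allows wildcard routes.
    if router_wildcard_policy != "WildcardsAllowed":
        return []
    findings = []
    for item in ingress_list.get("items", []):
        spec = item.get("spec", {})
        for rule in spec.get("rules", []):
            # A rule without a host yields ("", "None") and is skipped.
            host, policy = route_host(rule.get("host", ""))
            if policy == "Subdomain":
                meta = item["metadata"]
                findings.append({
                    "ingress": meta["namespace"] + "/" + meta["name"],
                    "class": spec.get("ingressClassName"),  # for triage only
                    "ingress_host": rule["host"],
                    "route_host": host,
                })
    return findings

if __name__ == "__main__":
    for finding in newly_exposed(SAMPLE, "WildcardsAllowed"):
        print(finding)
```

Each finding is an ingress whose owner should confirm that exposure through the OpenShift router is intended before the upgrade.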