Bug 1214243 - Should validate HOST/PORT when creating route if has been used
Summary: Should validate HOST/PORT when creating route if has been used
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Routing
Version: 3.x
Hardware: All
OS: All
medium
medium
Target Milestone: ---
: ---
Assignee: Ram Ranganathan
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-04-22 09:50 UTC by zhaozhanqi
Modified: 2019-09-12 08:24 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-23 21:17:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description zhaozhanqi 2015-04-22 09:50:56 UTC
Description of problem:
Create two same route name with different serviceName, the route name would be always traffic to the latest pod, the old one will never be accessed.

Version-Release number of selected component (if applicable):
$ openshift version
openshift v0.4.3-285-geffa12c
kubernetes v0.14.1-582-gb12d75d


How reproducible:
always

Steps to Reproduce:
1. Create the pod/service/route with namespace zzhao
2. Check the route if can be worked.
3. Create same route name but service different with step1 with another namespace zzhao2 
4. Check the route again

Actual results:
step2:
$osc get pod -n zzhao
POD                  IP           CONTAINER(S)             IMAGE(S)                   HOST                                            LABELS                    STATUS    CREATED
hello-nginx-docker   172.17.0.4   hello-nginx-docker-pod   pweil/hello-nginx-docker   ip-10-111-178-146.ec2.internal/10.111.178.146   name=hello-nginx-docker   Running   11 minutes
$ osc get service -n zzhao
NAME          LABELS    SELECTOR                  IP               PORT(S)
hello-nginx   <none>    name=hello-nginx-docker   172.30.148.128   27017/tcp
$ osc get route -n zzhao
NAME             HOST/PORT         PATH      SERVICE       LABELS
route-unsecure   www.example.com             hello-nginx   

$ curl --resolve www.example.com:80:10.111.178.146 http://www.example.com
Hello World

step 3:
$ osc get route -n zzhao2
NAME             HOST/PORT         PATH      SERVICE        LABELS
route-unsecure   www.example.com             hello2-nginx

step 4, the route name will always traffic to www.example.com zzhao2-hello2-nginx and the www.example.com zzhao-hello-nginx will nerver be accessed.
$ curl --resolve www.example.com:80:10.111.178.146 http://www.example.com
hello openshift

Expected results:
Should not create same route

Additional info:
 #cat /var/lib/haproxy/conf/os_http_be.map
www.example.com zzhao2-hello2-nginx
www.example.com zzhao-hello-nginx

Comment 1 Paul Weil 2015-04-22 13:52:59 UTC
ack.  Host uniqueness validation has not been addressed yet.  The current plan is that we will enforce uniqueness per shard.  Related card: https://trello.com/c/DtPlixdb/592-8-router-sharding-routing-future.  Perhaps there is a simple short term validation we can put in place since we know we are in a single shard setup.

Comment 2 Jordan Liggitt 2015-05-28 15:39:08 UTC
Discussed with Dan and Paul.

Short term plan:

1. Add admission controller to prevent exact duplicate routes (scheme + host:port + path) from being added (scheme and host should be case-insensitive, path should be case-sensitive?)

2. Allow routes with the same host that differ by scheme or by path


Post-GA, we can look at enhancing restrictions. For example:

1. Only allow routes with the same host in the same namespace
2. Disallow routes that override subpaths
etc.

Comment 3 Paul Weil 2015-05-29 17:48:54 UTC
PR https://github.com/openshift/origin/pull/2606

For Testing:  

Please test scenarios in the same namespace and across namespaces.  This applies to both add and updates (for instance updating an existing route to a scheme/host/path that already exists, even in another namespace).

An example of an update being denied:

[vagrant@openshiftdev openshift]$ osc create -f route.json 
routes/route-unsecure
[vagrant@openshiftdev openshift]$ osc create -f route_path.json 
routes/route-unsecure-path
[vagrant@openshiftdev openshift]$ osc get routes
NAME                  HOST/PORT         PATH      SERVICE       LABELS
route-unsecure        www.example.com             hello-nginx   
route-unsecure-path   www.example.com   /test     hello-nginx   
[vagrant@openshiftdev openshift]$ vi route_path.json <edit to match route-unsecure>
[vagrant@openshiftdev openshift]$ osc update -f route_path.json 
Error from server: Route "route-unsecure-path" is forbidden: Route http://www.example.com already exists in namespace default.  If you are the owner of this domain please contact support.

Comment 4 Paul Weil 2015-05-29 20:04:10 UTC
Update: Based on the discussion in GH this is probably not going to be a 3.0 piece and will be in a different form post 3.0.  Setting back to assigned for now.

Comment 5 Paul Weil 2015-07-16 19:58:36 UTC
*** Bug 1243664 has been marked as a duplicate of this bug. ***

Comment 6 zhaozhanqi 2015-09-10 08:09:29 UTC
This issue should be fixed in devenv_fedora-2323 with the latest route images, Could you help change the status to ON_QA to verify this bug. thanks

Comment 7 Ram Ranganathan 2015-09-10 23:15:22 UTC
@zhaozhanqi done - thx.

Comment 8 zhaozhanqi 2015-09-11 02:33:34 UTC
This bug has been fixed with the latest haproxy router images, when those same route, the later one will refer to the oldest one.


Note You need to log in before you can comment on or make changes to this bug.