Description of problem: When trying to create route with wildcardPolicy enabled with the host which the subdomain is being used by a non-wildcard route. The wildcard route will be marked as HostAlreadyClaimed and cannot work. Version-Release number of selected component (if applicable): openshift v3.4.0.23+24b1a58 kubernetes v1.4.0+776c994 etcd 3.1.0-rc.0 ose-haproxy-router v3.4.0.23 40c9b18e47df How reproducible: always Steps to Reproduce: 1. Setup env and make the router all the wildcard routes 2. Create pod/svc in project1 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json 3. Create route for the svc above with host eg. non-wild.wildcard.com and wildcardPolicy set to "None" 4. Create pod/svc in another project project2 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker-2.json $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json 5. Create route for the svc in project2 with host eg. www.wildcard.com and wildcardPolicy set to "Subdomain" 6. Check the route created in project2 Actual results: $ oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION route HostAlreadyClaimed service-unsecure <all> Expected results: The wildcard route should be to create since the wanted wildcard subdomain was not used by any wildcard route. Additional info: The reasonable behaviour should look like: RouteA: host aaa.test.com wildcardPolicy None point to backend php1 RouteB: host www.test.com wildcardPolicy Subdomain point to backend php2 When accessing the route with *.test.com except aaa.test.com, should return the result in php2, when accessing the route aaa.test.com, should return the result in php1.
No, the behavior is correct. The claims are exclusive. If a.foo.com is present, *.foo.com can not be claimed. If *.foo.com is present, then a.foo.com can not be claimed.
The problem here is, If an user created a route with wildcardpolicy enabled but no host specified. Then it will use the generated route with content <route_name>-<namespace_name>-<router-subdomain-suffix>. And after that any route created in this env without host specified will be failed since the configured subdomain has been used by the first route. $ oc get route -n u1p1 NAME HOST/PORT PATH SERVICES PORT TERMINATION test-route test-route-u1p1.router.default.svc.cluster.local service-unsecure <all> $ oc get route -n u1p2 NAME HOST/PORT PATH SERVICES PORT TERMINATION service-unsecure HostAlreadyClaimed service-unsecure http $ oc describe route -n u1p2 Name: service-unsecure Namespace: u1p2 Created: 5 minutes ago Labels: name=service-unsecure Annotations: openshift.io/host.generated=true Requested Host: service-unsecure-u1p2.router.default.svc.cluster.local rejected by router router: HostAlreadyClaimed (5 minutes ago) a route in another namespace holds host service-unsecure-u1p2.router.default.svc.cluster.local Path: <none> TLS Termination: <none> Insecure Policy: <none> Endpoint Port: http Service: service-unsecure Weight: 100 (100%) Endpoints: 10.128.0.40:8080 We should find a way to avoid that the pre-defined subdomain being seized by any user.
Ah, I see. This is probably just a documentation problem then. Ram, I think we need to document this case, and the ways to control it. - Using the --allowed-domains and --denied-domains to restrict it - Restrict setting the wildcard field with the Role's attributeRestriction field
Or should we forbid the user to set wildcards when the router is forcing a template? Or if they claim a name that matches the template?
If we use --denied-domains to forbid the router provided subdomain to be created for wildcard route. All the routes with generated host will be affected.
yeah, if its the generated host name - the recommendations would be to use --denied-domains containing that domain. @bmeng, this will still allow generated names to work even if the domain is denied - that check is done on admission and the generation is done post admission (depending on the router policy - override host names + use the template for generating host names). I think the fix here though should be to just not allow wildcards to be set if the host name is empty. I'll fix the validation code.
Fix in PR: https://github.com/openshift/origin/pull/11863 One thing though - if you have a router configured to override the host name and use a template, then you should also not allow wildcard hosts (set the router's policy to not allow wildcards). Will add this along w/ the other bits to the documentation tomorrow.
This has been merged into ocp and is in OCP v3.4.0.25 or newer.
Checked on openshift v3.4.0.25 and haproxy-router image d081816be024 The problem still can be reproduced. # cat route2.json { "kind": "Route", "apiVersion": "v1", "metadata": { "name": "route" }, "spec": { "wildcardPolicy": "Subdomain", "to": { "kind": "Service", "name": "service-unsecure" } } } # oc create -f route2.json route "route" created # oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION route route-bmengp1.1114-fx3.qe.rhcloud.com service-unsecure <all> # curl test.1114-fx3.qe.rhcloud.com Hello-OpenShift-1 http-8080
@bmeng, looks like you are using a hostname-template or override-hostname set? Correct? In that case, the recommendation would be to also set ROUTER_ALLOW_WILDCARD_ROUTES to false. But that said, there was a check on the api server to reject the route with no host and wildcard policy set to subdomain. See: https://github.com/openshift/origin/blob/master/pkg/route/api/validation/validation.go#L336 Did you rebuild/use a newer version of the api server as well? Let me recheck as well. Thx
Ok - I can see where the error was - it works for unspecified hosts but fails for generated host names. Fix is in PR: https://github.com/openshift/origin/pull/11924
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/dcfe5740e9e87ae22af303185ee344169d037bf0 We should not be able to create a route when the host is not specified and wildcardpolicy is enabled. Fixes bug 1392862 - https://bugzilla.redhat.com/show_bug.cgi?id=1392862 Rework as per @liggitt review comments. Fix govet issue.
Issue has been fixed in OCP v3.4.0.27 # oc create -f route2.json The Route "route" is invalid: spec.wildcardPolicy: Invalid value: "Subdomain": host name not specified for wildcard policy
Move to verified according to Comment#14
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066