Bug 1419875 - The overlapping hosts with a wildcard host should be claimed across namespace
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ram Ranganathan
QA Contact: zhaozhanqi
Reported: 2017-02-07 10:10 UTC by zhaozhanqi
Modified: 2022-08-04 22:20 UTC (History)
Last Closed: 2017-02-08 20:14:50 UTC

Description zhaozhanqi 2017-02-07 10:10:09 UTC
Description of problem:
Create two namespaces, z1 and z2.

z1 has a wildcard route foo.example.com
z2 has a normal passthrough route foo.example.com

The route foo.example.com of z2 can NOT be claimed.

Version-Release number of selected component (if applicable):
openshift version
openshift v3.5.0.17+c55cf2b
kubernetes v1.5.2+43a9be4
etcd 3.1.0
registry.ops.openshift.com/openshift3/ose-haproxy-router    v3.5.0.17           6a86c1d87ea7 

How reproducible:
always

Steps to Reproduce:
1. Enable wildcard routes on the router and disable the namespace ownership check
   $ oc env dc router ROUTER_ALLOW_WILDCARD_ROUTES=true ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true

2. Create two namespaces z1 and z2
3. Create pod/service in z1
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z1
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json

4. Create a wildcard route in z1

   $ oc expose svc service-unsecure --hostname=foo.example.com --name=test --wildcardpolicy='Subdomain'

5. Create pod/service in z2
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json -n z2
   $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/passthrough/service_secure.json -n z2

6. Create normal passthrough route in z2

   $ oc create route passthrough foo --hostname=foo.example.com --service=service-secure -n z2

7. Check all routes in z1 and z2

Actual results:

Step 7: the route foo.example.com of z2 can NOT be claimed.

$ oc get route -n z1
NAME               HOST/PORT         PATH      SERVICES           PORT      TERMINATION   WILDCARD
service-unsecure   foo.example.com             service-unsecure   http                    Subdomain

$ oc get route -n z2
NAME      HOST/PORT            PATH      SERVICES         PORT      TERMINATION   WILDCARD
foo       HostAlreadyClaimed             service-secure   https     passthrough   None

Expected results:

Step 7: the route in namespace z2 should be claimed.

Additional info:

Comment 1 Ben Bennett 2017-02-07 15:21:25 UTC
This is as designed.

If *.example.com precedes foo.example.com, then foo.example.com can not be claimed.

Similarly, if foo. precedes *. then *. can not be claimed.

This is so that you can not steal a host I am using if I have a wildcard.

Comment 2 zhaozhanqi 2017-02-08 01:44:49 UTC
@Ben Bennett

Below is the comment from Ram in this card: https://trello.com/c/jd6RksVX

@zhaozhanqi Thanks. Think it might be good to also add a wildcard test across 2 different namespaces - as the namespace check restriction is being lifted - oldest route should still win but the overlapping hosts with a wildcard host can be claimed across namespace.
Example: namespace n1 has a wildcard route *.example.test and a regular route to foo.example.test and another namespace ns2 can claim www.example.test but not foo.example.test

so I'd like to confirm this again.

Comment 3 Ram Ranganathan 2017-02-08 02:17:08 UTC
@zhaozhanqi, the test uses the same names foo.example.com for both the wildcard and 
passthrough route. That will fail because foo.example.com is claimed by the wildcard
route (explicit name claim). Try using a different host name for step 6 ala:
   passme.example.com  (instead of foo.example.com)
 
6. Create normal passthrough route in z2

  $ oc create route passthrough foo --hostname=passme.example.com --service=service-secure -n z2


Does that work as intended?  Thanks.

Comment 4 zhaozhanqi 2017-02-08 03:20:38 UTC
@Ram 

Thanks. Yes, it works well if the word 'foo' is changed to something else.

Does that mean that for the wildcard route, e.g. foo.example.com, the first word 'foo' is only for validation of the route and is not meaningful for the haproxy forwarding?

Comment 5 Ram Ranganathan 2017-02-08 20:14:50 UTC
@zhaozhanqi, then this is working as intended.
Yes, the name foo.example.com (even though it is a wildcard for *.example.com)
is important for the router name reservation scheme - it defines the namespace ownership even though it's not referenced from an haproxy config perspective.
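
Added example, not part of the original thread and not the router's source code: a simplified Python model of the host reservation rules the comments describe (oldest route wins; the explicit host of a wildcard route stays reserved in every namespace), useful for checking which hosts another namespace can still claim once ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK=true is set. Assumptions: route paths are ignored, the default-mode branch follows the rule stated in Comment 1, and the `Route` fields, the `passme` route name and the creation order are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    namespace: str
    name: str
    host: str
    wildcard: bool  # True when wildcardPolicy is Subdomain
    created: int    # constructed creation order, lower is older

def domain(host):
    """Drop the first label: foo.example.com -> example.com."""
    return host.split(".", 1)[1] if "." in host else ""

def overlaps(a, b):
    """True when the two routes compete for at least one hostname."""
    if a.host == b.host:
        return True
    return (a.wildcard or b.wildcard) and domain(a.host) == domain(b.host)

def admit(routes, disable_namespace_check=False):
    """Return {(namespace, name): status}; the oldest route wins a conflict."""
    admitted, status = [], {}
    for r in sorted(routes, key=lambda x: x.created):
        blocked = False
        for old in admitted:
            if old.host == r.host:
                blocked = True  # explicit name claim holds in any namespace
            elif not disable_namespace_check and old.namespace != r.namespace:
                blocked = overlaps(old, r)  # wildcard domain is owned too
            if blocked:
                break
        if not blocked:
            admitted.append(r)
        status[(r.namespace, r.name)] = "HostAlreadyClaimed" if blocked else "Admitted"
    return status

# Constructed sample mirroring the thread: z1 holds the wildcard route.
ROUTES = [
    Route("z1", "test", "foo.example.com", True, 1),
    Route("z2", "foo", "foo.example.com", False, 2),
    Route("z2", "passme", "passme.example.com", False, 3),
]

if __name__ == "__main__":
    for flag in (False, True):
        print("ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK =", flag)
        for key, verdict in admit(ROUTES, flag).items():
            print("  ", key, verdict)
```

With the check disabled, only the exact host foo.example.com stays reserved for z1; every other name under example.com is claimable by any namespace on a first-come basis.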

