+++ This bug was initially created as a clone of Bug #1534488 +++ Description of problem: If you mix 2 Routes (edge terminated) one with InsecureEdgeTerminationPolicy Redirect and the other one with Allow, path based routing doesn't work and the redirect Route always wins. Version-Release number of selected component (if applicable): All current versions are broken. How reproducible: Always. Actual results: All traffic goes to Redirect Route. Expected results: Traffic goes by the rules of path based routing as declared in: https://docs.openshift.org/latest/architecture/networking/routes.html#path-based-routes Additional info: related issues: - https://github.com/openshift/origin/issues/14950 - https://github.com/tnozicka/openshift-acme/issues/16 There is already a pull from community to fix it https://github.com/openshift/origin/pull/15847 waiting for a review from networking team since Aug 18, 2017.
After testing this, found the issue still cannot be fixed yet Tested this on version oc v3.9.0-0.23.0 kubernetes v1.9.1+a0ce1bc657 features: Basic-Auth GSSAPI Kerberos SPNEGO steps: 1. Create pod1/svc/route $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/networking/list_for_pods.json $ oc create route edge edge1 --service=test-service --insecure-policy=Allow 2. Create another pod2/svc and with same route hostname $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json $ oc create -f oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json $ oc expose svc service-unsecure --hostname='edge1-z1.apps.0124-uvc.qe.rhcloud.com' --path=/test 3. Check the route # oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD edge1 edge1-z1.apps.0124-uvc.qe.rhcloud.com test-service http edge/Allow None service-unsecure edge1-z1.apps.0124-uvc.qe.rhcloud.com /test service-unsecure http None 4. When I access the route w and w/o path one,they are both refer to pod1 $ # curl edge1-z1.apps.0124-uvc.qe.rhcloud.com Hello OpenShift! $ curl edge1-z1.apps.0124-uvc.qe.rhcloud.com/test/ Hello OpenShift! 5. let's delete the 'edge1' route to prove the route with path one can work $ oc delete route edge1 $ oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD service-unsecure edge1-z1.apps.0124-uvc.qe.rhcloud.com /test service-unsecure http None $ curl edge1-z1.apps.0124-uvc.qe.rhcloud.com/test/ Hello-OpenShift-Path-Test http-8080
Could you test with a router built from the source tree?
@jtanehba I'm not sure why we need to rebuilt the router from the source tree.. since I already checked the our testing env router and the related fixed PR https://github.com/openshift/origin/pull/15847 already in. I can give you the env if you need
more info: $ oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD edge1 edge1-z1.apps.0201-8nl.qe.rhcloud.com test-service http edge/Allow None service-unsecure edge1-z1.apps.0201-8nl.qe.rhcloud.com /test service-unsecure http None *************Test the route************** $ curl edge1-z1.apps.0201-8nl.qe.rhcloud.com Hello OpenShift! $ curl edge1-z1.apps.0201-8nl.qe.rhcloud.com/test/ Hello OpenShift! **************Check the map file**************** $ cat os_http_be.map ^edge1-z1\.apps\.0201-8nl\.qe\.rhcloud\.com(:[0-9]+)?/test(/.*)?$ z1:service-unsecure sh-4.2$ cat os_edge_http_be.map ^edge1-z1\.apps\.0201-8nl\.qe\.rhcloud\.com(:[0-9]+)?(/.*)?$ z1:edge1 sh-4.2$ cat os_route_http_insecure.map ^edge1-z1\.apps\.0201-8nl\.qe\.rhcloud\.com(:[0-9]+)?(/.*)?$ be_edge_http:z1:edge1 *************************** From the content of the map file and haproxy.config. I guess 'edge1-z1.apps.0201-8nl.qe.rhcloud.com/test/' should also can be matched toos_route_http_insecure.map with high priority than os_http_be.map
Could you give me access to the env?
Upon further investigation it is found that an issue with the map files match incorrectly and a different setup of map files needs to exist to correctly match the backends
Can QA please verify that it also works correctly in environments where the Router is backed by something else than HA proxy, like F5?
This behavior has not changed from earlier releases... so I think we need to revert the earlier attempt at a fix, and then we need to consider what we expect to happen here. My advice is not to mix different termination types for the same host at this point. We'll see if we can make the router handle different terminations or reject routes if they don't match. But that will be a later release.
bbennett please note that it's desired to mix the termination types -here is a use case: User has a regular Route with insecureEdgeTerminationPolicy=(None,Redirect) and he needs to redirect traffic for ACME verification as a subpath (/.well-known/...) with insecureEdgeTerminationPolicy==Allow. (We'll soon to have a controller in the OpenShift org using just that which is kind of hacky to work around this bug.)
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/8d5346ea3e189502bd3f95ccdfa4c570729409fa Combine backend map files to fix bath based routing combined the two maps for insecure routes os_edge_http_be.map and os_route_http_expose.map and the two maps for secure routes os_reencrypt.map and os_edge_http_be.map reducing the number of map files and fixing path based routing Bug 1534816
Verified this bug on v3.10.0-0.15.0 with haproxy images id (5bcd6b8168cc) using comment 6 steps.