Description of problem: Context - ${name}-${namespace}.internal.example.com - is default RouterConfig subdomain set in master-config, ROUTE_LABELS="shard notin (public, trusted)". ${name}-${namespace}.public.example.com. - public router shard is created with ROUTE_LABELS="shard=public". While using router sharding - If ROUTER_OVERRIDE_HOSTNAME="true" is set on the routers, everything work as expected. But if ROUTER_OVERRIDE_HOSTNAME="false" is on the routers, all "empty" routes are admitted as ${name}-${namespace}.internal.example.com on the routers. Setting a route label to "shard=public" is creating the route on the public router but with a hostname of ${name}-${namespace}.internal.example.com, therefore not respecting the ROUTER_SUBDOMAIN, thus making it impossible to direct traffic to the route. Expected behaviour should be that the route controller respects the ROUTER_SUBDOMAIN of the router when admitting empty routes claimed by a router shard when ROUTER_OVERRIDE_HOSTNAME="false" is set. An upstream issue has already been created - https://github.com/openshift/origin/issues/16797 And someone has already posted his code with introducing --ignore-domain option, but no PR has be filed yet for the same. Version-Release number of selected component (if applicable): 3.7
There's two router options that control blacklisting and whitelisting route domains. Documentation at: https://docs.openshift.org/latest/architecture/networking/routes.html#architecture-core-concepts-routes-deny-allow So doing something like: oc set env dc/public-router-dc ROUTER_DENIED_DOMAINS="internal.example.com" should work on the public and/or trusted router. Its doing the same check as ignore domains - just on a set of domains. In a similar vein, there's also domain whitelist (allowed domains) that one can use if you know the list of domains on routes that you want a specific router to serve. Does that work for you? Thanks.
Okay, there was correspondence with the customer on the github issue and that clarified what they were asking for. Or my misunderstanding of it anyway! There's an in-progress PR for this: https://github.com/openshift/origin/pull/19418 if that works, will add some tests to it and push it.
found this bug still can be reproduced on v3.10.0-0.47.0 steps: 1. Create two routers with different ROUTER_SUBDOMAIN and ROUTE_LABELS oc env dc router ROUTER_SUBDOMAIN='${name}-${namespace}.inter.example.com' ROUTE_LABELS="shard=inter" oc env dc r2 ROUTER_SUBDOMAIN='${name}-${namespace}.public.example.com' ROUTE_LABELS="shard=public 2. update router r2 with oc env dc r2 ROUTER_OVERRIDE_HOSTNAME=false ROUTER_OVERRIDE_DOMAINS='public.example.com' 3. Create one service with userA oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/header-test/insecure-service.json 4. Create route with label shard=public oc expose svc header-test-insecure -l shard=public --name=zhao2 5. Check the route oc get route zhao2 NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD zhao2 zhao2-z1.apps.0517-llp.qe.rhcloud.com header-test-insecure http None 6. oc describe route zhao2 Name: zhao2 Namespace: z1 Created: 15 minutes ago Labels: shard=public Annotations: openshift.io/host.generated=true Requested Host: zhao2-z1.apps.0517-llp.qe.rhcloud.com exposed on router r2 9 minutes ago Path: <none> TLS Termination: <none> Insecure Policy: <none> Endpoint Port: http Service: header-test-insecure Weight: 100 (100%) Endpoints: <none> FYI: the subdomin of in master-config.yaml is 'apps.0517-llp.qe.rhcloud.com'
I'm not sure what you expect to have happened. That all looks correct to me. By setting ROUTER_OVERRIDE_HOSTNAME=false and ROUTER_OVERRIDE_DOMAINS='public.example.com' you are requesting that the router not override all hostnames, only the ones in public.example.com. BUT your route hostname is zhao2-z1.apps.0517-llp.qe.rhcloud.com. It needs to be in the domain public.example.com for it to get overriden.