Bug 1964112 - route SimpleAllocationPlugin: host name validation errors: spec.host: Invalid value: ... must be no more than 63 characters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.10.0
Assignee: Luigi Mario Zuccarelli
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1896977
Blocks: 1924996
Reported: 2021-05-24 18:19 UTC by Candace Holman
Modified: 2022-08-04 22:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: If a Route is created where the combined name and namespace form a DNS segment that exceeds 63 characters in length, the route will be rejected. Consequence: The route is rejected. This is expected behaviour; however, when upgrading to newer versions of OpenShift, if the older route was allowed to have a non-conformant DNS hostname, there should be an override that allows this. Fix: Add the logic to check for older route validation, with the annotation "AllowNonDNSCompliantHostAnnotation" set to "true" (default is "false"), i.e. in the YAML the annotation would be "route.openshift.io/allow-non-dns-compliant-host": "true". Result: With the annotation "AllowNonDNSCompliantHostAnnotation" set to "true", the non-conformant DNS hostname (segments greater than 63 characters) will be allowed.
Clone Of: 1896977
Environment:
Last Closed: 2022-03-12 04:35:20 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift api pull 976 0 None open Bug 1964112: Fix for host name validator error 2021-11-05 13:53:59 UTC
Github openshift openshift-apiserver pull 248 0 None Merged Bug 1964112: Fix for host name validation error 2021-11-05 13:54:08 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-12 04:35:40 UTC

Comment 4 Arvind iyengar 2021-08-25 04:20:36 UTC
Verified in "4.9.0-0.ci.test-2021-08-24-065133-ci-ln-k3iid0k-latest" release version. With this payload, adding the "route.openshift.io/allow-non-dns-compliant-host: true" annotation causes the long route names to be accepted during creation, but they will eventually be marked invalid:
-----
Without annotation:
cat route-test.yaml                                                                                             
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None


oc create -f route-test.yaml        
The Route "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee" is invalid: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.ci-ln-k3iid0k-f76d1.origin-ci-int-gce.dev.openshift.com": host (label) must conform to DNS 1123 label conventions must be no more than 63 characters


With annotation:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
  annotations:
    route.openshift.io/allow-non-dns-compliant-host: "true"
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None

oc create -f route-test.yaml        
route.route.openshift.io/service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee created

oc get route                         
NAME                                                         HOST/PORT     PATH   SERVICES           PORT   TERMINATION   WILDCARD
service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee   InvalidHost          service-unsecure   http                 None

oc get route service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
...
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-08-24T07:48:43Z"
      message: 'host name validation errors: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.ci-ln-k3iid0k-f76d1.origin-ci-int-gce.dev.openshift.com":
        must be no more than 63 characters'
      reason: InvalidHost
      status: "False"
      type: Admitted
-----

Comment 5 Miciah Dashiel Butler Masters 2021-08-31 16:32:03 UTC
This is low severity with some risk, so pushing to 4.10.

Comment 9 Miciah Dashiel Butler Masters 2021-11-05 15:14:11 UTC
We should get https://github.com/openshift/api/pull/976 merged to ensure the API godoc matches the new behavior.

Comment 11 Arvind iyengar 2021-12-13 08:44:45 UTC
Verified in "4.10.0-0.nightly-2021-12-12-232810" release version. With this payload, adding the "route.openshift.io/allow-non-dns-compliant-host: true" annotation causes the long route names to be accepted during creation, but they will eventually be marked invalid:
-----
oc get clusterversion                           
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-12-12-232810   True        False         76m     Cluster version is 4.10.0-0.nightly-2021-12-12-232810

Test route file without the annotation:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None


oc create -f route-test-1964112.yaml            
The Route "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee" is invalid: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.aiyengar410aw.qe.devcluster.openshift.com": must be no more than 63 characters


With the annotation added:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee
  annotations:
    route.openshift.io/allow-non-dns-compliant-host: "true"
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: null
  wildcardPolicy: None

oc create -f route-test-1964112.yaml           
route.route.openshift.io/service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee created

oc get route  service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee -o yaml
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-12-13T08:40:47Z"
      message: 'host name validation errors: spec.host: Invalid value: "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.aiyengar410aw.qe.devcluster.openshift.com":
        must be no more than 63 characters'
      reason: InvalidHost
      status: "False"
      type: Admitted

-----
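
The two-stage behaviour verified above (accepted at creation with the annotation, then marked InvalidHost by the router), as an added Go example that is not part of the original bug report or the OpenShift code. The function names, and the assumption that the annotation lifts only the 63-character label limit, are illustrative; the host string is the one from the Comment 11 error message.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Annotation key quoted in the bug's Doc Text.
const allowNonCompliant = "route.openshift.io/allow-non-dns-compliant-host"

// RFC 1123 label syntax: lowercase alphanumerics and '-', alphanumeric at both ends.
var labelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// labelErrors lists the labels of host that fail the syntax check or,
// when checkLen is set, exceed the 63-character label limit.
func labelErrors(host string, checkLen bool) []string {
	var bad []string
	for _, l := range strings.Split(host, ".") {
		if !labelRE.MatchString(l) || (checkLen && len(l) > 63) {
			bad = append(bad, l)
		}
	}
	return bad
}

// apiAccepts models creation-time validation (assumption: the annotation
// set to "true" lifts only the per-label length limit).
func apiAccepts(host string, ann map[string]string) bool {
	return len(labelErrors(host, ann[allowNonCompliant] != "true")) == 0
}

// routerAdmits models the later router check, which in the comments still
// reports InvalidHost whether or not the annotation is present.
func routerAdmits(host string) bool {
	return len(labelErrors(host, true)) == 0
}

func main() {
	// Generated host (<name>-<namespace>.<domain>) from the error in Comment 11.
	host := "service-unsecure-test2-reallylonnnnnnnnng-nameeeeeeeeeeeee-test2.apps.aiyengar410aw.qe.devcluster.openshift.com"
	ann := map[string]string{allowNonCompliant: "true"}
	fmt.Println("create, no annotation:  ", apiAccepts(host, nil))
	fmt.Println("create, with annotation:", apiAccepts(host, ann))
	fmt.Println("router admits:          ", routerAdmits(host))
	fmt.Println("offending labels:       ", labelErrors(host, true))
}
```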

Comment 14 errata-xmlrpc 2022-03-12 04:35:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

