Bug 2004273 - Wrong Ingress to Route conversion for wildcard hostnames
Summary: Wrong Ingress to Route conversion for wildcard hostnames
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.8.z
Assignee: Miheer Salunke
QA Contact: Melvin Joseph
URL:
Whiteboard:
Depends On: 1903519
Blocks: 2004274
 
Reported: 2021-09-14 21:30 UTC by OpenShift BugZilla Robot
Modified: 2022-11-01 08:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Setting a *. entry in spec.rules.host of an ingress is not supported by Route.

Consequence: The controller fails with Route.route.openshift.io "route-wildcard-2-zkcdj" is invalid: spec.host: Invalid value:

Fix: If the user sets *. in the ingress object with the intention of ingress to route conversion, then we set wildcard. instead of *. for the route host, as the route hostname does not support *.

Backport warning:
* A user has an ingress with a wildcard host name.
* The ingress is exposed using a third-party ingress controller.
* The user does *not* want the ingress exposed by OpenShift router (for example, maybe OpenShift router is exposed on the Internet, and the third-party ingress controller is internal only; or maybe having a status entry from OpenShift router on the ingress would confuse the third-party ingress controller, as in bug 1935808).
* The router is configured to allow wildcard routes (as described in comment 8).
* The user upgrades to a version of OpenShift with this backported fix.

In this scenario, the ingress is now exposed by the router when the user only wants it exposed by the third-party ingress controller. This is an admittedly extremely contrived situation, but sometimes users do unexpected things or have different expectations, and exposing an ingress when the user doesn't expect it could be problematic. Therefore we need to document this new behavior very explicitly in a release note to reduce the risk that users will be caught unawares.

Result: With this fix the ingress controller does not throw the error described in the Consequence.
Clone Of:
Environment:
Last Closed: 2022-11-01 08:00:02 UTC
Target Upstream Version:
Embargoed:



Comment 1 Arvind iyengar 2021-09-28 07:22:00 UTC
Verified in "4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest" release version, this time. With this payload the ingress resource could be seen getting translated correctly to the route resource with the required wildcard mapping:
---------
oc get clusterversion                
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest   True        False         41m     Cluster version is 4.8.0-0.ci.test-2021-09-28-060613-ci-ln-98208g2-latest

$ oc patch -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"routeAdmission":{"wildcardPolicy": "WildcardsAllowed"}}}' --type=merge
ingresscontroller.operator.openshift.io/default patched

$ cat test-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unsecure-route
spec:
  rules:
  - host: '*.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-unsecure
            port: 
              number: 27017


oc get route                         
NAME                   HOST/PORT                                                                     PATH   SERVICES           PORT   TERMINATION   WILDCARD
unsecure-route-rx6m7   wildcard.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com   /      service-unsecure   http                 Subdomain

oc get ingress             
NAME             CLASS    HOSTS                                                                  ADDRESS   PORTS   AGE
unsecure-route   <none>   *.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com             80      2m54s



curl http://wildcard.test1.apps.ci-ln-98208g2-f76d1.origin-ci-int-gce.dev.openshift.com -I       
HTTP/1.1 200 OK
server: nginx/1.20.1
date: Tue, 28 Sep 2021 07:13:54 GMT
content-type: text/html
content-length: 46
last-modified: Tue, 28 Sep 2021 07:07:21 GMT
etag: "6152bf29-2e"
accept-ranges: bytes
set-cookie: ac55a58593e60bbba2b21ed261472979=b09f8e2a72a66cdfde4c0f9821ea8548; path=/; HttpOnly
cache-control: private
---------
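
A pre-upgrade check for the backport warning in the Doc Text, as an added example that is not part of the bug report or of OpenShift's code: it lists Ingresses with a wildcard host, the route host the fix would generate (the "wildcard." prefix and Subdomain policy seen in comment 1), and whether the router's admission policy would admit it. The sample JSON, the function names and the finding fields are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `oc get ingress -A -o json` (not from the bug report).
SAMPLE_INGRESSES = json.loads("""
{"items": [
  {"metadata": {"namespace": "team-a", "name": "internal-wild"},
   "spec": {"ingressClassName": "third-party",
            "rules": [{"host": "*.int.example.com"}]}},
  {"metadata": {"namespace": "team-b", "name": "plain"},
   "spec": {"rules": [{"host": "www.example.com"}, {}]}}
]}
""")


def route_host_for(ingress_host):
    """Map an Ingress host to (route host, route wildcardPolicy) per the Doc Text."""
    if ingress_host.startswith("*."):
        return "wildcard." + ingress_host[2:], "Subdomain"
    return ingress_host, "None"


def audit(ingress_list, router_wildcard_policy):
    """List wildcard Ingress hosts and whether the router would admit their routes.

    router_wildcard_policy is the value of spec.routeAdmission.wildcardPolicy
    on the IngressController (the field patched in comment 1).
    """
    admits = router_wildcard_policy == "WildcardsAllowed"
    findings = []
    for item in ingress_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        for rule in spec.get("rules") or []:
            host = rule.get("host", "")  # a rule may omit host entirely
            route_host, policy = route_host_for(host)
            if policy != "Subdomain":
                continue
            findings.append({
                "ingress": f'{meta.get("namespace")}/{meta.get("name")}',
                # Reported for triage only; class handling is not modelled here.
                "ingress_class": spec.get("ingressClassName"),
                "route_host": route_host,
                "exposed_by_router": admits,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INGRESSES, "WildcardsAllowed"):
        print(finding)
```

Any finding with exposed_by_router set to True is an Ingress that matches the Doc Text scenario and should be reviewed before upgrading.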

Comment 6 Miheer Salunke 2022-11-01 08:00:02 UTC
Closing this as we don't support 4.8 so backport to it won't be accepted.

