Merge pull request #21974 from bmcelvee/OSDOCS-1034-wildcard-route

bmcelvee · web-flow · commit ab4e407f257e · 2020-06-19T11:34:56.000-04:00
OSDOCS-1034 document wildcard route
diff --git a/modules/nw-ingress-controller-configuration-parameters.adoc b/modules/nw-ingress-controller-configuration-parameters.adoc
@@ -110,6 +110,12 @@ Ciphers and the minimum TLS version of the configured security profile are refle
 * `Strict`: does not allow routes to claim the same host name across namespaces.
 * `InterNamespaceAllowed`: allows routes to claim different paths of the same host name across namespaces.
 
+`wildcardPolicy` describes how routes with wildcard policies are handled by the Ingress Controller.
+
+* `WildcardsAllowed`: Indicates routes with any wildcard policy are admitted by the Ingress Controller.
+
+* `WildcardsDisallowed`: Indicates only routes with a wildcard policy of `None` are admitted by the Ingress Controller. Updating `wildcardPolicy` from `WildcardsAllowed` to `WildcardsDisallowed` causes admitted routes with a wildcard policy of `Subdomain` to stop working. These routes must be recreated to a wildcard policy of `None` to be readmitted by the Ingress Controller. `WildcardsDisallowed` is the default setting.
+
 |===
 
 
diff --git a/modules/using-wildcard-routes.adoc b/modules/using-wildcard-routes.adoc
@@ -0,0 +1,287 @@
+// Module included in the following assemblies:
+//
+// * networking/configuring-ingress-controller
+
+[id="using-wildcard-routes_{context}"]
+= Using wildcard routes
+
+The HAProxy Ingress Controller has support for wildcard routes. The Ingress Operator uses `wildcardPolicy` to configure the `ROUTER_ALLOW_WILDCARD_ROUTES` environment variable of the Ingress Controller.
+
+The default behavior of the Ingress Controller is to admit routes with a wildcard policy of `None`, which is backwards compatible with existing `IngressController` resources.
+
+.Procedure
+
+. Configure the wildcard policy.
+.. Use the following command to edit the `IngressController` resource:
++
+----
+$ oc edit IngressController
+----
++
+.. Under `spec`, set the `wildcardPolicy` field to `WildcardsDisallowed` or `WildcardsAllowed`:
++
+[source,yaml]
+----
+spec:
+  routeAdmission:
+    wildcardPolicy: WildcardsDisallowed # or WildcardsAllowed
+----
+
+////
+.Samples for using a secure wildcard edge terminated route
+
+This example reflects TLS termination occurring on the Ingress Controller before traffic is proxied to the destination. Traffic sent to any hosts in the subdomain
+`example.test` (`*.example.test`) is proxied to the exposed service.
+
+The secure edge terminated route specifies the TLS certificate and key
+information. The TLS certificate is served by the Ingress Controller front end for all hosts that match the subdomain (`*.example.test`).
+
+. Configure the wildcard policy.
+
+. Create a private key, certificate signing request (CSR), and certificate for the
+edge secured route.
++
+The instructions on how to do this are specific to your certificate authority and provider. The following example is a simple self-signed certificate for a domain named `*.example.test`:
++
+----
+# sudo openssl genrsa -out example-test.key 2048
+#
+# sudo openssl req -new -key example-test.key -out example-test.csr  \
+  -subj "/C=US/ST=CA/L=Mountain View/O=OS3/OU=Eng/CN=*.example.test"
+#
+# sudo openssl x509 -req -days 366 -in example-test.csr  \
+      -signkey example-test.key -out example-test.crt
+----
+
+. Generate a wildcard route using the certificate and key:
++
+----
+$ cat > route.yaml  <<REOF
+apiVersion: v1
+kind: Route
+metadata:
+  name:  my-service
+spec:
+  host: www.example.test
+  wildcardPolicy: Subdomain
+  to:
+    kind: Service
+    name: my-service
+  tls:
+    termination: edge
+    key: "$(perl -pe 's/\n/\\n/' example-test.key)"
+    certificate: "$(perl -pe 's/\n/\\n/' example-test.cert)"
+REOF
+$ oc create -f route.yaml
+----
++
+Ensure your DNS entry for `*.example.test` points to your Ingress Controller instances and the route to your domain is available.
++
+This example uses `curl` with a local resolver to simulate the DNS lookup:
++
+----
+# routerip="4.1.1.1"  #  replace with IP address of one of your router instances.
+# curl -k --resolve www.example.test:443:$routerip https://www.example.test/
+# curl -k --resolve abc.example.test:443:$routerip https://abc.example.test/
+# curl -k --resolve anyname.example.test:443:$routerip https://anyname.example.test/
+----
+
+For Ingress Controllers that allow wildcard routes, configure the wildcard policy, there are some caveats to the ownership of a subdomain associated with a wildcard route.
+
+Prior to wildcard routes, ownership was based on the claims made for a host name with the namespace with the oldest route winning against any other claimants.
+For example, route `r1` in namespace `ns1` with a claim for `one.example.test`
+would win over another route `r2` in namespace `ns2` for the same host name
+`one.example.test` if route `r1` was older than route `r2`.
+
+In addition, routes in other namespaces were allowed to claim non-overlapping
+hostnames. For example, route `rone` in namespace `ns1` could claim
+`www.example.test` and another route `rtwo` in namespace `d2` could claim
+`c3po.example.test`.
+
+This is still the case if there are _no_ wildcard routes claiming that same
+subdomain, such as `example.test` in the previous example.
+
+However, a wildcard route needs to claim all of the host names within a
+subdomain, host names of the form `\*.example.test`. A wildcard route's claim
+is allowed or denied based on whether or not the oldest route for that subdomain
+(`example.test`) is in the same namespace as the wildcard route. The oldest
+route can be either a regular route or a wildcard route.
+
+For example, if there is already a route `eldest` that exists in the `ns1`
+namespace that claimed a host named `owner.example.test` and, if at a later
+point in time, a new wildcard route `wildthing` requesting for routes in that
+subdomain (`example.test`) is added, the claim by the wildcard route will only
+be allowed if it is the same namespace (`ns1`) as the owning route.
+
+The following examples illustrate various scenarios in which claims for wildcard
+routes will succeed or fail.
+
+In the following example, a Ingress Controller that allows wildcard routes will allow non-overlapping claims for hosts in the subdomain `example.test` as long as a
+wildcard route has not claimed a subdomain.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=owner.example.test
+$ oc expose service myservice --hostname=aname.example.test
+$ oc expose service myservice --hostname=bname.example.test
+
+$ oc project ns2
+$ oc expose service anotherservice --hostname=second.example.test
+$ oc expose service anotherservice --hostname=cname.example.test
+
+$ oc project otherns
+$ oc expose service thirdservice --hostname=emmy.example.test
+$ oc expose service thirdservice --hostname=webby.example.test
+----
+
+In the following example, a Ingress Controller that allows wildcard routes will not allow the claim for `owner.example.test` or `aname.example.test` to succeed since the owning namespace is `ns1`.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=owner.example.test
+$ oc expose service myservice --hostname=aname.example.test
+
+$ oc project ns2
+$ oc expose service secondservice --hostname=bname.example.test
+$ oc expose service secondservice --hostname=cname.example.test
+
+$ # Router will not allow this claim with a different path name `/p1` as
+$ # namespace `ns1` has an older route claiming host `aname.example.test`.
+$ oc expose service secondservice --hostname=aname.example.test --path="/p1"
+
+$ # Router will not allow this claim as namespace `ns1` has an older route
+$ # claiming host name `owner.example.test`.
+$ oc expose service secondservice --hostname=owner.example.test
+
+$ oc project otherns
+
+$ # Router will not allow this claim as namespace `ns1` has an older route
+$ # claiming host name `aname.example.test`.
+$ oc expose service thirdservice --hostname=aname.example.test
+----
+
+In the following example, a Ingress Controller that allows wildcard routes will allow the claim for `\*.example.test` to succeed since the owning namespace is `ns1` and the wildcard route belongs to that same namespace.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=owner.example.test
+
+$ # Reusing the route.yaml from the previous example.
+$ # spec:
+$ #   host: www.example.test
+$ #   wildcardPolicy: Subdomain
+
+$ oc create -f route.yaml   #  router will allow this claim.
+----
+
+In the following example, a Ingress Controller that allows wildcard routes will not allow the claim for \*.example.test` to succeed since the owning namespace is `ns1` and the wildcard route belongs to another namespace `cyclone`.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=owner.example.test
+
+$ # Switch to a different namespace/project.
+$ oc project cyclone
+
+$ # Reusing the route.yaml from a prior example.
+$ # spec:
+$ #   host: www.example.test
+$ #   wildcardPolicy: Subdomain
+
+$ oc create -f route.yaml   #  router will deny (_NOT_ allow) this claim.
+----
+
+Similarly, once a namespace with a wildcard route claims a subdomain, only
+routes within that namespace can claim any hosts in that same subdomain.
+
+In the following example, once a route in namespace `ns1` with a wildcard route
+claims subdomain `example.test`, only routes in the namespace `ns1` are allowed
+to claim any hosts in that same subdomain.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=owner.example.test
+
+$ oc project otherns
+
+$ # namespace `otherns` is allowed to claim for other.example.test
+$ oc expose service otherservice --hostname=other.example.test
+
+$ oc project ns1
+
+$ # Reusing the route.yaml from the previous example.
+$ # spec:
+$ #   host: www.example.test
+$ #   wildcardPolicy: Subdomain
+
+$ oc create -f route.yaml   #  Router will allow this claim.
+
+$ #  In addition, route in namespace otherns will lose its claim to host
+$ #  `other.example.test` due to the wildcard route claiming the subdomain.
+
+$ # namespace `ns1` is allowed to claim for deux.example.test
+$ oc expose service mysecondservice --hostname=deux.example.test
+
+$ # namespace `ns1` is allowed to claim for deux.example.test with path /p1
+$ oc expose service mythirdservice --hostname=deux.example.test --path="/p1"
+
+$ oc project otherns
+
+$ # namespace `otherns` is not allowed to claim for deux.example.test
+$ # with a different path '/otherpath'
+$ oc expose service otherservice --hostname=deux.example.test --path="/otherpath"
+
+$ # namespace `otherns` is not allowed to claim for owner.example.test
+$ oc expose service yetanotherservice --hostname=owner.example.test
+
+$ # namespace `otherns` is not allowed to claim for unclaimed.example.test
+$ oc expose service yetanotherservice --hostname=unclaimed.example.test
+----
+
+In the following example, different scenarios are shown in which the owner routes
+are deleted and ownership is passed within and across namespaces. While a route
+claiming host `eldest.example.test` in the namespace `ns1` exists, wildcard
+routes in that namespace can claim subdomain `example.test`. When the route for
+host `eldest.example.test` is deleted, the next oldest route
+`senior.example.test` would become the oldest route and would not affect any
+other routes. Once the route for host `senior.example.test` is deleted, the next
+oldest route `junior.example.test` becomes the oldest route and block the
+wildcard route claimant.
+
+----
+$ oc project ns1
+$ oc expose service myservice --hostname=eldest.example.test
+$ oc expose service seniorservice --hostname=senior.example.test
+
+$ oc project otherns
+
+$ # namespace `otherns` is allowed to claim for other.example.test
+$ oc expose service juniorservice --hostname=junior.example.test
+
+$ oc project ns1
+
+$ # Reusing the route.yaml from the previous example.
+$ # spec:
+$ #   host: www.example.test
+$ #   wildcardPolicy: Subdomain
+
+$ oc create -f route.yaml   #  Router will allow this claim.
+
+$ #  In addition, route in namespace otherns will lose its claim to host
+$ #  `junior.example.test` due to the wildcard route claiming the subdomain.
+
+$ # namespace `ns1` is allowed to claim for dos.example.test
+$ oc expose service mysecondservice --hostname=dos.example.test
+
+$ # Delete route for host `eldest.example.test`, the next oldest route is
+$ # the one claiming `senior.example.test`, so route claims are unaffacted.
+$ oc delete route myservice
+
+$ # Delete route for host `senior.example.test`, the next oldest route is
+$ # the one claiming `junior.example.test` in another namespace, so claims
+$ # for a wildcard route would be affected. The route for the host
+$ # `dos.example.test` would be unaffected as there are no other wildcard
+$ # claimants blocking it.
+$ oc delete route seniorservice
+----
+////
diff --git a/networking/ingress-operator.adoc b/networking/ingress-operator.adoc
@@ -29,6 +29,9 @@ include::modules/nw-ingress-operator-logs.adoc[leveloffset=+1]
 
 include::modules/nw-ingress-controller-status.adoc[leveloffset=+1]
 
+[id="configuring-ingress-controller"]
+= Configuring the Ingress Controller
+
 include::modules/nw-ingress-setting-a-custom-default-certificate.adoc[leveloffset=+1]
 
 include::modules/nw-scaling-ingress-controller.adoc[leveloffset=+1]
@@ -43,6 +46,8 @@ include::modules/nw-ingress-default-internal.adoc[leveloffset=+1]
 
 include::modules/nw-route-admission-policy.adoc[leveloffset=+1]
 
+include::modules/using-wildcard-routes.adoc[leveloffset=+1]
+
 //include::modules/nw-ingress-select-route.adoc[leveloffset=+1]
 
 == Additional resources
