github.com/projectcontour/contour@v1.28.2/site/content/docs/1.20/config/virtual-hosts.md

github.com/projectcontour/contour@v1.28.2/site/content/docs/1.20/config/virtual-hosts.md (about)

     1  # Virtual Hosts
     2  
     3  
     4  Similar to Ingress, HTTPProxy support name-based virtual hosting.
     5  Name-based virtual hosts use multiple host names with the same IP address.
     6  
     7  ```
     8  foo.bar.com --|                 |-> foo.bar.com s1:80
     9                | 178.91.123.132  |
    10  bar.foo.com --|                 |-> bar.foo.com s2:80
    11  ```
    12  
    13  Unlike Ingress however, HTTPProxy only support a single root domain per HTTPProxy object.
    14  As an example, this Ingress object:
    15  
    16  ```yaml
    17  # ingress-name.yaml
    18  apiVersion: networking.k8s.io/v1
    19  kind: Ingress
    20  metadata:
    21    name: name-example
    22  spec:
    23    rules:
    24    - host: foo1.bar.com
    25      http:
    26        paths:
    27        - backend:
    28            service:
    29              name: s1
    30              port:
    31                number: 80
    32          pathType: Prefix
    33    - host: bar1.bar.com
    34      http:
    35        paths:
    36        - backend:
    37            service:
    38              name: s2
    39              port:
    40                number: 80
    41          pathType: Prefix
    42  ```
    43  
    44  must be represented by two different HTTPProxy objects:
    45  
    46  ```yaml
    47  # httpproxy-name.yaml
    48  apiVersion: projectcontour.io/v1
    49  kind: HTTPProxy
    50  metadata:
    51    name: name-example-foo
    52    namespace: default
    53  spec:
    54    virtualhost:
    55      fqdn: foo1.bar.com
    56    routes:
    57      - services:
    58        - name: s1
    59          port: 80
    60  ---
    61  apiVersion: projectcontour.io/v1
    62  kind: HTTPProxy
    63  metadata:
    64    name: name-example-bar
    65    namespace: default
    66  spec:
    67    virtualhost:
    68      fqdn: bar1.bar.com
    69    routes:
    70      - services:
    71          - name: s2
    72            port: 80
    73  ```
    74  
    75  A HTTPProxy object that contains a [`virtualhost`][2] field is known as a "root proxy".
    76  
    77  ## Virtualhost aliases
    78  
    79  To present the same set of routes under multiple DNS entries (e.g. `www.example.com` and `example.com`), including a service with a `prefix` condition of `/` can be used.
    80  
    81  ```yaml
    82  # httpproxy-inclusion-multipleroots.yaml
    83  ---
    84  apiVersion: projectcontour.io/v1
    85  kind: HTTPProxy
    86  metadata:
    87    name: multiple-root
    88    namespace: default
    89  spec:
    90    virtualhost:
    91      fqdn: bar.com
    92    includes:
    93    - name: main
    94      namespace: default
    95  ---
    96  apiVersion: projectcontour.io/v1
    97  kind: HTTPProxy
    98  metadata:
    99    name: multiple-root-www
   100    namespace: default
   101  spec:
   102    virtualhost:
   103      fqdn: www.bar.com
   104    includes:
   105    - name: main
   106      namespace: default
   107  ---
   108  apiVersion: projectcontour.io/v1
   109  kind: HTTPProxy
   110  metadata:
   111    name: main
   112    namespace: default
   113  spec:
   114    routes:
   115    - services:
   116      - name: s2
   117        port: 80
   118  ```
   119  
   120  ## Restricted root namespaces
   121  
   122  HTTPProxy inclusion allows Administrators to limit which users/namespaces may configure routes for a given domain, but it does not restrict where root HTTPProxies may be created.
   123  Contour has an enforcing mode which accepts a list of namespaces where root HTTPProxy are valid.
   124  Only users permitted to operate in those namespaces can therefore create HTTPProxy with the [`virtualhost`] field ([see API docs][2]).
   125  
   126  This restricted mode is enabled in Contour by specifying a command line flag, `--root-namespaces`, which will restrict Contour to only searching the defined namespaces for root HTTPProxy. This CLI flag accepts a comma separated list of namespaces where HTTPProxy are valid (e.g. `--root-namespaces=default,kube-system,my-admin-namespace`).
   127  
   128  HTTPProxy with a defined [virtualhost][2] field that are not in one of the allowed root namespaces will be flagged as `invalid` and will be ignored by Contour.
   129  
   130  Additionally, when defined, Contour will only watch for Kubernetes secrets in these namespaces ignoring changes in all other namespaces.
   131  Proper RBAC rules should also be created to restrict what namespaces Contour has access matching the namespaces passed to the command line flag.
   132  An example of this is included in the [examples directory][1] and shows how you might create a namespace called `root-httproxy`.
   133  
   134  _**Note:** The restricted root namespace feature is only supported for HTTPProxy CRDs.
   135  `--root-namespaces` does not affect the operation of Ingress objects._
   136  
   137  [1]: {{< param github_url>}}/tree/{{< param branch >}}/examples/root-rbac
   138  [2]: api/#projectcontour.io/v1.VirtualHost