github.com/projectcontour/contour@v1.28.2/site/content/docs/v1.14.0/config/virtual-hosts.md (about) 1 # Virtual Hosts 2 3 4 Similar to Ingress, HTTPProxy support name-based virtual hosting. 5 Name-based virtual hosts use multiple host names with the same IP address. 6 7 ``` 8 foo.bar.com --| |-> foo.bar.com s1:80 9 | 178.91.123.132 | 10 bar.foo.com --| |-> bar.foo.com s2:80 11 ``` 12 13 Unlike Ingress however, HTTPProxy only support a single root domain per HTTPProxy object. 14 As an example, this Ingress object: 15 16 ```yaml 17 # ingress-name.yaml 18 apiVersion: extensions/v1beta1 19 kind: Ingress 20 metadata: 21 name: name-example 22 spec: 23 rules: 24 - host: foo1.bar.com 25 http: 26 paths: 27 - backend: 28 serviceName: s1 29 servicePort: 80 30 - host: bar1.bar.com 31 http: 32 paths: 33 - backend: 34 serviceName: s2 35 servicePort: 80 36 ``` 37 38 must be represented by two different HTTPProxy objects: 39 40 ```yaml 41 # httpproxy-name.yaml 42 apiVersion: projectcontour.io/v1 43 kind: HTTPProxy 44 metadata: 45 name: name-example-foo 46 namespace: default 47 spec: 48 virtualhost: 49 fqdn: foo1.bar.com 50 routes: 51 - services: 52 - name: s1 53 port: 80 54 --- 55 apiVersion: projectcontour.io/v1 56 kind: HTTPProxy 57 metadata: 58 name: name-example-bar 59 namespace: default 60 spec: 61 virtualhost: 62 fqdn: bar1.bar.com 63 routes: 64 - services: 65 - name: s2 66 port: 80 67 ``` 68 69 A HTTPProxy object that contains a [`virtualhost`][2] field is known as a "root proxy". 70 71 ## Virtualhost aliases 72 73 To present the same set of routes under multiple DNS entries (e.g. `www.example.com` and `example.com`), including a service with a `prefix` condition of `/` can be used. 74 75 ```yaml 76 # httpproxy-inclusion-multipleroots.yaml 77 --- 78 apiVersion: projectcontour.io/v1 79 kind: HTTPProxy 80 metadata: 81 name: multiple-root 82 namespace: default 83 spec: 84 virtualhost: 85 fqdn: bar.com 86 includes: 87 - name: main 88 namespace: default 89 --- 90 apiVersion: projectcontour.io/v1 91 kind: HTTPProxy 92 metadata: 93 name: multiple-root-www 94 namespace: default 95 spec: 96 virtualhost: 97 fqdn: www.bar.com 98 includes: 99 - name: main 100 namespace: default 101 --- 102 apiVersion: projectcontour.io/v1 103 kind: HTTPProxy 104 metadata: 105 name: main 106 namespace: default 107 spec: 108 routes: 109 - services: 110 - name: s2 111 port: 80 112 ``` 113 114 ## Restricted root namespaces 115 116 HTTPProxy inclusion allows Administrators to limit which users/namespaces may configure routes for a given domain, but it does not restrict where root HTTPProxies may be created. 117 Contour has an enforcing mode which accepts a list of namespaces where root HTTPProxy are valid. 118 Only users permitted to operate in those namespaces can therefore create HTTPProxy with the [`virtualhost`][2] field. 119 120 This restricted mode is enabled in Contour by specifying a command line flag, `--root-namespaces`, which will restrict Contour to only searching the defined namespaces for root HTTPProxy. This CLI flag accepts a comma separated list of namespaces where HTTPProxy are valid (e.g. `--root-namespaces=default,kube-system,my-admin-namespace`). 121 122 HTTPProxy with a defined [virtualhost][2] field that are not in one of the allowed root namespaces will be flagged as `invalid` and will be ignored by Contour. 123 124 Additionally, when defined, Contour will only watch for Kubernetes secrets in these namespaces ignoring changes in all other namespaces. 125 Proper RBAC rules should also be created to restrict what namespaces Contour has access matching the namespaces passed to the command line flag. 126 An example of this is included in the [examples directory][1] and shows how you might create a namespace called `root-httproxy`. 127 128 _**Note:** The restricted root namespace feature is only supported for HTTPProxy CRDs. 129 `--root-namespaces` does not affect the operation of Ingress objects._ 130 131 [1]: {{< param github_url>}}/tree/{{< param version >}}/examples/root-rbac 132 [2]: api/#projectcontour.io/v1.VirtualHost