github.com/projectcontour/contour@v1.28.2/site/content/docs/v1.18.2/config/virtual-hosts.md

github.com/projectcontour/contour@v1.28.2/site/content/docs/v1.18.2/config/virtual-hosts.md (about)

     1  # Virtual Hosts
     2  
     3  
     4  Similar to Ingress, HTTPProxy support name-based virtual hosting.
     5  Name-based virtual hosts use multiple host names with the same IP address.
     6  
     7  ```
     8  foo.bar.com --|                 |-> foo.bar.com s1:80
     9                | 178.91.123.132  |
    10  bar.foo.com --|                 |-> bar.foo.com s2:80
    11  ```
    12  
    13  Unlike Ingress however, HTTPProxy only support a single root domain per HTTPProxy object.
    14  As an example, this Ingress object:
    15  
    16  ```yaml
    17  # ingress-name.yaml
    18  apiVersion: networking.k8s.io/v1
    19  kind: Ingress
    20  metadata:
    21    name: name-example
    22  spec:
    23    rules:
    24    - host: foo1.bar.com
    25      http:
    26        paths:
    27        - backend:
    28            service:
    29              name: s1
    30              port:
    31                number: 80
    32    - host: bar1.bar.com
    33      http:
    34        paths:
    35        - backend:
    36            service:
    37              name: s2
    38              port:
    39                number: 80
    40  ```
    41  
    42  must be represented by two different HTTPProxy objects:
    43  
    44  ```yaml
    45  # httpproxy-name.yaml
    46  apiVersion: projectcontour.io/v1
    47  kind: HTTPProxy
    48  metadata:
    49    name: name-example-foo
    50    namespace: default
    51  spec:
    52    virtualhost:
    53      fqdn: foo1.bar.com
    54    routes:
    55      - services:
    56        - name: s1
    57          port: 80
    58  ---
    59  apiVersion: projectcontour.io/v1
    60  kind: HTTPProxy
    61  metadata:
    62    name: name-example-bar
    63    namespace: default
    64  spec:
    65    virtualhost:
    66      fqdn: bar1.bar.com
    67    routes:
    68      - services:
    69          - name: s2
    70            port: 80
    71  ```
    72  
    73  A HTTPProxy object that contains a [`virtualhost`][2] field is known as a "root proxy".
    74  
    75  ## Virtualhost aliases
    76  
    77  To present the same set of routes under multiple DNS entries (e.g. `www.example.com` and `example.com`), including a service with a `prefix` condition of `/` can be used.
    78  
    79  ```yaml
    80  # httpproxy-inclusion-multipleroots.yaml
    81  ---
    82  apiVersion: projectcontour.io/v1
    83  kind: HTTPProxy
    84  metadata:
    85    name: multiple-root
    86    namespace: default
    87  spec:
    88    virtualhost:
    89      fqdn: bar.com
    90    includes:
    91    - name: main
    92      namespace: default
    93  ---
    94  apiVersion: projectcontour.io/v1
    95  kind: HTTPProxy
    96  metadata:
    97    name: multiple-root-www
    98    namespace: default
    99  spec:
   100    virtualhost:
   101      fqdn: www.bar.com
   102    includes:
   103    - name: main
   104      namespace: default
   105  ---
   106  apiVersion: projectcontour.io/v1
   107  kind: HTTPProxy
   108  metadata:
   109    name: main
   110    namespace: default
   111  spec:
   112    routes:
   113    - services:
   114      - name: s2
   115        port: 80
   116  ```
   117  
   118  ## Restricted root namespaces
   119  
   120  HTTPProxy inclusion allows Administrators to limit which users/namespaces may configure routes for a given domain, but it does not restrict where root HTTPProxies may be created.
   121  Contour has an enforcing mode which accepts a list of namespaces where root HTTPProxy are valid.
   122  Only users permitted to operate in those namespaces can therefore create HTTPProxy with the [`virtualhost`] field ([see API docs][2]).
   123  
   124  This restricted mode is enabled in Contour by specifying a command line flag, `--root-namespaces`, which will restrict Contour to only searching the defined namespaces for root HTTPProxy. This CLI flag accepts a comma separated list of namespaces where HTTPProxy are valid (e.g. `--root-namespaces=default,kube-system,my-admin-namespace`).
   125  
   126  HTTPProxy with a defined [virtualhost][2] field that are not in one of the allowed root namespaces will be flagged as `invalid` and will be ignored by Contour.
   127  
   128  Additionally, when defined, Contour will only watch for Kubernetes secrets in these namespaces ignoring changes in all other namespaces.
   129  Proper RBAC rules should also be created to restrict what namespaces Contour has access matching the namespaces passed to the command line flag.
   130  An example of this is included in the [examples directory][1] and shows how you might create a namespace called `root-httproxy`.
   131  
   132  _**Note:** The restricted root namespace feature is only supported for HTTPProxy CRDs.
   133  `--root-namespaces` does not affect the operation of Ingress objects._
   134  
   135  [1]: {{< param github_url>}}/tree/{{< param version >}}/examples/root-rbac
   136  [2]: api/#projectcontour.io/v1.VirtualHost