domain is a DNS name serviced by the Ingress Controller and is used to configure multiple features:
- For the LoadBalancerService endpoint publishing strategy, domain is used to configure DNS records. See endpointPublishingStrategy.
- When using a generated default certificate, the certificate is valid for domain and its subdomains. See defaultCertificate.
- The value is published to individual Route statuses so that users know where to target external DNS records.
The domain value must be unique among all Ingress Controllers and cannot be updated.
If empty, the default value is ingress.config.openshift.io/cluster .spec.domain.
replicas is the desired number of Ingress Controller replicas. If not set, the default value is 2.
endpointPublishingStrategy is used to publish the Ingress Controller endpoints to other networks, enable load balancer integrations, and provide access to other systems.
If not set, the default value is based on infrastructure.config.openshift.io/cluster .status.platform:
- Amazon Web Services (AWS): LoadBalancerService (with External scope)
- Azure: LoadBalancerService (with External scope)
- Google Cloud Platform (GCP): LoadBalancerService (with External scope)
- Bare metal: NodePortService
- Other: HostNetwork
HostNetwork has a hostNetwork field with the following default values for the optional binding ports: httpPort: 80, httpsPort: 443, and statsPort: 1936.
With the binding ports, you can deploy multiple Ingress Controllers on the same node for the HostNetwork strategy.
Example:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: internal
  namespace: openshift-ingress-operator
spec:
  domain: example.com
  endpointPublishingStrategy:
    type: HostNetwork
    hostNetwork:
      httpPort: 80
      httpsPort: 443
      statsPort: 1936
On Red Hat OpenStack Platform (RHOSP), the LoadBalancerService endpoint publishing strategy is only supported if a cloud provider is configured to create health monitors. For RHOSP 16.1 and 16.2, this strategy is only possible if you use the Amphora Octavia provider.
For more information, see the "Setting cloud provider options" section of the RHOSP installation documentation.
For most platforms, the endpointPublishingStrategy value can be updated. On GCP, you can configure the following endpointPublishingStrategy fields:
The defaultCertificate value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, defaultCertificate is used.
The secret must contain the following keys and data:
* tls.crt: certificate file contents
* tls.key: key file contents
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller domain and subdomains, and the generated certificate's CA is automatically integrated with the cluster's trust store.
The in-use certificate, whether generated or user-specified, is automatically integrated with the OpenShift Container Platform built-in OAuth server.
namespaceSelector is used to filter the set of namespaces serviced by the Ingress Controller. This is useful for implementing shards.
routeSelector is used to filter the set of Routes serviced by the Ingress Controller. This is useful for implementing shards.
nodePlacement enables explicit control over the scheduling of the Ingress Controller.
If not set, the default values are used.
The nodePlacement parameter includes two parts, nodeSelector and tolerations. For example:
nodePlacement:
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
  tolerations:
  - effect: NoSchedule
    operator: Exists
tlsSecurityProfile specifies settings for TLS connections for Ingress Controllers.
If not set, the default value is based on the apiservers.config.openshift.io/cluster resource.
When using the Old, Intermediate, and Modern profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout.
The minimum TLS version for Ingress Controllers is 1.1, and the maximum TLS version is 1.3.
Ciphers and the minimum TLS version of the configured security profile are reflected in the TLSProfile status.
The Ingress Operator converts the TLS 1.0 of an Old or Custom profile to 1.1.
clientTLS authenticates client access to the cluster and services; as a result, mutual TLS authentication is enabled. If not set, then client TLS is not enabled.
clientTLS has the required subfields spec.clientTLS.clientCertificatePolicy and spec.clientTLS.clientCA.
The clientCertificatePolicy subfield accepts one of two values: Required or Optional. The clientCA subfield specifies a config map that is in the openshift-config namespace. The config map should contain a CA certificate bundle.
allowedSubjectPatterns is an optional field that specifies a list of regular expressions, which are matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use PCRE syntax. At least one pattern must match a client certificate's distinguished name; otherwise, the Ingress Controller rejects the certificate and denies the connection. If not specified, the Ingress Controller does not reject certificates based on the distinguished name.
routeAdmission defines a policy for handling new route claims, such as allowing or denying claims across namespaces.
namespaceOwnership describes how hostname claims across namespaces should be handled. The default is Strict.
wildcardPolicy describes how routes with wildcard policies are handled by the Ingress Controller.
- WildcardsAllowed: Indicates routes with any wildcard policy are admitted by the Ingress Controller.
- WildcardsDisallowed: Indicates only routes with a wildcard policy of None are admitted by the Ingress Controller. Updating wildcardPolicy from WildcardsAllowed to WildcardsDisallowed causes admitted routes with a wildcard policy of Subdomain to stop working. These routes must be recreated with a wildcard policy of None to be readmitted by the Ingress Controller. WildcardsDisallowed is the default setting.
logging defines parameters for what is logged where. If this field is empty, operational logs are enabled but access logs are disabled.
httpHeaders defines the policy for HTTP headers.
By setting the forwardedHeaderPolicy for the IngressControllerHTTPHeaders, you specify when and how the Ingress Controller sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version HTTP headers.
By default, the policy is set to Append.
- Append specifies that the Ingress Controller appends the headers, preserving any existing headers.
- Replace specifies that the Ingress Controller sets the headers, removing any existing headers.
- IfNone specifies that the Ingress Controller sets the headers if they are not already set.
- Never specifies that the Ingress Controller never sets the headers, preserving any existing headers.
By setting headerNameCaseAdjustments, you can specify case adjustments that can be applied to HTTP header names. Each adjustment is specified as an HTTP header name with the desired capitalization. For example, specifying X-Forwarded-For indicates that the x-forwarded-for HTTP header should be adjusted to have the specified capitalization.
These adjustments are only applied to cleartext, edge-terminated, and re-encrypt routes, and only when using HTTP/1.
For request headers, these adjustments are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true annotation. For response headers, these adjustments are applied to all HTTP responses. If this field is empty, no request headers are adjusted.
httpCompression defines the policy for HTTP traffic compression.
- mimeTypes defines a list of MIME types to which compression should be applied. For example: text/css; charset=utf-8, text/html, text/*, image/svg+xml, application/octet-stream, X-custom/customsub, using the format pattern type/subtype[;attribute=value]. The types are application, image, message, multipart, text, video, or a custom type prefixed with X-. For the full notation for MIME types and subtypes, see RFC 1341.
httpErrorCodePages specifies custom HTTP error code response pages. By default, an IngressController uses error pages built into the IngressController image.
tuningOptions specifies options for tuning the performance of Ingress Controller pods.
- clientFinTimeout specifies how long a connection is held open while waiting for the client response to the server closing the connection. The default timeout is 1s.
- clientTimeout specifies how long a connection is held open while waiting for a client response. The default timeout is 30s.
- headerBufferBytes specifies how much memory is reserved, in bytes, for Ingress Controller connection sessions. This value must be at least 16384 if HTTP/2 is enabled for the Ingress Controller. If not set, the default
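The following checker is added here and is not Ingress Operator code; it encodes the constraints stated above for clientTLS (allowedSubjectPatterns matching against a client certificate DN, the two clientCertificatePolicy values, the clientCA config map), tlsSecurityProfile (TLS 1.0 raised to 1.1), routeAdmission, httpHeaders and tuningOptions, so an IngressController spec can be linted before it is applied. It assumes Python's re module in place of HAProxy's PCRE engine and the VersionTLS10/VersionTLS11 enum strings of the config.openshift.io TLS profile API; the sample spec values in the comments are constructed.

```python
import re
from typing import Any

# Added checker built from the parameter descriptions on this page; not
# Ingress Operator code. Python's re stands in for HAProxy's PCRE engine.
# VersionTLS10/VersionTLS11 are assumed from the config.openshift.io API.

FORWARDED_POLICIES = {"Append", "Replace", "IfNone", "Never"}
WILDCARD_POLICIES = {"WildcardsAllowed", "WildcardsDisallowed"}


def dn_admitted(dn: str, allowed_subject_patterns: list[str]) -> bool:
    """clientTLS.allowedSubjectPatterns: with no patterns the DN is never
    rejected; otherwise at least one pattern must match the DN."""
    if not allowed_subject_patterns:
        return True
    return any(re.search(p, dn) for p in allowed_subject_patterns)


def effective_min_tls(configured: str) -> str:
    """The Ingress Operator raises a configured TLS 1.0 minimum to 1.1."""
    return "VersionTLS11" if configured == "VersionTLS10" else configured


def lint_spec(spec: dict[str, Any], http2_enabled: bool = False) -> list[str]:
    """Return the documented constraints that an IngressController spec violates."""
    problems: list[str] = []
    client_tls = spec.get("clientTLS")
    if client_tls is not None:
        if client_tls.get("clientCertificatePolicy") not in ("Required", "Optional"):
            problems.append("clientTLS.clientCertificatePolicy must be Required or Optional")
        if not client_tls.get("clientCA", {}).get("name"):
            problems.append("clientTLS.clientCA must name a config map in openshift-config")
        for pat in client_tls.get("allowedSubjectPatterns", []):
            try:
                re.compile(pat)
            except re.error:
                problems.append(f"allowedSubjectPatterns: {pat!r} is not a valid regex")
    fwd = spec.get("httpHeaders", {}).get("forwardedHeaderPolicy", "Append")
    if fwd not in FORWARDED_POLICIES:
        problems.append(f"httpHeaders.forwardedHeaderPolicy: unknown value {fwd!r}")
    wildcard = spec.get("routeAdmission", {}).get("wildcardPolicy", "WildcardsDisallowed")
    if wildcard not in WILDCARD_POLICIES:
        problems.append(f"routeAdmission.wildcardPolicy: unknown value {wildcard!r}")
    buf = spec.get("tuningOptions", {}).get("headerBufferBytes")
    if http2_enabled and buf is not None and buf < 16384:
        problems.append("tuningOptions.headerBufferBytes must be at least 16384 with HTTP/2")
    return problems
```

Feed it the spec section of an IngressController manifest (for example the parsed YAML of the HostNetwork example above) and a list of findings comes back; an empty list means every documented constraint is satisfied.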