apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.comWhen you create your OpenShift Container Platform cluster, pods and services running on the cluster are each allocated their own IP addresses. The IP addresses are accessible to other pods and services running nearby but are not accessible to outside clients. The Ingress Operator implements the IngressController API and is the component responsible for enabling external access to OpenShift Container Platform cluster services.
The Ingress Operator makes it possible for external clients to access your service by deploying and managing one or more HAProxy-based
Ingress Controllers to handle routing. You can use the Ingress Operator to route traffic by specifying OpenShift Container Platform Route and Kubernetes Ingress resources. Configurations within the Ingress Controller, such as the ability to define endpointPublishingStrategy type and internal load balancing, provide ways to publish Ingress Controller endpoints.
The installation program generates an asset with an Ingress resource in the config.openshift.io API group, cluster-ingress-02-config.yml.
Ingress resourceapiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.comThe installation program stores this asset in the cluster-ingress-02-config.yml file in the manifests/ directory. This Ingress resource defines the cluster-wide configuration for Ingress. This Ingress configuration is used as follows:
The Ingress Operator uses the domain from the cluster Ingress configuration as the domain for the default Ingress Controller.
The OpenShift API Server Operator uses the domain from the cluster Ingress configuration. This domain is also used when generating a default host for a Route resource that does not specify an explicit host.
The ingresscontrollers.operator.openshift.io resource offers the following
configuration parameters.
| Parameter | Description | ||||
|---|---|---|---|---|---|
|
The If empty, the default value is |
||||
|
|
||||
|
|
||||
|
If not set, the default value is based on
For most platforms, the |
||||
|
The The secret must contain the following keys and data:
* If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller The in-use certificate, whether generated or user-specified, is automatically integrated with OpenShift Container Platform built-in OAuth server. |
||||
|
|
||||
|
|
||||
|
If not set, the defaults values are used.
|
||||
|
If not set, the default value is based on the When using the The minimum TLS version for Ingress Controllers is
|
||||
|
The |
||||
|
|
||||
|
|
||||
|
By setting the By default, the policy is set to
By setting These adjustments are only applied to cleartext, edge-terminated, and re-encrypt routes, and only when using HTTP/1. For request headers, these adjustments are applied only for routes that have the |
||||
|
|
||||
|
|
||||
|
The
|
||||
|
The
These connections come from load balancer health probes or web browser speculative connections (preconnect) and can be safely ignored. However, these requests can be caused by network errors, so setting this field to |
|
All parameters are optional. |
TLS security profiles provide a way for servers to regulate which ciphers a connecting client can use when connecting to the server.
You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various OpenShift Container Platform components. The OpenShift Container Platform TLS security profiles are based on Mozilla recommended configurations.
You can specify one of the following TLS security profiles for each component:
| Profile | Description | ||
|---|---|---|---|
|
This profile is intended for use with legacy clients or libraries. The profile is based on the Old backward compatibility recommended configuration. The
|
||
|
This profile is the recommended configuration for the majority of clients. It is the default TLS security profile for the Ingress Controller, kubelet, and control plane. The profile is based on the Intermediate compatibility recommended configuration. The |
||
|
This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the Modern compatibility recommended configuration. The |
||
|
This profile allows you to define the TLS version and ciphers to use.
|
|
When using one of the predefined profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 might cause a new profile configuration to be applied, resulting in a rollout. |
To configure a TLS security profile for an Ingress Controller, edit the IngressController custom resource (CR) to specify a predefined or custom TLS security profile. If a TLS security profile is not configured, the default value is based on the TLS security profile set for the API server.
IngressController CR that configures the Old TLS security profileapiVersion: config.openshift.io/v1
kind: IngressController
...
spec:
tlsSecurityProfile:
old: {}
type: Old
...The TLS security profile defines the minimum TLS version and the TLS ciphers for TLS connections for Ingress Controllers.
You can see the ciphers and the minimum TLS version of the configured TLS security profile in the IngressController custom resource (CR) under Status.Tls Profile and the configured TLS security profile under Spec.Tls Security Profile. For the Custom TLS security profile, the specific ciphers and minimum TLS version are listed under both parameters.
|
The HAProxy Ingress Controller image supports TLS The Ingress Operator also converts the TLS |
You have access to the cluster as a user with the cluster-admin role.
Edit the IngressController CR in the openshift-ingress-operator project to configure the TLS security profile:
$ oc edit IngressController default -n openshift-ingress-operatorAdd the spec.tlsSecurityProfile field:
IngressController CR for a Custom profileapiVersion: operator.openshift.io/v1
kind: IngressController
...
spec:
tlsSecurityProfile:
type: Custom (1)
custom: (2)
ciphers: (3)
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11
...| 1 | Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate. |
| 2 | Specify the appropriate field for the selected type:
|
| 3 | For the custom type, specify a list of TLS ciphers and minimum accepted TLS version. |
Save the file to apply the changes.
Verify that the profile is set in the IngressController CR:
$ oc describe IngressController default -n openshift-ingress-operatorName: default
Namespace: openshift-ingress-operator
Labels: <none>
Annotations: <none>
API Version: operator.openshift.io/v1
Kind: IngressController
...
Spec:
...
Tls Security Profile:
Custom:
Ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
...You can configure the Ingress Controller to enable mutual TLS (mTLS) authentication by setting a spec.clientTLS value. The clientTLS value configures the Ingress Controller to verify client certificates. This configuration includes setting a clientCA value, which is a reference to a config map. The config map contains the PEM-encoded CA certificate bundle that is used to verify a client’s certificate. Optionally, you can configure a list of certificate subject filters.
If the clientCA value specifies an X509v3 certificate revocation list (CRL) distribution point, the Ingress Operator downloads the CRL and configures the Ingress Controller to acknowledge it. Requests that do not provide valid certificates are rejected.
You have access to the cluster as a user with the cluster-admin role.
Create a config map that is in the openshift-config namespace:
$ oc create configmap router-ca-certs-default --from-file=ca-bundle.pem=client-ca.crt -n openshift-config|
The config map data key must be |
Edit the IngressController resource in the openshift-ingress-operator project:
$ oc edit IngressController default -n openshift-ingress-operatorAdd the spec.clientTLS field and subfields to configure mutual TLS:
IngressController CR for a clientTLS profile that specifies filtering patterns apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
clientTLS:
clientCertificatePolicy: Required
clientCA:
name: router-ca-certs-default
allowedSubjectPatterns:
- "^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$"NodePortService endpoint publishing strategy
The NodePortService endpoint publishing strategy publishes the Ingress Controller using a Kubernetes NodePort service.
In this configuration, the Ingress Controller deployment uses container networking. A NodePortService is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift Container Platform; however, to support static port allocations, your changes to the node port field of the managed NodePortService are preserved.
|
The Ingress Operator ignores any updates to By default, ports are allocated automatically and you can access the port allocations for integrations. However, sometimes static port allocations are necessary to integrate with existing infrastructure which may not be easily reconfigured in response to dynamic ports. To achieve integrations with static node ports, you can update the managed service resource directly. |
For more information, see the Kubernetes Services documentation on NodePort.
HostNetwork endpoint publishing strategy
The HostNetwork endpoint publishing strategy publishes the Ingress Controller on node ports where the Ingress Controller is deployed.
An Ingress controller with the HostNetwork endpoint publishing strategy can have only one pod replica per node. If you want n replicas, you must use at least n nodes where those replicas can be scheduled. Because each pod replica requests ports 80 and 443 on the node host where it is scheduled, a replica cannot be scheduled to a node if another pod on the same node is using those ports.
The Ingress Operator is a core feature of OpenShift Container Platform and is enabled out of the box.
Every new OpenShift Container Platform installation has an ingresscontroller named default. It
can be supplemented with additional Ingress Controllers. If the default
ingresscontroller is deleted, the Ingress Operator will automatically recreate it
within a minute.
View the default Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/defaultYou can view and inspect the status of your Ingress Operator.
View your Ingress Operator status:
$ oc describe clusteroperators/ingressYou can view your Ingress Controller logs.
View your Ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operatorYour can view the status of a particular Ingress Controller.
View the status of an Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>As an administrator, you can configure an Ingress Controller to use a custom
certificate by creating a Secret resource and editing the IngressController
custom resource (CR).
You must have a certificate/key pair in PEM-encoded files, where the certificate is signed by a trusted certificate authority or by a private trusted certificate authority that you configured in a custom PKI.
Your certificate meets the following requirements:
The certificate is valid for the ingress domain.
The certificate uses the subjectAltName extension to specify a wildcard domain, such as *.apps.ocp4.example.com.
You must have an IngressController CR. You may use the default one:
$ oc --namespace openshift-ingress-operator get ingresscontrollersNAME AGE
default 10m|
If you have intermediate certificates, they must be included in the |
The following assumes that the custom certificate and key pair are in the
tls.crt and tls.key files in the current working directory. Substitute the
actual path names for tls.crt and tls.key. You also may substitute another
name for custom-certs-default when creating the Secret resource and
referencing it in the IngressController CR.
|
This action will cause the Ingress Controller to be redeployed, using a rolling deployment strategy. |
Create a Secret resource containing the custom certificate in the
openshift-ingress namespace using the tls.crt and tls.key files.
$ oc --namespace openshift-ingress create secret tls custom-certs-default --cert=tls.crt --key=tls.keyUpdate the IngressController CR to reference the new certificate secret:
$ oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default \
--patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'Verify the update was effective:
$ oc get --namespace openshift-ingress-operator ingresscontrollers/default \
--output jsonpath='{.spec.defaultCertificate}'map[name:custom-certs-default]|
You can alternatively apply the following YAML to set a custom default certificate: |
The certificate secret name should match the value used to update the CR.
Once the IngressController CR has been modified, the Ingress Operator updates the Ingress Controller’s deployment to use the custom certificate.
Manually scale an Ingress Controller to meeting routing performance or
availability requirements such as the requirement to increase throughput. oc
commands are used to scale the IngressController resource. The following
procedure provides an example for scaling up the default IngressController.
|
Scaling is not an immediate action, as it takes time to create the desired number of replicas. |
View the current number of available replicas for the default IngressController:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}'2Scale the default IngressController to the desired number of replicas using
the oc patch command. The following example scales the default IngressController
to 3 replicas:
$ oc patch -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"replicas": 3}}' --type=mergeingresscontroller.operator.openshift.io/default patchedVerify that the default IngressController scaled to the number of replicas
that you specified:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}'3|
You can alternatively apply the following YAML to scale an Ingress Controller to three replicas: |
| 1 | If you need a different amount of replicas, change the replicas value. |
You can configure the Ingress Controller to enable access logs. If you have clusters that do not receive much traffic, then you can log to a sidecar. If you have high traffic clusters, to avoid exceeding the capacity of the logging stack or to integrate with a logging infrastructure outside of OpenShift Container Platform, you can forward logs to a custom syslog endpoint. You can also specify the format for access logs.
Container logging is useful to enable access logs on low-traffic clusters when there is no existing Syslog logging infrastructure, or for short-term use while diagnosing problems with the Ingress Controller.
Syslog is needed for high-traffic clusters where access logs could exceed the OpenShift Logging stack’s capacity, or for environments where any logging solution needs to integrate with an existing Syslog logging infrastructure. The Syslog use-cases can overlap.
Log in as a user with cluster-admin privileges.
Configure Ingress access logging to a sidecar.
To configure Ingress access logging, you must specify a destination using spec.logging.access.destination. To specify logging to a sidecar container, you must specify Container spec.logging.access.destination.type. The following example is an Ingress Controller definition that logs to a Container destination:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
replicas: 2
endpointPublishingStrategy:
type: NodePortService (1)
logging:
access:
destination:
type: Container| 1 | NodePortService is not required to configure Ingress access logging to a sidecar. Ingress logging is compatible with any endpointPublishingStrategy. |
When you configure the Ingress Controller to log to a sidecar, the operator creates a container named logs inside the Ingress Controller Pod:
$ oc -n openshift-ingress logs deployment.apps/router-default -c logs2020-05-11T19:11:50.135710+00:00 router-default-57dfc6cd95-bpmk6 router-default-57dfc6cd95-bpmk6 haproxy[108]: 174.19.21.82:39654 [11/May/2020:19:11:50.133] public be_http:hello-openshift:hello-openshift/pod:hello-openshift:hello-openshift:10.128.2.12:8080 0/0/1/0/1 200 142 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"Configure Ingress access logging to a Syslog endpoint.
To configure Ingress access logging, you must specify a destination using spec.logging.access.destination. To specify logging to a Syslog endpoint destination, you must specify Syslog for spec.logging.access.destination.type. If the destination type is Syslog, you must also specify a destination endpoint using spec.logging.access.destination.syslog.endpoint and you can specify a facility using spec.logging.access.destination.syslog.facility. The following example is an Ingress Controller definition that logs to a Syslog destination:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
replicas: 2
endpointPublishingStrategy:
type: NodePortService
logging:
access:
destination:
type: Syslog
syslog:
address: 1.2.3.4
port: 10514|
The |
Configure Ingress access logging with a specific log format.
You can specify spec.logging.access.httpLogFormat to customize the log format. The following example is an Ingress Controller definition that logs to a syslog endpoint with IP address 1.2.3.4 and port 10514:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
replicas: 2
endpointPublishingStrategy:
type: NodePortService
logging:
access:
destination:
type: Syslog
syslog:
address: 1.2.3.4
port: 10514
httpLogFormat: '%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV'Disable Ingress access logging.
To disable Ingress access logging, leave spec.logging or spec.logging.access empty:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
replicas: 2
endpointPublishingStrategy:
type: NodePortService
logging:
access: nullA cluster administrator can set the thread count to increase the amount of incoming connections a cluster can handle. You can patch an existing Ingress Controller to increase the amount of threads.
The following assumes that you already created an Ingress Controller.
Update the Ingress Controller to increase the number of threads:
$ oc -n openshift-ingress-operator patch ingresscontroller/default --type=merge -p '{"spec":{"tuningOptions": {"threadCount": 8}}}'|
If you have a node that is capable of running large amounts of resources, you can configure |
As the primary mechanism for traffic to enter the cluster, the demands on the Ingress Controller, or router, can be significant. As a cluster administrator, you can shard the routes to:
Balance Ingress Controllers, or routers, with several routes to speed up responses to changes.
Allocate certain routes to have different reliability guarantees than other routes.
Allow certain Ingress Controllers to have different policies defined.
Allow only specific routes to use additional features.
Expose different routes on different addresses so that internal and external users can see different routes, for example.
Ingress Controller can use either route labels or namespace labels as a sharding method.
Ingress Controller sharding by using route labels means that the Ingress Controller serves any route in any namespace that is selected by the route selector.
Ingress Controller sharding is useful when balancing incoming traffic load among a set of Ingress Controllers and when isolating traffic to a specific Ingress Controller. For example, company A goes to one Ingress Controller and company B to another.
Edit the router-internal.yaml file:
# cat router-internal.yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: sharded
namespace: openshift-ingress-operator
spec:
domain: <apps-sharded.basedomain.example.net>
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/worker: ""
routeSelector:
matchLabels:
type: sharded
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""Apply the Ingress Controller router-internal.yaml file:
# oc apply -f router-internal.yamlThe Ingress Controller selects routes in any namespace that have the label
type: sharded.
Ingress Controller sharding by using namespace labels means that the Ingress Controller serves any route in any namespace that is selected by the namespace selector.
Ingress Controller sharding is useful when balancing incoming traffic load among a set of Ingress Controllers and when isolating traffic to a specific Ingress Controller. For example, company A goes to one Ingress Controller and company B to another.
Edit the router-internal.yaml file:
# cat router-internal.yamlapiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: sharded
namespace: openshift-ingress-operator
spec:
domain: <apps-sharded.basedomain.example.net>
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/worker: ""
namespaceSelector:
matchLabels:
type: sharded
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""Apply the Ingress Controller router-internal.yaml file:
# oc apply -f router-internal.yamlThe Ingress Controller selects routes in any namespace that is selected by the
namespace selector that have the label type: sharded.
When creating an Ingress Controller on cloud platforms, the Ingress Controller is published by a public cloud load balancer by default. As an administrator, you can create an Ingress Controller that uses an internal cloud load balancer.
|
If your cloud provider is Microsoft Azure, you must have at least one public load balancer that points to your nodes. If you do not, all of your nodes will lose egress connectivity to the internet. |
|
If you want to change the |
See the Kubernetes Services documentation for implementation details.
Install the OpenShift CLI (oc).
Log in as a user with cluster-admin privileges.
Create an IngressController custom resource (CR) in a file named <name>-ingress-controller.yaml, such as in the following example:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
namespace: openshift-ingress-operator
name: <name> (1)
spec:
domain: <domain> (2)
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: Internal (3)| 1 | Replace <name> with a name for the IngressController object. |
| 2 | Specify the domain for the application published by the controller. |
| 3 | Specify a value of Internal to use an internal load balancer. |
Create the Ingress Controller defined in the previous step by running the following command:
$ oc create -f <name>-ingress-controller.yaml (1)| 1 | Replace <name> with the name of the IngressController object. |
Optional: Confirm that the Ingress Controller was created by running the following command:
$ oc --all-namespaces=true get ingresscontrollersAn Ingress Controller created on GCP with an internal load balancer generates an internal IP address for the service. A cluster administrator can specify the global access option, which enables clients in any region within the same VPC network and compute region as the load balancer, to reach the workloads running on your cluster.
For more information, see the GCP documentation for global access.
You deployed an OpenShift Container Platform cluster on GCP infrastructure.
You configured an Ingress Controller to use an internal load balancer.
You installed the OpenShift CLI (oc).
Configure the Ingress Controller resource to allow global access.
|
You can also create an Ingress Controller and specify the global access option. |
Configure the Ingress Controller resource:
$ oc -n openshift-ingress-operator edit ingresscontroller/defaultEdit the YAML file:
clientAccess configuration to Global spec:
endpointPublishingStrategy:
loadBalancer:
providerParameters:
gcp:
clientAccess: Global (1)
type: GCP
scope: Internal
type: LoadBalancerService| 1 | Set gcp.clientAccess to Global. |
Save the file to apply the changes.
Run the following command to verify that the service allows global access:
$ oc -n openshift-ingress edit svc/router-default -o yamlThe output shows that global access is enabled for GCP with the annotation, networking.gke.io/internal-load-balancer-allow-global-access.
You can configure the default Ingress Controller for your cluster to be internal by deleting and recreating it.
|
If your cloud provider is Microsoft Azure, you must have at least one public load balancer that points to your nodes. If you do not, all of your nodes will lose egress connectivity to the internet. |
|
If you want to change the |
Install the OpenShift CLI (oc).
Log in as a user with cluster-admin privileges.
Configure the default Ingress Controller for your cluster to be internal by deleting and recreating it.
$ oc replace --force --wait --filename - <<EOF
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
namespace: openshift-ingress-operator
name: default
spec:
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: Internal
EOFAdministrators and application developers can run applications in multiple namespaces with the same domain name. This is for organizations where multiple teams develop microservices that are exposed on the same hostname.
|
Allowing claims across namespaces should only be enabled for clusters with trust between namespaces, otherwise a malicious user could take over a hostname. For this reason, the default admission policy disallows hostname claims across namespaces. |
Cluster administrator privileges.
Edit the .spec.routeAdmission field of the ingresscontroller resource variable using the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=mergespec:
routeAdmission:
namespaceOwnership: InterNamespaceAllowed
...|
You can alternatively apply the following YAML to configure the route admission policy: |
The HAProxy Ingress Controller has support for wildcard routes. The Ingress Operator uses wildcardPolicy to configure the ROUTER_ALLOW_WILDCARD_ROUTES environment variable of the Ingress Controller.
The default behavior of the Ingress Controller is to admit routes with a wildcard policy of None, which is backwards compatible with existing IngressController resources.
Configure the wildcard policy.
Use the following command to edit the IngressController resource:
$ oc edit IngressControllerUnder spec, set the wildcardPolicy field to WildcardsDisallowed or WildcardsAllowed:
spec:
routeAdmission:
wildcardPolicy: WildcardsDisallowed # or WildcardsAllowedYou configure the HAProxy Ingress Controller to specify a policy for how to handle HTTP headers including Forwarded and X-Forwarded-For. The Ingress Operator uses the HTTPHeaders field to configure the ROUTER_SET_FORWARDED_HEADERS environment variable of the Ingress Controller.
Configure the HTTPHeaders field for the Ingress Controller.
Use the following command to edit the IngressController resource:
$ oc edit IngressControllerUnder spec, set the HTTPHeaders policy field to Append, Replace, IfNone, or Never:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
httpHeaders:
forwardedHeaderPolicy: AppendAs a cluster administrator, you can:
Configure an external proxy that injects the X-Forwarded-For header into each request before forwarding it to an Ingress Controller.
To configure the Ingress Controller to pass the header through unmodified, you specify the never policy. The Ingress Controller then never sets the headers, and applications receive only the headers that the external proxy provides.
Configure the Ingress Controller to pass the X-Forwarded-For header that your external proxy sets on external cluster requests through unmodified.
To configure the Ingress Controller to set the X-Forwarded-For header on internal cluster requests, which do not go through the external proxy, specify the if-none policy. If an HTTP request already has the header set through the external proxy, then the Ingress Controller preserves it. If the header is absent because the request did not come through the proxy, then the Ingress Controller adds the header.
As an application developer, you can:
Configure an application-specific external proxy that injects the X-Forwarded-For header.
To configure an Ingress Controller to pass the header through unmodified for an application’s Route, without affecting the policy for other Routes, add an annotation haproxy.router.openshift.io/set-forwarded-headers: if-none or haproxy.router.openshift.io/set-forwarded-headers: never on the Route for the application.
|
You can set the |
You can enable transparent end-to-end HTTP/2 connectivity in HAProxy. It allows application owners to make use of HTTP/2 protocol capabilities, including single connection, header compression, binary streams, and more.
You can enable HTTP/2 connectivity for an individual Ingress Controller or for the entire cluster.
To enable the use of HTTP/2 for the connection from the client to HAProxy, a route must specify a custom certificate. A route that uses the default certificate cannot use HTTP/2. This restriction is necessary to avoid problems from connection coalescing, where the client re-uses a connection for different routes that use the same certificate.
The connection from HAProxy to the application pod can use HTTP/2 only for re-encrypt routes and not for edge-terminated or insecure routes. This restriction is because HAProxy uses Application-Level Protocol Negotiation (ALPN), which is a TLS extension, to negotiate the use of HTTP/2 with the back-end. The implication is that end-to-end HTTP/2 is possible with passthrough and re-encrypt and not with insecure or edge-terminated routes.
|
For non-passthrough routes, the Ingress Controller negotiates its connection to the application independently of the connection from the client. This means a client may connect to the Ingress Controller and negotiate HTTP/1.1, and the Ingress Controller may then connect to the application, negotiate HTTP/2, and forward the request from the client HTTP/1.1 connection using the HTTP/2 connection to the application. This poses a problem if the client subsequently tries to upgrade its connection from HTTP/1.1 to the WebSocket protocol, because the Ingress Controller cannot forward WebSocket to HTTP/2 and cannot upgrade its HTTP/2 connection to WebSocket. Consequently, if you have an application that is intended to accept WebSocket connections, it must not allow negotiating the HTTP/2 protocol or else clients will fail to upgrade to the WebSocket protocol. |
Enable HTTP/2 on a single Ingress Controller.
To enable HTTP/2 on an Ingress Controller, enter the oc annotate command:
$ oc -n openshift-ingress-operator annotate ingresscontrollers/<ingresscontroller_name> ingress.operator.openshift.io/default-enable-http2=trueReplace <ingresscontroller_name> with the name of the Ingress Controller to annotate.
Enable HTTP/2 on the entire cluster.
To enable HTTP/2 for the entire cluster, enter the oc annotate command:
$ oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true|
You can alternatively apply the following YAML to add the annotation: |
A cluster administrator can configure the PROXY protocol when an Ingress Controller uses either the HostNetwork or NodePortService endpoint publishing strategy types. The PROXY protocol enables the load balancer to preserve the original client addresses for connections that the Ingress Controller receives. The original client addresses are useful for logging, filtering, and injecting HTTP headers. In the default configuration, the connections that the Ingress Controller receives only contain the source address that is associated with the load balancer.
This feature is not supported in cloud deployments. This restriction is because when OpenShift Container Platform runs in a cloud platform, and an IngressController specifies that a service load balancer should be used, the Ingress Operator configures the load balancer service and enables the PROXY protocol based on the platform requirement for preserving source addresses.
|
To prevent connection failure, configure both the Ingress Controller and the load balancer to use the PROXY protocol. |
You created an Ingress Controller.
Edit the Ingress Controller resource:
$ oc -n openshift-ingress-operator edit ingresscontroller/defaultSet the PROXY configuration:
If your Ingress Controller uses the hostNetwork endpoint publishing strategy type, set the spec.endpointPublishingStrategy.hostNetwork.protocol subfield to PROXY:
hostNetwork configuration to PROXY spec:
endpointPublishingStrategy:
hostNetwork:
protocol: PROXY
type: HostNetworkIf your Ingress Controller uses the NodePortService endpoint publishing strategy type, set the spec.endpointPublishingStrategy.nodePort.protocol subfield to PROXY:
nodePort configuration to PROXY spec:
endpointPublishingStrategy:
nodePort:
protocol: PROXY
type: NodePortServiceAs a cluster administrator, you can specify an alternative to the default cluster domain for user-created routes by configuring the appsDomain field. The appsDomain field is an optional domain for AWS infrastructure to use instead of the default, which is specified in the domain field. If you specify an alternative domain, it overrides the default cluster domain for the purpose of determining the default host for a new route.
For example, you can use the DNS domain for your company as the default domain for routes and ingresses for applications running on your cluster.
You deployed an OpenShift Container Platform cluster on AWS infrastructure.
You installed the oc command line interface.
Configure the appsDomain field by specifying an alternative default domain for user-created routes.
Edit the Ingress Controller Operator:
$ oc edit ingresses.config/cluster -o yamlEdit the YAML file:
appsDomain configuration to test.example.comapiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: apps.example.com (1)
appsDomain: <test.example.com> (2)| 1 | Default domain |
| 2 | Optional: Domain for AWS infrastructure to use for application routes. Instead of the default prefix, apps, you can use an alternative prefix like test. |
Verify that an existing route contains the domain name specified in the appsDomain field by exposing the route and verifying the route domain change:
|
Wait for the |
Expose the route:
$ oc expose service hello-openshift
route.route.openshift.io/hello-openshift exposed$ oc get routes
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
hello-openshift hello_openshift-<my_project>.test.example.com
hello-openshift 8080-tcp NoneHAProxy 2.2 lowercases HTTP header names by default, for example, changing Host: xyz.com to host: xyz.com. If legacy applications are sensitive to the capitalization of HTTP header names, use the Ingress Controller spec.httpHeaders.headerNameCaseAdjustments API field for a solution to accommodate legacy applications until they can be fixed.
|
Because OpenShift Container Platform 4.9 includes HAProxy 2.2, make sure to add the necessary configuration by using |
You have installed the OpenShift CLI (oc).
You have access to the cluster as a user with the cluster-admin role.
As a cluster administrator, you can convert the HTTP header case by entering the oc patch command or by setting the HeaderNameCaseAdjustments field in the Ingress Controller YAML file.
Specify an HTTP header to be capitalized by entering the oc patch command.
Enter the oc patch command to change the HTTP host header to Host:
$ oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"httpHeaders":{"headerNameCaseAdjustments":["Host"]}}}'Annotate the route of the application:
$ oc annotate routes/my-application haproxy.router.openshift.io/h1-adjust-case=trueThe Ingress Controller then adjusts the host request header as specified.
Specify adjustments using the HeaderNameCaseAdjustments field by configuring the Ingress Controller YAML file.
The following example Ingress Controller YAML adjusts the host header to Host for HTTP/1 requests to appropriately annotated routes:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
httpHeaders:
headerNameCaseAdjustments:
- HostThe following example route enables HTTP response header name case adjustments using the haproxy.router.openshift.io/h1-adjust-case annotation:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
haproxy.router.openshift.io/h1-adjust-case: true (1)
name: my-application
namespace: my-application
spec:
to:
kind: Service
name: my-application| 1 | Set haproxy.router.openshift.io/h1-adjust-case to true. |
As a cluster administrator, you can specify a custom error code response page for either 503, 404, or both error pages. The HAProxy router serves a 503 error page when the application pod is not running or a 404 error page when the requested URL does not exist. For example, if you customize the 503 error code response page, then the page is served when the application pod is not running, and the default 404 error code HTTP response page is served by the HAProxy router for an incorrect route or a non-existing route.
Custom error code response pages are specified in a config map then patched to the Ingress Controller. The config map keys have two available file names as follows:
error-page-503.http and error-page-404.http.
Custom HTTP error code response pages must follow the HAProxy HTTP error page configuration guidelines. Here is an example of the default OpenShift Container Platform HAProxy router http 503 error code response page. You can use the default content as a template for creating your own custom page.
By default, the HAProxy router serves only a 503 error page when the application is not running or when the route is incorrect or non-existent. This default behavior is the same as the behavior on OpenShift Container Platform 4.8 and earlier. If a config map for the customization of an HTTP error code response is not provided, and you are using a custom HTTP error code response page, the router serves a default 404 or 503 error code response page.
|
If you use the OpenShift Container Platform default 503 error code page as a template for your customizations, the headers in the file require an editor that can use CRLF line endings. |
Create a config map named my-custom-error-code-pages in the openshift-config namespace:
$ oc -n openshift-config create configmap my-custom-error-code-pages \
--from-file=error-page-503.http \
--from-file=error-page-404.http|
If you do not specify the correct format for the custom error code response page, a router pod outage occurs. To resolve this outage, you must delete or correct the config map and delete the affected router pods so they can be recreated with the correct information. |
Patch the Ingress Controller to reference the my-custom-error-code-pages config map by name:
$ oc patch -n openshift-ingress ingresscontroller/default --patch '{"spec":{"httpErrorCodePages": "my-custom-error-code-pages"}}' --type=mergeThe Ingress Operator copies the my-custom-error-code-pages config map from the openshift-config namespace to the openshift-ingress namespace. The Operator names the config map according to the pattern, <your_ingresscontroller_name>-errorpages, in the openshift-ingress namespace.
Display the copy:
$ oc get cm default-errorpages -n openshift-ingressNAME DATA AGE default-errorpages 2 25s (1)
| 1 | The example config map name is default-errorpages because the default Ingress Controller custom resource (CR) was patched. |
Confirm that the config map containing the custom error response page mounts on the router volume where the config map key is the filename that has the custom HTTP error code response:
For 503 custom HTTP custom error code response:
$ oc -n openshift-ingress rsh <router_pod> cat /var/lib/haproxy/conf/error_code_pages/error-page-503.httpFor 404 custom HTTP custom error code response:
$ oc -n openshift-ingress rsh <router_pod> cat /var/lib/haproxy/conf/error_code_pages/error-page-404.httpVerify your custom error code HTTP response:
Create a test project and application:
$ oc new-project test-ingress$ oc new-app django-psql-exampleFor 503 custom http error code response:
Stop all the pods for the application.
Run the following curl command or visit the route hostname in the browser:
$ curl -vk <route_hostname>For 404 custom http error code response:
Visit a non-existent route or an incorrect route.
Run the following curl command or visit the route hostname in the browser:
$ curl -vk <route_hostname>Check if the errorfile attribute is properly in the haproxy.config file:
$ oc -n openshift-ingress rsh <router> cat /var/lib/haproxy/conf/haproxy.config | grep errorfile