You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
.Ingress controller operations and performance configuration fields definitions
61
75
[cols="3a,8a",options="header"]
62
76
|===
63
77
|Parameter |Description
64
78
65
-
|`clientTLS`
66
-
|`clientTLS` authenticates client access to the cluster and services; as a result, mutual TLS authentication is enabled. If not set, then client TLS is not enabled.
67
-
68
-
`clientTLS` has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`.
69
-
70
-
The `ClientCertificatePolicy` subfield accepts one of the two values: `Required` or `Optional`. The `ClientCA` subfield specifies a config map that is in the openshift-config namespace. The config map should contain a CA certificate bundle.
71
-
72
-
The `AllowedSubjectPatterns` is an optional value that specifies a list of regular expressions, which are matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use PCRE syntax. At least one pattern must match a client certificate's distinguished name; otherwise, the Ingress Controller rejects the certificate and denies the connection. If not specified, the Ingress Controller does not reject certificates based on the distinguished name.
79
+
|`certificateSecret`
80
+
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller.
73
81
74
-
|`defaultCertificate`
75
-
|The `defaultCertificate` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `defaultCertificate` is used.
76
-
77
-
The secret must contain the following keys and data:
78
-
* `tls.crt`: certificate file contents
79
-
* `tls.key`: key file contents
82
+
For information about creating a secret, see https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/configuring-certificates#replacing-default-ingress_replacing-default-ingress [Replacing the default ingress certificate].
80
83
81
84
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller `domain` and `subdomains`, and
82
85
the generated certificate's CA is automatically integrated with the
83
86
cluster's trust store.
84
87
85
88
The in-use certificate, whether generated or user-specified, is automatically integrated with {product-title} built-in OAuth server.
86
89
90
+
|`clientTLS`
91
+
|`clientTLS` authenticates client access to the cluster and services; as a result, mutual TLS authentication is enabled. If not set, then client TLS is not enabled.
92
+
93
+
`clientTLS` has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`.
94
+
95
+
The `ClientCertificatePolicy` subfield accepts one of the two values: `Required` or `Optional`. Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes. The `ClientCA` subfield specifies a config map that is in the openshift-ingress namespace. The config map should contain a CA certificate bundle. A config map is required for this field.
96
+
97
+
The `AllowedSubjectPatterns` is an optional value that specifies a list of regular expressions, which are matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use PCRE syntax. This field must contain a valid expression or the MicroShift service will fail. At least one pattern must match a client certificate's distinguished name; otherwise, the Ingress Controller rejects the certificate and denies the connection. If not specified, the Ingress Controller does not reject certificates based on the distinguished name.
98
+
87
99
|`defaultHTTPVersion`
88
100
|Sets the HTTP version for the ingress controller. Default value is `1` for HTTP 1.1.
89
101
//Q: do we need to configure a load balancer for 2 and 3?
@@ -96,76 +108,18 @@ The in-use certificate, whether generated or user-specified, is automatically in
96
108
* `IfNone` sets the headers set by specifying that the ingress controller sets the headers if they are not already set.
97
109
* `Never`, preserves any existing headers by specifying that the ingress controller never sets the headers.
98
110
99
-
|`httpCaptureCookies`
100
-
|`httpCaptureCookies` specifies HTTP cookies that you want to capture in access logs. If the `httpCaptureCookies` field is empty, the access logs do not capture the cookies.
101
-
102
-
For any cookie that you want to capture, the following parameters must be in your `IngressController` configuration:
103
-
104
-
* `name` specifies the name of the cookie.
105
-
* `maxLength` specifies tha maximum length of the cookie.
106
-
* `matchType` specifies if the field `name` of the cookie exactly matches the capture cookie setting or is a prefix of the capture cookie setting. The `matchType` field uses the `Exact` and `Prefix` parameters.
107
-
108
-
For example:
109
-
[source,yaml]
110
-
----
111
-
httpCaptureCookies:
112
-
- matchType: Exact
113
-
maxLength: 128
114
-
name: MYCOOKIE
115
-
----
116
-
117
-
|`httpCaptureHeaders`
118
-
|`httpCaptureHeaders` specifies the HTTP headers that you want to capture in the access logs. If the `httpCaptureHeaders` field is empty, the access logs do not capture the headers.
119
-
120
-
`httpCaptureHeaders` contains two lists of headers to capture in the access logs. The two lists of header fields are `request` and `response`. In both lists, the `name` field must specify the header name and the `maxlength` field must specify the maximum length of the header. For example:
121
-
122
-
[source,yaml]
123
-
----
124
-
httpCaptureHeaders:
125
-
request:
126
-
- maxLength: 256
127
-
name: Connection
128
-
- maxLength: 128
129
-
name: User-Agent
130
-
response:
131
-
- maxLength: 256
132
-
name: Content-Type
133
-
- maxLength: 256
134
-
name: Content-Length
135
-
----
136
-
137
111
|`httpCompression`
138
112
|Defines the policy for HTTP traffic compression.
139
113
140
-
* `httpCompression.mimeTypes` defines a list of or a single MIME type to which compression is applied. For example, `text/css; charset=utf-8`, `text/html`, `text/*`, `image/svg+xml`, `application/octet-stream`, `X-custom/customsub`, using the format pattern, `type/subtype; [;attribute=value]`. The `types` are: application, image, message, multipart, text, video, or a custom type prefaced by `X-`. To see the full notation for MIME types and subtypes, see link:https://datatracker.ietf.org/doc/html/rfc1341#page-7[RFC1341] (IETF Datatracker documentation).
141
-
142
-
|`httpEmptyRequestsPolicy`
114
+
* `httpCompression.mimeTypes` defines a list of or a single MIME type to which compression is applied. For example, `text/css; charset=utf-8`, `text/html`, `text/*`, `image/svg+xml`, `application/octet-stream`, `X-custom/customsub`, using the format pattern, `type/subtype; [;attribute=value]`. The `types` are: application, image, message, multipart, text, video, or a custom type prefaced by `X-`. To see the full notation for MIME types and subtypes, see link:hate
115
+
|`httpEmptyRequestsPolicy`ate
143
116
|Describes how HTTP connections are handled if the connection times out before a request is received. Allowed values for this field are `Respond` and `Ignore`. The default value is `Respond`. The following are valid values:
144
117
145
118
* `Respond`, causes the ingress controller to send an HTTP `400` or `408` response, logs the connection if access logging is enabled, and counts the connection in the appropriate metrics.
146
119
* `Ignore`, adds the `http-ignore-probes` parameter in the `HAproxy` configuration. If the field is set to `Ignore`, the ingress controller closes the connection without sending a response, then logs the connection or incrementing metrics.
147
120
148
121
Usually, empty request connections come from load balancer health probes or web browser preconnects and can be safely ignored. However, network errors and port scans can also create these empty requests, so setting this field to `Ignore` can impede detecting or diagnosing problems and also impede the detection of intrusion attempts.
149
122
150
-
|`httpErrorCodePages`
151
-
|`httpErrorCodePages` specifies custom HTTP error code response pages. By default, an IngressController uses error pages built into the IngressController image.
152
-
153
-
|`IngressControllerLogging`
154
-
|`logging` defines parameters for what is logged where. If this field is empty, operational logs are enabled but access logs are disabled.
155
-
156
-
* `access` describes how client requests are logged. If this field is empty, access logging is disabled.
157
-
** `destination` describes a destination for log messages.
158
-
*** `type` is the type of destination for logs:
159
-
**** `Container` specifies that logs should go to a sidecar container. The Ingress Operator configures the container, named *logs*, on the Ingress Controller pod and configures the Ingress Controller to write logs to the container. The expectation is that the administrator configures a custom logging solution that reads logs from this container. Using container logs means that logs may be dropped if the rate of logs exceeds the container runtime capacity or the custom logging solution capacity.
160
-
**** `Syslog` specifies that logs are sent to a Syslog endpoint. The administrator must specify an endpoint that can receive Syslog messages. The expectation is that the administrator has configured a custom Syslog instance.
161
-
*** `container` describes parameters for the `Container` logging destination type. Currently there are no parameters for container logging, so this field must be empty.
162
-
*** `syslog` describes parameters for the `Syslog` logging destination type:
163
-
**** `address` is the IP address of the syslog endpoint that receives log messages.
164
-
**** `port` is the UDP port number of the syslog endpoint that receives log messages.
165
-
**** `maxLength` is the maximum length of the syslog message. It must be between `480` and `4096` bytes. If this field is empty, the maximum length is set to the default value of `1024` bytes.
166
-
**** `facility` specifies the syslog facility of log messages. If this field is empty, the facility is `local1`. Otherwise, it must specify a valid syslog facility: `kern`, `user`, `mail`, `daemon`, `auth`, `syslog`, `lpr`, `news`, `uucp`, `cron`, `auth2`, `ftp`, `ntp`, `audit`, `alert`, `cron2`, `local0`, `local1`, `local2`, `local3`. `local4`, `local5`, `local6`, or `local7`.
167
-
** `httpLogFormat` specifies the format of the log message for an HTTP request. If this field is empty, log messages use the implementation's default HTTP log format. For HAProxy's default HTTP log format, see link:http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3[the HAProxy documentation].
168
-
169
123
|`logEmptyRequests`
170
124
|Specifies connections for which no request is received and logged. Usually, these empty requests come from load balancer health probes or web browser speculative connections such as preconnects. Logging these types of empty requests can be undesirable. However, network errors and port scans can also create empty requests, so setting this field to `Ignore` can impede detecting or diagnosing problems and also impede the detection of intrusion attempts.
171
125
@@ -193,7 +147,7 @@ The following are valid values:
193
147
194
148
If not set, the default value is based on the `apiservers.config.openshift.io/cluster` resource.
195
149
196
-
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout.
150
+
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout.`Intermediate` is the default setting.
197
151
198
152
The minimum TLS version for Ingress Controllers is `1.1`, and the maximum TLS version is `1.3`.
199
153
@@ -245,6 +199,7 @@ Setting this field is not recommended because increasing the number of `HAProxy`
245
199
* The `tuningOptions.tlsInspectDelay` parameter specifies how long the router can hold data to find a matching route. Setting this value too short can cause the router to fall back to the default certificate for edge-terminated, re-encrypted, or passthrough routes, even when using a better-matched certificate. The default inspect delay is `5s`.
246
200
247
201
* The `tuningOptions.tunnelTimeout` parameter specifies how long a tunnel connection, including websockets, remains open while the tunnel is idle. The default timeout is `1h`.
202
+
248
203
|===
249
204
250
205
. Complete any other configurations you require, then start or restart {microshift-short} by running one the following commands:
0 commit comments