[WIP] OSDOCS-13371-2: Ingress security parameters MicroShift #91560
Conversation
@tedaveryredhat: This pull request references OSDOCS-13371 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
🤖 Mon May 19 18:32:00 - Prow CI generated the docs preview:
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller `domain` and `subdomains`, and | ||
the generated certificate's CA is automatically integrated with the | ||
cluster's trust store. |
🤖 [error] RedHat.TermsErrors: Use 'truststore' rather than 'trust store'. For more information, see RedHat.TermsErrors.
`clientTLS` has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`. | ||
The `ClientCertificatePolicy` subfield accepts one of the two values: `Required` or `Optional`. Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes. The `ClientCA` subfield specifies a config map that is in the openshift-ingress namespace. The config map should contain a CA certificate bundle. A config map is required for this field. |
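Review bot: the two `clientTLS` subfields are cased inconsistently within this hunk: `spec.clientTLS.clientCertificatePolicy` (lowerCamel) sits next to `spec.clientTLS.ClientCA` (UpperCamel), and the description then uses `ClientCertificatePolicy` and `ClientCA`. YAML keys are case-sensitive, so a reader who copies the wrong form gets a key that is silently ignored rather than rejected. Pick one spelling and use it everywhere; lowerCamel matches the other keys in this table (`certificateSecret`, `logEmptyRequests`) and the first occurrence, so `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.clientCA` are the natural choice. It would also help to say what happens when `Required` is set and the client presents no certificate or one not signed by a CA in the bundle (the connection is refused), since that is the security-relevant consequence a reader chooses this value for.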
🤖 [error] RedHat.TermsErrors: Use 'plain text' rather than 'cleartext'. For more information, see RedHat.TermsErrors.
Compare 5352e9d to fa1d60b
@@ -57,11 +71,31 @@ ingress: | |||
# ... | |||
---- | |||
+ | |||
.Ingress controller configuration fields definitions table | |||
.Ingress controller operations and performance configuration fields definitions |
@tedaveryredhat, if we are going to keep it in the same page, can we separate this into a new table called "Ingress controller security configuration fields definitions"? This is not related to operations and performance.
[cols="3a,8a",options="header"] | ||
|=== | ||
|Parameter |Description | ||
|`certificateSecret` | ||
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. |
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. | |
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.**atehe** Ingress Controller. |
typo?
|`certificateSecret` | ||
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. | ||
For information about creating a secret, see https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/configuring-certificates#replacing-default-ingress_replacing-default-ingress [Replacing the default ingress certificate]. |
This doc is for OpenShift; the main difference is the namespace name. We don't use the openshift-config namespace, we use openshift-ingress, so the secret has to be created there.
resolved
If not set, the default value is based on the `apiservers.config.openshift.io/cluster` resource. | ||
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout. `Intermediate` is the default setting. |
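Review bot: the default for the TLS security profile is stated twice in this hunk and the two statements disagree: "If not set, the default value is based on the `apiservers.config.openshift.io/cluster` resource" at the top, versus "`Intermediate` is the default setting" at the end of the paragraph. Keep one. If the profile really falls back to `Intermediate` when unset, say that and drop the `apiservers.config.openshift.io/cluster` sentence, which reads as carried over from the OpenShift Container Platform page; if the default is inherited from another resource, name the MicroShift resource it actually comes from. Either way, a reader choosing `Old` should be told plainly that it enables TLS 1.0/1.1-era cipher suites that the other profiles exclude, since that is the reason to avoid it.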
We don't have a concept of rollouts (it's for operators only), so this upgrade comment is not relevant.
this is resolved
Compare fa1d60b to 46f5366
@@ -57,11 +71,36 @@ ingress: | |||
# ... | |||
---- | |||
+ | |||
.Ingress controller configuration fields definitions table | |||
.Ingress controller configuration fields definitions |
.Ingress controller configuration fields definitions | |
.Ingress controller configuration fields definitions table |
let's leave "table" in for accessibility
Compare 46f5366 to 2f16f99
Compare 772c8f8 to 81efdcf
|`logEmptyRequests` | ||
|Specifies connections for which no request is received and logged. Usually, these empty requests come from load balancer health probes or web browser speculative connections such as preconnects. Logging these types of empty requests can be undesirable. However, network errors and port scans can also create empty requests, so setting this field to `Ignore` can impede detecting or diagnosing problems and also impede the detection of intrusion attempts. | ||
|'logEmptyRequests` specifies connections for which no request is received and logged. These empty requests come from load balancer health probes or web browser speculative connections (preconnect) and logging these requests can be undesirable. However, these requests can be caused by network errors, in which case logging empty requests can be useful for diagnosing the errors. These requests can be caused by port scans, and logging empty requests can aid in detecting intrusion attempts. Allowed values for this field are `Log` and `Ignore`. The default is `Log`. |
|'logEmptyRequests` specifies connections for which no request is received and logged. These empty requests come from load balancer health probes or web browser speculative connections (preconnect) and logging these requests can be undesirable. However, these requests can be caused by network errors, in which case logging empty requests can be useful for diagnosing the errors. These requests can be caused by port scans, and logging empty requests can aid in detecting intrusion attempts. Allowed values for this field are `Log` and `Ignore`. The default is `Log`. | |
|`logEmptyRequests` specifies connections for which no request is received and logged. These empty requests come from load balancer health probes or web browser speculative connections (preconnect) and logging these requests can be undesirable. However, these requests can be caused by network errors, in which case logging empty requests can be useful for diagnosing the errors. These requests can be caused by port scans, and logging empty requests can aid in detecting intrusion attempts. Allowed values for this field are `Log` and `Ignore`. The default is `Log`. |
Compare 81efdcf to d1610b7
. Verify that all certificates which include `-----END CERTIFICATE-----` also end with one carriage return after that line. | ||
. Create a configuration map that includes only the root CA certificate that is used to sign the wildcard certificate: |
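Review bot: "end with one carriage return after that line" in the verify step is ambiguous and, read literally, wrong for PEM bundles. When several certificates are concatenated into one file, each `-----END CERTIFICATE-----` line needs a trailing newline (line feed) so that the following `-----BEGIN CERTIFICATE-----` starts on its own line; a bare carriage return does not produce a line break for the PEM reader, and a missing newline makes the bundle fail to parse or silently drops the last certificate. Suggest "also end with a newline after that line". It would also help to say why the check exists (the config map in the next step is consumed as a single PEM file).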
🤖 [error] Vale.Avoid: Avoid using 'configuration map'.
---- | ||
<1> `</path/to/example-ca.crt>` is the path to the root CA certificate file on your local file system. For example, `/etc/pki/ca-trust/source/anchors`. | ||
. Update the cluster-wide proxy configuration with the newly created configuration map: |
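Review bot: callout `<1>` describes `</path/to/example-ca.crt>` as "the path to the root CA certificate file", but the example it gives, `/etc/pki/ca-trust/source/anchors`, is a directory, not a file. Either make the example a file path (for example, a `.crt` file inside that directory) or reword the callout to match. Separately, the step that follows updates "the cluster-wide proxy configuration with the newly created configuration map"; please confirm that is the intended consumer on MicroShift, since the earlier review comments note that this procedure was carried over from the OpenShift Container Platform page and the ingress CA is otherwise handled through the openshift-ingress namespace on this page.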
🤖 [error] Vale.Avoid: Avoid using 'configuration map'.
Compare d1610b7 to 6c2d921
Compare 20d72af to d84f014
Compare 7aab754 to 3ac01c1
Compare 3ac01c1 to dce6749
@tedaveryredhat: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Version(s): 4.19+
Issue: https://issues.redhat.com/browse/OSDOCS-13371
Link to docs preview: https://91560--ocpdocs-pr.netlify.app/microshift/latest/microshift_configuring/microshift-ingress-controller.html
QE review: