apiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.com
The Ingress Operator implements the ingresscontroller
API and is the
component responsible for enabling external access to OpenShift Container Platform
cluster services. The Operator makes this possible by deploying and
managing one or more HAProxy-based
Ingress Controllers
to handle routing. You can use the Ingress Operator to route traffic by
specifying OpenShift Container Platform Route
and Kubernetes Ingress
resources.
The installation program generates an asset with an Ingress
resource in the
config.openshift.io
API group, cluster-ingress-02-config.yml
.
Ingress
resourceapiVersion: config.openshift.io/v1
kind: Ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.com
The installation program stores this asset in the
cluster-ingress-02-config.yml
file in
the manifests/
directory. This Ingress
resource defines the cluster-wide
configuration for Ingress. This Ingress configuration is used as follows:
The Ingress Operator uses the domain from the cluster Ingress configuration as the domain for the default Ingress Controller.
The OpenShift API server operator uses the domain from the cluster Ingress
configuration as the domain used when generating a default host for a Route
resource that does not specify an explicit host.
The ingresscontrollers.operator.openshift.io
resource offers the following
configuration parameters.
Parameter | Description | ||||
---|---|---|---|---|---|
|
The If empty, the default value is |
||||
|
|
||||
|
If not set, the default value is based on
The |
||||
|
The The secret must contain the following keys and data:
* If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress controller The in-use certificate, whether generated or user-specified, is automatically integrated with OpenShift Container Platform built-in OAuth server. |
||||
|
|
||||
|
|
||||
|
If not set, the defaults values are used.
|
||||
|
If not set, the default value is based on the When using the The minimum TLS version for Ingress controllers is
|
||||
|
|
All parameters are optional. |
The tlsSecurityProfile
parameter defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.
There are four TLS security profile types:
Old
Intermediate
Modern
Custom
The Old
, Intermediate
, and Modern
profiles are based on recommended configurations. The Custom
profile provides the ability to specify individual TLS security profile parameters.
Old
profile configurationspec:
tlsSecurityProfile:
type: Old
Intermediate
profile configurationspec:
tlsSecurityProfile:
type: Intermediate
Modern
profile configurationspec:
tlsSecurityProfile:
type: Modern
The Custom
profile is a user-defined TLS security profile.
You must be careful using a |
Custom
profilespec:
tlsSecurityProfile:
type: Custom
custom:
ciphers:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11
NodePortService
endpoint publishing strategy
The NodePortService
endpoint publishing strategy publishes the Ingress Controller using a Kubernetes NodePort service.
In this configuration, the Ingress Controller deployment uses container networking. A NodePortService
is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift Container Platform; however, to support static port allocations, your changes to the node port field of the managed NodePortService
are preserved.
The Ingress Operator ignores any updates to By default, ports are allocated automatically and you can access the port allocations for integrations. However, sometimes static port allocations are necessary to integrate with existing infrastructure which may not be easily reconfigured in response to dynamic ports. To achieve integrations with static node ports, you can update the managed service resource directly. |
For more information, see the Kubernetes Services documentation on NodePort
.
HostNetwork
endpoint publishing strategy
The HostNetwork
endpoint publishing strategy publishes the Ingress Controller on node ports where the Ingress Controller is deployed.
An Ingress controller with the HostNetwork
endpoint publishing strategy can have only one pod replica per node. If you want n replicas, you must use at least n nodes where those replicas can be scheduled. Because each pod replica requests ports 80
and 443
on the node host where it is scheduled, a replica cannot be scheduled to a node if another pod on the same node is using those ports.
The Ingress Operator is a core feature of OpenShift Container Platform and is enabled out of the box.
Every new OpenShift Container Platform installation has an ingresscontroller
named default. It
can be supplemented with additional Ingress Controllers. If the default
ingresscontroller
is deleted, the Ingress Operator will automatically recreate it
within a minute.
View the default Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/default
You can view and inspect the status of your Ingress Operator.
View your Ingress Operator status:
$ oc describe clusteroperators/ingress
You can view your Ingress Controller logs.
View your Ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operator
Your can view the status of a particular Ingress Controller.
View the status of an Ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>
As an administrator, you can configure an Ingress Controller to use a custom
certificate by creating a secret resource and editing the IngressController
custom resource (CR).
You must have a certificate/key pair in PEM-encoded files, where the certificate is signed by a trusted certificate authority or by a private trusted certificate authority that you configured in a custom PKI.
Your certificate is valid for the Ingress domain.
You must have an IngressController
CR. You may use the default one:
$ oc --namespace openshift-ingress-operator get ingresscontrollers
NAME AGE
default 10m
If you have intermediate certificates, they must be included in the |
The following assumes that the custom certificate and key pair are in the
tls.crt
and tls.key
files in the current working directory. Substitute the
actual path names for tls.crt
and tls.key
. You also may substitute another
name for custom-certs-default
when creating the secret resource and
referencing it in the IngressController CR.
This action will cause the Ingress Controller to be redeployed, using a rolling deployment strategy. |
Create a secret resource containing the custom certificate in the
openshift-ingress
namespace using the tls.crt
and tls.key
files.
$ oc --namespace openshift-ingress create secret tls custom-certs-default --cert=tls.crt --key=tls.key
Update the IngressController CR to reference the new certificate secret:
$ oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default \
--patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
Verify the update was effective:
$ oc get --namespace openshift-ingress-operator ingresscontrollers/default \
--output jsonpath='{.spec.defaultCertificate}'
map[name:custom-certs-default]
The certificate secret name should match the value used to update the CR.
Once the IngressController CR has been modified, the Ingress Operator updates the Ingress Controller’s deployment to use the custom certificate.
Manually scale an Ingress Controller to meeting routing performance or
availability requirements such as the requirement to increase throughput. oc
commands are used to scale the IngressController
resource. The following
procedure provides an example for scaling up the default IngressController
.
View the current number of available replicas for the default IngressController
:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}'
2
Scale the default IngressController
to the desired number of replicas using
the oc patch
command. The following example scales the default IngressController
to 3 replicas:
$ oc patch -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"replicas": 3}}' --type=merge
ingresscontroller.operator.openshift.io/default patched
Verify that the default IngressController
scaled to the number of replicas
that you specified:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}'
3
Scaling is not an immediate action, as it takes time to create the desired number of replicas. |
Ingress Controller sharding by using route labels means that the Ingress Controller serves any route in any namespace that is selected by the route selector.
Ingress Controller sharding is useful when balancing incoming traffic load among a set of Ingress Controllers and when isolating traffic to a specific Ingress Controller. For example, company A goes to one Ingress Controller and company B to another.
Edit the router-internal.yaml
file:
# cat router-internal.yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: sharded
namespace: openshift-ingress-operator
spec:
domain: <apps-sharded.basedomain.example.net>
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/worker: ""
routeSelector:
matchLabels:
type: sharded
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""
Apply the Ingress Controller router-internal.yaml
file:
# oc apply -f router-internal.yaml
The Ingress Controller selects routes in any namespace that have the label
type: sharded
.
Ingress Controller sharding by using namespace labels means that the Ingress Controller serves any route in any namespace that is selected by the namespace selector.
Ingress Controller sharding is useful when balancing incoming traffic load among a set of Ingress Controllers and when isolating traffic to a specific Ingress Controller. For example, company A goes to one Ingress Controller and company B to another.
Edit the router-internal.yaml
file:
# cat router-internal.yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: sharded
namespace: openshift-ingress-operator
spec:
domain: <apps-sharded.basedomain.example.net>
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/worker: ""
namespaceSelector:
matchLabels:
type: sharded
status: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""
Apply the Ingress Controller router-internal.yaml
file:
# oc apply -f router-internal.yaml
The Ingress Controller selects routes in any namespace that is selected by the
namespace selector that have the label type: sharded
.
When creating an Ingress Controller on cloud platforms, the Ingress Controller is published by a public cloud load balancer by default. As an administrator, you can create an Ingress Controller that uses an internal cloud load balancer.
If your cloud provider is Microsoft Azure, you must have at least one public load balancer that points to your nodes. If you do not, all of your nodes will lose egress connectivity to the internet. |
If you want to change the |
See the Kubernetes Services documentation for implementation details.
Install the OpenShift CLI (oc
).
Log in as a user with cluster-admin
privileges.
Create an IngressController
custom resource (CR) in a file named <name>-ingress-controller.yaml
, such as in the following example:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
namespace: openshift-ingress-operator
name: <name> (1)
spec:
domain: <domain> (2)
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: Internal (3)
1 | Replace <name> with a name for the IngressController object. |
2 | Specify the domain for the application published by the controller. |
3 | Specify a value of Internal to use an internal load balancer. |
Create the Ingress Controller defined in the previous step by running the following command:
$ oc create -f <name>-ingress-controller.yaml (1)
1 | Replace <name> with the name of the IngressController object. |
Optional: Confirm that the Ingress Controller was created by running the following command:
$ oc --all-namespaces=true get ingresscontrollers
You can configure the default
Ingress Controller for your cluster to be internal by deleting and recreating it.
If your cloud provider is Microsoft Azure, you must have at least one public load balancer that points to your nodes. If you do not, all of your nodes will lose egress connectivity to the internet. |
If you want to change the |
Install the OpenShift CLI (oc
).
Log in as a user with cluster-admin
privileges.
Configure the default
Ingress Controller for your cluster to be internal by deleting and recreating it.
$ oc replace --force --wait --filename - <<EOF
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
namespace: openshift-ingress-operator
name: default
spec:
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: Internal
EOF
Administrators and application developers can run applications in multiple namespaces with the same domain name. This is for organizations where multiple teams develop microservices that are exposed on the same host name.
Allowing claims across namespaces should only be enabled for clusters with trust between namespaces, otherwise a malicious user could take over a host name. For this reason, the default admission policy disallows host name claims across namespaces. |
Cluster administrator privileges.
Edit the .spec.routeAdmission
field of the ingresscontroller
resource variable using the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge
spec:
routeAdmission:
namespaceOwnership: InterNamespaceAllowed
...