apiVersion: config.openshift.io/v1
kind: ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.com
The ingress Operator implements the ingresscontroller
API and is the
component responsible for enabling external access to OpenShift Container Platform
cluster services. The operator makes this possible by deploying and
managing one or more HAProxy-based
ingress Controllers
to handle routing. You can use the ingress Operator to route traffic by
specifying OpenShift Container Platform Route
and Kubernetes ingress
resources.
The installation program generates an asset with an ingress
resource in the
config.openshift.io
API group, cluster-ingress-02-config.yml
.
ingress
resourceapiVersion: config.openshift.io/v1
kind: ingress
metadata:
name: cluster
spec:
domain: apps.openshiftdemos.com
The installation program stores this asset in the
cluster-ingress-02-config.yml
file in
the manifests/
directory. This ingress
resource defines the cluster-wide
configuration for ingress. This ingress configuration is used as follows:
The ingress Operator uses the domain from the cluster ingress configuration as the domain for the default ingress Controller.
The OpenShift API server operator uses the domain from the cluster ingress
configuration as the domain used when generating a default host for a Route
resource that does not specify an explicit host.
The ingresscontrollers.operator.openshift.io
resource offers the following
configuration parameters.
Parameter | Description | ||
---|---|---|---|
|
The If empty, the default value is |
||
|
|
||
|
If not set, the default value is based on
The |
||
|
The The secret must contain the following keys and data:
* If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller The in-use certificate, whether generated or user-specified, is automatically integrated with OpenShift Container Platform built-in OAuth server. |
||
|
|
||
|
|
||
|
If not set, the defaults values are used.
|
All parameters are optional. |
An ingress controller with the HostNetwork
endpoint publishing strategy can have only one Pod replica per node. If you want n replicas, you must use at least n nodes where those replicas can be scheduled. Because each Pod replica requests ports 80
and 443
on the node host where it is scheduled, a replica cannot be scheduled to a node if another Pod on the same node is using those ports.
The ingress Operator is a core feature of OpenShift Container Platform and is enabled out of the box.
Every new OpenShift Container Platform installation has an ingresscontroller
named default. It
can be supplemented with additional ingress Controllers. If the default
ingresscontroller
is deleted, the ingress Operator will automatically recreate it
within a minute.
View the default ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/default
You can view and inspect the status of your ingress Operator.
View your ingress Operator status:
$ oc describe clusteroperators/ingress
You can view your ingress Controller logs.
View your ingress Controller logs:
$ oc logs --namespace=openshift-ingress-operator deployments/ingress-operator
Your can view the status of a particular ingress Controller.
View the status of an ingress Controller:
$ oc describe --namespace=openshift-ingress-operator ingresscontroller/<name>
As an administrator, you can configure an ingress Controller to use a custom
certificate by creating a Secret
resource and editing the ingressController
custom resource (CR).
You must have a certificate/key pair in PEM-encoded files, where the certificate is signed by a trusted certificate authority and valid for the ingress domain.
You must have an ingressController
CR. You may use the default one:
$ oc --namespace openshift-ingress-operator get ingresscontrollers NAME AGE default 10m
If the default certificate is replaced, it must be signed by a public certificate authority already included in the CA bundle as provided by the container userspace. |
If you have intermediate certificates, they must be included in the |
The following assumes that the custom certificate and key pair are in the
tls.crt
and tls.key
files in the current working directory. Substitute the
actual path names for tls.crt
and tls.key
. You also may substitute another
name for custom-certs-default
when creating the Secret
resource and
referencing it in the ingressController
CR.
This action will cause the ingress Controller to be redeployed, using a rolling deployment strategy. |
Create a Secret
resource containing the custom certificate in the
openshift-ingress
namespace using the tls.crt
and tls.key
files.
$ oc --namespace openshift-ingress create secret tls custom-certs-default --cert=tls.crt --key=tls.key
Update the ingressController
CR to reference the new certificate secret:
$ oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default \ --patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
Verify the update was effective:
$ oc get --namespace openshift-ingress-operator ingresscontrollers/default \ --output jsonpath='{.spec.defaultCertificate}'
The output should look like:
map[name:custom-certs-default]
The certificate secret name should match the value used to update the CR.
Once the ingressController
CR has been modified, the ingress Operator
will update the ingress Controller’s deployment to use the custom certificate.
Manually scale an ingress Controller to meeting routing performance or
availability requirements such as the requirement to increase throughput. oc
commands are used to scale the ingressController
resource. The following
procedure provides an example for scaling up the default ingressController
.
View the current number of available replicas for the default ingressController
:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}' 2
Scale the default ingressController
to the desired number of replicas using
the oc patch
command. The following example scales the default ingressController
to 3 replicas:
$ oc patch -n openshift-ingress-operator ingresscontroller/default --patch '{"spec":{"replicas": 3}}' --type=merge ingresscontroller.operator.openshift.io/default patched
Verify that the default ingressController
scaled to the number of replicas
that you specified:
$ oc get -n openshift-ingress-operator ingresscontrollers/default -o jsonpath='{$.status.availableReplicas}' 3
Scaling is not an immediate action, as it takes time to create the desired number of replicas. |
ingress Controller sharding by using route labels means that the ingress Controller serves any route in any namespace that is selected by the route selector.
ingress Controller sharding is useful when balancing incoming traffic load among a set of ingress Controllers and when isolating traffic to a specific ingress Controller. For example, company A goes to one ingress Controller and company B to another.
Edit the router-internal.yaml
file:
# cat router-internal.yaml apiVersion: v1 items: - apiVersion: operator.openshift.io/v1 kind: ingressController metadata: name: sharded namespace: openshift-ingress-operator spec: domain: <apps-sharded.basedomain.example.net> nodePlacement: nodeSelector: matchLabels: node-role.kubernetes.io/worker: "" routeSelector: matchLabels: type: sharded status: {} kind: List metadata: resourceVersion: "" selfLink: ""
Apply the ingress Controller router-internal.yaml
file:
# oc apply -f router-internal.yaml
The ingress Controller selects routes in any namespace that have the label
type: sharded
.
ingress Controller sharding by using namespace labels means that the ingress Controller serves any route in any namespace that is selected by the namespace selector.
ingress Controller sharding is useful when balancing incoming traffic load among a set of ingress Controllers and when isolating traffic to a specific ingress Controller. For example, company A goes to one ingress Controller and company B to another.
Edit the router-internal.yaml
file:
# cat router-internal.yaml apiVersion: v1 items: - apiVersion: operator.openshift.io/v1 kind: ingressController metadata: name: sharded namespace: openshift-ingress-operator spec: domain: <apps-sharded.basedomain.example.net> nodePlacement: nodeSelector: matchLabels: node-role.kubernetes.io/worker: "" namespaceSelector: matchLabels: type: sharded status: {} kind: List metadata: resourceVersion: "" selfLink: ""
Apply the ingress Controller router-internal.yaml
file:
# oc apply -f router-internal.yaml
The ingress Controller selects routes in any namespace that is selected by the
namespace selector that have the label type: sharded
.