clientTLS
|
object
|
clientTLS specifies settings for requesting and verifying client certificates, which can be used to enable mutual TLS for edge-terminated and reencrypt routes. |
defaultCertificate
|
object
|
defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When routes don’t specify their own certificate, defaultCertificate is used.
The secret must contain the following keys and data:
* tls.crt: certificate file contents
* tls.key: key file contents
If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate’s CA will be automatically integrated with the cluster’s trust store.
If a wildcard certificate is used and shared by multiple HTTP/2-enabled routes (which implies ALPN), then clients (notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection that was opened for one route to send requests to another route, and that is likely to fail. This behaviour is generally known as connection coalescing.
The in-use certificate (whether generated or user-specified) will be automatically integrated with OpenShift’s built-in OAuth server. |
domain
|
string
|
domain is a DNS name serviced by the ingress controller and is used to configure multiple features:
* For the LoadBalancerService endpoint publishing strategy, domain is used to configure DNS records. See endpointPublishingStrategy.
* When using a generated default certificate, the certificate will be valid for domain and its subdomains. See defaultCertificate.
* The value is published to individual route statuses so that end-users know where to target external DNS records.
domain must be unique among all IngressControllers, and cannot be updated.
If empty, defaults to ingress.config.openshift.io/cluster .spec.domain. |
endpointPublishingStrategy
|
object
|
endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc.
If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform:
* AWS: LoadBalancerService (with External scope)
* Azure: LoadBalancerService (with External scope)
* GCP: LoadBalancerService (with External scope)
* IBMCloud: LoadBalancerService (with External scope)
* AlibabaCloud: LoadBalancerService (with External scope)
* Libvirt: HostNetwork
Any other platform types (including None) default to HostNetwork.
endpointPublishingStrategy cannot be updated. |
httpCompression
|
object
|
httpCompression defines a policy for HTTP traffic compression. By default, there is no HTTP compression. |
httpEmptyRequestsPolicy
|
string
|
httpEmptyRequestsPolicy describes how HTTP connections should be handled if the connection times out before a request is received. Allowed values for this field are "Respond" and "Ignore". If the field is set to "Respond", the ingress controller sends an HTTP 400 or 408 response, logs the connection (if access logging is enabled), and counts the connection in the appropriate metrics. If the field is set to "Ignore", the ingress controller closes the connection without sending a response, logging the connection, or incrementing metrics. The default value is "Respond".
Typically, these connections come from load balancers' health probes or Web browsers' speculative connections ("preconnect") and can be safely ignored. However, these requests may also be caused by network errors, and so setting this field to "Ignore" may impede detection and diagnosis of problems. In addition, these requests may be caused by port scans, in which case logging empty requests may aid in detecting intrusion attempts. |
httpErrorCodePages
|
object
|
httpErrorCodePages specifies a configmap with custom error pages. The administrator must create this configmap in the openshift-config namespace. This configmap should have keys in the format "error-page-<error code>.http", where <error code> is an HTTP error code. For example, "error-page-503.http" defines an error page for HTTP 503 responses. Currently only error pages for 503 and 404 responses can be customized. Each value in the configmap should be the full response, including HTTP headers. For an example, see https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http
If this field is empty, the ingress controller uses the default error pages. |
httpHeaders
|
object
|
httpHeaders defines policy for HTTP headers.
If this field is empty, the default values are used. |
logging
|
object
|
logging defines parameters for what should be logged where. If this field is empty, operational logs are enabled but access logs are disabled. |
namespaceSelector
|
object
|
namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards.
If unset, the default is no filtering. |
nodePlacement
|
object
|
nodePlacement enables explicit control over the scheduling of the ingress controller.
If unset, defaults are used. See NodePlacement for more details. |
replicas
|
integer
|
replicas is the desired number of ingress controller replicas. If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status.
The value of replicas is set based on the value of a chosen field in the Infrastructure CR. If defaultPlacement is set to ControlPlane, the chosen field will be controlPlaneTopology. If it is set to Workers, the chosen field will be infrastructureTopology. Replicas will then be set to 1 or 2 based on whether the chosen field’s value is SingleReplica or HighlyAvailable, respectively.
These defaults are subject to change. |
routeAdmission
|
object
|
routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces).
If empty, defaults will be applied. See specific routeAdmission fields for details about their defaults. |
routeSelector
|
object
|
routeSelector is used to filter the set of routes serviced by the ingress controller. This is useful for implementing shards.
If unset, the default is no filtering. |
tlsSecurityProfile
|
object
|
tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers.
If unset, the default is based on the apiservers.config.openshift.io/cluster resource.
Note that when using the Old, Intermediate, and Modern profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress controller, resulting in a rollout. |
tuningOptions
|
object
|
tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details.
Setting fields within tuningOptions is generally not recommended. The default values are suitable for most configurations. |
unsupportedConfigOverrides
|
`` |
unsupportedConfigOverrides allows specifying unsupported configuration options. Its use is unsupported. |
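
The httpEmptyRequestsPolicy description notes that logging empty requests may aid in detecting intrusion attempts. The following is an added example, not part of the original reference: it counts empty requests per source address while skipping known health-probe networks. It assumes httpEmptyRequestsPolicy is "Respond", access logging is enabled, and the access log uses HAProxy's default HTTP log format; the sample lines, the probe network and the threshold are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: HAProxy default HTTP log format. An empty request is logged as
# "<BADREQ>" with status 400 or 408 and a termination state starting with
# CR (client closed before sending a request) or cR (http-request timeout).
LINE = re.compile(
    r'(?P<ip>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] \S+ \S+ \S+ '
    r'(?P<status>\d{3}) \d+ \S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<req>[^"]*)"'
)


def empty_request_sources(lines, probe_networks=(), threshold=3):
    """Return {source_ip: count} for sources outside probe_networks that
    produced at least `threshold` empty requests."""
    probes = [ipaddress.ip_network(n) for n in probe_networks]
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m or m["req"] != "<BADREQ>":
            continue
        if m["status"] not in ("400", "408") or m["term"][:2] not in ("CR", "cR"):
            continue  # e.g. PR-- is a malformed request, not an empty one
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in probes):
            continue  # load balancer health probes are expected noise
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sample_line(ip, status, term, req="<BADREQ>"):
    """Build one constructed access-log line for the demonstration."""
    return (f'haproxy[42]: {ip}:40000 [01/Jan/2024:00:00:00.000] public '
            f'public/<NOSRV> -1/-1/-1/-1/10000 {status} 0 - - {term} '
            f'1/1/0/0/0 0/0 "{req}"')


# Constructed sample: one noisy source, a health probe, a single preconnect,
# malformed (not empty) requests, and one ordinary request.
SAMPLE = (
    [sample_line("198.51.100.7", 408, "cR--")] * 2
    + [sample_line("198.51.100.7", 400, "CR--")]
    + [sample_line("10.0.0.5", 408, "cR--")] * 4
    + [sample_line("203.0.113.9", 408, "cR--")]
    + [sample_line("203.0.113.20", 400, "PR--")] * 3
    + [sample_line("198.51.100.7", 200, "----", "GET / HTTP/1.1")]
)

if __name__ == "__main__":
    print(empty_request_sources(SAMPLE, probe_networks=["10.0.0.0/24"]))
```

With the policy set to "Ignore" none of these lines would exist, so this check has nothing to work on.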
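
The httpErrorCodePages rules above (key format, the 503/404 restriction, and values that are full responses including headers) can be checked before the configmap is created. This is an added example, not code from the original reference or the router project; the requirement that the status line carries the same code as the key is an assumption of this check, and the sample data is constructed.

```python
import re

KEY = re.compile(r"^error-page-(\d{3})\.http$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
CUSTOMIZABLE = {"404", "503"}  # per the field description


def check_error_pages(data):
    """Return a list of problems found in a configmap's `data` mapping."""
    problems = []
    for key, value in data.items():
        m = KEY.match(key)
        if not m:
            problems.append(f"{key}: key is not error-page-<error code>.http")
            continue
        code = m.group(1)
        if code not in CUSTOMIZABLE:
            problems.append(f"{key}: only 503 and 404 pages can be customized")
        # Split headers from body at the first blank line.
        head, sep, _body = value.replace("\r\n", "\n").partition("\n\n")
        status = STATUS_LINE.match(head.split("\n", 1)[0])
        if not status:
            problems.append(f"{key}: value is not a full HTTP response "
                            "(no status line)")
        elif status.group(1) != code:
            # Assumption of this check, not stated in the reference.
            problems.append(f"{key}: status line says {status.group(1)}")
        elif not sep:
            problems.append(f"{key}: no blank line between headers and body")
    return problems


# Constructed samples.
GOOD = {
    "error-page-503.http": "HTTP/1.0 503 Service Unavailable\r\n"
                           "Content-Type: text/html\r\n\r\n"
                           "<html><body>Unavailable</body></html>\n",
}
BAD = {
    "error-page-503.http": "<html><body>down</body></html>",  # body only
    "error-page-500.http": "HTTP/1.0 500 Internal Server Error\n"
                           "Content-Type: text/html\n\n<html></html>",
    "503.html": "HTTP/1.0 503 Service Unavailable\n\n<html></html>",
}

if __name__ == "__main__":
    for problem in check_error_pages(BAD):
        print(problem)
```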