ingress controller

kmcolli · bmcelvee · commit 4b5491f2b392 · 2023-09-27T09:59:01.000-04:00
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -85,7 +85,7 @@ Topics:
 - Name: ROSA prerequisites
   File: rosa-mobb-prerequisites-tutorial
 - Name: Configuring ROSA/OSD to use custom TLS ciphers on the ingress controllers
-  File: rosa-mobb-configure-custom-tls-ciphers
+  File: cloud-experts-configure-custom-tls-ciphers
 - Name: Verifying Permissions for a ROSA STS Deployment
   File: rosa-mobb-verify-permissions-sts-deployment
 ---
diff --git a/cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc b/cloud_experts_tutorials/cloud-experts-configure-custom-tls-ciphers.adoc
@@ -1,28 +1,31 @@
 :_content-type: ASSEMBLY
-[id="rosa-mobb-configure-cutsom-tls-ciphers"]
-= Tutorial: Configuring ROSA/OSD to use custom TLS ciphers on the ingress controllers
+[id="cloud-experts-configure-custom-tls-ciphers"]
+= Tutorial: Configuring ROSA/OSD to use custom TLS ciphers on the Ingress Controller
 include::_attributes/attributes-openshift-dedicated.adoc[]
-:context: rosa-mobb-configure-cutsom-tls-ciphers
+:context: cloud-experts-configure-custom-tls-ciphers
 
 toc::[]
 
 // ---
 // date: '2022-08-24'
-// title: Configure ROSA/OSD to use custom TLS ciphers on the ingress controllers
+// title: Configure ROSA/OSD to use custom TLS ciphers on the Ingress Controller
 // aliases: ['/docs/ingress/tls-cipher-customization']
 // tags: ["ROSA", "AWS", "OSD"]
 // authors:
 //   - Michael McNeill
 //   - Connor Wooley
 // ---
 
-This guide demonstrates how to properly patch the cluster ingress controllers, as well as ingress controllers created by the Custom Domain Operator.
-This functionality allows customers to modify the `tlsSecurityProfile` value on cluster ingress controllers.
-This guide will demonstrate how to apply a custom `tlsSecurityProfile`, a scoped service account (with the associated role and role binding), and a CronJob that the cipher changes are reapplied with 60 minutes (in the event that an ingress controller is recreated or modified).
+include::snippets/mobb-support-statement.adoc[leveloffset=+1]
+//Adding the support statement based on a conversation with Michael McNeill
+
+This guide demonstrates how to properly patch the cluster Ingress Controllers, as well as Ingress Controllers created by the Custom Domain Operator.
+This functionality allows customers to modify the `tlsSecurityProfile` value on cluster Ingress Controllers.
+This guide demonstrates how to apply a custom `tlsSecurityProfile`, a scoped service account with the associated role and role binding, and a CronJob that the cipher changes are reapplied with 60 minutes in the event that an Ingress Controller is recreated or modified.
 
 .Prerequisites
 
-* Review the link:https://docs.openshift.com/container-platform/4.13/networking/ingress-operator.html#configuring-ingress-controller-tls[OpenShift Documentation that explains the options for the `tlsSecurityProfile`]. By default, ingress controllers are configured to use the `Intermediate` profile, which corresponds to the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29[Intermediate Mozilla profile].
+* Review the link:https://docs.openshift.com/container-platform/4.13/networking/ingress-operator.html#configuring-ingress-controller-tls[OpenShift Documentation that explains the options for the `tlsSecurityProfile`]. By default, Ingress Controllers are configured to use the `Intermediate` profile, which corresponds to the link:https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29[Intermediate Mozilla profile].
 
 .Procedure
 
@@ -36,47 +39,47 @@ To create a service account, run the following command:
 $ oc create sa cron-ingress-patch-sa -n openshift-ingress-operator
 ----
 
-. Create a role and role binding that allows limited access to patch the ingress controllers.
+. Create a role and role binding that allows limited access to patch the Ingress Controllers.
 +
 Role-based access control (RBAC) is critical to ensuring security inside your cluster.
-Creating a role allows us to provide scoped access to only the API resources we need within the cluster. To create the role, run the following command:
+Creating a role allows us to provide scoped access to only the API resources needed within the cluster. To create the role, run the following command:
 +
 [source,terminal]
 ----
 $ oc create role cron-ingress-patch-role --verb=get,patch,update --resource=ingresscontroller.operator.openshift.io -n openshift-ingress-operator
 ----
 +
-Once the role has been created, you need to bind the role to the service account using a role binding.
+Once the role has been created, you must bind the role to the service account using a role binding.
 To create the role binding, run the following command:
 +
 [source,terminal]
 ----
 $ oc create rolebinding cron-ingress-patch-rolebinding --role=cron-ingress-patch-role --serviceaccount=openshift-ingress-operator:cron-ingress-patch-sa -n openshift-ingress-operator
 ----
 
-. Patch the ingress controller.
+. Patch the Ingress Controllers.
 +
 [IMPORTANT]
 ====
-The examples provided below add an additional cipher to the ingress controller's `tlsSecurityProfile` to allow IE 11 access from Windows Server 2008 R2.
-You should modify this command to meet your specific business requirements.
+The examples provided below add an additional cipher to the Ingress Controller's `tlsSecurityProfile` to allow IE 11 access from Windows Server 2008 R2.
+Modify this command to meet your specific business requirements.
 ====
 +
-Before we create the CronJob, we first want to apply the `tlsSecurityProfile` configuration to validate our changes.
+Before creating the CronJob, apply the `tlsSecurityProfile` configuration to validate changes.
 This process depends on if you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator].
 +
 .. Clusters not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are only using the default ingress controller, and not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], run the following command to patch the ingress controller:
+If you are only using the default Ingress Controller, and not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], run the following command to patch the Ingress Controller:
 +
 [source,terminal]
 ----
 $ oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'
 ----
 +
-This patch will add the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher which allows access from IE 11 on Windows Server 2008 R2 when using RSA certificates.
+This patch adds the `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` cipher which allows access from IE 11 on Windows Server 2008 R2 when using RSA certificates.
 +
-Once you have run the command, you will receive a response that looks like this:
+Once you run the command, you will receive a response that looks like this:
 +
 .Example output
 [source,terminal]
@@ -86,15 +89,15 @@ ingresscontroller.operator.openshift.io/default patched
 +
 .. Clusters using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
 +
-Customers who are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator] will need to loop through each of their ingress controllers to patch each one.
-To patch all of your cluster's ingress controllers, run the following command:
+Customers who are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator] need to loop through each of their Ingress Controllers to patch each one.
+To patch all of your cluster's Ingress Controllers, run the following command:
 +
 [source,terminal]
 ----
 $ for ic in $(oc get ingresscontroller -o name -n openshift-ingress-operator); do oc patch ${ic} -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'; done
 ----
 +
-Once you have run the command, you will receive a response that looks like this:
+Once you run the command, you will receive a response that looks like this:
 +
 .Example output
 [source,terminal]
@@ -106,13 +109,13 @@ ingresscontroller.operator.openshift.io/custom2 patched
 
 . Create the CronJob to ensure that the TLS configuration is not overwritten.
 +
-Occasionally, the cluster's ingress controller can get recreated. In these cases, the ingress controller will likely not retain the `tlsSecurityProfile` changes that we have made.
-To ensure this does not happen, we will create a CronJob that goes through and updates the cluster's ingress controller(s).
+Occasionally, the cluster's Ingress Controllers can get recreated. In these cases, the Ingress Controller will likely not retain the `tlsSecurityProfile` changes that were applied.
+To ensure this does not happen, create a CronJob that goes through and updates the cluster's Ingress Controllers.
 This process depends on if you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator].
 +
 .. Clusters not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], creating the CronJob is as simple as running the following command:
+If you are not using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], create the CronJob by running the following command:
 +
 [source,terminal]
 ----
@@ -142,9 +145,9 @@ EOF
 +
 [NOTE]
 ====
-This CronJob will run every hour, and will patch the ingress controller, if necessary.
+This CronJob runs every hour and patches the Ingress Controllers, if necessary.
 It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator.
-Most of the time, the logs of the CronJob pod will look something like this, as it will not be changing anything:
+Most of the time, the logs of the CronJob pod looks like the following example, as it will not be changing anything:
 
 .Example output
 [source,terminal]
@@ -155,7 +158,7 @@ ingresscontroller.operator.openshift.io/default patched (no change)
 +
 .. Clusters using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator]:
 +
-If you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], the CronJob will need to loop through and patch each ingress controller.
+If you are using the xref:../applications/deployments/osd-config-custom-domains-applications.adoc#osd-config-custom-domains-applications[Custom Domain Operator], the CronJob needs to loop through and patch each Ingress Controller.
 To create this CronJob, run the following command:
 +
 [source,terminal]
@@ -186,7 +189,7 @@ EOF
 +
 [NOTE]
 ====
-This CronJob will run every hour, and will patch the ingress controller, if necessary. It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator. Most of the time, the logs of the CronJob pod will look something like this, as it will not be changing anything:
+This CronJob runs every hour and patches the Ingress Controllers, if necessary. It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator. Most of the time, the logs of the CronJob pod will look something like this, as it will not be changing anything:
 
 .Example output
 [source,terminal]
