Merge pull request #45265 from jldohmann/OSDOCS-3539

OSDOCS-3539: add maxConnections parameter

Author: ahardin-rh

modules/nw-ingress-controller-configuration-parameters.adoc

@@ -216,6 +216,19 @@ supports up to `64` threads. If this field is empty, the Ingress Controller uses
 
 * `tunnelTimeout` specifies how long a tunnel connection, including websockets, remains open while the tunnel is idle. If unset, the default timeout is `1h`.
 
+* `maxConnections` specifies the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod handle more connections at the cost of additional system resources. Permitted values are `0`, `-1`, any value within the range `2000` and `2000000`, or the field can be left empty. 
+
+** If this field is left empty or has the value `0`, the ingress controller will use the default value of `20000`. This value is subject to change in future releases.
+
+** If the field has the value of `-1`, then HAProxy will dynamically compute a maximum value based on the available `ulimits` in the running container. This process results in a large computed value that will incur significant memory usage compared to the current default value of `20000`.
+
+** If the field has a value that is greater than the current operating system limit, the HAProxy process will not start.
+
+** If you choose a discrete value and the router pod is migrated to a new node, it is possible the new node does not have an identical `ulimit` configured. In such cases, the pod fails to start.
+
+** If you have nodes with different `ulimits` configured, and you choose a discrete value, it is recommended to use the value of `-1` for this field so that the maximum number of connections is calculated at runtime.
+
+
 |`logEmptyRequests`
 |`logEmptyRequests` specifies connections for which no request is received and logged. These empty requests come from load balancer health probes or web browser speculative connections (preconnect) and logging these requests can be undesirable. However, these requests can be caused by network errors, in which case logging empty requests can be useful for diagnosing the errors. These requests can be caused by port scans, and logging empty requests can aid in detecting intrusion attempts. Allowed values for this field are `Log` and `Ignore`. The default value is `Log`.
 

modules/nw-ingress-setting-max-connections.adoc

@@ -0,0 +1,24 @@
+// Modules included in the following assemblies:
+//
+// * ingress/configure-ingress-operator.adoc
+
+:_content-type: PROCEDURE
+[id="nw-ingress-setting-max-connections_{context}"]
+= Setting the Ingress Controller maximum connections
+A cluster administrator can set the maximum number of simultaneous connections for OpenShift router deployments. You can patch an existing Ingress Controller to increase the maximum number of connections.
+
+.Prerequisites
+* The following assumes that you already created an Ingress Controller
+
+.Procedure
+* Update the Ingress Controller to change the maximum number of connections for HAProxy:
++
+[source,terminal]
+----
+$ oc -n openshift-ingress-operator patch ingresscontroller/default --type=merge -p '{"spec":{"tuningOptions": {"maxConnections": 7500}}}'
+----
++
+[WARNING]
+====
+If you set the `spec.tuningOptions.maxConnections` value greater than the current operating system limit, the HAProxy process will not start. See the table in the "Ingress Controller configuration parameters" section for more information about this parameter.
+====

networking/ingress-operator.adoc

@@ -76,6 +76,8 @@ include::modules/nw-configuring-router-compression.adoc[leveloffset=+2]
 include::modules/nw-customize-ingress-error-pages.adoc[leveloffset=+2]
 //include::modules/nw-ingress-select-route.adoc[leveloffset=+2]
 
+include::modules/nw-ingress-setting-max-connections.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 == Additional resources