The `ingresscontrollers.operator.openshift.io` resource offers the following
9
9
configuration parameters.
@@ -13,26 +13,26 @@ configuration parameters.
13
13
|Parameter |Description
14
14
15
15
|`domain`
16
-
|`domain` is a DNS name serviced by the Ingress controller and is used to configure multiple features:
16
+
|`domain` is a DNS name serviced by the Ingress Controller and is used to configure multiple features:
17
17
18
18
* For the `LoadBalancerService` endpoint publishing strategy, `domain` is used to configure DNS records. See `endpointPublishingStrategy`.
19
19
20
20
* When using a generated default certificate, the certificate is valid for `domain` and its `subdomains`. See `defaultCertificate`.
21
21
22
22
* The value is published to individual Route statuses so that users know where to target external DNS records.
23
23
24
-
The `domain` value must be unique among all Ingress controllers and cannot be updated.
24
+
The `domain` value must be unique among all Ingress Controllers and cannot be updated.
25
25
26
26
If empty, the default value is `ingress.config.openshift.io/cluster` `.spec.domain`.
27
27
28
28
|`appsDomain`
29
29
|`appsDomain` is an optional domain for AWS infrastructure to use instead of the one specified in the `domain` field when a Route is created without specifying an explicit host. If a value is entered for `appsDomain`, this value is used to generate default host values for the Route. Unlike `domain`, `appsDomain` can be modified after installation. You can use this parameter only if you set up a new Ingress Controller that uses a wildcard certificate.
30
30
31
31
|`replicas`
32
-
|`replicas` is the desired number of Ingress controller replicas. If not set, the default value is `2`.
32
+
|`replicas` is the desired number of Ingress Controller replicas. If not set, the default value is `2`.
33
33
34
34
|`endpointPublishingStrategy`
35
-
|`endpointPublishingStrategy` is used to publish the Ingress controller endpoints to other networks, enable load balancer integrations, and provide access to other systems.
35
+
|`endpointPublishingStrategy` is used to publish the Ingress Controller endpoints to other networks, enable load balancer integrations, and provide access to other systems.
36
36
37
37
If not set, the default value is based on `infrastructure.config.openshift.io/cluster` `.status.platform`:
38
38
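Review bot: In the `domain` row, the context bullet "the certificate is valid for `domain` and its `subdomains`" sets `subdomains` in code formatting, although the table lists no parameter by that name. Since this change already touches the row to standardize "Ingress Controller", consider writing "its subdomains" in plain text so readers do not go looking for a `subdomains` field.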
@@ -45,27 +45,27 @@ If not set, the default value is based on `infrastructure.config.openshift.io/cl
45
45
For most platforms, the `endpointPublishingStrategy` value cannot be updated. However, on GCP, you can configure the `loadbalancer.providerParameters.gcp.clientAccess` subfield.
46
46
47
47
|`defaultCertificate`
48
-
|The `defaultCertificate` value is a reference to a secret that contains the default certificate that is served by the Ingress controller. When Routes do not specify their own certificate, `defaultCertificate` is used.
48
+
|The `defaultCertificate` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `defaultCertificate` is used.
49
49
50
50
The secret must contain the following keys and data:
51
51
* `tls.crt`: certificate file contents
52
52
* `tls.key`: key file contents
53
53
54
-
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress controller `domain` and `subdomains`, and
54
+
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller `domain` and `subdomains`, and
55
55
the generated certificate's CA is automatically integrated with the
56
56
cluster's trust store.
57
57
58
58
The in-use certificate, whether generated or user-specified, is automatically integrated with {product-title} built-in OAuth server.
59
59
60
60
|`namespaceSelector`
61
61
|`namespaceSelector` is used to filter the set of namespaces serviced by the
62
-
Ingress controller. This is useful for implementing shards.
62
+
Ingress Controller. This is useful for implementing shards.
63
63
64
64
|`routeSelector`
65
-
|`routeSelector` is used to filter the set of Routes serviced by the Ingress controller. This is useful for implementing shards.
65
+
|`routeSelector` is used to filter the set of Routes serviced by the Ingress Controller. This is useful for implementing shards.
66
66
67
67
|`nodePlacement`
68
-
|`nodePlacement` enables explicit control over the scheduling of the Ingress controller.
68
+
|`nodePlacement` enables explicit control over the scheduling of the Ingress Controller.
69
69
70
70
If not set, the defaults values are used.
71
71
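Review bot: Directly under the changed `nodePlacement` line, the context sentence "If not set, the defaults values are used." has a typo ("defaults values") that this pass could fix to "the default values are used". In the `defaultCertificate` row, "integrated with {product-title} built-in OAuth server" is also missing an article before "built-in"; both are small wording fixes in rows the change already edits.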
@@ -86,17 +86,17 @@ nodePlacement:
86
86
====
87
87
88
88
|`tlsSecurityProfile`
89
-
|`tlsSecurityProfile` specifies settings for TLS connections for Ingress controllers.
89
+
|`tlsSecurityProfile` specifies settings for TLS connections for Ingress Controllers.
90
90
91
91
If not set, the default value is based on the `apiservers.config.openshift.io/cluster` resource.
92
92
93
-
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress controller, resulting in a rollout.
93
+
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout.
94
94
95
-
The minimum TLS version for Ingress controllers is `1.1`, and the maximum TLS version is `1.2`.
95
+
The minimum TLS version for Ingress Controllers is `1.1`, and the maximum TLS version is `1.2`.
96
96
97
97
[IMPORTANT]
98
98
====
99
-
The HAProxy Ingress controller image does not support TLS `1.3` and because the `Modern` profile requires TLS `1.3`, it is not supported. The Ingress Operator converts the `Modern` profile to `Intermediate`.
99
+
The HAProxy Ingress Controller image does not support TLS `1.3` and because the `Modern` profile requires TLS `1.3`, it is not supported. The Ingress Operator converts the `Modern` profile to `Intermediate`.
100
100
101
101
The Ingress Operator also converts the TLS `1.0` of an `Old` or `Custom` profile to `1.1`, and TLS `1.3` of a `Custom` profile to `1.2`.
102
102
====
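Review bot: In the changed IMPORTANT sentence, "it is not supported" has an ambiguous antecedent (the image or the profile). Suggest "The HAProxy Ingress Controller image does not support TLS `1.3`. Because the `Modern` profile requires TLS `1.3`, the `Modern` profile is not supported." The text also says the Ingress Operator converts `Modern` to `Intermediate` and raises or lowers the TLS versions of `Old` and `Custom` profiles, but it does not say whether the user sees any indication of the conversion; a sentence on where the effective profile can be checked would help anyone who sets `Modern` expecting TLS `1.3` only.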
@@ -153,6 +153,16 @@ These adjustments are only applied to cleartext, edge-terminated, and re-encrypt
153
153
154
154
For request headers, these adjustments are applied only for routes that have the `haproxy.router.openshift.io/h1-adjust-case=true` annotation. For response headers, these adjustments are applied to all HTTP responses. If this field is empty, no request headers are adjusted.
155
155
156
+
|`tuningOptions`
157
+
|`tuningOptions` specifies options for tuning the performance of Ingress Controller pods.
158
+
159
+
* `headerBufferBytes` specifies how much memory is reserved, in bytes, for Ingress Controller connection sessions. This value must be at least `16384` if HTTP/2 is enabled for the Ingress Controller. If not set, the default value is `32768` bytes. Setting this field not recommended because `headerBufferBytes` values that are too small can break the Ingress Controller, and `headerBufferBytes` values that are too large could cause the Ingress Controller to use significantly more memory than necessary.
160
+
161
+
* `headerBufferMaxRewriteBytes` specifies how much memory should be reserved, in bytes, from `headerBufferBytes` for HTTP header rewriting and appending for Ingress Controller connection sessions. The minimum value for `headerBufferMaxRewriteBytes` is `4096`. `headerBufferBytes` must be greater than `headerBufferMaxRewriteBytes` for incoming HTTP requests. If not set, the default value is `8192` bytes. Setting this field not recommended because `headerBufferMaxRewriteBytes` values that are too small can break the Ingress Controller and `headerBufferMaxRewriteBytes` values that are too large could cause the Ingress Controller to use significantly more memory than necessary.
162
+
163
+
* `threadCount` specifies the number of threads to create per HAProxy process. Creating more threads allows each Ingress Controller pod to handle more connections, at the cost of more system resources being used. HAProxy
164
+
supports up to `64` threads. If this field is empty, the Ingress Controller uses the default value of `4` threads. The default value can change in future releases. Setting this field is not recommended because increasing the number of HAProxy threads allows Ingress Controller pods to use more CPU time under load, and prevent other pods from receiving the CPU resources they need to perform. Reducing the number of threads can cause the Ingress Controller to perform poorly.
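Review bot: Both the `headerBufferBytes` and `headerBufferMaxRewriteBytes` bullets read "Setting this field not recommended", which is missing "is"; the `threadCount` bullet has the correct "is not recommended". In the `threadCount` bullet, "allows Ingress Controller pods to use more CPU time under load, and prevent other pods" should read "and can prevent other pods" so the verb agrees. The constraint that `headerBufferBytes` must be greater than `headerBufferMaxRewriteBytes` appears only in the second bullet; repeating it in the `headerBufferBytes` bullet next to the `16384` minimum would keep all limits on that field in one place. The trailing "for incoming HTTP requests" on that constraint is unclear and could be dropped or moved to the sentence that describes what the buffer is used for.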