OSDOCS-14578: adds ingress control options to MicroShift

Author: ShaunaDiaz

microshift_configuring/microshift-ingress-controller.adoc

@@ -22,4 +22,4 @@ include::modules/microshift-ingress-controller-tls-config.adoc[leveloffset=+2]
 
 * xref:../microshift_configuring/microshift-using-config-yaml.adoc#microshift-config-snippets_microshift-configuring[Using configuration snippets]
 
-* link:https://docs.redhat.com/container-platform/latest/networking/networking_operators/ingress-operator.html#nw-http2-haproxy_configuring-ingress[Enabling HTTP/2 Ingress connectivity] (OpenShift Container Platform documentation)
+* link:https://docs.redhat.com/container-platform/latest/networking/networking_operators/ingress-operator.html#nw-http2-haproxy_configuring-ingress[Enabling HTTP/2 Ingress connectivity] ({OCP} documentation)

modules/microshift-config-yaml-custom.adoc

@@ -5,6 +5,7 @@
 :_mod-docs-content-type: CONCEPT
 [id="microshift-yaml-custom_{context}"]
 = Using custom settings
+
 To create custom configurations, make a copy of the `config.yaml.default` file that is provided in the `/etc/microshift/` directory, renaming it `config.yaml`. Keep this file in the `/etc/microshift/` directory, and then you can change supported settings that are expected to override the defaults before starting or restarting {microshift-short}.
 
 [IMPORTANT]

modules/microshift-default-settings.adoc

@@ -33,7 +33,15 @@ apiServer:
   subjectAltNames: []
   tls:
     cipherSuites:
-            - ""
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
     minVersion: VersionTLS12
 debugging:
   logLevel: "Normal"
@@ -42,6 +50,31 @@ dns:
 etcd:
   memoryLimitMB: 0
 ingress:
+  accessLogging:
+    destination:
+      type:
+      container:
+        maxLength: 1024
+      syslog:
+        address: ""
+        facility: ""
+        maxLength: 1024
+        port: 0
+      type: ""
+    httpCaptureCookies:
+      - matchType: ""
+        maxLength: 0
+        name: ""
+        namePrefix: ""
+    httpCaptureHeaders:
+      request:
+        - maxLength: 0
+          name: ""
+      response:
+        - maxLength: 0
+          name: ""
+    httpLogFormat: ""
+    status: Disabled
   certificateSecret: router-certs-default
   clientTLS:
     allowedSubjectPatterns:
@@ -54,8 +87,9 @@ ingress:
     mimeTypes:
       - ""
   httpEmptyRequestsPolicy: Respond
-  listenAddress:
-    - ""
+  httpErrorCodePages:
+      name: ""
+  listenAddress: []
   logEmptyRequests: Log
   ports:
     http: 80
@@ -65,14 +99,7 @@ ingress:
     wildcardPolicy: WildcardPolicyAllowed
   status: Managed
   tlsSecurityProfile:
-    type: Custom
-    custom:
-      ciphers:
-        - ECDHE-ECDSA-CHACHA20-POLY1305
-        - ECDHE-RSA-CHACHA20-POLY1305
-        - ECDHE-RSA-AES128-GCM-SHA256
-        - ECDHE-ECDSA-AES128-GCM-SHA256
-      minTLSVersion: VersionTLS12
+    type: Intermediate
   tuningOptions:
       clientFinTimeout: "1s"
       clientTimeout: "30s"

modules/microshift-ingress-controller-conc.adoc

@@ -6,18 +6,31 @@
 [id="microshift-ingress-control-concept_{context}"]
 = Using ingress control in {microshift-short}
 
-When you create your {microshift-short} cluster, each pod and service running on the cluster is allocated an IP address. These IP addresses are accessible to other pods and services running nearby by default, but are not accessible to external clients. {microshift-short} uses a minimal implementation of the {ocp} `IngressController` API to enable external access to cluster services.
+When you create your {microshift-short} cluster, each pod and service running on the cluster is allocated an IP address. These IP addresses are accessible to other pods and services running nearby by default, but are not accessible to external clients. {microshift-short} uses a minimal implementation of the {OCP} `IngressController` API to enable external access to cluster services.
 
-With more configuration options, you can fine-tune ingress to meet your specific needs. To use enhanced ingress control, update the parameters in the {microshift-short} configuration file and restart the service. Ingress configuration is useful in a variety of ways, for example:
+With more configuration options, you can fine-tune ingress to meet your specific needs. To use enhanced ingress control, update the parameters in the {microshift-short} configuration file and restart the service.
 
+Ingress configuration is useful in a variety of ways, for example:
+
+Accommodate server response speed::
 * If your application starts processing requests from clients but the connection is
 closed before it can respond, you can set the `ingress.tuningOptions.serverTimeout` parameter in the configuration file to a higher value to accommodate the speed of the response from the server.
 
+Closing router connections::
 * If the router has many connections open because an application running on the cluster does not close connections properly, you can set the `ingress.tuningOptions.serverTimeout` and `spec.tuningOptions.serverFinTimeout` parameters to a lower value, forcing those connections to close sooner.
 
-* If you need to configure the ingress controller to verify client certificates, you can use the `ingress.clientTLS` parameter to set a clientCA value, which is a reference to a config map. The config map contains the PEM-encoded CA certificate bundle that is used to verify a client's certificate. Optionally, you can also configure a list of certificate subject filters. 
+Verify client certificates::
+* If you need to configure the ingress controller to verify client certificates, you can use the `ingress.clientTLS` parameter to set a clientCA value, which is a reference to a config map. The config map contains the PEM-encoded CA certificate bundle that is used to verify a client's certificate. Optionally, you can also configure a list of certificate subject filters.
 
+Configure a TLS security profile::
 * If you need to configure a TLS security profile for an ingress controller, you can use the `ingress.tlsSecurityProfile` parameter to specify a default or custom individual TLS security profiles. The TLS security profile defines the minimum TLS version and the TLS ciphers for TLS connections for the ingress controllers.
 If a TLS security profile is not configured, the default value is based on the TLS security profile set for the API server.
 
-* If you need to define a policy for handling new route claims, you can use the `routeAdmission` parameter to allow or deny claims across namespaces. You set the `routeAdmission` parameter to describe how hostname claims across namespaces should be handled and to describe how routes with wildcard policies are handled by the ingress controller. 
+Create policies for new route claims::
+* If you need to define a policy for handling new route claims, you can use the `routeAdmission` parameter to allow or deny claims across namespaces. You set the `routeAdmission` parameter to describe how hostname claims across namespaces should be handled and to describe how routes with wildcard policies are handled by the ingress controller.
+
+Customize error pages::
+* If you want more than the default error pages, which are usually empty and only return the http status code, configure custom error pages.
+
+Capture HTTP headers or cookies::
+* If you want to include the capture of HTTP headers or cookies, configure access logging.