OSDOCS-14578: adds ingress control options to MicroShift

Author: ShaunaDiaz

modules/microshift-config-yaml-custom.adoc

@@ -5,6 +5,7 @@
 :_mod-docs-content-type: CONCEPT
 [id="microshift-yaml-custom_{context}"]
 = Using custom settings
+
 To create custom configurations, make a copy of the `config.yaml.default` file that is provided in the `/etc/microshift/` directory, renaming it `config.yaml`. Keep this file in the `/etc/microshift/` directory, and then you can change supported settings that are expected to override the defaults before starting or restarting {microshift-short}.
 
 [IMPORTANT]

modules/microshift-default-settings.adoc

@@ -33,7 +33,15 @@ apiServer:
   subjectAltNames: []
   tls:
     cipherSuites:
-            - ""
+    - TLS_AES_128_GCM_SHA256
+    - TLS_AES_256_GCM_SHA384
+    - TLS_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
     minVersion: VersionTLS12
 debugging:
   logLevel: "Normal"
@@ -42,6 +50,31 @@ dns:
 etcd:
   memoryLimitMB: 0
 ingress:
+  accessLogging:
+    destination:
+      type:
+      container:
+        maxLength: 1024
+      syslog:
+        address: ""
+        facility: ""
+        maxLength: 1024
+        port: 0
+      type: ""
+    httpCaptureCookies:
+      - matchType: ""
+        maxLength: 0
+        name: ""
+        namePrefix: ""
+    httpCaptureHeaders:
+      request:
+        - maxLength: 0
+          name: ""
+      response:
+        - maxLength: 0
+          name: ""
+    httpLogFormat: ""
+    status: Disabled
   certificateSecret: router-certs-default
   clientTLS:
     allowedSubjectPatterns:
@@ -54,8 +87,9 @@ ingress:
     mimeTypes:
       - ""
   httpEmptyRequestsPolicy: Respond
-  listenAddress:
-    - ""
+  httpErrorCodePages:
+      name: ""
+  listenAddress: []
   logEmptyRequests: Log
   ports:
     http: 80
@@ -65,14 +99,7 @@ ingress:
     wildcardPolicy: WildcardPolicyAllowed
   status: Managed
   tlsSecurityProfile:
-    type: Custom
-    custom:
-      ciphers:
-        - ECDHE-ECDSA-CHACHA20-POLY1305
-        - ECDHE-RSA-CHACHA20-POLY1305
-        - ECDHE-RSA-AES128-GCM-SHA256
-        - ECDHE-ECDSA-AES128-GCM-SHA256
-      minTLSVersion: VersionTLS12
+    type: Intermediate
   tuningOptions:
       clientFinTimeout: "1s"
       clientTimeout: "30s"

modules/microshift-ingress-controller-config.adoc

@@ -41,6 +41,30 @@ Configuration snippet YAMLs take precedence over both built-in settings and the
 apiServer:
 # ...
 ingress:
+  accessLogging:
+    destination:
+      container:
+        maxLength: 1024
+      syslog:
+        address: ""
+        facility: ""
+        maxLength: 1024
+        port: 0
+      type: ""
+    httpCaptureCookies:
+      - matchType: ""
+        maxLength: 0
+        name: ""
+        namePrefix: ""
+    httpCaptureHeaders:
+      request:
+        - maxLength: 0
+          name: ""
+      response:
+        - maxLength: 0
+          name: ""
+    httpLogFormat: ""
+    status: Disabled
   certificateSecret: router-certs-custom
   clientTLS:
     allowedSubjectPatterns: []
@@ -53,6 +77,8 @@ ingress:
     mimeTypes:
       - ""
   httpEmptyRequestsPolicy: Respond
+  httpErrorCodePages:
+      name: ""
   listenAddress: []
   logEmptyRequests: Log
   ports:
@@ -69,7 +95,6 @@ ingress:
       minTLSVersion:""
     intermediate: {}
     old: {}
-    type: ""
   tuningOptions:
     clientFinTimeout: 1s
     clientTimeout: 30s
@@ -91,7 +116,90 @@ ingress:
 |Parameter |Description
 
 |`ingress`
-|The `ingress` section of the {microshift-short} `config.yaml` file defines the configurable parameters for the implemented portions of the {OCP} Ingress Control Operator. All parameters in the rest of this table are subsections in the `ingress` section of the `config.yaml`.
+|The `ingress` section of the {microshift-short} `config.yaml` file defines the configurable parameters for the implemented portions of the {OCP} Ingress Control Operator. The full Operator is not supported on {microshift-short}. All of the following parameters in this table are subsections in the `ingress` section of the {microshift-short} `config.yaml`.
+
+|`accessLogging`
+|Describes how client requests are logged. If this field is empty, access logging is disabled.
+//how do we activate it? in the `status` field? (if yes, how come status is not first in this list?)
+
+|`accessLogging.destination`
+|A destination for logs. The destination for logs can be a local sidecar container or remote.
+//is the default just empty?
+
+|`accessLogging.destination.type`
+|The type of destination for logs. Valid values are `Container` or `Syslog`.
+
+* Setting this value to `Container` specifies that logs should go to a sidecar container. The Ingress Operator configures the container, named logs, on the Ingress Controller pod and configures the Ingress Controller to write logs to the container. The expectation is that the administrator configures a custom logging solution that reads logs from this container. Using container logs means that logs may be dropped if the rate of logs exceeds the container runtime capacity or the custom logging solution capacity.
+//how is microshift handling this?
+* Setting this value to `Syslog` specifies that logs are sent to a Syslog endpoint. You must configure a custom Syslog instance and specify an endpoint that can receive Syslog messages.
+//should we supply instructions or links for these actions?
+
+|`accessLogging.destination.container`
+|Describes parameters for the Container logging destination type.
+//"Currently there are no parameters for container logging, so this field must be empty." per the openshift docs -?
+
+|`accessLogging.destination.container.maxLength`
+|Default value is 1024.
+//characters or data size? what's the context for this number? and behavior when exceeded? are there min and max values?
+
+|`accessLogging.destination.syslog`
+|Describes parameters for the `Syslog` logging destination type.
+
+|`accessLogging.destination.syslog.address`
+|The IP address of the syslog endpoint that receives log messages.
+//any invalid values we should know about?
+
+|`accessLogging.destination.syslog.facility`
+|Specifies the syslog facility of log messages. If this field is empty, the facility is `local1`. Otherwise, the field must specify one of the following valid syslog facilities: `kern`, `user`, `mail`, `daemon`, `auth`, `syslog`, `lpr`, `news`, `uucp`, `cron`, auth2``, `ftp`, `ntp`, `audit`, `alert`, `cron2`, `local0`, `local1`, `local2`, `local3`, `local4`, `local5`, `local6`, or `local7`.
+//all true for microshift?
+
+|`accessLogging.destination.syslog.maxLength`
+|The maximum length of the `Syslog` message. Message length must be at least `480` and not greater than `4096` bytes. If this field is empty, the maximum length is set to the default value of 1024 bytes.
+
+|`accessLogging.destination.syslog.port`
+|The UDP port number of the syslog endpoint that receives log messages. The default value is `0`.
+
+|`httpCaptureCookies`
+|
+
+|`httpCaptureCookiesmatchType`
+|
+
+|`httpCaptureCookiesmaxLength`
+|
+
+|`httpCaptureCookiesname`
+|
+
+|`httpCaptureCookiesnamePrefix`
+|
+
+|`httpCaptureHeaders`
+|
+
+|`httpCaptureHeaders.request`
+|
+
+|`httpCaptureHeaders.request.maxLength`
+|
+
+|`httpCaptureHeaders.request.name`
+|
+
+|`httpCaptureHeaders.response`
+|
+
+|`httpCaptureHeaders.responsemaxLength`
+|
+
+|`httpCaptureHeaders.responsename`
+|
+
+|`httpLogFormat`
+|
+
+|`status`
+|Valid values are `Enabled` and `Disabled`. Default value is `Disabled`.  If this field is set to `Enabled`, the `accessLogging.destination.type` is automatically set to `Container`.
 
 |`certificateSecret`
 |A reference to a `kubernetes.io/tls` type of secret that contains the default certificate that is served by the {microshift-short} ingress controller. When routes do not specify their own certificate, the `certificateSecret` parameter is used. All secrets used must contain `tls.key` key file contents and `tls.crt` certificate file contents.