You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* xref:../microshift_configuring/microshift-ingress-controller.adoc#microshift-ingress-controller[Using ingress control for a {microshift-short} cluster]
Copy file name to clipboardExpand all lines: modules/microshift-config-parameters-table.adoc
+85-28Lines changed: 85 additions & 28 deletions
Original file line number
Diff line number
Diff line change
@@ -63,11 +63,11 @@ The following table explains {microshift-short} configuration YAML parameters an
63
63
64
64
|`tls.minVersion`
65
65
|`VersionTLS12` or `VersionTLS13`
66
-
|Specifies the minimum version of TLS to serve from the API serve. Default is value is `VersionTLS12`. TLS 1.3 ciphers are preset and not configurable.
66
+
|Specifies the minimum version of TLS to serve from the API server. The default value is `VersionTLS12`.
67
67
68
68
|`debugging.logLevel`
69
69
|`Normal`, `Debug`, `Trace`, or `TraceAll`
70
-
|Log verbosity. Default value is `Normal`.
70
+
|Log verbosity. The default value is `Normal`.
71
71
72
72
|`dns.baseDomain`
73
73
|`valid domain`
@@ -77,25 +77,46 @@ The following table explains {microshift-short} configuration YAML parameters an
77
77
|`number`
78
78
|By default, `etcd` uses as much memory as needed to handle the load on the system. However, in memory constrained systems, it might be preferred or necessary to limit the amount of memory `etcd` can to use at a given time.
79
79
80
+
|`ingress.certificateSecret`
81
+
|`string`
82
+
|A reference to a secret that contains the default certificate that is served by the ingress controller. When routes do not specify their own certificate, `certificateSecret` is used.
83
+
84
+
The secret must contain the following keys and data:
85
+
86
+
* `tls.crt`: certificate file contents
87
+
* `tls.key`: key file contents
88
+
89
+
If you do not set one of these values, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller `domain` and `subdomains` fields, and the generated CA for the certificate is automatically integrated with the truststore for the cluster.
90
+
91
+
Any certificate in use is automatically integrated in the {microshift-short} OAuth server.
|`clientTLS` authenticates client access to the cluster and services; as a result, mutual TLS authentication is enabled. If you do not set a value, the client TLS is not enabled. The `clientTLS` parameter has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`.
96
+
97
+
* The `ClientCertificatePolicy` subfield accepts the following two values: `Required` or `Optional`. Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; the ingress controller cannot check certificates for cleartext HTTP or passthrough TLS routes. The `ClientCA` subfield specifies a config map that is in the `openshift-ingress` namespace. The config map should contain a CA certificate bundle. A config map is required for this field.
98
+
99
+
* The `AllowedSubjectPatterns` is an optional subfield that specifies a list of regular expressions, which are matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use the Perl Compatible Regular Expressions (PCRE) syntax. This field must contain a valid expression or the {microshift-short} service fails. At least one pattern must match a client certificate's distinguished name; otherwise, the ingress controller rejects the certificate and denies the connection. If you do not specify a value, the ingress controller does not reject certificates based on the distinguished name.
100
+
80
101
|`ingress.defaultHTTPVersion`
81
102
|`number`
82
-
|Determines the default HTTP version to be used for ingress. Default value is `1`, which is the HTTP/1.1 protocol.
103
+
|Determines the default HTTP version to be used for ingress. The default value is `1`, which is the HTTP/1.1 protocol.
83
104
84
105
|`ingress.forwardedHeaderPolicy`
85
106
|`Append`, `Replace`, `IfNone`, `Never`
86
-
|Specifies when and how the ingress router sets the `Forwarded`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, and `X-Forwarded-Proto-Version` HTTP headers.
107
+
|Specifies when and how the ingress controller sets the `Forwarded`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, and `X-Forwarded-Proto-Version` HTTP headers. The default value is `Append`.
87
108
88
-
* `Append` specifies that the ingress router appends existing headers. `Append` is the default value.
109
+
* `Append` specifies that the ingress controller appends existing headers.
89
110
90
-
* `Replace` specifies that the ingress router sets the headers and replaces any existing `Forwarded` or `X-Forwarded-*` headers.
111
+
* `Replace` specifies that the ingress controller sets the headers and replaces any existing `Forwarded` or `X-Forwarded-*` headers.
91
112
92
-
* `IfNone` specifies that the ingress router sets headers if they are not already set.
113
+
* `IfNone` specifies that the ingress controller sets headers if they are not already set.
93
114
94
-
* `Never` specifies that ingress router never sets the headers, preserving any existing headers.
115
+
* `Never` specifies that ingress controller never sets the headers, preserving any existing headers.
95
116
96
117
|`ingress.httpCompression`
97
118
|`object`
98
-
|`httpCompression` defines a policy for HTTP traffic compression. There is no HTTP compression by default.
119
+
|Defines a policy for HTTP traffic compression. There is no HTTP compression by default.
99
120
100
121
|`ingress.httpCompression.mimeTypes`
101
122
|`array` or null
@@ -117,7 +138,7 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
117
138
118
139
|`ingress.httpEmptyRequestsPolicy`
119
140
|`Respond` or `Ignore`
120
-
|The default value is `Respond`. Describes how HTTP connections should be handled if the connection times out before a request is received. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`.
141
+
|The default value is `Respond`. Describes how HTTP connections should be handled if the connection times out before a request is received. These connections typically come from the health probes of a load balancer service or a web browser's speculative connections, such as a `preconnect`.
121
142
122
143
* If the field is set to `Respond`, the ingress controller sends an "HTTP 400" or "408" response, logs the connection if access logging is enabled, and counts the connection in the appropriate metrics.
123
144
@@ -129,23 +150,59 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
129
150
130
151
|`ingress.logEmptyRequests`
131
152
|`Log` or `Ignore`
132
-
|Default value is `Log`. Specifies how connections on which empty requests are received are logged. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`. Logging typical requests might be undesirable, but requests can also be caused by network errors or port scans, in which case logging can be useful for diagnosing errors and detecting intrusion attempts.
153
+
|The default value is `Log`. Specifies how connections on which empty requests are received are logged. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`. Logging typical requests might be undesirable, but requests can also be caused by network errors or port scans, in which case logging can be useful for diagnosing errors and detecting intrusion attempts.
133
154
134
155
|`ingress.ports.http`
135
156
|`80`
136
-
|Default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.
157
+
|The default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.
137
158
138
159
|`ingress.ports.https`
139
160
|`443`
140
-
|Default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.
161
+
|The default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.
162
+
163
+
|`ingress.routeAdmissionPolicy`
164
+
|`namespaceOwnership` or `wildcardPolicy`
165
+
|Defines a policy for handling new route claims, such as allowing or denying claims across namespaces. By default, allows routes to claim different paths of the same hostname across namespaces.
|Describes how hostname claims across namespaces are handled. By default, allows routes to claim different paths of the same hostname across namespaces. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short}`config.yaml`, the `InterNamespaceAllowed` value is automatically set.
169
+
|Describes how hostname claims across namespaces should be handled. The default value is `InterNamespaceAllowed`. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short}`config.yaml` file, the `InterNamespaceAllowed` value is automatically set.
170
+
171
+
* `Strict`: does not allow routes to claim the same hostname across namespaces.
172
+
173
+
* `InterNamespaceAllowed`: allows routes to claim different paths of the same hostname across namespaces.
174
+
175
+
|`ingress.routeAdmissionPolicy.wildcardPolicy`
176
+
|`WildcardsAllowed` or `WildcardsDisallowed`
177
+
|Describes how routes with wildcard policies are handled by the ingress controller.
178
+
179
+
* `WildcardsAllowed`: Indicates routes with any wildcard policy are admitted by the ingress controller.
180
+
181
+
* `WildcardsDisallowed`: Indicates only routes with a wildcard policy of `None` are admitted by the ingress controller. Updating `wildcardPolicy` from `WildcardsAllowed` to `WildcardsDisallowed` causes admitted routes with a wildcard policy of `Subdomain` to stop working. These routes must be recreated to a wildcard policy of `None` to be readmitted by the ingress controller. `WildcardsDisallowed` is the default setting.
145
182
146
183
|`ingress.status`
147
184
|`Managed` or `Removed`
148
-
|Router status. Default is `Managed`.
185
+
|Router status. The default is `Managed`.
186
+
187
+
|`ingress.tlsSecurityProfile`
188
+
|`object`
189
+
|Specifies settings for ingress controllers TLS connections. If you do not set one, the default value is based on the `apiservers.config.openshift.io/cluster` resource.
190
+
191
+
|`ingress.tlsSecurityProfile.type`
192
+
|`Old`, `Intermediate`, `Modern`, `Custom`
193
+
|Specifies the profile type for the TLS Security. The default value is `Intermediate`.
194
+
195
+
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` might cause a new profile configuration to be applied to the ingress controller, resulting in a rollout.
196
+
197
+
|`ingress.tlsSecurityProfile.minTLSVersion`
198
+
|`number`
199
+
|Specifies the TLS version for ingress controllers.
200
+
201
+
The minimum TLS version is `1.1`, and the maximum TLS version is `1.3`.
202
+
203
+
* Ciphers and the minimum TLS version of the configured security profile are reflected in the `TLSProfile` status.
204
+
205
+
* The ingress controller converts the TLS `1.0` of an `Old` or `Custom` profile to `1.1`.
149
206
150
207
|`ingress.tuningOptions`
151
208
|Objects
@@ -161,13 +218,13 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
161
218
162
219
|`ingress.tuningOptions.headerBufferBytes`
163
220
|An `integer` with the `format` of `int32`; `16384` is the minimum value when HTTP/2 is enabled.
164
-
|Describes how much memory in bytes must be reserved for `IngressController` connection sessions. Default value is `32768` in bytes.
221
+
|Describes how much memory in bytes must be reserved for `IngressController` connection sessions. The default value is `32768` in bytes.
165
222
166
223
* Setting this field is generally not recommended because `headerBufferBytes` values that are too small can break the `IngressController` and `headerBufferBytes` values that are too large can cause the `IngressController` to use significantly more memory than necessary.
|`integer`, formatted `int32`; `4096` is the minimum value
170
-
|Describes how much memory in bytes must be reserved from `headerBufferBytes` for HTTP header rewriting and appending for `IngressController` connection sessions. Default value is `8192` bytes. Incoming HTTP requests are limited to the `headerBufferBytes` bytes minus the `headerBufferMaxRewriteBytes` bytes, meaning that the value of `headerBufferBytes` must be greater than the value of `headerBufferMaxRewriteBytes`.
227
+
|Describes how much memory in bytes must be reserved from `headerBufferBytes` for HTTP header rewriting and appending for `IngressController` connection sessions. The default value is `8192` bytes. Incoming HTTP requests are limited to the `headerBufferBytes` bytes minus the `headerBufferMaxRewriteBytes` bytes, meaning that the value of `headerBufferBytes` must be greater than the value of `headerBufferMaxRewriteBytes`.
171
228
172
229
* Setting this field is generally not recommended because `headerBufferMaxRewriteBytes` values that are too small can break the `IngressController` and `headerBufferMaxRewriteBytes` values that are too large can cause the `IngressController` to use significantly more memory than necessary.
173
230
@@ -187,7 +244,7 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
187
244
188
245
|`ingress.tuningOptions.maxConnections`
189
246
|`integer`, valid values are: `empty`, `0`, `-1`, and the range `2000-2000000`
190
-
|Default value is `0`. defines the maximum number of simultaneous connections that can be established per `HAProxy` process. Increasing this value allows each ingress controller pod to handle more connections at the cost of additional system resources being consumed.
247
+
|The default value is `0`. defines the maximum number of simultaneous connections that can be established per `HAProxy` process. Increasing this value allows each ingress controller pod to handle more connections at the cost of additional system resources being consumed.
191
248
192
249
* If this field is empty or `0`, the `IngressController` uses the default value of `50000`, but the default is subject to change in future releases.
|See the {microshift-short} low-latency instructions
238
-
|Parameter for passthrough configuration of the kubelet node agent. Used for low-latency configuration. Default value is null.
295
+
|Parameter for passthrough configuration of the kubelet node agent. Used for low-latency configuration. The default value is null.
239
296
240
297
|`manifests`
241
298
|`list of paths`
242
-
|The locations on the file system to scan for `kustomization` files to use to load manifests. Set to a list of paths to scan only those paths. Set to an empty list to disable loading manifests. The entries in the list can be glob patterns to match multiple subdirectories. Default values are `/usr/lib/microshift/manifests`, `/usr/lib/microshift/manifests.d/`, `/etc/microshift/manifests`, and `/etc/microshift/manifests.d/`.
299
+
|The locations on the file system to scan for `kustomization` files to use to load manifests. Set to a list of paths to scan only those paths. Set to an empty list to disable loading manifests. The entries in the list can be glob patterns to match multiple subdirectories. The default values are `/usr/lib/microshift/manifests`, `/usr/lib/microshift/manifests.d/`, `/etc/microshift/manifests`, and `/etc/microshift/manifests.d/`.
243
300
244
301
|`network.clusterNetwork`
245
302
|IP address block
246
-
|A block of IP addresses from which pod IP addresses are allocated. IPv4 is the default network. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. Default range is `10.42.0.0/16`.
303
+
|A block of IP addresses from which pod IP addresses are allocated. IPv4 is the default network. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. The default range is `10.42.0.0/16`.
247
304
248
305
|`network.cniPlugin`
249
306
|String
250
307
|Deploys the Open Virtual Networking - Kubernetes (OVN-K) network plugin as the default container network interface (CNI) when empty or set to `"ovnk"`. Supported values are empty, `""` or `"ovnk"`. Setting to `"none"` removes the CNI and is not recommended. Only OVN-K is managed by {microshift-short}.
251
308
252
309
|`network.multus.status`
253
310
|`string`
254
-
|Controls the deployment of the Multus Container Network Interface (CNI). Default status is `Disabled`. If you set the value to `Enabled`, the Multus CNI cannot be deleted.
311
+
|Controls the deployment of the Multus Container Network Interface (CNI). The default status is `Disabled`. If you set the value to `Enabled`, the Multus CNI cannot be deleted.
255
312
256
313
|`network.serviceNetwork`
257
314
|IP address block
258
-
|A block of virtual IP addresses for Kubernetes services. IP address pool for services. IPv4 is the default. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. Default range is `10.43.0.0/16`.
315
+
|A block of virtual IP addresses for Kubernetes services. IP address pool for services. IPv4 is the default. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. The default range is `10.43.0.0/16`.
259
316
260
317
|`network.serviceNodePortRange`
261
318
|`range`
262
-
|The port range allowed for Kubernetes services of type `NodePort`. If not specified, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after {microshift-short} starts.
319
+
|The port range allowed for Kubernetes services of type `NodePort`. If you do not specify the range, the default range of `30000-32767` is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after {microshift-short} starts.
|The IPv6 address for the node for dual-stack configurations. Cannot be configured in single stack for either IPv4 or IPv6. Default is an empty value or null.
331
+
|The IPv6 address for the node for dual-stack configurations. Cannot be configured in single stack for either IPv4 or IPv6. The default is an empty value or null.
275
332
276
333
|`storage.driver`
277
334
|`none` or `lvms`
278
-
|Default value is empty. An empty value or null field defaults to LVMS deployment.
335
+
|The default value is empty. An empty value or null field defaults to LVMS deployment.
279
336
280
337
|`storage.optionalCsiComponents`
281
338
|`array`
282
-
|Default value is null or an empty array. A null or empty array defaults to deploying `snapshot-controller`. Expected values are `csi-snapshot-controller` or `none`. A value of `none` is mutually exclusive with all other values.
339
+
|The default value is null or an empty array. A null or empty array defaults to deploying `snapshot-controller`. Expected values are `csi-snapshot-controller` or `none`. A value of `none` is mutually exclusive with all other values.
283
340
284
341
|`telemetry.endpoint`
285
342
|`https://infogw.api.openshift.com`
286
-
|The endpoint where telemetry data is sent. No user or private data is included in the metrics reported. Default value is `https://infogw.api.openshift.com`.
343
+
|The endpoint where telemetry data is sent. No user or private data is included in the metrics reported. The default value is `https://infogw.api.openshift.com`.
0 commit comments