added info for routes to accept ingress objects

Author: brice

admin_guide/managing_networking.adoc

@@ -144,6 +144,40 @@ $ systemctl restart atomic-openshift-master-api atomic-openshift-master-controll
 
 ----
 
+[[admin-guide-managing-networking-ingress]]
+== Setting up the HAProxy router to accept ingress objects
+
+By default, the HAProxy router only accepts route objects. You can set up the
+HAProxy router as a Kubernetes
+link:https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress
+Controller] so that it accepts both route and ingress objects. If configured,
+the same rules apply for claiming a domain for a namespace based on the creation
+time of the object. For example, the oldest route winning against any other
+claimants wanting to use the same namespace.
+
+For example, ownership of routes is based on the claims made for that host name with the same namespace. The oldest route wins against any other claims. 
+
+While this makes the router compatible with Kubernetes ingress
+objects, some caveats exist:
+
+* Ingress objects store the keys and certificates in secrets, so the router needs permission to read all secrets in the system.
+* Ingress objects only support edge termination for *https* routes.
+
+To configure an existing router to have Ingress support (assuming the default
+name of `router` for the deployment configuration and the service-account):
+
+. Set the `ROUTER_ENABLE_INGRESS` environment variable to `true`:
++
+----
+$ oc env dc router ROUTER_ENABLE_INGRESS=true`
+----
+
+. Add the cluster-admin role to the router:
++
+----
+$ oc adm policy add-role-to-user cluster-admin router`
+----
+
 [[admin-guide-controlling-egress-traffic]]
 == Controlling Egress Traffic
 

architecture/topics/router_environment_variables.adoc

@@ -45,6 +45,7 @@ connections (and any time HAProxy is reloaded), the old HAProxy processes
 will "linger" around for that period. xref:time-units[(TimeUnits)]
 |`ROUTER_DENIED_DOMAINS` | | A comma-separated list of domains that the host name in a route can not be part of. No subdomain in the domain can be used either. Overrides option `ROUTER_ALLOWED_DOMAINS`.
 |`ROUTER_ENABLE_COMPRESSION`| | If `true` or `TRUE`, compress responses when possible.
+|`ROUTER_ENABLE_INGRESS`| | If `true` or `TRUE`, look at both Ingress objects and Route objects.
 |`ROUTER_LISTEN_ADDR`| 0.0.0.0:1936 | Sets the listening address for xref:../../install_config/router/default_haproxy_router.adoc#exposing-the-router-metrics[router metrics].
 |`ROUTER_LOG_LEVEL` | warning | The log level to send to the syslog server.
 |`ROUTER_MAX_CONNECTIONS`| 20000 | Maximum number of concurrent connections.