diff --git a/admin_guide/managing_networking.adoc b/admin_guide/managing_networking.adoc index 1942eac270fc..8b7b7c3aea4a 100644 --- a/admin_guide/managing_networking.adoc +++ b/admin_guide/managing_networking.adoc @@ -144,6 +144,40 @@ $ systemctl restart atomic-openshift-master-api atomic-openshift-master-controll ---- +[[admin-guide-managing-networking-ingress]] +== Setting up the HAProxy router to accept ingress objects + +By default, the HAProxy router only accepts route objects. You can set up the +HAProxy router as a Kubernetes +link:https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress +Controller] so that it accepts both route and ingress objects. If configured, +the same rules apply for claiming a domain for a namespace based on the creation +time of the object. For example, the oldest route winning against any other +claimants wanting to use the same namespace. + +For example, ownership of routes is based on the claims made for that host name with the same namespace. The oldest route wins against any other claims. + +While this makes the router compatible with Kubernetes ingress +objects, some caveats exist: + +* Ingress objects store the keys and certificates in secrets, so the router needs permission to read all secrets in the system. +* Ingress objects only support edge termination for *https* routes. + +To configure an existing router to have Ingress support (assuming the default +name of `router` for the deployment configuration and the service-account): + +. Set the `ROUTER_ENABLE_INGRESS` environment variable to `true`: ++ +---- +$ oc env dc router ROUTER_ENABLE_INGRESS=true` +---- + +. Add the cluster-admin role to the router: ++ +---- +$ oc adm policy add-role-to-user cluster-admin router` +---- + [[admin-guide-controlling-egress-traffic]] == Controlling Egress Traffic 
diff --git a/architecture/topics/router_environment_variables.adoc b/architecture/topics/router_environment_variables.adoc index f3570f3f5e5a..cfaf0fe6dcdc 100644 --- a/architecture/topics/router_environment_variables.adoc +++ b/architecture/topics/router_environment_variables.adoc @@ -45,6 +45,7 @@ connections (and any time HAProxy is reloaded), the old HAProxy processes will "linger" around for that period. xref:time-units[(TimeUnits)] |`ROUTER_DENIED_DOMAINS` | | A comma-separated list of domains that the host name in a route can not be part of. No subdomain in the domain can be used either. Overrides option `ROUTER_ALLOWED_DOMAINS`. |`ROUTER_ENABLE_COMPRESSION`| | If `true` or `TRUE`, compress responses when possible. +|`ROUTER_ENABLE_INGRESS`| | If `true` or `TRUE`, look at both Ingress objects and Route objects. |`ROUTER_LISTEN_ADDR`| 0.0.0.0:1936 | Sets the listening address for xref:../../install_config/router/default_haproxy_router.adoc#exposing-the-router-metrics[router metrics]. |`ROUTER_LOG_LEVEL` | warning | The log level to send to the syslog server. |`ROUTER_MAX_CONNECTIONS`| 20000 | Maximum number of concurrent connections.
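Review bot: In the last step of the new section in admin_guide/managing_networking.adoc, `oc adm policy add-role-to-user cluster-admin router` grants far more than the need stated in the caveat ("the router needs permission to read all secrets in the system"), and it does not match the surrounding text. `add-role-to-user` with a bare name binds a user called `router` in the current project, not the `router` service account, and a project-local binding would not cover secrets in other namespaces. Suggest binding the service account explicitly (`-z router`, with the cluster-scoped `add-cluster-role-to-user`) to a role limited to reading secrets, or at minimum stating in the step that it gives the router full cluster-admin rights. Both command lines also end in a stray backtick that will break copy and paste, and the two consecutive "For example" sentences about the oldest route winning say the same thing, so one of them can go.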
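Review bot: The new `ROUTER_ENABLE_INGRESS` row in architecture/topics/router_environment_variables.adoc leaves the default column empty and does not mention the permission the setting depends on. Since the admin guide section added in this patch says the router must be able to read all secrets once ingress support is on, suggest stating the default explicitly and adding an xref to `admin-guide-managing-networking-ingress` so a reader who finds the variable here sees that requirement before enabling it. "look at both Ingress objects and Route objects" would also read more clearly as "accept both", which is the wording the admin guide uses.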