34 changes: 34 additions & 0 deletions admin_guide/managing_networking.adoc
Expand Up @@ -144,6 +144,40 @@ $ systemctl restart atomic-openshift-master-api atomic-openshift-master-controll

----

[[admin-guide-managing-networking-ingress]]
== Setting up the HAProxy router to accept ingress objects

By default, the HAProxy router only accepts route objects. You can set up the
Author
In order to describe the comparison, I mentioned the router only accepts route objects. Is this accurate?

Contributor
That is correct.

HAProxy router as a Kubernetes
link:https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress
Controller] so that it accepts both route and ingress objects. If configured,
the same rules apply for claiming a domain for a namespace based on the creation
time of the object. For example, the oldest route winning against any other
claimants wanting to use the same namespace.

For example, ownership of routes is based on the claims made for that host name with the same namespace. The oldest route wins against any other claims.

While this makes the router compatible with Kubernetes ingress
objects, some caveats exist:

* Ingress objects store the keys and certificates in secrets, so the router needs permission to read all secrets in the system.
* Ingress objects only support edge termination for *https* routes.

To configure an existing router to have Ingress support (assuming the default
name of `router` for the deployment configuration and the service-account):

. Set the `ROUTER_ENABLE_INGRESS` environment variable to `true`:
+
----
$ oc env dc router ROUTER_ENABLE_INGRESS=true`
----

. Add the cluster-admin role to the router:
+
----
$ oc adm policy add-role-to-user cluster-admin router`

The two roles below should be added to the `router` SA; `oc adm policy add-role-to-user cluster-admin router` is invalid.

```
oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
oc adm policy add-cluster-role-to-user system:openshift:controller:service-serving-cert-controller system:serviceaccount:default:router
```

Maybe `oc adm policy add-cluster-role-to-user cluster-reader -z router` also works here.

----

[[admin-guide-controlling-egress-traffic]]
== Controlling Egress Traffic

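Review bot: the role step `oc adm policy add-role-to-user cluster-admin router` is both wrong and far broader than the text justifies. `add-role-to-user` with a bare name `router` binds a user, not the router service account, and the caveat above only asks for permission to read secrets, so a read-only cluster role bound to the service account (`oc adm policy add-cluster-role-to-user <read-only-role> -z router`, or the `system:serviceaccount:default:router` form) is the least privilege that satisfies it; handing cluster-admin to an edge component is exactly what a hardening guide should not tell readers to do. Both commands also end with a stray backtick (`ROUTER_ENABLE_INGRESS=true\`` and `router\``) that will be pasted into a shell and break the command. Separately, the paragraph beginning "If configured, the same rules apply" and the sentence "For example, ownership of routes is based on the claims made for that host name" say the same thing twice, and the first talks about claiming a domain for a namespace while the second says claims are per host name; keep the host-name wording and drop the other.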
1 change: 1 addition & 0 deletions architecture/topics/router_environment_variables.adoc
Expand Up @@ -45,6 +45,7 @@ connections (and any time HAProxy is reloaded), the old HAProxy processes
will "linger" around for that period. xref:time-units[(TimeUnits)]
|`ROUTER_DENIED_DOMAINS` | | A comma-separated list of domains that the host name in a route can not be part of. No subdomain in the domain can be used either. Overrides option `ROUTER_ALLOWED_DOMAINS`.
|`ROUTER_ENABLE_COMPRESSION`| | If `true` or `TRUE`, compress responses when possible.
|`ROUTER_ENABLE_INGRESS`| | If `true` or `TRUE`, look at both Ingress objects and Route objects.
|`ROUTER_LISTEN_ADDR`| 0.0.0.0:1936 | Sets the listening address for xref:../../install_config/router/default_haproxy_router.adoc#exposing-the-router-metrics[router metrics].
|`ROUTER_LOG_LEVEL` | warning | The log level to send to the syslog server.
|`ROUTER_MAX_CONNECTIONS`| 20000 | Maximum number of concurrent connections.
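Review bot: the `ROUTER_ENABLE_INGRESS` description should say that flipping the variable is not sufficient on its own; the admin-guide section added in this same change says the router must also be granted permission to read secrets, and a reader who only consults this table will set the variable without that step. Add an xref to that section the way the `ROUTER_LISTEN_ADDR` row does for metrics, for example `xref:../../admin_guide/managing_networking.adoc#admin-guide-managing-networking-ingress[accepting ingress objects]`, so the privilege requirement is reachable from the variable reference.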