OSDOCS-14402:YAML parameter additions

Author: Ted Avery

microshift_configuring/microshift-using-config-yaml.adoc

@@ -29,3 +29,5 @@ include::modules/microshift-config-nodeport-limits.adoc[leveloffset=+2]
 == Additional resources
 
 * xref:../../microshift-greenboot-checking-status.adoc#microshift-greenboot-checking-status[Checking Greenboot status]
+
+* xref:../microshift_configuring/microshift-ingress-controller.adoc#microshift-ingress-controller[Using ingress control for a {microshift-short} cluster]

modules/microshift-config-parameters-table.adoc

@@ -63,7 +63,7 @@ The following table explains {microshift-short} configuration YAML parameters an
 
 |`tls.minVersion`
 |`VersionTLS12` or `VersionTLS13`
-|Specifies the minimum version of TLS to serve from the API serve. Default is value is `VersionTLS12`. TLS 1.3 ciphers are preset and not configurable.
+|Specifies the minimum version of TLS to serve from the API server. Default is value is `VersionTLS12`. TLS 1.3 ciphers are preset and not configurable.
 
 |`debugging.logLevel`
 |`Normal`, `Debug`, `Trace`, or `TraceAll`
@@ -77,25 +77,46 @@ The following table explains {microshift-short} configuration YAML parameters an
 |`number`
 |By default, `etcd` uses as much memory as needed to handle the load on the system. However, in memory constrained systems, it might be preferred or necessary to limit the amount of memory `etcd` can to use at a given time.
 
+|`ingress.certificate.Secret`
+|`string`
+|A string that is a reference to a secret that contains the default certificate that is served by the ingress controller. When Routes do not specify their own certificate, `certificateSecret` is used.
+
+The secret must contain the following keys and data:
+
+* `tls.crt`: certificate file contents
+* `tls.key`: key file contents
+
+If you do not set one, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller `domain` and `subdomains`, and the generated certificate's CA is automatically integrated with the cluster's truststore.
+
+Any certificate in use is automatically integrated in the {microshift-short} OAth server.
+
+|`ingress.clientTLS`
+|`spec.clientTLS.clientCertificatePolicy`, `spec.clientTLS.ClientCA`, `AllowedSubjectPatterns`
+|`clientTLS` authenticates client access to the cluster and services; as a result, mutual TLS authentication is enabled. If you do not set one, then client TLS is not enabled. `clientTLS` has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`.
+
+The `ClientCertificatePolicy` subfield accepts one of the two values: `Required` or `Optional`. Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes. The `ClientCA` subfield specifies a config map that is in the openshift-ingress namespace. The config map should contain a CA certificate bundle. A config map is required for this field.
+
+The `AllowedSubjectPatterns` is an optional value that specifies a list of regular expressions, which are matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use PCRE syntax. This field must contain a valid expression or the MicroShift service will fail. At least one pattern must match a client certificate's distinguished name; otherwise, the ingress controller rejects the certificate and denies the connection. If you do not specify a value, the ingress controller does not reject certificates based on the distinguished name.
+
 |`ingress.defaultHTTPVersion`
 |`number`
 |Determines the default HTTP version to be used for ingress. Default value is `1`, which is the HTTP/1.1 protocol.
 
 |`ingress.forwardedHeaderPolicy`
 |`Append`, `Replace`, `IfNone`, `Never`
-|Specifies when and how the ingress router sets the `Forwarded`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, and `X-Forwarded-Proto-Version` HTTP headers.
+|Specifies when and how the ingress controller sets the `Forwarded`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, and `X-Forwarded-Proto-Version` HTTP headers. The default value is `Append`.
 
-* `Append` specifies that the ingress router appends existing headers. `Append` is the default value.
+* `Append` specifies that the ingress controller appends existing headers.
 
-* `Replace` specifies that the ingress router sets the headers and replaces any existing `Forwarded` or `X-Forwarded-*` headers.
+* `Replace` specifies that the ingress controller sets the headers and replaces any existing `Forwarded` or `X-Forwarded-*` headers.
 
-* `IfNone` specifies that the ingress router sets headers if they are not already set.
+* `IfNone` specifies that the ingress controller sets headers if they are not already set.
 
-* `Never` specifies that ingress router never sets the headers, preserving any existing headers.
+* `Never` specifies that ingress controller never sets the headers, preserving any existing headers.
 
 |`ingress.httpCompression`
 |`object`
-|`httpCompression` defines a policy for HTTP traffic compression. There is no HTTP compression by default.
+|Defines a policy for HTTP traffic compression. There is no HTTP compression by default.
 
 |`ingress.httpCompression.mimeTypes`
 |`array` or null
@@ -129,7 +150,7 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
 
 |`ingress.logEmptyRequests`
 |`Log` or `Ignore`
-|Default value is `Log`. Specifies how connections on which empty requests are received are logged. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`. Logging typical requests might be undesirable, but requests can also be caused by network errors or port scans, in which case logging can be useful for diagnosing errors and detecting intrusion attempts.
+|The default value is `Log`. Specifies how connections on which empty requests are received are logged. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`. Logging typical requests might be undesirable, but requests can also be caused by network errors or port scans, in which case logging can be useful for diagnosing errors and detecting intrusion attempts.
 
 |`ingress.ports.http`
 |`80`
@@ -139,14 +160,49 @@ Not all MIME types benefit from compression, but `HAProxy` uses resources to try
 |`443`
 |Default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.
 
-|`ingress.routeAdmissionPolicy.namespaceOwnership`
+|`ingress.routeAdmissionPolicy`
 |`Strict` or `InterNamespaceAllowed`
-|Describes how hostname claims across namespaces are handled. By default, allows routes to claim different paths of the same hostname across namespaces. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short} `config.yaml`, the `InterNamespaceAllowed` value is automatically set.
+|Defines a policy for handling new route claims, such as allowing or denying claims across namespaces. By default, allows routes to claim different paths of the same hostname across namespaces. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short} `config.yaml`, the `InterNamespaceAllowed` value is automatically set.
+
+|`ingress.routeAdmissionPolicy.namespaceOwnership`
+|`WildcardsAllowed`, `WildcardsDisallowed`
+|Describes how hostname claims across namespaces should be handled. The default value is `Strict`.
+
+* `Strict`: does not allow routes to claim the same hostname across namespaces.
+* `InterNamespaceAllowed`: allows routes to claim different paths of the same hostname across namespaces.
+
+|`ingress.routeAdmissionPolicy.wildcardPolicy`
+|`WildcardsAllowed`, `WildcardsDisallowed`
+|Describes how routes with wildcard policies are handled by the ingress controller.
+
+* `WildcardsAllowed`: Indicates routes with any wildcard policy are admitted by the ingress controller.
+
+* `WildcardsDisallowed`: Indicates only routes with a wildcard policy of `None` are admitted by the Ingress Controller. Updating `wildcardPolicy` from `WildcardsAllowed` to `WildcardsDisallowed` causes admitted routes with a wildcard policy of `Subdomain` to stop working. These routes must be recreated to a wildcard policy of `None` to be readmitted by the Ingress Controller. `WildcardsDisallowed` is the default setting.
 
 |`ingress.status`
 |`Managed` or `Removed`
 |Router status. Default is `Managed`.
 
+|`ingress.tlsSecurityProfile`
+|`object`
+|Specifies settings for TLS connections for ingress controllers. If you do not set one, the default value is based on the `apiservers.config.openshift.io/cluster` resource.
+
+|`ingress.tlsSecurityProfile.type`
+|`Old`, `Intermediate`, `Modern`, 'Custom' 
+|Specifies the profile type for the TLS Security. The default value is `Intermediate`.
+
+When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the ingress controller, resulting in a rollout.
+
+|`ingress.tlsSecurityProfile.minTLSVersion`
+|`number`
+|Specifies the TLS version for ingress controllers.
+
+The minimum TLS version is `1.1`, and the maximum TLS version is `1.3`.
+
+* Ciphers and the minimum TLS version of the configured security profile are reflected in the `TLSProfile` status.
+
+* The ingress controller converts the TLS `1.0` of an `Old` or `Custom` profile to `1.1`.
+
 |`ingress.tuningOptions`
 |Objects
 |Specifies options for tuning the performance of ingress controller pods.
@@ -259,7 +315,7 @@ container_memory_working_set_bytes{container=`router`,namespace=`openshift-ingre
 
 |`network.serviceNodePortRange`
 |`range`
-|The port range allowed for Kubernetes services of type `NodePort`. If not specified, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after {microshift-short} starts.
+|The port range allowed for Kubernetes services of type `NodePort`. If you do not specify the range, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after {microshift-short} starts.
 
 |`node.hostnameOverride`
 |`string`

modules/microshift-default-settings.adoc

@@ -42,15 +42,15 @@ dns:
 etcd:
   memoryLimitMB: 0
 ingress:
-  certificateSecret: router-certs-default
+  certificateSecret: router-certs-custom
   clientTLS:
     allowedSubjectPatterns:
     clientCA:
       name: ""
     clientCertificatePolicy: ""
   defaultHTTPVersion: 1
   forwardedHeaderPolicy: ""
-httpCompression:
+  httpCompression:
     mimeTypes:
       - ""
   httpEmptyRequestsPolicy: Respond
@@ -62,7 +62,17 @@ httpCompression:
     https: 443
   routeAdmissionPolicy:
     namespaceOwnership: InterNamespaceAllowed
+    wildcardPolicy: WildcardPolicyAllowed
   status: Managed
+  tlsSecurityProfile:
+    type: Custom
+    custom:
+      ciphers:
+        - ECDHE-ECDSA-CHACHA20-POLY1305
+        - ECDHE-RSA-CHACHA20-POLY1305
+        - ECDHE-RSA-AES128-GCM-SHA256
+        - ECDHE-ECDSA-AES128-GCM-SHA256
+      minTLSVersion: VersionTLS12
   tuningOptions:
       clientFinTimeout: ""
       clientTimeout: ""