-
Notifications
You must be signed in to change notification settings - Fork 502
/
types_ingress.go
1686 lines (1538 loc) · 70.1 KB
/
types_ingress.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
corev1 "k8s.io/api/core/v1"
configv1 "github.com/openshift/api/config/v1"
)
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:subresource:scale:specpath=.spec.replicas,statuspath=.status.availableReplicas,selectorpath=.status.selector
// IngressController describes a managed ingress controller for the cluster. The
// controller can service OpenShift Route and Kubernetes Ingress resources.
//
// When an IngressController is created, a new ingress controller deployment is
// created to allow external traffic to reach the services that expose Ingress
// or Route resources. Updating this resource may lead to disruption for public
// facing network connections as a new ingress controller revision may be rolled
// out.
//
// https://kubernetes.io/docs/concepts/services-networking/ingress-controllers
//
// Whenever possible, sensible defaults for the platform are used. See each
// field for more details.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type IngressController struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// spec is the specification of the desired behavior of the IngressController.
Spec IngressControllerSpec `json:"spec,omitempty"`
// status is the most recently observed status of the IngressController.
Status IngressControllerStatus `json:"status,omitempty"`
}
// IngressControllerSpec is the specification of the desired behavior of the
// IngressController.
type IngressControllerSpec struct {
// domain is a DNS name serviced by the ingress controller and is used to
// configure multiple features:
//
// * For the LoadBalancerService endpoint publishing strategy, domain is
// used to configure DNS records. See endpointPublishingStrategy.
//
// * When using a generated default certificate, the certificate will be valid
// for domain and its subdomains. See defaultCertificate.
//
// * The value is published to individual Route statuses so that end-users
// know where to target external DNS records.
//
// domain must be unique among all IngressControllers, and cannot be
// updated.
//
// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
//
// +optional
Domain string `json:"domain,omitempty"`
// httpErrorCodePages specifies a configmap with custom error pages.
// The administrator must create this configmap in the openshift-config namespace.
// This configmap should have keys in the format "error-page-<error code>.http",
// where <error code> is an HTTP error code.
// For example, "error-page-503.http" defines an error page for HTTP 503 responses.
// Currently only error pages for 503 and 404 responses can be customized.
// Each value in the configmap should be the full response, including HTTP headers.
// Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http
// If this field is empty, the ingress controller uses the default error pages.
HttpErrorCodePages configv1.ConfigMapNameReference `json:"httpErrorCodePages,omitempty"`
// replicas is the desired number of ingress controller replicas. If unset,
// the default depends on the value of the defaultPlacement field in the
// cluster config.openshift.io/v1/ingresses status.
//
// The value of replicas is set based on the value of a chosen field in the
// Infrastructure CR. If defaultPlacement is set to ControlPlane, the
// chosen field will be controlPlaneTopology. If it is set to Workers the
// chosen field will be infrastructureTopology. Replicas will then be set to 1
// or 2 based whether the chosen field's value is SingleReplica or
// HighlyAvailable, respectively.
//
// These defaults are subject to change.
//
// +optional
Replicas *int32 `json:"replicas,omitempty"`
// endpointPublishingStrategy is used to publish the ingress controller
// endpoints to other networks, enable load balancer integrations, etc.
//
// If unset, the default is based on
// infrastructure.config.openshift.io/cluster .status.platform:
//
// AWS: LoadBalancerService (with External scope)
// Azure: LoadBalancerService (with External scope)
// GCP: LoadBalancerService (with External scope)
// IBMCloud: LoadBalancerService (with External scope)
// AlibabaCloud: LoadBalancerService (with External scope)
// Libvirt: HostNetwork
//
// Any other platform types (including None) default to HostNetwork.
//
// endpointPublishingStrategy cannot be updated.
//
// +optional
EndpointPublishingStrategy *EndpointPublishingStrategy `json:"endpointPublishingStrategy,omitempty"`
// defaultCertificate is a reference to a secret containing the default
// certificate served by the ingress controller. When Routes don't specify
// their own certificate, defaultCertificate is used.
//
// The secret must contain the following keys and data:
//
// tls.crt: certificate file contents
// tls.key: key file contents
//
// If unset, a wildcard certificate is automatically generated and used. The
// certificate is valid for the ingress controller domain (and subdomains) and
// the generated certificate's CA will be automatically integrated with the
// cluster's trust store.
//
// If a wildcard certificate is used and shared by multiple
// HTTP/2 enabled routes (which implies ALPN) then clients
// (i.e., notably browsers) are at liberty to reuse open
// connections. This means a client can reuse a connection to
// another route and that is likely to fail. This behaviour is
// generally known as connection coalescing.
//
// The in-use certificate (whether generated or user-specified) will be
// automatically integrated with OpenShift's built-in OAuth server.
//
// +optional
DefaultCertificate *corev1.LocalObjectReference `json:"defaultCertificate,omitempty"`
// namespaceSelector is used to filter the set of namespaces serviced by the
// ingress controller. This is useful for implementing shards.
//
// If unset, the default is no filtering.
//
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// routeSelector is used to filter the set of Routes serviced by the ingress
// controller. This is useful for implementing shards.
//
// If unset, the default is no filtering.
//
// +optional
RouteSelector *metav1.LabelSelector `json:"routeSelector,omitempty"`
// nodePlacement enables explicit control over the scheduling of the ingress
// controller.
//
// If unset, defaults are used. See NodePlacement for more details.
//
// +optional
NodePlacement *NodePlacement `json:"nodePlacement,omitempty"`
// tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers.
//
// If unset, the default is based on the apiservers.config.openshift.io/cluster resource.
//
// Note that when using the Old, Intermediate, and Modern profile types, the effective
// profile configuration is subject to change between releases. For example, given
// a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade
// to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress
// controller, resulting in a rollout.
//
// +optional
TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
// clientTLS specifies settings for requesting and verifying client
// certificates, which can be used to enable mutual TLS for
// edge-terminated and reencrypt routes.
//
// +optional
ClientTLS ClientTLS `json:"clientTLS"`
// routeAdmission defines a policy for handling new route claims (for example,
// to allow or deny claims across namespaces).
//
// If empty, defaults will be applied. See specific routeAdmission fields
// for details about their defaults.
//
// +optional
RouteAdmission *RouteAdmissionPolicy `json:"routeAdmission,omitempty"`
// logging defines parameters for what should be logged where. If this
// field is empty, operational logs are enabled but access logs are
// disabled.
//
// +optional
Logging *IngressControllerLogging `json:"logging,omitempty"`
// httpHeaders defines policy for HTTP headers.
//
// If this field is empty, the default values are used.
//
// +optional
HTTPHeaders *IngressControllerHTTPHeaders `json:"httpHeaders,omitempty"`
// httpEmptyRequestsPolicy describes how HTTP connections should be
// handled if the connection times out before a request is received.
// Allowed values for this field are "Respond" and "Ignore". If the
// field is set to "Respond", the ingress controller sends an HTTP 400
// or 408 response, logs the connection (if access logging is enabled),
// and counts the connection in the appropriate metrics. If the field
// is set to "Ignore", the ingress controller closes the connection
// without sending a response, logging the connection, or incrementing
// metrics. The default value is "Respond".
//
// Typically, these connections come from load balancers' health probes
// or Web browsers' speculative connections ("preconnect") and can be
// safely ignored. However, these requests may also be caused by
// network errors, and so setting this field to "Ignore" may impede
// detection and diagnosis of problems. In addition, these requests may
// be caused by port scans, in which case logging empty requests may aid
// in detecting intrusion attempts.
//
// +optional
// +kubebuilder:default:="Respond"
HTTPEmptyRequestsPolicy HTTPEmptyRequestsPolicy `json:"httpEmptyRequestsPolicy,omitempty"`
// tuningOptions defines parameters for adjusting the performance of
// ingress controller pods. All fields are optional and will use their
// respective defaults if not set. See specific tuningOptions fields for
// more details.
//
// Setting fields within tuningOptions is generally not recommended. The
// default values are suitable for most configurations.
//
// +optional
TuningOptions IngressControllerTuningOptions `json:"tuningOptions,omitempty"`
// unsupportedConfigOverrides allows specifying unsupported
// configuration options. Its use is unsupported.
//
// +optional
// +nullable
// +kubebuilder:pruning:PreserveUnknownFields
UnsupportedConfigOverrides runtime.RawExtension `json:"unsupportedConfigOverrides"`
// httpCompression defines a policy for HTTP traffic compression.
// By default, there is no HTTP compression.
//
// +optional
HTTPCompression HTTPCompressionPolicy `json:"httpCompression,omitempty"`
}
// httpCompressionPolicy turns on compression for the specified MIME types.
//
// This field is optional, and its absence implies that compression should not be enabled
// globally in HAProxy.
//
// If httpCompressionPolicy exists, compression should be enabled only for the specified
// MIME types.
type HTTPCompressionPolicy struct {
// mimeTypes is a list of MIME types that should have compression applied.
// This list can be empty, in which case the ingress controller does not apply compression.
//
// Note: Not all MIME types benefit from compression, but HAProxy will still use resources
// to try to compress if instructed to. Generally speaking, text (html, css, js, etc.)
// formats benefit from compression, but formats that are already compressed (image,
// audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing
// again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2
//
// +listType=set
MimeTypes []CompressionMIMEType `json:"mimeTypes,omitempty"`
}
// CompressionMIMEType defines the format of a single MIME type.
// E.g. "text/css; charset=utf-8", "text/html", "text/*", "image/svg+xml",
// "application/octet-stream", "X-custom/customsub", etc.
//
// The format should follow the Content-Type definition in RFC 1341:
// Content-Type := type "/" subtype *[";" parameter]
// - The type in Content-Type can be one of:
// application, audio, image, message, multipart, text, video, or a custom
// type preceded by "X-" and followed by a token as defined below.
// - The token is a string of at least one character, and not containing white
// space, control characters, or any of the characters in the tspecials set.
// - The tspecials set contains the characters ()<>@,;:\"/[]?.=
// - The subtype in Content-Type is also a token.
// - The optional parameter/s following the subtype are defined as:
// token "=" (token / quoted-string)
// - The quoted-string, as defined in RFC 822, is surrounded by double quotes
// and can contain white space plus any character EXCEPT \, ", and CR.
// It can also contain any single ASCII character as long as it is escaped by \.
//
// +kubebuilder:validation:Pattern=`^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$`
type CompressionMIMEType string
// NodePlacement describes node scheduling configuration for an ingress
// controller.
type NodePlacement struct {
// nodeSelector is the node selector applied to ingress controller
// deployments.
//
// If set, the specified selector is used and replaces the default.
//
// If unset, the default depends on the value of the defaultPlacement
// field in the cluster config.openshift.io/v1/ingresses status.
//
// When defaultPlacement is Workers, the default is:
//
// kubernetes.io/os: linux
// node-role.kubernetes.io/worker: ''
//
// When defaultPlacement is ControlPlane, the default is:
//
// kubernetes.io/os: linux
// node-role.kubernetes.io/master: ''
//
// These defaults are subject to change.
//
// Note that using nodeSelector.matchExpressions is not supported. Only
// nodeSelector.matchLabels may be used. This is a limitation of the
// Kubernetes API: the pod spec does not allow complex expressions for
// node selectors.
//
// +optional
NodeSelector *metav1.LabelSelector `json:"nodeSelector,omitempty"`
// tolerations is a list of tolerations applied to ingress controller
// deployments.
//
// The default is an empty list.
//
// See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
//
// +optional
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
}
// EndpointPublishingStrategyType is a way to publish ingress controller endpoints.
// +kubebuilder:validation:Enum=LoadBalancerService;HostNetwork;Private;NodePortService
type EndpointPublishingStrategyType string
const (
// LoadBalancerService publishes the ingress controller using a Kubernetes
// LoadBalancer Service.
LoadBalancerServiceStrategyType EndpointPublishingStrategyType = "LoadBalancerService"
// HostNetwork publishes the ingress controller on node ports where the
// ingress controller is deployed.
HostNetworkStrategyType EndpointPublishingStrategyType = "HostNetwork"
// Private does not publish the ingress controller.
PrivateStrategyType EndpointPublishingStrategyType = "Private"
// NodePortService publishes the ingress controller using a Kubernetes NodePort Service.
NodePortServiceStrategyType EndpointPublishingStrategyType = "NodePortService"
)
// LoadBalancerScope is the scope at which a load balancer is exposed.
// +kubebuilder:validation:Enum=Internal;External
type LoadBalancerScope string
var (
// InternalLoadBalancer is a load balancer that is exposed only on the
// cluster's private network.
InternalLoadBalancer LoadBalancerScope = "Internal"
// ExternalLoadBalancer is a load balancer that is exposed on the
// cluster's public network (which is typically on the Internet).
ExternalLoadBalancer LoadBalancerScope = "External"
)
// CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8"
// or "fd00::/8").
// +kubebuilder:validation:Pattern=`(^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)`
// + ---
// + The regex for the IPv4 CIDR range was taken from other CIDR fields in the OpenShift API
// + and the one for the IPv6 CIDR range was taken from
// + https://blog.markhatton.co.uk/2011/03/15/regular-expressions-for-ip-addresses-cidr-ranges-and-hostnames/
// + The resulting regex is an OR of both regexes.
type CIDR string
// LoadBalancerStrategy holds parameters for a load balancer.
type LoadBalancerStrategy struct {
// scope indicates the scope at which the load balancer is exposed.
// Possible values are "External" and "Internal".
//
// +kubebuilder:validation:Required
// +required
Scope LoadBalancerScope `json:"scope"`
// allowedSourceRanges specifies an allowlist of IP address ranges to which
// access to the load balancer should be restricted. Each range must be
// specified using CIDR notation (e.g. "10.0.0.0/8" or "fd00::/8"). If no range is
// specified, "0.0.0.0/0" for IPv4 and "::/0" for IPv6 are used by default,
// which allows all source addresses.
//
// To facilitate migration from earlier versions of OpenShift that did
// not have the allowedSourceRanges field, you may set the
// service.beta.kubernetes.io/load-balancer-source-ranges annotation on
// the "router-<ingresscontroller name>" service in the
// "openshift-ingress" namespace, and this annotation will take
// effect if allowedSourceRanges is empty on OpenShift 4.12.
//
// +nullable
// +optional
AllowedSourceRanges []CIDR `json:"allowedSourceRanges,omitempty"`
// providerParameters holds desired load balancer information specific to
// the underlying infrastructure provider.
//
// If empty, defaults will be applied. See specific providerParameters
// fields for details about their defaults.
//
// +optional
ProviderParameters *ProviderLoadBalancerParameters `json:"providerParameters,omitempty"`
// dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record
// associated with the load balancer service will be managed by
// the ingress operator. It defaults to Managed.
// Valid values are: Managed and Unmanaged.
//
// +kubebuilder:default:="Managed"
// +kubebuilder:validation:Required
// +default="Managed"
DNSManagementPolicy LoadBalancerDNSManagementPolicy `json:"dnsManagementPolicy,omitempty"`
}
// LoadBalancerDNSManagementPolicy is a policy for configuring how
// ingresscontrollers manage DNS.
//
// +kubebuilder:validation:Enum=Managed;Unmanaged
type LoadBalancerDNSManagementPolicy string
const (
// ManagedLoadBalancerDNS specifies that the operator manages
// a wildcard DNS record for the ingresscontroller.
ManagedLoadBalancerDNS LoadBalancerDNSManagementPolicy = "Managed"
// UnmanagedLoadBalancerDNS specifies that the operator does not manage
// any wildcard DNS record for the ingresscontroller.
UnmanagedLoadBalancerDNS LoadBalancerDNSManagementPolicy = "Unmanaged"
)
// ProviderLoadBalancerParameters holds desired load balancer information
// specific to the underlying infrastructure provider.
// +union
type ProviderLoadBalancerParameters struct {
// type is the underlying infrastructure provider for the load balancer.
// Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Nutanix",
// "OpenStack", and "VSphere".
//
// +unionDiscriminator
// +kubebuilder:validation:Required
// +required
Type LoadBalancerProviderType `json:"type"`
// aws provides configuration settings that are specific to AWS
// load balancers.
//
// If empty, defaults will be applied. See specific aws fields for
// details about their defaults.
//
// +optional
AWS *AWSLoadBalancerParameters `json:"aws,omitempty"`
// gcp provides configuration settings that are specific to GCP
// load balancers.
//
// If empty, defaults will be applied. See specific gcp fields for
// details about their defaults.
//
// +optional
GCP *GCPLoadBalancerParameters `json:"gcp,omitempty"`
}
// LoadBalancerProviderType is the underlying infrastructure provider for the
// load balancer. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Nutanix",
// "OpenStack", and "VSphere".
//
// +kubebuilder:validation:Enum=AWS;Azure;BareMetal;GCP;Nutanix;OpenStack;VSphere;IBM
type LoadBalancerProviderType string
const (
AWSLoadBalancerProvider LoadBalancerProviderType = "AWS"
AzureLoadBalancerProvider LoadBalancerProviderType = "Azure"
GCPLoadBalancerProvider LoadBalancerProviderType = "GCP"
OpenStackLoadBalancerProvider LoadBalancerProviderType = "OpenStack"
VSphereLoadBalancerProvider LoadBalancerProviderType = "VSphere"
IBMLoadBalancerProvider LoadBalancerProviderType = "IBM"
BareMetalLoadBalancerProvider LoadBalancerProviderType = "BareMetal"
AlibabaCloudLoadBalancerProvider LoadBalancerProviderType = "AlibabaCloud"
NutanixLoadBalancerProvider LoadBalancerProviderType = "Nutanix"
)
// AWSLoadBalancerParameters provides configuration settings that are
// specific to AWS load balancers.
// +union
type AWSLoadBalancerParameters struct {
// type is the type of AWS load balancer to instantiate for an ingresscontroller.
//
// Valid values are:
//
// * "Classic": A Classic Load Balancer that makes routing decisions at either
// the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See
// the following for additional details:
//
// https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb
//
// * "NLB": A Network Load Balancer that makes routing decisions at the
// transport layer (TCP/SSL). See the following for additional details:
//
// https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb
//
// +unionDiscriminator
// +kubebuilder:validation:Required
// +required
Type AWSLoadBalancerType `json:"type"`
// classicLoadBalancerParameters holds configuration parameters for an AWS
// classic load balancer. Present only if type is Classic.
//
// +optional
ClassicLoadBalancerParameters *AWSClassicLoadBalancerParameters `json:"classicLoadBalancer,omitempty"`
// networkLoadBalancerParameters holds configuration parameters for an AWS
// network load balancer. Present only if type is NLB.
//
// +optional
NetworkLoadBalancerParameters *AWSNetworkLoadBalancerParameters `json:"networkLoadBalancer,omitempty"`
}
// AWSLoadBalancerType is the type of AWS load balancer to instantiate.
// +kubebuilder:validation:Enum=Classic;NLB
type AWSLoadBalancerType string
const (
AWSClassicLoadBalancer AWSLoadBalancerType = "Classic"
AWSNetworkLoadBalancer AWSLoadBalancerType = "NLB"
)
// GCPLoadBalancerParameters provides configuration settings that are
// specific to GCP load balancers.
type GCPLoadBalancerParameters struct {
// clientAccess describes how client access is restricted for internal
// load balancers.
//
// Valid values are:
// * "Global": Specifying an internal load balancer with Global client access
// allows clients from any region within the VPC to communicate with the load
// balancer.
//
// https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access
//
// * "Local": Specifying an internal load balancer with Local client access
// means only clients within the same region (and VPC) as the GCP load balancer
// can communicate with the load balancer. Note that this is the default behavior.
//
// https://cloud.google.com/load-balancing/docs/internal#client_access
//
// +optional
ClientAccess GCPClientAccess `json:"clientAccess,omitempty"`
}
// GCPClientAccess describes how client access is restricted for internal
// load balancers.
// +kubebuilder:validation:Enum=Global;Local
type GCPClientAccess string
const (
GCPGlobalAccess GCPClientAccess = "Global"
GCPLocalAccess GCPClientAccess = "Local"
)
// AWSClassicLoadBalancerParameters holds configuration parameters for an
// AWS Classic load balancer.
type AWSClassicLoadBalancerParameters struct {
// connectionIdleTimeout specifies the maximum time period that a
// connection may be idle before the load balancer closes the
// connection. The value must be parseable as a time duration value;
// see <https://pkg.go.dev/time#ParseDuration>. A nil or zero value
// means no opinion, in which case a default value is used. The default
// value for this field is 60s. This default is subject to change.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Format=duration
// +optional
ConnectionIdleTimeout metav1.Duration `json:"connectionIdleTimeout,omitempty"`
}
// AWSNetworkLoadBalancerParameters holds configuration parameters for an
// AWS Network load balancer.
type AWSNetworkLoadBalancerParameters struct {
}
// HostNetworkStrategy holds parameters for the HostNetwork endpoint publishing
// strategy.
type HostNetworkStrategy struct {
// protocol specifies whether the IngressController expects incoming
// connections to use plain TCP or whether the IngressController expects
// PROXY protocol.
//
// PROXY protocol can be used with load balancers that support it to
// communicate the source addresses of client connections when
// forwarding those connections to the IngressController. Using PROXY
// protocol enables the IngressController to report those source
// addresses instead of reporting the load balancer's address in HTTP
// headers and logs. Note that enabling PROXY protocol on the
// IngressController will cause connections to fail if you are not using
// a load balancer that uses PROXY protocol to forward connections to
// the IngressController. See
// http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for
// information about PROXY protocol.
//
// The following values are valid for this field:
//
// * The empty string.
// * "TCP".
// * "PROXY".
//
// The empty string specifies the default, which is TCP without PROXY
// protocol. Note that the default is subject to change.
//
// +kubebuilder:validation:Optional
// +optional
Protocol IngressControllerProtocol `json:"protocol,omitempty"`
// httpPort is the port on the host which should be used to listen for
// HTTP requests. This field should be set when port 80 is already in use.
// The value should not coincide with the NodePort range of the cluster.
// When the value is 0 or is not specified it defaults to 80.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Minimum=0
// +kubebuilder:default=80
// +optional
HTTPPort int32 `json:"httpPort,omitempty"`
// httpsPort is the port on the host which should be used to listen for
// HTTPS requests. This field should be set when port 443 is already in use.
// The value should not coincide with the NodePort range of the cluster.
// When the value is 0 or is not specified it defaults to 443.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Minimum=0
// +kubebuilder:default=443
// +optional
HTTPSPort int32 `json:"httpsPort,omitempty"`
// statsPort is the port on the host where the stats from the router are
// published. The value should not coincide with the NodePort range of the
// cluster. If an external load balancer is configured to forward connections
// to this IngressController, the load balancer should use this port for
// health checks. The load balancer can send HTTP probes on this port on a
// given node, with the path /healthz/ready to determine if the ingress
// controller is ready to receive traffic on the node. For proper operation
// the load balancer must not forward traffic to a node until the health
// check reports ready. The load balancer should also stop forwarding requests
// within a maximum of 45 seconds after /healthz/ready starts reporting
// not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with
// a threshold of two successful or failed requests to become healthy or
// unhealthy respectively, are well-tested values. When the value is 0 or
// is not specified it defaults to 1936.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Maximum=65535
// +kubebuilder:validation:Minimum=0
// +kubebuilder:default=1936
// +optional
StatsPort int32 `json:"statsPort,omitempty"`
}
// PrivateStrategy holds parameters for the Private endpoint publishing
// strategy.
type PrivateStrategy struct {
// protocol specifies whether the IngressController expects incoming
// connections to use plain TCP or whether the IngressController expects
// PROXY protocol.
//
// PROXY protocol can be used with load balancers that support it to
// communicate the source addresses of client connections when
// forwarding those connections to the IngressController. Using PROXY
// protocol enables the IngressController to report those source
// addresses instead of reporting the load balancer's address in HTTP
// headers and logs. Note that enabling PROXY protocol on the
// IngressController will cause connections to fail if you are not using
// a load balancer that uses PROXY protocol to forward connections to
// the IngressController. See
// http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for
// information about PROXY protocol.
//
// The following values are valid for this field:
//
// * The empty string.
// * "TCP".
// * "PROXY".
//
// The empty string specifies the default, which is TCP without PROXY
// protocol. Note that the default is subject to change.
//
// +kubebuilder:validation:Optional
// +optional
Protocol IngressControllerProtocol `json:"protocol,omitempty"`
}
// NodePortStrategy holds parameters for the NodePortService endpoint publishing strategy.
type NodePortStrategy struct {
// protocol specifies whether the IngressController expects incoming
// connections to use plain TCP or whether the IngressController expects
// PROXY protocol.
//
// PROXY protocol can be used with load balancers that support it to
// communicate the source addresses of client connections when
// forwarding those connections to the IngressController. Using PROXY
// protocol enables the IngressController to report those source
// addresses instead of reporting the load balancer's address in HTTP
// headers and logs. Note that enabling PROXY protocol on the
// IngressController will cause connections to fail if you are not using
// a load balancer that uses PROXY protocol to forward connections to
// the IngressController. See
// http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for
// information about PROXY protocol.
//
// The following values are valid for this field:
//
// * The empty string.
// * "TCP".
// * "PROXY".
//
// The empty string specifies the default, which is TCP without PROXY
// protocol. Note that the default is subject to change.
//
// +kubebuilder:validation:Optional
// +optional
Protocol IngressControllerProtocol `json:"protocol,omitempty"`
}
// IngressControllerProtocol specifies whether PROXY protocol is enabled or not.
// +kubebuilder:validation:Enum="";TCP;PROXY
type IngressControllerProtocol string
const (
DefaultProtocol IngressControllerProtocol = ""
TCPProtocol IngressControllerProtocol = "TCP"
ProxyProtocol IngressControllerProtocol = "PROXY"
)
// EndpointPublishingStrategy is a way to publish the endpoints of an
// IngressController, and represents the type and any additional configuration
// for a specific type.
// +union
type EndpointPublishingStrategy struct {
// type is the publishing strategy to use. Valid values are:
//
// * LoadBalancerService
//
// Publishes the ingress controller using a Kubernetes LoadBalancer Service.
//
// In this configuration, the ingress controller deployment uses container
// networking. A LoadBalancer Service is created to publish the deployment.
//
// See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
//
// If domain is set, a wildcard DNS record will be managed to point at the
// LoadBalancer Service's external name. DNS records are managed only in DNS
// zones defined by dns.config.openshift.io/cluster .spec.publicZone and
// .spec.privateZone.
//
// Wildcard DNS management is currently supported only on the AWS, Azure,
// and GCP platforms.
//
// * HostNetwork
//
// Publishes the ingress controller on node ports where the ingress controller
// is deployed.
//
// In this configuration, the ingress controller deployment uses host
// networking, bound to node ports 80 and 443. The user is responsible for
// configuring an external load balancer to publish the ingress controller via
// the node ports.
//
// * Private
//
// Does not publish the ingress controller.
//
// In this configuration, the ingress controller deployment uses container
// networking, and is not explicitly published. The user must manually publish
// the ingress controller.
//
// * NodePortService
//
// Publishes the ingress controller using a Kubernetes NodePort Service.
//
// In this configuration, the ingress controller deployment uses container
// networking. A NodePort Service is created to publish the deployment. The
// specific node ports are dynamically allocated by OpenShift; however, to
// support static port allocations, user changes to the node port
// field of the managed NodePort Service will preserved.
//
// +unionDiscriminator
// +kubebuilder:validation:Required
// +required
Type EndpointPublishingStrategyType `json:"type"`
// loadBalancer holds parameters for the load balancer. Present only if
// type is LoadBalancerService.
// +optional
LoadBalancer *LoadBalancerStrategy `json:"loadBalancer,omitempty"`
// hostNetwork holds parameters for the HostNetwork endpoint publishing
// strategy. Present only if type is HostNetwork.
// +optional
HostNetwork *HostNetworkStrategy `json:"hostNetwork,omitempty"`
// private holds parameters for the Private endpoint publishing
// strategy. Present only if type is Private.
// +optional
Private *PrivateStrategy `json:"private,omitempty"`
// nodePort holds parameters for the NodePortService endpoint publishing strategy.
// Present only if type is NodePortService.
// +optional
NodePort *NodePortStrategy `json:"nodePort,omitempty"`
}
// ClientCertificatePolicy describes the policy for client certificates.
// +kubebuilder:validation:Enum="";Required;Optional
type ClientCertificatePolicy string
const (
// ClientCertificatePolicyRequired indicates that a client certificate
// should be required.
ClientCertificatePolicyRequired ClientCertificatePolicy = "Required"
// ClientCertificatePolicyOptional indicates that a client certificate
// should be requested but not required.
ClientCertificatePolicyOptional ClientCertificatePolicy = "Optional"
)
// ClientTLS specifies TLS configuration to enable client-to-server
// authentication, which can be used for mutual TLS.
type ClientTLS struct {
// clientCertificatePolicy specifies whether the ingress controller
// requires clients to provide certificates. This field accepts the
// values "Required" or "Optional".
//
// Note that the ingress controller only checks client certificates for
// edge-terminated and reencrypt TLS routes; it cannot check
// certificates for cleartext HTTP or passthrough TLS routes.
//
// +kubebuilder:validation:Required
// +required
ClientCertificatePolicy ClientCertificatePolicy `json:"clientCertificatePolicy"`
// clientCA specifies a configmap containing the PEM-encoded CA
// certificate bundle that should be used to verify a client's
// certificate. The administrator must create this configmap in the
// openshift-config namespace.
//
// +kubebuilder:validation:Required
// +required
ClientCA configv1.ConfigMapNameReference `json:"clientCA"`
// allowedSubjectPatterns specifies a list of regular expressions that
// should be matched against the distinguished name on a valid client
// certificate to filter requests. The regular expressions must use
// PCRE syntax. If this list is empty, no filtering is performed. If
// the list is nonempty, then at least one pattern must match a client
// certificate's distinguished name or else the ingress controller
// rejects the certificate and denies the connection.
//
// +listType=atomic
// +optional
AllowedSubjectPatterns []string `json:"allowedSubjectPatterns,omitempty"`
}
// RouteAdmissionPolicy is an admission policy for allowing new route claims.
type RouteAdmissionPolicy struct {
// namespaceOwnership describes how host name claims across namespaces should
// be handled.
//
// Value must be one of:
//
// - Strict: Do not allow routes in different namespaces to claim the same host.
//
// - InterNamespaceAllowed: Allow routes to claim different paths of the same
// host name across namespaces.
//
// If empty, the default is Strict.
// +optional
NamespaceOwnership NamespaceOwnershipCheck `json:"namespaceOwnership,omitempty"`
// wildcardPolicy describes how routes with wildcard policies should
// be handled for the ingress controller. WildcardPolicy controls use
// of routes [1] exposed by the ingress controller based on the route's
// wildcard policy.
//
// [1] https://github.com/openshift/api/blob/master/route/v1/types.go
//
// Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed
// will cause admitted routes with a wildcard policy of Subdomain to stop
// working. These routes must be updated to a wildcard policy of None to be
// readmitted by the ingress controller.
//
// WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values.
//
// If empty, defaults to "WildcardsDisallowed".
//
WildcardPolicy WildcardPolicy `json:"wildcardPolicy,omitempty"`
}
// WildcardPolicy is a route admission policy component that describes how
// routes with a wildcard policy should be handled.
// +kubebuilder:validation:Enum=WildcardsAllowed;WildcardsDisallowed
type WildcardPolicy string
const (
// WildcardPolicyAllowed indicates routes with any wildcard policy are
// admitted by the ingress controller.
WildcardPolicyAllowed WildcardPolicy = "WildcardsAllowed"
// WildcardPolicyDisallowed indicates only routes with a wildcard policy
// of None are admitted by the ingress controller.
WildcardPolicyDisallowed WildcardPolicy = "WildcardsDisallowed"
)
// NamespaceOwnershipCheck is a route admission policy component that describes
// how host name claims across namespaces should be handled.
// +kubebuilder:validation:Enum=InterNamespaceAllowed;Strict
type NamespaceOwnershipCheck string
const (
// InterNamespaceAllowedOwnershipCheck allows routes to claim different paths of the same host name across namespaces.
InterNamespaceAllowedOwnershipCheck NamespaceOwnershipCheck = "InterNamespaceAllowed"
// StrictNamespaceOwnershipCheck does not allow routes to claim the same host name across namespaces.
StrictNamespaceOwnershipCheck NamespaceOwnershipCheck = "Strict"
)
// LoggingDestinationType is a type of destination to which to send log
// messages.
//
// +kubebuilder:validation:Enum=Container;Syslog
type LoggingDestinationType string
const (
// Container sends log messages to a sidecar container.
ContainerLoggingDestinationType LoggingDestinationType = "Container"
// Syslog sends log messages to a syslog endpoint.
SyslogLoggingDestinationType LoggingDestinationType = "Syslog"
// ContainerLoggingSidecarContainerName is the name of the container
// with the log output in an ingress controller pod when container
// logging is used.
ContainerLoggingSidecarContainerName = "logs"
)
// SyslogLoggingDestinationParameters describes parameters for the Syslog
// logging destination type.
type SyslogLoggingDestinationParameters struct {
// address is the IP address of the syslog endpoint that receives log
// messages.
//
// +kubebuilder:validation:Required
// +required
Address string `json:"address"`
// port is the UDP port number of the syslog endpoint that receives log
// messages.
//
// +kubebuilder:validation:Required
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
// +required
Port uint32 `json:"port"`
// facility specifies the syslog facility of log messages.
//
// If this field is empty, the facility is "local1".
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Enum=kern;user;mail;daemon;auth;syslog;lpr;news;uucp;cron;auth2;ftp;ntp;audit;alert;cron2;local0;local1;local2;local3;local4;local5;local6;local7
// +optional
Facility string `json:"facility,omitempty"`
// maxLength is the maximum length of the syslog message
//
// If this field is empty, the maxLength is set to "1024".
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Maximum=4096
// +kubebuilder:validation:Minimum=480
// +kubebuilder:default=1024
// +optional
MaxLength uint32 `json:"maxLength,omitempty"`
}
// ContainerLoggingDestinationParameters describes parameters for the Container
// logging destination type.
type ContainerLoggingDestinationParameters struct {