From c47039b3ac5066084869608e5f0936fda0d5fc64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CShauna=20Diaz=E2=80=9D?= Date: Tue, 12 Aug 2025 07:45:36 -0400 Subject: [PATCH] CP-419-OSDOCS-15307: adds filename for CA bundle MicroShift --- .../microshift-ingress-controller-config.adoc | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/modules/microshift-ingress-controller-config.adoc b/modules/microshift-ingress-controller-config.adoc index 4ede08a2ac42..34befac51dbb 100644 --- a/modules/microshift-ingress-controller-config.adoc +++ b/modules/microshift-ingress-controller-config.adoc @@ -7,7 +7,13 @@ [id="microshift-ingress-control-config_{context}"] = Configuring ingress control in {microshift-short} -You can use detailed ingress control settings by updating the {microshift-short} service configuration file. +You can use detailed ingress control settings by updating the {microshift-short} service configuration file or using a configuration snippet. + +[IMPORTANT] +==== +* A `config.yaml` configuration file takes precedence over built-in settings. The `config.yaml` file is read every time the {microshift-short} service starts. +* Configuration snippet YAMLs take precedence over both built-in settings and the `config.yaml` configuration file. +==== .Prerequisites 
@@ -20,18 +26,8 @@ You can use detailed ingress control settings by updating the {microshift-short} . Apply ingress control settings in one of the two following ways: .. Update the {microshift-short} `config.yaml` configuration file by making a copy of the provided `config.yaml.default` file in the `/etc/microshift/` directory, naming it `config.yaml` and keeping it in the source directory. -+ -[IMPORTANT] -==== -After you create the `config.yaml`, the configuration file takes precedence over built-in settings. The `config.yaml` file is read every time the {microshift-short} service starts. -==== .. Use a configuration snippet to apply the ingress control settings you want. To do this, create a configuration snippet YAML file and put it in the `/etc/microshift/config.d/` configuration directory. -+ -[IMPORTANT] -==== -Configuration snippet YAMLs take precedence over both built-in settings and the `config.yaml` configuration file. -==== . Replace the default values in the `ingress` section of the {microshift-short} YAML with your valid values, or create a configuration snippet file with the sections you need. + 
@@ -111,8 +107,8 @@ ingress: When configured, this field must contain a valid expression or the {microshift-short} service fails. At least one pattern must match a client certificate's distinguished name; otherwise, the ingress controller rejects the certificate and denies the connection. ==== -|`clientTLS.ClientCA` -|Specifies a required config map that is in the `openshift-ingress` namespace. Required to enable client TLS. The config map must contain a certificate authority (CA) bundle. +|`clientTLS.clientCA` +|Specifies a required config map that is in the `openshift-ingress` namespace. Required to enable client TLS. The config map must contain a certificate authority (CA) bundle named `ca-bundle.pem` or the deployment of the default router fails. |`clientTLS.ClientCA.name` |The `metadata.name` of the config map referenced in the `clientTLS.ClientCA` value. 
@@ -147,7 +143,6 @@ When configured, this field must contain a valid expression or the {microshift-s * When the policy is set to `Respond`, the ingress controller sends an HTTP `400` or `408` response, logs the connection if access logging is enabled, and counts the connection in the appropriate metrics. * When the policy is set to `Ignore`, the `http-ignore-probes` parameter is added to the `HAproxy` process configuration. After this parameter is added, the ingress controller closes the connection without sending a response, then either logs the connection or incrementing metrics. -//Q: are the incrementing metrics in this case config'd by the admin, or are they automatic to our config? |`logEmptyRequests` |Specifies connections for which no request is received and logged. `Log` and `Ignore` are valid values. Empty requests typically come from load-balancer health probes or preconnects and can often be safely ignored. However, these requests can also be caused by network errors and port scans. Therefore, setting this field to `Ignore` can impede detection or diagnosis of network problems and detecting intrusion attempts. The default value is `Log`.
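Review bot: In the first hunk (`@@ -7,7 +7,13 @@`), the consolidated `[IMPORTANT]` block states when `config.yaml` is read ("every time the {microshift-short} service starts") but says nothing equivalent for configuration snippets, so a reader cannot tell from this block whether a snippet change is picked up at the same point. Add the read timing to the second bullet so that both bullets cover precedence and timing. In the rewritten intro sentence, "by updating the ... configuration file or using a configuration snippet" is not parallel; "or by using a configuration snippet" reads more cleanly.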
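Review bot: In the third hunk (`@@ -111,8 +107,8 @@`), the field-name casing is corrected on only one row: the changed row now reads `clientTLS.clientCA`, but the unchanged row directly below still uses `clientTLS.ClientCA.name` and describes it as "referenced in the `clientTLS.ClientCA` value". Update both occurrences in that row in the same commit so that the table names one field consistently; a reader copying the key from the second row gets a different spelling than from the first. The added sentence "must contain a certificate authority (CA) bundle named `ca-bundle.pem` or the deployment of the default router fails" should also say explicitly what carries that name (for example, the key inside the config map), and it needs a comma before "or".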
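Review bot: In the last hunk (`@@ -147,7 +143,6 @@`), the open question `//Q: are the incrementing metrics in this case config'd by the admin, or are they automatic to our config?` is deleted, but the sentence it was asking about is left unchanged and still reads "then either logs the connection or incrementing metrics". If the question was answered, reflect the answer in that sentence; at minimum make it parallel, for example "then either logs the connection or increments metrics". The same unchanged line spells the process name `HAproxy`; the project spelling is `HAProxy`.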