1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 api-approved.openshift.io: https://github.com/openshift/api/pull/616
6 include.release.openshift.io/ibm-cloud-managed: "true"
7 include.release.openshift.io/self-managed-high-availability: "true"
8 include.release.openshift.io/single-node-developer: "true"
9 name: ingresscontrollers.operator.openshift.io
10spec:
11 group: operator.openshift.io
12 names:
13 kind: IngressController
14 listKind: IngressControllerList
15 plural: ingresscontrollers
16 singular: ingresscontroller
17 scope: Namespaced
18 versions:
19 - name: v1
20 schema:
21 openAPIV3Schema:
22 description: "IngressController describes a managed ingress controller for the cluster. The controller can service OpenShift Route and Kubernetes Ingress resources. \n When an IngressController is created, a new ingress controller deployment is created to allow external traffic to reach the services that expose Ingress or Route resources. Updating this resource may lead to disruption for public facing network connections as a new ingress controller revision may be rolled out. \n https://kubernetes.io/docs/concepts/services-networking/ingress-controllers \n Whenever possible, sensible defaults for the platform are used. See each field for more details. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
23 properties:
24 apiVersion:
25 description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
26 type: string
27 kind:
28 description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
29 type: string
30 metadata:
31 type: object
32 spec:
33 description: spec is the specification of the desired behavior of the IngressController.
34 properties:
35 clientTLS:
36 description: clientTLS specifies settings for requesting and verifying client certificates, which can be used to enable mutual TLS for edge-terminated and reencrypt routes.
37 properties:
38 allowedSubjectPatterns:
39 description: allowedSubjectPatterns specifies a list of regular expressions that should be matched against the distinguished name on a valid client certificate to filter requests. The regular expressions must use PCRE syntax. If this list is empty, no filtering is performed. If the list is nonempty, then at least one pattern must match a client certificate's distinguished name or else the ingress controller rejects the certificate and denies the connection.
40 items:
41 type: string
42 type: array
43 x-kubernetes-list-type: atomic
44 clientCA:
45 description: clientCA specifies a configmap containing the PEM-encoded CA certificate bundle that should be used to verify a client's certificate. The administrator must create this configmap in the openshift-config namespace.
46 properties:
47 name:
48 description: name is the metadata.name of the referenced config map
49 type: string
50 required:
51 - name
52 type: object
53 clientCertificatePolicy:
54 description: "clientCertificatePolicy specifies whether the ingress controller requires clients to provide certificates. This field accepts the values \"Required\" or \"Optional\". \n Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes."
55 enum:
56 - ""
57 - Required
58 - Optional
59 type: string
60 required:
61 - clientCA
62 - clientCertificatePolicy
63 type: object
64 defaultCertificate:
65 description: "defaultCertificate is a reference to a secret containing the default certificate served by the ingress controller. When Routes don't specify their own certificate, defaultCertificate is used. \n The secret must contain the following keys and data: \n tls.crt: certificate file contents tls.key: key file contents \n If unset, a wildcard certificate is automatically generated and used. The certificate is valid for the ingress controller domain (and subdomains) and the generated certificate's CA will be automatically integrated with the cluster's trust store. \n If a wildcard certificate is used and shared by multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e., notably browsers) are at liberty to reuse open connections. This means a client can reuse a connection to another route and that is likely to fail. This behaviour is generally known as connection coalescing. \n The in-use certificate (whether generated or user-specified) will be automatically integrated with OpenShift's built-in OAuth server."
66 properties:
67 name:
68 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?'
69 type: string
70 type: object
71 x-kubernetes-map-type: atomic
72 domain:
73 description: "domain is a DNS name serviced by the ingress controller and is used to configure multiple features: \n * For the LoadBalancerService endpoint publishing strategy, domain is used to configure DNS records. See endpointPublishingStrategy. \n * When using a generated default certificate, the certificate will be valid for domain and its subdomains. See defaultCertificate. \n * The value is published to individual Route statuses so that end-users know where to target external DNS records. \n domain must be unique among all IngressControllers, and cannot be updated. \n If empty, defaults to ingress.config.openshift.io/cluster .spec.domain."
74 type: string
75 endpointPublishingStrategy:
76 description: "endpointPublishingStrategy is used to publish the ingress controller endpoints to other networks, enable load balancer integrations, etc. \n If unset, the default is based on infrastructure.config.openshift.io/cluster .status.platform: \n AWS: LoadBalancerService (with External scope) Azure: LoadBalancerService (with External scope) GCP: LoadBalancerService (with External scope) IBMCloud: LoadBalancerService (with External scope) AlibabaCloud: LoadBalancerService (with External scope) Libvirt: HostNetwork \n Any other platform types (including None) default to HostNetwork. \n endpointPublishingStrategy cannot be updated."
77 properties:
78 hostNetwork:
79 description: hostNetwork holds parameters for the HostNetwork endpoint publishing strategy. Present only if type is HostNetwork.
80 properties:
81 httpPort:
82 default: 80
83 description: httpPort is the port on the host which should be used to listen for HTTP requests. This field should be set when port 80 is already in use. The value should not coincide with the NodePort range of the cluster. When the value is 0 or is not specified it defaults to 80.
84 format: int32
85 maximum: 65535
86 minimum: 0
87 type: integer
88 httpsPort:
89 default: 443
90 description: httpsPort is the port on the host which should be used to listen for HTTPS requests. This field should be set when port 443 is already in use. The value should not coincide with the NodePort range of the cluster. When the value is 0 or is not specified it defaults to 443.
91 format: int32
92 maximum: 65535
93 minimum: 0
94 type: integer
95 protocol:
96 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
97 enum:
98 - ""
99 - TCP
100 - PROXY
101 type: string
102 statsPort:
103 default: 1936
104 description: statsPort is the port on the host where the stats from the router are published. The value should not coincide with the NodePort range of the cluster. If an external load balancer is configured to forward connections to this IngressController, the load balancer should use this port for health checks. The load balancer can send HTTP probes on this port on a given node, with the path /healthz/ready to determine if the ingress controller is ready to receive traffic on the node. For proper operation the load balancer must not forward traffic to a node until the health check reports ready. The load balancer should also stop forwarding requests within a maximum of 45 seconds after /healthz/ready starts reporting not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with a threshold of two successful or failed requests to become healthy or unhealthy respectively, are well-tested values. When the value is 0 or is not specified it defaults to 1936.
105 format: int32
106 maximum: 65535
107 minimum: 0
108 type: integer
109 type: object
110 loadBalancer:
111 description: loadBalancer holds parameters for the load balancer. Present only if type is LoadBalancerService.
112 properties:
113 allowedSourceRanges:
114 description: "allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 are used by default, which allows all source addresses. \n To facilitate migration from earlier versions of OpenShift that did not have the allowedSourceRanges field, you may set the service.beta.kubernetes.io/load-balancer-source-ranges annotation on the \"router-<ingresscontroller name>\" service in the \"openshift-ingress\" namespace, and this annotation will take effect if allowedSourceRanges is empty on OpenShift 4.12."
115 items:
116 description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
117 pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)
118 type: string
119 nullable: true
120 type: array
121 dnsManagementPolicy:
122 default: Managed
123 description: 'dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record associated with the load balancer service will be managed by the ingress operator. It defaults to Managed. Valid values are: Managed and Unmanaged.'
124 enum:
125 - Managed
126 - Unmanaged
127 type: string
128 providerParameters:
129 description: "providerParameters holds desired load balancer information specific to the underlying infrastructure provider. \n If empty, defaults will be applied. See specific providerParameters fields for details about their defaults."
130 properties:
131 aws:
132 description: "aws provides configuration settings that are specific to AWS load balancers. \n If empty, defaults will be applied. See specific aws fields for details about their defaults."
133 properties:
134 classicLoadBalancer:
135 description: classicLoadBalancerParameters holds configuration parameters for an AWS classic load balancer. Present only if type is Classic.
136 properties:
137 connectionIdleTimeout:
138 description: connectionIdleTimeout specifies the maximum time period that a connection may be idle before the load balancer closes the connection. The value must be parseable as a time duration value; see <https://pkg.go.dev/time#ParseDuration>. A nil or zero value means no opinion, in which case a default value is used. The default value for this field is 60s. This default is subject to change.
139 format: duration
140 type: string
141 type: object
142 networkLoadBalancer:
143 description: networkLoadBalancerParameters holds configuration parameters for an AWS network load balancer. Present only if type is NLB.
144 type: object
145 type:
146 description: "type is the type of AWS load balancer to instantiate for an ingresscontroller. \n Valid values are: \n * \"Classic\": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb \n * \"NLB\": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb"
147 enum:
148 - Classic
149 - NLB
150 type: string
151 required:
152 - type
153 type: object
154 gcp:
155 description: "gcp provides configuration settings that are specific to GCP load balancers. \n If empty, defaults will be applied. See specific gcp fields for details about their defaults."
156 properties:
157 clientAccess:
158 description: "clientAccess describes how client access is restricted for internal load balancers. \n Valid values are: * \"Global\": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access \n * \"Local\": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access"
159 enum:
160 - Global
161 - Local
162 type: string
163 type: object
164 ibm:
165 description: "ibm provides configuration settings that are specific to IBM Cloud load balancers. \n If empty, defaults will be applied. See specific ibm fields for details about their defaults."
166 properties:
167 protocol:
168 description: "protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n Valid values for protocol are TCP, PROXY and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is TCP, without the proxy protocol enabled."
169 enum:
170 - ""
171 - TCP
172 - PROXY
173 type: string
174 type: object
175 type:
176 description: type is the underlying infrastructure provider for the load balancer. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and "VSphere".
177 enum:
178 - AWS
179 - Azure
180 - BareMetal
181 - GCP
182 - Nutanix
183 - OpenStack
184 - VSphere
185 - IBM
186 type: string
187 required:
188 - type
189 type: object
190 scope:
191 description: scope indicates the scope at which the load balancer is exposed. Possible values are "External" and "Internal".
192 enum:
193 - Internal
194 - External
195 type: string
196 required:
197 - dnsManagementPolicy
198 - scope
199 type: object
200 nodePort:
201 description: nodePort holds parameters for the NodePortService endpoint publishing strategy. Present only if type is NodePortService.
202 properties:
203 protocol:
204 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
205 enum:
206 - ""
207 - TCP
208 - PROXY
209 type: string
210 type: object
211 private:
212 description: private holds parameters for the Private endpoint publishing strategy. Present only if type is Private.
213 properties:
214 protocol:
215 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
216 enum:
217 - ""
218 - TCP
219 - PROXY
220 type: string
221 type: object
222 type:
223 description: "type is the publishing strategy to use. Valid values are: \n * LoadBalancerService \n Publishes the ingress controller using a Kubernetes LoadBalancer Service. \n In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer \n If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. \n Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. \n * HostNetwork \n Publishes the ingress controller on node ports where the ingress controller is deployed. \n In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. \n * Private \n Does not publish the ingress controller. \n In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. \n * NodePortService \n Publishes the ingress controller using a Kubernetes NodePort Service. \n In this configuration, the ingress controller deployment uses container networking. A NodePort Service is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift; however, to support static port allocations, user changes to the node port field of the managed NodePort Service will preserved."
224 enum:
225 - LoadBalancerService
226 - HostNetwork
227 - Private
228 - NodePortService
229 type: string
230 required:
231 - type
232 type: object
233 httpCompression:
234 description: httpCompression defines a policy for HTTP traffic compression. By default, there is no HTTP compression.
235 properties:
236 mimeTypes:
237 description: "mimeTypes is a list of MIME types that should have compression applied. This list can be empty, in which case the ingress controller does not apply compression. \n Note: Not all MIME types benefit from compression, but HAProxy will still use resources to try to compress if instructed to. Generally speaking, text (html, css, js, etc.) formats benefit from compression, but formats that are already compressed (image, audio, video, etc.) benefit little in exchange for the time and cpu spent on compressing again. See https://joehonton.medium.com/the-gzip-penalty-d31bd697f1a2"
238 items:
239 description: "CompressionMIMEType defines the format of a single MIME type. E.g. \"text/css; charset=utf-8\", \"text/html\", \"text/*\", \"image/svg+xml\", \"application/octet-stream\", \"X-custom/customsub\", etc. \n The format should follow the Content-Type definition in RFC 1341: Content-Type := type \"/\" subtype *[\";\" parameter] - The type in Content-Type can be one of: application, audio, image, message, multipart, text, video, or a custom type preceded by \"X-\" and followed by a token as defined below. - The token is a string of at least one character, and not containing white space, control characters, or any of the characters in the tspecials set. - The tspecials set contains the characters ()<>@,;:\\\"/[]?.= - The subtype in Content-Type is also a token. - The optional parameter/s following the subtype are defined as: token \"=\" (token / quoted-string) - The quoted-string, as defined in RFC 822, is surrounded by double quotes and can contain white space plus any character EXCEPT \\, \", and CR. It can also contain any single ASCII character as long as it is escaped by \\."
240 pattern: ^(?i)(x-[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|application|audio|image|message|multipart|text|video)/[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+(; *[^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+=([^][ ()\\<>@,;:"/?.=\x00-\x1F\x7F]+|"(\\[\x00-\x7F]|[^\x0D"\\])*"))*$
241 type: string
242 type: array
243 x-kubernetes-list-type: set
244 type: object
245 httpEmptyRequestsPolicy:
246 default: Respond
247 description: "httpEmptyRequestsPolicy describes how HTTP connections should be handled if the connection times out before a request is received. Allowed values for this field are \"Respond\" and \"Ignore\". If the field is set to \"Respond\", the ingress controller sends an HTTP 400 or 408 response, logs the connection (if access logging is enabled), and counts the connection in the appropriate metrics. If the field is set to \"Ignore\", the ingress controller closes the connection without sending a response, logging the connection, or incrementing metrics. The default value is \"Respond\". \n Typically, these connections come from load balancers' health probes or Web browsers' speculative connections (\"preconnect\") and can be safely ignored. However, these requests may also be caused by network errors, and so setting this field to \"Ignore\" may impede detection and diagnosis of problems. In addition, these requests may be caused by port scans, in which case logging empty requests may aid in detecting intrusion attempts."
248 enum:
249 - Respond
250 - Ignore
251 type: string
252 httpErrorCodePages:
253 description: httpErrorCodePages specifies a configmap with custom error pages. The administrator must create this configmap in the openshift-config namespace. This configmap should have keys in the format "error-page-<error code>.http", where <error code> is an HTTP error code. For example, "error-page-503.http" defines an error page for HTTP 503 responses. Currently only error pages for 503 and 404 responses can be customized. Each value in the configmap should be the full response, including HTTP headers. Eg- https://raw.githubusercontent.com/openshift/router/fadab45747a9b30cc3f0a4b41ad2871f95827a93/images/router/haproxy/conf/error-page-503.http If this field is empty, the ingress controller uses the default error pages.
254 properties:
255 name:
256 description: name is the metadata.name of the referenced config map
257 type: string
258 required:
259 - name
260 type: object
261 httpHeaders:
262 description: "httpHeaders defines policy for HTTP headers. \n If this field is empty, the default values are used."
263 properties:
264 forwardedHeaderPolicy:
265 description: "forwardedHeaderPolicy specifies when and how the IngressController sets the Forwarded, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, and X-Forwarded-Proto-Version HTTP headers. The value may be one of the following: \n * \"Append\", which specifies that the IngressController appends the headers, preserving existing headers. \n * \"Replace\", which specifies that the IngressController sets the headers, replacing any existing Forwarded or X-Forwarded-* headers. \n * \"IfNone\", which specifies that the IngressController sets the headers if they are not already set. \n * \"Never\", which specifies that the IngressController never sets the headers, preserving any existing headers. \n By default, the policy is \"Append\"."
266 enum:
267 - Append
268 - Replace
269 - IfNone
270 - Never
271 type: string
272 headerNameCaseAdjustments:
273 description: "headerNameCaseAdjustments specifies case adjustments that can be applied to HTTP header names. Each adjustment is specified as an HTTP header name with the desired capitalization. For example, specifying \"X-Forwarded-For\" indicates that the \"x-forwarded-for\" HTTP header should be adjusted to have the specified capitalization. \n These adjustments are only applied to cleartext, edge-terminated, and re-encrypt routes, and only when using HTTP/1. \n For request headers, these adjustments are applied only for routes that have the haproxy.router.openshift.io/h1-adjust-case=true annotation. For response headers, these adjustments are applied to all HTTP responses. \n If this field is empty, no request headers are adjusted."
274 items:
275 description: IngressControllerHTTPHeaderNameCaseAdjustment is the name of an HTTP header (for example, "X-Forwarded-For") in the desired capitalization. The value must be a valid HTTP header name as defined in RFC 2616 section 4.2.
276 maxLength: 1024
277 minLength: 0
278 pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
279 type: string
280 nullable: true
281 type: array
282 uniqueId:
283 description: "uniqueId describes configuration for a custom HTTP header that the ingress controller should inject into incoming HTTP requests. Typically, this header is configured to have a value that is unique to the HTTP request. The header can be used by applications or included in access logs to facilitate tracing individual HTTP requests. \n If this field is empty, no such header is injected into requests."
284 properties:
285 format:
286 description: 'format specifies the format for the injected HTTP header''s value. This field has no effect unless name is specified. For the HAProxy-based ingress controller implementation, this format uses the same syntax as the HTTP log format. If the field is empty, the default value is "%{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid"; see the corresponding HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3'
287 maxLength: 1024
288 minLength: 0
289 pattern: ^(%(%|(\{[-+]?[QXE](,[-+]?[QXE])*\})?([A-Za-z]+|\[[.0-9A-Z_a-z]+(\([^)]+\))?(,[.0-9A-Z_a-z]+(\([^)]+\))?)*\]))|[^%[:cntrl:]])*$
290 type: string
291 name:
292 description: name specifies the name of the HTTP header (for example, "unique-id") that the ingress controller should inject into HTTP requests. The field's value must be a valid HTTP header name as defined in RFC 2616 section 4.2. If the field is empty, no header is injected.
293 maxLength: 1024
294 minLength: 0
295 pattern: ^$|^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
296 type: string
297 type: object
298 type: object
299 logging:
300 description: logging defines parameters for what should be logged where. If this field is empty, operational logs are enabled but access logs are disabled.
301 properties:
302 access:
303 description: "access describes how the client requests should be logged. \n If this field is empty, access logging is disabled."
304 properties:
305 destination:
306 description: destination is where access logs go.
307 properties:
308 container:
309 description: container holds parameters for the Container logging destination. Present only if type is Container.
310 type: object
311 syslog:
312 description: syslog holds parameters for a syslog endpoint. Present only if type is Syslog.
313 oneOf:
314 - properties:
315 address:
316 format: ipv4
317 - properties:
318 address:
319 format: ipv6
320 properties:
321 address:
322 description: address is the IP address of the syslog endpoint that receives log messages.
323 type: string
324 facility:
325 description: "facility specifies the syslog facility of log messages. \n If this field is empty, the facility is \"local1\"."
326 enum:
327 - kern
328 - user
329 - mail
330 - daemon
331 - auth
332 - syslog
333 - lpr
334 - news
335 - uucp
336 - cron
337 - auth2
338 - ftp
339 - ntp
340 - audit
341 - alert
342 - cron2
343 - local0
344 - local1
345 - local2
346 - local3
347 - local4
348 - local5
349 - local6
350 - local7
351 type: string
352 maxLength:
353 default: 1024
354 description: "maxLength is the maximum length of the syslog message \n If this field is empty, the maxLength is set to \"1024\"."
355 format: int32
356 maximum: 4096
357 minimum: 480
358 type: integer
359 port:
360 description: port is the UDP port number of the syslog endpoint that receives log messages.
361 format: int32
362 maximum: 65535
363 minimum: 1
364 type: integer
365 required:
366 - address
367 - port
368 type: object
369 type:
370 description: "type is the type of destination for logs. It must be one of the following: \n * Container \n The ingress operator configures the sidecar container named \"logs\" on the ingress controller pod and configures the ingress controller to write logs to the sidecar. The logs are then available as container logs. The expectation is that the administrator configures a custom logging solution that reads logs from this sidecar. Note that using container logs means that logs may be dropped if the rate of logs exceeds the container runtime's or the custom logging solution's capacity. \n * Syslog \n Logs are sent to a syslog endpoint. The administrator must specify an endpoint that can receive syslog messages. The expectation is that the administrator has configured a custom syslog instance."
371 enum:
372 - Container
373 - Syslog
374 type: string
375 required:
376 - type
377 type: object
378 httpCaptureCookies:
379 description: httpCaptureCookies specifies HTTP cookies that should be captured in access logs. If this field is empty, no cookies are captured.
380 items:
381 description: IngressControllerCaptureHTTPCookie describes an HTTP cookie that should be captured.
382 properties:
383 matchType:
384 description: matchType specifies the type of match to be performed on the cookie name. Allowed values are "Exact" for an exact string match and "Prefix" for a string prefix match. If "Exact" is specified, a name must be specified in the name field. If "Prefix" is provided, a prefix must be specified in the namePrefix field. For example, specifying matchType "Prefix" and namePrefix "foo" will capture a cookie named "foo" or "foobar" but not one named "bar". The first matching cookie is captured.
385 enum:
386 - Exact
387 - Prefix
388 type: string
389 maxLength:
390 description: maxLength specifies a maximum length of the string that will be logged, which includes the cookie name, cookie value, and one-character delimiter. If the log entry exceeds this length, the value will be truncated in the log message. Note that the ingress controller may impose a separate bound on the total length of HTTP headers in a request.
391 maximum: 1024
392 minimum: 1
393 type: integer
394 name:
395 description: name specifies a cookie name. Its value must be a valid HTTP cookie name as defined in RFC 6265 section 4.1.
396 maxLength: 1024
397 minLength: 0
398 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$
399 type: string
400 namePrefix:
401 description: namePrefix specifies a cookie name prefix. Its value must be a valid HTTP cookie name as defined in RFC 6265 section 4.1.
402 maxLength: 1024
403 minLength: 0
404 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]*$
405 type: string
406 required:
407 - matchType
408 - maxLength
409 type: object
410 maxItems: 1
411 nullable: true
412 type: array
413 httpCaptureHeaders:
414 description: "httpCaptureHeaders defines HTTP headers that should be captured in access logs. If this field is empty, no headers are captured. \n Note that this option only applies to cleartext HTTP connections and to secure HTTP connections for which the ingress controller terminates encryption (that is, edge-terminated or reencrypt connections). Headers cannot be captured for TLS passthrough connections."
415 properties:
416 request:
417 description: "request specifies which HTTP request headers to capture. \n If this field is empty, no request headers are captured."
418 items:
419 description: IngressControllerCaptureHTTPHeader describes an HTTP header that should be captured.
420 properties:
421 maxLength:
422 description: maxLength specifies a maximum length for the header value. If a header value exceeds this length, the value will be truncated in the log message. Note that the ingress controller may impose a separate bound on the total length of HTTP headers in a request.
423 minimum: 1
424 type: integer
425 name:
426 description: name specifies a header name. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2.
427 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
428 type: string
429 required:
430 - maxLength
431 - name
432 type: object
433 nullable: true
434 type: array
435 response:
436 description: "response specifies which HTTP response headers to capture. \n If this field is empty, no response headers are captured."
437 items:
438 description: IngressControllerCaptureHTTPHeader describes an HTTP header that should be captured.
439 properties:
440 maxLength:
441 description: maxLength specifies a maximum length for the header value. If a header value exceeds this length, the value will be truncated in the log message. Note that the ingress controller may impose a separate bound on the total length of HTTP headers in a request.
442 minimum: 1
443 type: integer
444 name:
445 description: name specifies a header name. Its value must be a valid HTTP header name as defined in RFC 2616 section 4.2.
446 pattern: ^[-!#$%&'*+.0-9A-Z^_`a-z|~]+$
447 type: string
448 required:
449 - maxLength
450 - name
451 type: object
452 nullable: true
453 type: array
454 type: object
455 httpLogFormat:
456 description: "httpLogFormat specifies the format of the log message for an HTTP request. \n If this field is empty, log messages use the implementation's default HTTP log format. For HAProxy's default HTTP log format, see the HAProxy documentation: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3 \n Note that this format only applies to cleartext HTTP connections and to secure HTTP connections for which the ingress controller terminates encryption (that is, edge-terminated or reencrypt connections). It does not affect the log format for TLS passthrough connections."
457 type: string
458 logEmptyRequests:
459 default: Log
460 description: logEmptyRequests specifies how connections on which no request is received should be logged. Typically, these empty requests come from load balancers' health probes or Web browsers' speculative connections ("preconnect"), in which case logging these requests may be undesirable. However, these requests may also be caused by network errors, in which case logging empty requests may be useful for diagnosing the errors. In addition, these requests may be caused by port scans, in which case logging empty requests may aid in detecting intrusion attempts. Allowed values for this field are "Log" and "Ignore". The default value is "Log".
461 enum:
462 - Log
463 - Ignore
464 type: string
465 required:
466 - destination
467 type: object
468 type: object
469 namespaceSelector:
470 description: "namespaceSelector is used to filter the set of namespaces serviced by the ingress controller. This is useful for implementing shards. \n If unset, the default is no filtering."
471 properties:
472 matchExpressions:
473 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
474 items:
475 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
476 properties:
477 key:
478 description: key is the label key that the selector applies to.
479 type: string
480 operator:
481 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
482 type: string
483 values:
484 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
485 items:
486 type: string
487 type: array
488 required:
489 - key
490 - operator
491 type: object
492 type: array
493 matchLabels:
494 additionalProperties:
495 type: string
496 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
497 type: object
498 type: object
499 x-kubernetes-map-type: atomic
500 nodePlacement:
501 description: "nodePlacement enables explicit control over the scheduling of the ingress controller. \n If unset, defaults are used. See NodePlacement for more details."
502 properties:
503 nodeSelector:
504 description: "nodeSelector is the node selector applied to ingress controller deployments. \n If set, the specified selector is used and replaces the default. \n If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. \n When defaultPlacement is Workers, the default is: \n kubernetes.io/os: linux node-role.kubernetes.io/worker: '' \n When defaultPlacement is ControlPlane, the default is: \n kubernetes.io/os: linux node-role.kubernetes.io/master: '' \n These defaults are subject to change. \n Note that using nodeSelector.matchExpressions is not supported. Only nodeSelector.matchLabels may be used. This is a limitation of the Kubernetes API: the pod spec does not allow complex expressions for node selectors."
505 properties:
506 matchExpressions:
507 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
508 items:
509 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
510 properties:
511 key:
512 description: key is the label key that the selector applies to.
513 type: string
514 operator:
515 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
516 type: string
517 values:
518 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
519 items:
520 type: string
521 type: array
522 required:
523 - key
524 - operator
525 type: object
526 type: array
527 matchLabels:
528 additionalProperties:
529 type: string
530 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
531 type: object
532 type: object
533 x-kubernetes-map-type: atomic
534 tolerations:
535 description: "tolerations is a list of tolerations applied to ingress controller deployments. \n The default is an empty list. \n See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/"
536 items:
537 description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.
538 properties:
539 effect:
540 description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
541 type: string
542 key:
543 description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.
544 type: string
545 operator:
546 description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.
547 type: string
548 tolerationSeconds:
549 description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.
550 format: int64
551 type: integer
552 value:
553 description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
554 type: string
555 type: object
556 type: array
557 type: object
558 replicas:
559 description: "replicas is the desired number of ingress controller replicas. If unset, the default depends on the value of the defaultPlacement field in the cluster config.openshift.io/v1/ingresses status. \n The value of replicas is set based on the value of a chosen field in the Infrastructure CR. If defaultPlacement is set to ControlPlane, the chosen field will be controlPlaneTopology. If it is set to Workers the chosen field will be infrastructureTopology. Replicas will then be set to 1 or 2 based whether the chosen field's value is SingleReplica or HighlyAvailable, respectively. \n These defaults are subject to change."
560 format: int32
561 type: integer
562 routeAdmission:
563 description: "routeAdmission defines a policy for handling new route claims (for example, to allow or deny claims across namespaces). \n If empty, defaults will be applied. See specific routeAdmission fields for details about their defaults."
564 properties:
565 namespaceOwnership:
566 description: "namespaceOwnership describes how host name claims across namespaces should be handled. \n Value must be one of: \n - Strict: Do not allow routes in different namespaces to claim the same host. \n - InterNamespaceAllowed: Allow routes to claim different paths of the same host name across namespaces. \n If empty, the default is Strict."
567 enum:
568 - InterNamespaceAllowed
569 - Strict
570 type: string
571 wildcardPolicy:
572 description: "wildcardPolicy describes how routes with wildcard policies should be handled for the ingress controller. WildcardPolicy controls use of routes [1] exposed by the ingress controller based on the route's wildcard policy. \n [1] https://github.com/openshift/api/blob/master/route/v1/types.go \n Note: Updating WildcardPolicy from WildcardsAllowed to WildcardsDisallowed will cause admitted routes with a wildcard policy of Subdomain to stop working. These routes must be updated to a wildcard policy of None to be readmitted by the ingress controller. \n WildcardPolicy supports WildcardsAllowed and WildcardsDisallowed values. \n If empty, defaults to \"WildcardsDisallowed\"."
573 enum:
574 - WildcardsAllowed
575 - WildcardsDisallowed
576 type: string
577 type: object
578 routeSelector:
579 description: "routeSelector is used to filter the set of Routes serviced by the ingress controller. This is useful for implementing shards. \n If unset, the default is no filtering."
580 properties:
581 matchExpressions:
582 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
583 items:
584 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
585 properties:
586 key:
587 description: key is the label key that the selector applies to.
588 type: string
589 operator:
590 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
591 type: string
592 values:
593 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
594 items:
595 type: string
596 type: array
597 required:
598 - key
599 - operator
600 type: object
601 type: array
602 matchLabels:
603 additionalProperties:
604 type: string
605 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
606 type: object
607 type: object
608 x-kubernetes-map-type: atomic
609 tlsSecurityProfile:
610 description: "tlsSecurityProfile specifies settings for TLS connections for ingresscontrollers. \n If unset, the default is based on the apiservers.config.openshift.io/cluster resource. \n Note that when using the Old, Intermediate, and Modern profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 may cause a new profile configuration to be applied to the ingress controller, resulting in a rollout."
611 properties:
612 custom:
613 description: "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion: TLSv1.1"
614 nullable: true
615 properties:
616 ciphers:
617 description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA"
618 items:
619 type: string
620 type: array
621 minTLSVersion:
622 description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n NOTE: currently the highest minTLSVersion allowed is VersionTLS12"
623 enum:
624 - VersionTLS10
625 - VersionTLS11
626 - VersionTLS12
627 - VersionTLS13
628 type: string
629 type: object
630 intermediate:
631 description: "intermediate is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2"
632 nullable: true
633 type: object
634 modern:
635 description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
636 nullable: true
637 type: object
638 old:
639 description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA - DES-CBC3-SHA minTLSVersion: TLSv1.0"
640 nullable: true
641 type: object
642 type:
643 description: "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations \n The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced. \n Note that the Modern profile is currently not supported because it is not yet well adopted by common software libraries."
644 enum:
645 - Old
646 - Intermediate
647 - Modern
648 - Custom
649 type: string
650 type: object
651 tuningOptions:
652 anyOf:
653 - properties:
654 maxConnections:
655 enum:
656 - -1
657 - 0
658 - properties:
659 maxConnections:
660 format: int32
661 maximum: 2000000
662 minimum: 2000
663 description: "tuningOptions defines parameters for adjusting the performance of ingress controller pods. All fields are optional and will use their respective defaults if not set. See specific tuningOptions fields for more details. \n Setting fields within tuningOptions is generally not recommended. The default values are suitable for most configurations."
664 properties:
665 clientFinTimeout:
666 description: "clientFinTimeout defines how long a connection will be held open while waiting for the client response to the server/backend closing the connection. \n If unset, the default timeout is 1s"
667 format: duration
668 type: string
669 clientTimeout:
670 description: "clientTimeout defines how long a connection will be held open while waiting for a client response. \n If unset, the default timeout is 30s"
671 format: duration
672 type: string
673 headerBufferBytes:
674 description: "headerBufferBytes describes how much memory should be reserved (in bytes) for IngressController connection sessions. Note that this value must be at least 16384 if HTTP/2 is enabled for the IngressController (https://tools.ietf.org/html/rfc7540). If this field is empty, the IngressController will use a default value of 32768 bytes. \n Setting this field is generally not recommended as headerBufferBytes values that are too small may break the IngressController and headerBufferBytes values that are too large could cause the IngressController to use significantly more memory than necessary."
675 format: int32
676 minimum: 16384
677 type: integer
678 headerBufferMaxRewriteBytes:
679 description: "headerBufferMaxRewriteBytes describes how much memory should be reserved (in bytes) from headerBufferBytes for HTTP header rewriting and appending for IngressController connection sessions. Note that incoming HTTP requests will be limited to (headerBufferBytes - headerBufferMaxRewriteBytes) bytes, meaning headerBufferBytes must be greater than headerBufferMaxRewriteBytes. If this field is empty, the IngressController will use a default value of 8192 bytes. \n Setting this field is generally not recommended as headerBufferMaxRewriteBytes values that are too small may break the IngressController and headerBufferMaxRewriteBytes values that are too large could cause the IngressController to use significantly more memory than necessary."
680 format: int32
681 minimum: 4096
682 type: integer
683 healthCheckInterval:
684 description: "healthCheckInterval defines how long the router waits between two consecutive health checks on its configured backends. This value is applied globally as a default for all routes, but may be overridden per-route by the route annotation \"router.openshift.io/haproxy.health.check.interval\". \n Expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, eg \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Setting this to less than 5s can cause excess traffic due to too frequent TCP health checks and accompanying SYN packet storms. Alternatively, setting this too high can result in increased latency, due to backend servers that are no longer available, but haven't yet been detected as such. \n An empty or zero healthCheckInterval means no opinion and IngressController chooses a default, which is subject to change over time. Currently the default healthCheckInterval value is 5s. \n Currently the minimum allowed value is 1s and the maximum allowed value is 2147483647ms (24.85 days). Both are subject to change over time."
685 pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
686 type: string
687 maxConnections:
688 description: "maxConnections defines the maximum number of simultaneous connections that can be established per HAProxy process. Increasing this value allows each ingress controller pod to handle more connections but at the cost of additional system resources being consumed. \n Permitted values are: empty, 0, -1, and the range 2000-2000000. \n If this field is empty or 0, the IngressController will use the default value of 50000, but the default is subject to change in future releases. \n If the value is -1 then HAProxy will dynamically compute a maximum value based on the available ulimits in the running container. Selecting -1 (i.e., auto) will result in a large value being computed (~520000 on OpenShift >=4.10 clusters) and therefore each HAProxy process will incur significant memory usage compared to the current default of 50000. \n Setting a value that is greater than the current operating system limit will prevent the HAProxy process from starting. \n If you choose a discrete value (e.g., 750000) and the router pod is migrated to a new node, there's no guarantee that that new node has identical ulimits configured. In such a scenario the pod would fail to start. If you have nodes with different ulimits configured (e.g., different tuned profiles) and you choose a discrete value then the guidance is to use -1 and let the value be computed dynamically at runtime. \n You can monitor memory usage for router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}'. \n You can monitor memory usage of individual HAProxy processes in router containers with the following metric: 'container_memory_working_set_bytes{container=\"router\",namespace=\"openshift-ingress\"}/container_processes{container=\"router\",namespace=\"openshift-ingress\"}'."
689 format: int32
690 type: integer
691 reloadInterval:
692 description: "reloadInterval defines the minimum interval at which the router is allowed to reload to accept new changes. Increasing this value can prevent the accumulation of HAProxy processes, depending on the scenario. Increasing this interval can also lessen load imbalance on a backend's servers when using the roundrobin balancing algorithm. Alternatively, decreasing this value may decrease latency since updates to HAProxy's configuration can take effect more quickly. \n The value must be a time duration value; see <https://pkg.go.dev/time#ParseDuration>. Currently, the minimum value allowed is 1s, and the maximum allowed value is 120s. Minimum and maximum allowed values may change in future versions of OpenShift. Note that if a duration outside of these bounds is provided, the value of reloadInterval will be capped/floored and not rejected (e.g. a duration of over 120s will be capped to 120s; the IngressController will not reject and replace this disallowed value with the default). \n A zero value for reloadInterval tells the IngressController to choose the default, which is currently 5s and subject to change without notice. \n This field expects an unsigned duration string of decimal numbers, each with optional fraction and a unit suffix, e.g. \"300ms\", \"1.5h\" or \"2h45m\". Valid time units are \"ns\", \"us\" (or \"µs\" U+00B5 or \"μs\" U+03BC), \"ms\", \"s\", \"m\", \"h\". \n Note: Setting a value significantly larger than the default of 5s can cause latency in observing updates to routes and their endpoints. HAProxy's configuration will be reloaded less frequently, and newly created routes will not be served until the subsequent reload."
693 pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
694 type: string
695 serverFinTimeout:
696 description: "serverFinTimeout defines how long a connection will be held open while waiting for the server/backend response to the client closing the connection. \n If unset, the default timeout is 1s"
697 format: duration
698 type: string
699 serverTimeout:
700 description: "serverTimeout defines how long a connection will be held open while waiting for a server/backend response. \n If unset, the default timeout is 30s"
701 format: duration
702 type: string
703 threadCount:
704 description: "threadCount defines the number of threads created per HAProxy process. Creating more threads allows each ingress controller pod to handle more connections, at the cost of more system resources being used. HAProxy currently supports up to 64 threads. If this field is empty, the IngressController will use the default value. The current default is 4 threads, but this may change in future releases. \n Setting this field is generally not recommended. Increasing the number of HAProxy threads allows ingress controller pods to utilize more CPU time under load, potentially starving other pods if set too high. Reducing the number of threads may cause the ingress controller to perform poorly."
705 format: int32
706 maximum: 64
707 minimum: 1
708 type: integer
709 tlsInspectDelay:
710 description: "tlsInspectDelay defines how long the router can hold data to find a matching route. \n Setting this too short can cause the router to fall back to the default certificate for edge-terminated or reencrypt routes even when a better matching certificate could be used. \n If unset, the default inspect delay is 5s"
711 format: duration
712 type: string
713 tunnelTimeout:
714 description: "tunnelTimeout defines how long a tunnel connection (including websockets) will be held open while the tunnel is idle. \n If unset, the default timeout is 1h"
715 format: duration
716 type: string
717 type: object
718 unsupportedConfigOverrides:
719 description: unsupportedConfigOverrides allows specifying unsupported configuration options. Its use is unsupported.
720 nullable: true
721 type: object
722 x-kubernetes-preserve-unknown-fields: true
723 type: object
724 status:
725 description: status is the most recently observed status of the IngressController.
726 properties:
727 availableReplicas:
728 description: availableReplicas is number of observed available replicas according to the ingress controller deployment.
729 format: int32
730 type: integer
731 conditions:
732 description: "conditions is a list of conditions and their status. \n Available means the ingress controller deployment is available and servicing route and ingress resources (i.e, .status.availableReplicas equals .spec.replicas) \n There are additional conditions which indicate the status of other ingress controller features and capabilities. \n * LoadBalancerManaged - True if the following conditions are met: * The endpoint publishing strategy requires a service load balancer. - False if any of those conditions are unsatisfied. \n * LoadBalancerReady - True if the following conditions are met: * A load balancer is managed. * The load balancer is ready. - False if any of those conditions are unsatisfied. \n * DNSManaged - True if the following conditions are met: * The endpoint publishing strategy and platform support DNS. * The ingress controller domain is set. * dns.config.openshift.io/cluster configures DNS zones. - False if any of those conditions are unsatisfied. \n * DNSReady - True if the following conditions are met: * DNS is managed. * DNS records have been successfully created. - False if any of those conditions are unsatisfied."
733 items:
734 description: OperatorCondition is just the standard condition fields.
735 properties:
736 lastTransitionTime:
737 format: date-time
738 type: string
739 message:
740 type: string
741 reason:
742 type: string
743 status:
744 type: string
745 type:
746 type: string
747 type: object
748 type: array
749 domain:
750 description: domain is the actual domain in use.
751 type: string
752 endpointPublishingStrategy:
753 description: endpointPublishingStrategy is the actual strategy in use.
754 properties:
755 hostNetwork:
756 description: hostNetwork holds parameters for the HostNetwork endpoint publishing strategy. Present only if type is HostNetwork.
757 properties:
758 httpPort:
759 default: 80
760 description: httpPort is the port on the host which should be used to listen for HTTP requests. This field should be set when port 80 is already in use. The value should not coincide with the NodePort range of the cluster. When the value is 0 or is not specified it defaults to 80.
761 format: int32
762 maximum: 65535
763 minimum: 0
764 type: integer
765 httpsPort:
766 default: 443
767 description: httpsPort is the port on the host which should be used to listen for HTTPS requests. This field should be set when port 443 is already in use. The value should not coincide with the NodePort range of the cluster. When the value is 0 or is not specified it defaults to 443.
768 format: int32
769 maximum: 65535
770 minimum: 0
771 type: integer
772 protocol:
773 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
774 enum:
775 - ""
776 - TCP
777 - PROXY
778 type: string
779 statsPort:
780 default: 1936
781 description: statsPort is the port on the host where the stats from the router are published. The value should not coincide with the NodePort range of the cluster. If an external load balancer is configured to forward connections to this IngressController, the load balancer should use this port for health checks. The load balancer can send HTTP probes on this port on a given node, with the path /healthz/ready to determine if the ingress controller is ready to receive traffic on the node. For proper operation the load balancer must not forward traffic to a node until the health check reports ready. The load balancer should also stop forwarding requests within a maximum of 45 seconds after /healthz/ready starts reporting not-ready. Probing every 5 to 10 seconds, with a 5-second timeout and with a threshold of two successful or failed requests to become healthy or unhealthy respectively, are well-tested values. When the value is 0 or is not specified it defaults to 1936.
782 format: int32
783 maximum: 65535
784 minimum: 0
785 type: integer
786 type: object
787 loadBalancer:
788 description: loadBalancer holds parameters for the load balancer. Present only if type is LoadBalancerService.
789 properties:
790 allowedSourceRanges:
791 description: "allowedSourceRanges specifies an allowlist of IP address ranges to which access to the load balancer should be restricted. Each range must be specified using CIDR notation (e.g. \"10.0.0.0/8\" or \"fd00::/8\"). If no range is specified, \"0.0.0.0/0\" for IPv4 and \"::/0\" for IPv6 are used by default, which allows all source addresses. \n To facilitate migration from earlier versions of OpenShift that did not have the allowedSourceRanges field, you may set the service.beta.kubernetes.io/load-balancer-source-ranges annotation on the \"router-<ingresscontroller name>\" service in the \"openshift-ingress\" namespace, and this annotation will take effect if allowedSourceRanges is empty on OpenShift 4.12."
792 items:
793 description: CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8").
794 pattern: (^(([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])/([0-9]|[12][0-9]|3[0-2])$)|(^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))$)
795 type: string
796 nullable: true
797 type: array
798 dnsManagementPolicy:
799 default: Managed
800 description: 'dnsManagementPolicy indicates if the lifecycle of the wildcard DNS record associated with the load balancer service will be managed by the ingress operator. It defaults to Managed. Valid values are: Managed and Unmanaged.'
801 enum:
802 - Managed
803 - Unmanaged
804 type: string
805 providerParameters:
806 description: "providerParameters holds desired load balancer information specific to the underlying infrastructure provider. \n If empty, defaults will be applied. See specific providerParameters fields for details about their defaults."
807 properties:
808 aws:
809 description: "aws provides configuration settings that are specific to AWS load balancers. \n If empty, defaults will be applied. See specific aws fields for details about their defaults."
810 properties:
811 classicLoadBalancer:
812 description: classicLoadBalancerParameters holds configuration parameters for an AWS classic load balancer. Present only if type is Classic.
813 properties:
814 connectionIdleTimeout:
815 description: connectionIdleTimeout specifies the maximum time period that a connection may be idle before the load balancer closes the connection. The value must be parseable as a time duration value; see <https://pkg.go.dev/time#ParseDuration>. A nil or zero value means no opinion, in which case a default value is used. The default value for this field is 60s. This default is subject to change.
816 format: duration
817 type: string
818 type: object
819 networkLoadBalancer:
820 description: networkLoadBalancerParameters holds configuration parameters for an AWS network load balancer. Present only if type is NLB.
821 type: object
822 type:
823 description: "type is the type of AWS load balancer to instantiate for an ingresscontroller. \n Valid values are: \n * \"Classic\": A Classic Load Balancer that makes routing decisions at either the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb \n * \"NLB\": A Network Load Balancer that makes routing decisions at the transport layer (TCP/SSL). See the following for additional details: \n https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb"
824 enum:
825 - Classic
826 - NLB
827 type: string
828 required:
829 - type
830 type: object
831 gcp:
832 description: "gcp provides configuration settings that are specific to GCP load balancers. \n If empty, defaults will be applied. See specific gcp fields for details about their defaults."
833 properties:
834 clientAccess:
835 description: "clientAccess describes how client access is restricted for internal load balancers. \n Valid values are: * \"Global\": Specifying an internal load balancer with Global client access allows clients from any region within the VPC to communicate with the load balancer. \n https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing#global_access \n * \"Local\": Specifying an internal load balancer with Local client access means only clients within the same region (and VPC) as the GCP load balancer can communicate with the load balancer. Note that this is the default behavior. \n https://cloud.google.com/load-balancing/docs/internal#client_access"
836 enum:
837 - Global
838 - Local
839 type: string
840 type: object
841 ibm:
842 description: "ibm provides configuration settings that are specific to IBM Cloud load balancers. \n If empty, defaults will be applied. See specific ibm fields for details about their defaults."
843 properties:
844 protocol:
845 description: "protocol specifies whether the load balancer uses PROXY protocol to forward connections to the IngressController. See \"service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: \"proxy-protocol\"\" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas\" \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n Valid values for protocol are TCP, PROXY and omitted. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is TCP, without the proxy protocol enabled."
846 enum:
847 - ""
848 - TCP
849 - PROXY
850 type: string
851 type: object
852 type:
853 description: type is the underlying infrastructure provider for the load balancer. Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix", "OpenStack", and "VSphere".
854 enum:
855 - AWS
856 - Azure
857 - BareMetal
858 - GCP
859 - Nutanix
860 - OpenStack
861 - VSphere
862 - IBM
863 type: string
864 required:
865 - type
866 type: object
867 scope:
868 description: scope indicates the scope at which the load balancer is exposed. Possible values are "External" and "Internal".
869 enum:
870 - Internal
871 - External
872 type: string
873 required:
874 - dnsManagementPolicy
875 - scope
876 type: object
877 nodePort:
878 description: nodePort holds parameters for the NodePortService endpoint publishing strategy. Present only if type is NodePortService.
879 properties:
880 protocol:
881 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
882 enum:
883 - ""
884 - TCP
885 - PROXY
886 type: string
887 type: object
888 private:
889 description: private holds parameters for the Private endpoint publishing strategy. Present only if type is Private.
890 properties:
891 protocol:
892 description: "protocol specifies whether the IngressController expects incoming connections to use plain TCP or whether the IngressController expects PROXY protocol. \n PROXY protocol can be used with load balancers that support it to communicate the source addresses of client connections when forwarding those connections to the IngressController. Using PROXY protocol enables the IngressController to report those source addresses instead of reporting the load balancer's address in HTTP headers and logs. Note that enabling PROXY protocol on the IngressController will cause connections to fail if you are not using a load balancer that uses PROXY protocol to forward connections to the IngressController. See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt for information about PROXY protocol. \n The following values are valid for this field: \n * The empty string. * \"TCP\". * \"PROXY\". \n The empty string specifies the default, which is TCP without PROXY protocol. Note that the default is subject to change."
893 enum:
894 - ""
895 - TCP
896 - PROXY
897 type: string
898 type: object
899 type:
900 description: "type is the publishing strategy to use. Valid values are: \n * LoadBalancerService \n Publishes the ingress controller using a Kubernetes LoadBalancer Service. \n In this configuration, the ingress controller deployment uses container networking. A LoadBalancer Service is created to publish the deployment. \n See: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer \n If domain is set, a wildcard DNS record will be managed to point at the LoadBalancer Service's external name. DNS records are managed only in DNS zones defined by dns.config.openshift.io/cluster .spec.publicZone and .spec.privateZone. \n Wildcard DNS management is currently supported only on the AWS, Azure, and GCP platforms. \n * HostNetwork \n Publishes the ingress controller on node ports where the ingress controller is deployed. \n In this configuration, the ingress controller deployment uses host networking, bound to node ports 80 and 443. The user is responsible for configuring an external load balancer to publish the ingress controller via the node ports. \n * Private \n Does not publish the ingress controller. \n In this configuration, the ingress controller deployment uses container networking, and is not explicitly published. The user must manually publish the ingress controller. \n * NodePortService \n Publishes the ingress controller using a Kubernetes NodePort Service. \n In this configuration, the ingress controller deployment uses container networking. A NodePort Service is created to publish the deployment. The specific node ports are dynamically allocated by OpenShift; however, to support static port allocations, user changes to the node port field of the managed NodePort Service will preserved."
901 enum:
902 - LoadBalancerService
903 - HostNetwork
904 - Private
905 - NodePortService
906 type: string
907 required:
908 - type
909 type: object
910 namespaceSelector:
911 description: namespaceSelector is the actual namespaceSelector in use.
912 properties:
913 matchExpressions:
914 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
915 items:
916 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
917 properties:
918 key:
919 description: key is the label key that the selector applies to.
920 type: string
921 operator:
922 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
923 type: string
924 values:
925 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
926 items:
927 type: string
928 type: array
929 required:
930 - key
931 - operator
932 type: object
933 type: array
934 matchLabels:
935 additionalProperties:
936 type: string
937 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
938 type: object
939 type: object
940 x-kubernetes-map-type: atomic
941 observedGeneration:
942 description: observedGeneration is the most recent generation observed.
943 format: int64
944 type: integer
945 routeSelector:
946 description: routeSelector is the actual routeSelector in use.
947 properties:
948 matchExpressions:
949 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
950 items:
951 description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
952 properties:
953 key:
954 description: key is the label key that the selector applies to.
955 type: string
956 operator:
957 description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
958 type: string
959 values:
960 description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
961 items:
962 type: string
963 type: array
964 required:
965 - key
966 - operator
967 type: object
968 type: array
969 matchLabels:
970 additionalProperties:
971 type: string
972 description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
973 type: object
974 type: object
975 x-kubernetes-map-type: atomic
976 selector:
977 description: selector is a label selector, in string format, for ingress controller pods corresponding to the IngressController. The number of matching pods should equal the value of availableReplicas.
978 type: string
979 tlsProfile:
980 description: tlsProfile is the TLS connection configuration that is in effect.
981 properties:
982 ciphers:
983 description: "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries their operands do not support. For example, to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA"
984 items:
985 type: string
986 type: array
987 minTLSVersion:
988 description: "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n NOTE: currently the highest minTLSVersion allowed is VersionTLS12"
989 enum:
990 - VersionTLS10
991 - VersionTLS11
992 - VersionTLS12
993 - VersionTLS13
994 type: string
995 type: object
996 type: object
997 type: object
998 served: true
999 storage: true
1000 subresources:
1001 scale:
1002 labelSelectorPath: .status.selector
1003 specReplicasPath: .spec.replicas
1004 statusReplicasPath: .status.availableReplicas
1005 status: {}
View as plain text