diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index f19cd93672..8f056f796c 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1344,8 +1344,6 @@ Topics: - Name: Understanding the Ingress Operator File: ingress-operator Distros: openshift-enterprise,openshift-origin -- Name: Ingress sharding - File: ingress-sharding - Name: Configuring the Ingress Controller for manual DNS management File: ingress-controller-dnsmgt Distros: openshift-enterprise,openshift-origin diff --git a/installing/installing_aws/ipi/installing-aws-localzone.adoc b/installing/installing_aws/ipi/installing-aws-localzone.adoc index 9deae15b39..283b7c3da8 100644 --- a/installing/installing_aws/ipi/installing-aws-localzone.adoc +++ b/installing/installing_aws/ipi/installing-aws-localzone.adoc @@ -65,7 +65,7 @@ include::modules/edge-machine-pools-aws-local-zones.adoc[leveloffset=+2] * xref:../../../networking/changing-cluster-network-mtu.adoc#nw-ovn-ipsec-enable_configuring-ipsec-ovn[Changing the MTU for the cluster network] * xref:../../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] * xref:../../../storage/understanding-persistent-storage.adoc#pvc-storage-class_understanding-persistent-storage[Storage classes] -* xref:../../../networking/ingress-sharding.adoc#nw-ingress-sharding_ingress-sharding[Ingress Controller sharding] +* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingress-sharding_configuring-ingress-cluster-traffic-ingress-controller[Ingress Controller sharding] [id="installation-prereqs-aws-local-zone_{context}"] == Installation prerequisites diff --git a/installing/installing_aws/ipi/installing-aws-wavelength-zone.adoc b/installing/installing_aws/ipi/installing-aws-wavelength-zone.adoc index 5d1ff2c58a..56da8c676e 100644 
--- a/installing/installing_aws/ipi/installing-aws-wavelength-zone.adoc +++ b/installing/installing_aws/ipi/installing-aws-wavelength-zone.adoc @@ -81,7 +81,7 @@ include::modules/edge-machine-pools-aws-local-zones.adoc[leveloffset=+2] * xref:../../../networking/changing-cluster-network-mtu.adoc#nw-ovn-ipsec-enable_configuring-ipsec-ovn[Changing the MTU for the cluster network] * xref:../../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] * xref:../../../storage/understanding-persistent-storage.adoc#pvc-storage-class_understanding-persistent-storage[Storage classes] -* xref:../../../networking/ingress-sharding.adoc#nw-ingress-sharding_ingress-sharding[Ingress Controller sharding] +* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingress-sharding_configuring-ingress-cluster-traffic-ingress-controller[Ingress Controller sharding] [id="installation-prereqs-aws-wavelength-zone_{context}"] == Installation prerequisites diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc index 9d4be24963..abcf271293 100644 --- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc +++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc 
@@ -30,7 +30,7 @@ include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources -* xref:../../../networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] +* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] //Selecting a larger Amazon Web Services instance type for control plane machines include::modules/cpms-changing-aws-instance-type.adoc[leveloffset=+2] diff --git a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc index 0da0550042..23c6630846 100644 --- a/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc +++ b/machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc 
@@ -28,7 +28,7 @@ You can enable features by updating values in the control plane machine set. include::modules/private-clusters-setting-api-private.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources -* xref:../../../networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] +* xref:../../../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] //Selecting an Azure Marketplace image include::modules/installation-azure-marketplace-subscribe.adoc[leveloffset=+2] diff --git a/modules/nw-creating-project-and-service.adoc b/modules/nw-creating-project-and-service.adoc index 1777ef80a4..5c9cacffcc 100644 --- a/modules/nw-creating-project-and-service.adoc +++ b/modules/nw-creating-project-and-service.adoc @@ -47,5 +47,3 @@ nodejs-ex ClusterIP 172.30.197.157 8080/TCP 70s ---- + By default, the new service does not have an external IP address. - - diff --git a/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc b/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc index 7eaaa5c164..1e8e30bcd8 100644 --- a/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc +++ b/modules/nw-ingress-controller-endpoint-publishing-strategies.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc +// * networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc :_mod-docs-content-type: CONCEPT [id="nw-ingress-controller-endpoint-publishing-strategies_{context}"] 
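Review bot: The updated "Module included in the following assemblies" comment in `nw-ingress-controller-endpoint-publishing-strategies.adoc` names `configuring-ingress-cluster-traffic-nodeport.adoc`, but the only include of this module visible in the commit is the one added to `configuring-ingress-cluster-traffic-ingress-controller.adoc`. Unless the nodeport assembly also includes it outside this diff, the comment should read `// * networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc`. The same applies to the header comments changed in `nw-ingresscontroller-change-external.adoc` and `nw-ingresscontroller-change-internal.adoc`, which also lose the space after the `*`.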
diff --git a/networking/ingress-sharding.adoc b/modules/nw-ingress-sharding-concept.adoc
similarity index 50%
rename from networking/ingress-sharding.adoc
rename to modules/nw-ingress-sharding-concept.adoc
index cf479c9200..17df61b3d6 100644
--- a/networking/ingress-sharding.adoc
+++ b/modules/nw-ingress-sharding-concept.adoc
@@ -1,32 +1,13 @@ -:_mod-docs-content-type: ASSEMBLY -[id="ingress-sharding"] -= Ingress sharding in {product-title} -include::_attributes/common-attributes.adoc[] -:context: ingress-sharding +// Module included in the following assemblies: +// +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc -toc::[] +:_mod-docs-content-type: CONCEPT +[id="nw-ingress-sharding-concept_{context}"] += Ingress sharding in {product-title} In {product-title}, an Ingress Controller can serve all routes, or it can serve a subset of routes. By default, the Ingress Controller serves any route created in any namespace in the cluster. You can add additional Ingress Controllers to your cluster to optimize routing by creating _shards_, which are subsets of routes based on selected characteristics. To mark a route as a member of a shard, use labels in the route or namespace `metadata` field. The Ingress Controller uses _selectors_, also known as a _selection expression_, to select a subset of routes from the entire pool of routes to serve. Ingress sharding is useful in cases where you want to load balance incoming traffic across multiple Ingress Controllers, when you want to isolate traffic to be routed to a specific Ingress Controller, or for a variety of other reasons described in the next section. -By default, each route uses the default domain of the cluster. However, routes can be configured to use the domain of the router instead. For more information, see xref:../networking/ingress-sharding.adoc#nw-ingress-sharding-route-configuration_ingress-sharding[Creating a route for Ingress Controller Sharding]. 
- -include::modules/nw-ingress-sharding.adoc[leveloffset=+1] - -include::modules/nw-ingress-sharding-default.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding-dns.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding-route-labels.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding-namespace-labels.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+1] - -[discrete] -[role="_additional-resources"] -[id="additional-resources_ingress-sharding"] -== Additional Resources - -* xref:../scalability_and_performance/optimization/routing-optimization.adoc#baseline-router-performance_routing-optimization[Baseline Ingress Controller (router) performance] +By default, each route uses the default domain of the cluster. However, routes can be configured to use the domain of the router instead. \ No newline at end of file diff --git a/modules/nw-ingress-sharding-default.adoc b/modules/nw-ingress-sharding-default.adoc index 4b3b22c8fa..40433a1847 100644 --- a/modules/nw-ingress-sharding-default.adoc +++ b/modules/nw-ingress-sharding-default.adoc @@ -1,7 +1,7 @@ // Module include in the following assemblies: // // * ingress-operator.adoc -// * networking/ingress-sharding.adoc +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc :_mod-docs-content-type: PROCEDURE [id="nw-ingress-sharding-default_{context}"] diff --git a/modules/nw-ingress-sharding-dns.adoc b/modules/nw-ingress-sharding-dns.adoc index 39799e5538..70e5e307d4 100644 --- a/modules/nw-ingress-sharding-dns.adoc +++ b/modules/nw-ingress-sharding-dns.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/ingress-sharding.adoc +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc :_mod-docs-content-type: CONCEPT [id="nw-ingress-sharding-dns_{context}"] 
diff --git a/modules/nw-ingress-sharding-route-labels.adoc b/modules/nw-ingress-sharding-route-labels.adoc index b921750afd..8ea1ae6c1c 100644 --- a/modules/nw-ingress-sharding-route-labels.adoc +++ b/modules/nw-ingress-sharding-route-labels.adoc @@ -23,7 +23,7 @@ to another. . Edit the `router-internal.yaml` file: + -[source,terminal] +[source,yaml] ---- # cat router-internal.yaml apiVersion: operator.openshift.io/v1 diff --git a/modules/nw-ingress-sharding.adoc b/modules/nw-ingress-sharding.adoc index b01118f59f..0f06fc1362 100644 --- a/modules/nw-ingress-sharding.adoc +++ b/modules/nw-ingress-sharding.adoc @@ -1,7 +1,6 @@ // Module included in the following assemblies: // -// * ingress-operator.adoc -// * networking/ingress-sharding.adoc +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc :_mod-docs-content-type: CONCEPT [id="nw-ingress-sharding_{context}"] 
@@ -29,71 +28,3 @@ An Ingress Controller can use three sharding methods: * Adding both a namespace selector and route selector to the Ingress Controller, so that routes with labels that match the route selector in a namespace with labels that match the namespace selector are in the Ingress shard. With sharding, you can distribute subsets of routes over multiple Ingress Controllers. These subsets can be non-overlapping, also called _traditional_ sharding, or overlapping, otherwise known as _overlapped_ sharding. - -== Traditional sharding example - -An Ingress Controller `finops-router` is configured with the label selector `spec.namespaceSelector.matchLabels.name` set to `finance` and `ops`: - -.Example YAML definition for `finops-router` -[source,yaml] ----- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: finops-router - namespace: openshift-ingress-operator -spec: - namespaceSelector: - matchLabels: - name: - - finance - - ops ----- - -A second Ingress Controller `dev-router` is configured with the label selector `spec.namespaceSelector.matchLabels.name` set to `dev`: - -.Example YAML definition for `dev-router` -[source,yaml] ----- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: dev-router - namespace: openshift-ingress-operator -spec: - namespaceSelector: - matchLabels: - name: dev ----- - -If all application routes are in separate namespaces, each labeled with `name:finance`, `name:ops`, and `name:dev` respectively, this configuration effectively distributes your routes between the two Ingress Controllers. {product-title} routes for console, authentication, and other purposes should not be handled. - -In the above scenario, sharding becomes a special case of partitioning, with no overlapping subsets. Routes are divided between router shards. 
- -[WARNING] -==== -The `default` Ingress Controller continues to serve all routes unless the `namespaceSelector` or `routeSelector` fields contain routes that are meant for exclusion. See this link:https://access.redhat.com/solutions/5097511[Red Hat Knowledgebase solution] and the section "Sharding the default Ingress Controller" for more information on how to exclude routes from the default Ingress Controller. -==== - -== Overlapped sharding example - -In addition to `finops-router` and `dev-router` in the example above, you also have `devops-router`, which is configured with the label selector `spec.namespaceSelector.matchLabels.name` set to `dev` and `ops`: - -.Example YAML definition for `devops-router` -[source,yaml] ----- -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: devops-router - namespace: openshift-ingress-operator -spec: - namespaceSelector: - matchLabels: - name: - - dev - - ops ----- -The routes in the namespaces labeled `name:dev` and `name:ops` are now serviced by two different Ingress Controllers. With this configuration, you have overlapping subsets of routes. - -With overlapping subsets of routes you can create more complex routing rules. For example, you can divert higher priority traffic to the dedicated `finops-router` while sending lower priority traffic to `devops-router`. diff --git a/modules/nw-ingresscontroller-change-external.adoc b/modules/nw-ingresscontroller-change-external.adoc index 8cbfaeaf1c..9626fd162e 100644 --- a/modules/nw-ingresscontroller-change-external.adoc +++ b/modules/nw-ingresscontroller-change-external.adoc 
@@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc +// *networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc [id="nw-ingresscontroller-change-external_{context}"] = Configuring the Ingress Controller endpoint publishing scope to External diff --git a/modules/nw-ingresscontroller-change-internal.adoc b/modules/nw-ingresscontroller-change-internal.adoc index 515be29bdb..5c7b12528a 100644 --- a/modules/nw-ingresscontroller-change-internal.adoc +++ b/modules/nw-ingresscontroller-change-internal.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc +// *networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-nodeport.adoc :_mod-docs-content-type: PROCEDURE [id="nw-ingresscontroller-change-internal_{context}"] diff --git a/modules/nw-overlapped-sharding.adoc b/modules/nw-overlapped-sharding.adoc new file mode 100644 index 0000000000..6941b95025 --- /dev/null +++ b/modules/nw-overlapped-sharding.adoc 
@@ -0,0 +1,32 @@ +// Module included in the following assemblies: +// +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc + +:_mod-docs-content-type: CONCEPT +[id="nw-overlapped-sharding_{context}"] +== Overlapped sharding example + +An example of a configured Ingress Controller `devops-router` that has the label selector `spec.namespaceSelector.matchExpressions` with key values set to `dev` and `ops`: + +.Example YAML definition for `devops-router` +[source,yaml] +---- +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: devops-router + namespace: openshift-ingress-operator +spec: + namespaceSelector: + matchExpressions: + - key: name + operator: In + values: + - dev + - ops + +---- + +The routes in the namespaces labeled `name:dev` and `name:ops` are now serviced by two different Ingress Controllers. With this configuration, you have overlapping subsets of routes. + +With overlapping subsets of routes you can create more complex routing rules. For example, you can divert higher priority traffic to the dedicated `finops-router` while sending lower priority traffic to `devops-router`. diff --git a/modules/nw-traditional-sharding.adoc b/modules/nw-traditional-sharding.adoc new file mode 100644 index 0000000000..2a4d5c402d --- /dev/null +++ b/modules/nw-traditional-sharding.adoc 
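Review bot: The closing paragraphs of the new `nw-overlapped-sharding.adoc` module mention `finops-router` and routes "now serviced by two different Ingress Controllers", but the module never says which other controllers overlap with `devops-router`. The removed text opened with "In addition to `finops-router` and `dev-router` in the example above", and that lead-in was dropped when the section became its own module. I would restore a sentence to that effect in the first paragraph. Because readers may shard to separate traffic, I would also state that a route in a `name:dev` or `name:ops` namespace is published by every Ingress Controller whose selector matches it. Two smaller points: the YAML listing has a stray blank line before the closing `----`, and the title uses `==` where the concept module added in this commit uses `=`, which may render one level too deep under `leveloffset=+2`.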
@@ -0,0 +1,52 @@ +// Module included in the following assemblies: +// +// * networking/configuring-ingress-cluster-traffic-ingress-controller.adoc + +:_mod-docs-content-type: REFERENCE +[id="nw-traditional-sharding_{context}"] +== Traditional sharding example + +An example of a configured Ingress Controller `finops-router` that has the label selector `spec.namespaceSelector.matchExpressions` with key values set to `finance` and `ops`: + +.Example YAML definition for `finops-router` +[source,yaml] +---- +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: finops-router + namespace: openshift-ingress-operator +spec: + namespaceSelector: + matchExpressions: + - key: name + operator: In + values: + - finance + - ops +---- + +An example of a configured Ingress Controller `dev-router` that has the label selector `spec.namespaceSelector.matchLabels.name` with the key value set to `dev`: + +.Example YAML definition for `dev-router` +[source,yaml] +---- +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: dev-router + namespace: openshift-ingress-operator +spec: + namespaceSelector: + matchLabels: + name: dev +---- + +If all application routes are in separate namespaces, such as each labeled with `name:finance`, `name:ops`, and `name:dev`, the configuration effectively distributes your routes between the two Ingress Controllers. {product-title} routes for console, authentication, and other purposes should not be handled. + +In the previous scenario, sharding becomes a special case of partitioning, with no overlapping subsets. Routes are divided between router shards. + +[WARNING] +==== +The `default` Ingress Controller continues to serve all routes unless the `namespaceSelector` or `routeSelector` fields contain routes that are meant for exclusion. 
See this link:https://access.redhat.com/solutions/5097511[Red Hat Knowledgebase solution] and the section "Sharding the default Ingress Controller" for more information on how to exclude routes from the default Ingress Controller. +==== diff --git a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc index 79d3bfa926..dc09da2d1f 100644 --- a/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc +++ b/networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc @@ -6,7 +6,6 @@ include::_attributes/common-attributes.adoc[] toc::[] - {product-title} provides methods for communicating from outside the cluster with services running in the cluster. This method uses an Ingress Controller. 
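Review bot: The WARNING that closes the new `nw-traditional-sharding.adoc` module says the selector fields "contain routes that are meant for exclusion", which is hard to act on because `namespaceSelector` and `routeSelector` hold label selectors, not routes. Readers rely on this statement when they shard to keep routes off the default endpoint, so I would reword it to `The default Ingress Controller continues to serve all routes, including routes that belong to a shard, until its own namespaceSelector or routeSelector is configured to exclude them.` The sentence "routes for console, authentication, and other purposes should not be handled" also omits which Ingress Controller should not handle them. The header comment gives the assembly path as `networking/configuring-ingress-cluster-traffic-ingress-controller.adoc`, without the `configuring_ingress_cluster_traffic/` directory used elsewhere in the commit.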
@@ -40,22 +39,47 @@ The additional networking required for external systems on a different subnet is out-of-scope for this topic. endif::[] +// Creating a project and service include::modules/nw-creating-project-and-service.adoc[leveloffset=+1] +// Exposing the service by creating a route include::modules/nw-exposing-service.adoc[leveloffset=+1] // Router sharding ifdef::openshift-enterprise,openshift-webscale,openshift-origin[] -include::modules/nw-ingress-sharding-route-labels.adoc[leveloffset=+1] -include::modules/nw-ingress-sharding-namespace-labels.adoc[leveloffset=+1] +// Ingress sharding in OpenShift Container Platform +include::modules/nw-ingress-sharding-concept.adoc[leveloffset=+1] -include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+1] +// Ingress Controller sharding +include::modules/nw-ingress-sharding.adoc[leveloffset=+1] -[role="_additional-resources"] -== Additional resources +// Traditional sharding example +include::modules/nw-traditional-sharding.adoc[leveloffset=+2] -The Ingress Operator manages wildcard DNS. 
For more information, see the following: +// Overlapped sharding example +include::modules/nw-overlapped-sharding.adoc[leveloffset=+2] + +// Sharding the default Ingress Controller +include::modules/nw-ingress-sharding-default.adoc[leveloffset=+2] + +// Ingress sharding and DNS +include::modules/nw-ingress-sharding-dns.adoc[leveloffset=+2] + +// Configuring Ingress Controller sharding by using route labels +include::modules/nw-ingress-sharding-route-labels.adoc[leveloffset=+2] + +// Configuring Ingress Controller sharding by using namespace labels +include::modules/nw-ingress-sharding-namespace-labels.adoc[leveloffset=+2] + +// Creating a route for Ingress Controller sharding +include::modules/nw-ingress-sharding-route-configuration.adoc[leveloffset=+2] + +[discrete] +[id="additional-resources_ingress-sharding"] +=== Additional Resources + +* xref:../../scalability_and_performance/optimization/routing-optimization.adoc#baseline-router-performance_routing-optimization[Baseline Ingress Controller (router) performance] * xref:../../networking/ingress-operator.adoc#configuring-ingress[Ingress Operator in {product-title}] 
@@ -64,5 +88,19 @@ The Ingress Operator manages wildcard DNS. For more information, see the followi * xref:../../installing/installing_vsphere/upi/installing-vsphere.adoc#installing-vsphere[Installing a cluster on vSphere] * xref:../../networking/network_security/network_policy/about-network-policy.adoc#about-network-policy[About network policy] +endif::openshift-enterprise,openshift-webscale,openshift-origin[] -endif::[] +// Ingress Controller endpoint publishing strategy +include::modules/nw-ingress-controller-endpoint-publishing-strategies.adoc[leveloffset=+1] + +// Configuring the Ingress Controller endpoint publishing scope to Internal +include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2] + +// Configuring the Ingress Controller endpoint publishing scope to External +include::modules/nw-ingresscontroller-change-external.adoc[leveloffset=+2] + +[discrete] +[id="additional-resources_nw-ingress-controller-endpoint-publishing-strategies"] +=== Additional resources + +* xref:../networking/ingress-operator#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress Controller configuration parameters] diff --git a/post_installation_configuration/configuring-private-cluster.adoc b/post_installation_configuration/configuring-private-cluster.adoc index 09560e1c2e..1fd3c2025b 100644 --- a/post_installation_configuration/configuring-private-cluster.adoc +++ b/post_installation_configuration/configuring-private-cluster.adoc 
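Review bot: The xref added on the last line of this hunk, `xref:../networking/ingress-operator#nw-ingress-controller-configuration-parameters_configuring-ingress[...]`, climbs one directory instead of two and omits the `.adoc` extension. It will likely not resolve from `networking/configuring_ingress_cluster_traffic/`. The other links in this assembly use the `../../networking/ingress-operator.adoc#...` form, so this one should be `xref:../../networking/ingress-operator.adoc#nw-ingress-controller-configuration-parameters_configuring-ingress[Ingress Controller configuration parameters]`. The new `=== Additional resources` block here, and the `=== Additional Resources` block in the preceding hunk, also drop the `[role="_additional-resources"]` attribute that the replaced blocks carried, and the two headings are capitalised differently.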
@@ -18,9 +18,7 @@ include::modules/private-clusters-setting-api-private.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../networking/nw-configuring-ingress-controller-endpoint-publishing-strategy.adoc#nw-ingresscontroller-change-internal_nw-configuring-ingress-controller-endpoint-publishing-strategy[Configuring the Ingress Controller endpoint publishing scope to Internal] - -include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2] +* xref:../networking/configuring_ingress_cluster_traffic/configuring-ingress-cluster-traffic-ingress-controller.adoc#nw-ingresscontroller-change-internal_configuring-ingress-cluster-traffic-ingress-controller[Configuring the Ingress Controller endpoint publishing scope to Internal] include::modules/registry-configuring-private-storage-endpoint-azure.adoc[leveloffset=+1]