mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
182 lines
10 KiB
Plaintext
182 lines
10 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * networking/routes/route-configuration.adoc
|
|
|
|
[id="nw-route-specific-annotations_{context}"]
|
|
= Route-specific annotations
|
|
|
|
The Ingress Controller can set the default options for all the routes it exposes. An individual route can override some of these defaults by providing specific configurations in its annotations. Red Hat does not support adding a route annotation to an operator-managed route.
|
|
|
|
[IMPORTANT]
|
|
====
|
|
To create a whitelist with multiple source IPs or subnets, use a space-delimited list. Any other delimiter type causes the list to be ignored without a warning or error message.
|
|
====
|
|
|
|
//For all the variables outlined in this section, you can set annotations on the
|
|
//*route definition* for the route to alter its configuration.
|
|
|
|
.Route annotations
|
|
[cols="3*", options="header"]
|
|
|===
|
|
|Variable | Description | Environment variable used as default
|
|
|`haproxy.router.openshift.io/balance`| Sets the load-balancing algorithm. Available options are `random`, `source`, `roundrobin`, and `leastconn`. The default value is `random`.| `ROUTER_TCP_BALANCE_SCHEME` for passthrough routes. Otherwise, use `ROUTER_LOAD_BALANCE_ALGORITHM`.
|
|
|`haproxy.router.openshift.io/disable_cookies`| Disables the use of cookies to track related connections. If set to `'true'` or `'TRUE'`, the balance algorithm is used to choose which back-end serves connections for each incoming HTTP request. |
|
|
|`router.openshift.io/cookie_name`| Specifies an optional cookie to use for
|
|
this route. The name must consist of any combination of upper and lower case letters, digits, "_",
|
|
and "-". The default is the hashed internal key name for the route. |
|
|
|`haproxy.router.openshift.io/pod-concurrent-connections`| Sets the maximum number of connections that are allowed to a backing pod from a router. +
|
|
Note: If there are multiple pods, each can have this many connections. If you have multiple routers, there is no coordination among them, each may connect this many times. If not set, or set to 0, there is no limit. |
|
|
|`haproxy.router.openshift.io/rate-limit-connections`| Setting `'true'` or `'TRUE'` enables rate limiting functionality which is implemented through stick-tables on the specific backend per route. +
|
|
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks. |
|
|
|`haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp`| Limits the number of concurrent TCP connections made through the same source IP address. It accepts a numeric value. +
|
|
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks. |
|
|
|`haproxy.router.openshift.io/rate-limit-connections.rate-http`| Limits the rate at which a client with the same source IP address can make HTTP requests. It accepts a numeric value. +
|
|
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks. |
|
|
|`haproxy.router.openshift.io/rate-limit-connections.rate-tcp`| Limits the rate at which a client with the same source IP address can make TCP connections. It accepts a numeric value. +
|
|
Note: Using this annotation provides basic protection against distributed denial-of-service (DDoS) attacks. |
|
|
|`haproxy.router.openshift.io/timeout` | Sets a server-side timeout for the route. (TimeUnits) | `ROUTER_DEFAULT_SERVER_TIMEOUT`
|
|
|`haproxy.router.openshift.io/timeout-tunnel` | This timeout applies to a tunnel connection, for example, WebSocket over cleartext, edge, reencrypt, or passthrough routes. With cleartext, edge, or reencrypt route types, this annotation is applied as a timeout tunnel with the existing timeout value. For the passthrough route types, the annotation takes precedence over any existing timeout value set. | `ROUTER_DEFAULT_TUNNEL_TIMEOUT`
|
|
|`ingresses.config/cluster ingress.operator.openshift.io/hard-stop-after` | You can set either an IngressController or the ingress config . This annotation redeploys the router and configures the HA proxy to emit the haproxy `hard-stop-after` global option, which defines the maximum time allowed to perform a clean soft-stop. | `ROUTER_HARD_STOP_AFTER`
|
|
|`router.openshift.io/haproxy.health.check.interval`| Sets the interval for the back-end health checks. (TimeUnits) | `ROUTER_BACKEND_CHECK_INTERVAL`
|
|
|`haproxy.router.openshift.io/ip_whitelist`
|
|
| Sets a whitelist for the route. The whitelist is a space-separated list of IP addresses and CIDR ranges for the approved source addresses. Requests from IP addresses that are not in the whitelist are dropped.
|
|
|
|
The maximum number of IP addresses and CIDR ranges allowed in a whitelist is 61.|
|
|
|`haproxy.router.openshift.io/hsts_header` | Sets a Strict-Transport-Security header for the edge terminated or re-encrypt route. |
|
|
|`haproxy.router.openshift.io/log-send-hostname` | Sets the `hostname` field in the Syslog header. Uses the hostname of the system. `log-send-hostname` is enabled by default if any Ingress API logging method, such as sidecar or Syslog facility, is enabled for the router. |
|
|
|`haproxy.router.openshift.io/rewrite-target` | Sets the rewrite path of the request on the backend. |
|
|
|`router.openshift.io/cookie-same-site` | Sets a value to restrict cookies. The values are:
|
|
|
|
`Lax`: cookies are transferred between the visited site and third-party sites.
|
|
|
|
`Strict`: cookies are restricted to the visited site.
|
|
|
|
`None`: cookies are restricted to the visited site.
|
|
|
|
This value is applicable to re-encrypt and edge routes only. For more information, see the link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite[SameSite cookies documentation].|
|
|
|
|
|`haproxy.router.openshift.io/set-forwarded-headers` | Sets the policy for handling the `Forwarded` and `X-Forwarded-For` HTTP headers per route. The values are:
|
|
|
|
`append`: appends the header, preserving any existing header. This is the default value.
|
|
|
|
`replace`: sets the header, removing any existing header.
|
|
|
|
`never`: never sets the header, but preserves any existing header.
|
|
|
|
`if-none`: sets the header if it is not already set.| `ROUTER_SET_FORWARDED_HEADERS`
|
|
|
|
|===
|
|
|
|
[NOTE]
|
|
====
|
|
Environment variables cannot be edited.
|
|
====
|
|
|
|
.Router timeout variables
|
|
|
|
`TimeUnits` are represented by a number followed by the unit: `us` *(microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h` *(hours), `d` (days).
|
|
|
|
The regular expression is: [1-9][0-9]*(`us`\|`ms`\|`s`\|`m`\|`h`\|`d`).
|
|
[cols="2,1,2a", options="header"]
|
|
|===
|
|
|Variable | Default | Description
|
|
| `ROUTER_BACKEND_CHECK_INTERVAL` | `5000ms` | Length of time between subsequent liveness checks on back ends.
|
|
| `ROUTER_CLIENT_FIN_TIMEOUT` | `1s` | Controls the TCP FIN timeout period for the client connecting to the route. If the FIN sent to close the connection does not answer within the given time, HAProxy closes the connection. This is harmless if set to a low value and uses fewer resources on the router.
|
|
| `ROUTER_DEFAULT_CLIENT_TIMEOUT` | `30s` | Length of time that a client has to acknowledge or send data.
|
|
| `ROUTER_DEFAULT_CONNECT_TIMEOUT` | `5s` | The maximum connection time.
|
|
| `ROUTER_DEFAULT_SERVER_FIN_TIMEOUT` | `1s` | Controls the TCP FIN timeout from the router to the pod backing the route.
|
|
| `ROUTER_DEFAULT_SERVER_TIMEOUT` | `30s` | Length of time that a server has to acknowledge or send data.
|
|
| `ROUTER_DEFAULT_TUNNEL_TIMEOUT` | `1h` | Length of time for TCP or WebSocket connections to remain open. This timeout period resets whenever HAProxy reloads.
|
|
| `ROUTER_SLOWLORIS_HTTP_KEEPALIVE` | `300s` | Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can cause problems with browsers and applications not expecting a small `keepalive` value.
|
|
|
|
Some effective timeout values can be the sum of certain variables, rather than the specific expected timeout. For example, `ROUTER_SLOWLORIS_HTTP_KEEPALIVE` adjusts `timeout http-keep-alive`. It is set to `300s` by default, but HAProxy also waits on `tcp-request inspect-delay`, which is set to `5s`. In this case, the overall timeout would be `300s` plus `5s`.
|
|
| `ROUTER_SLOWLORIS_TIMEOUT` | `10s` | Length of time the transmission of an HTTP request can take.
|
|
| `RELOAD_INTERVAL` | `5s` | Allows the minimum frequency for the router to reload and accept new changes.
|
|
| `ROUTER_METRICS_HAPROXY_TIMEOUT` | `5s` | Timeout for the gathering of HAProxy metrics.
|
|
|
|
|===
|
|
|
|
.A route setting custom timeout
|
|
[source,yaml]
|
|
----
|
|
apiVersion: route.openshift.io/v1
|
|
kind: Route
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/timeout: 5500ms <1>
|
|
...
|
|
----
|
|
<1> Specifies the new timeout with HAProxy supported units (`us`, `ms`, `s`, `m`, `h`, `d`). If the unit is not provided, `ms` is the default.
|
|
|
|
[NOTE]
|
|
====
|
|
Setting a server-side timeout value for passthrough routes too low can cause
|
|
WebSocket connections to timeout frequently on that route.
|
|
====
|
|
|
|
.A route that allows only one specific IP address
|
|
[source,yaml]
|
|
----
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10
|
|
----
|
|
|
|
.A route that allows several IP addresses
|
|
[source,yaml]
|
|
----
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11 192.168.1.12
|
|
----
|
|
|
|
.A route that allows an IP address CIDR network
|
|
[source,yaml]
|
|
----
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/ip_whitelist: 192.168.1.0/24
|
|
----
|
|
|
|
.A route that allows both IP an address and IP address CIDR networks
|
|
[source,yaml]
|
|
----
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/ip_whitelist: 180.5.61.153 192.168.1.0/24 10.0.0.0/8
|
|
----
|
|
|
|
.A route specifying a rewrite target
|
|
[source,yaml]
|
|
----
|
|
apiVersion: route.openshift.io/v1
|
|
kind: Route
|
|
metadata:
|
|
annotations:
|
|
haproxy.router.openshift.io/rewrite-target: / <1>
|
|
...
|
|
----
|
|
<1> Sets `/` as rewrite path of the request on the backend.
|
|
|
|
Setting the `haproxy.router.openshift.io/rewrite-target` annotation on a route specifies that the Ingress Controller should rewrite paths in HTTP requests using this route before forwarding the requests to the backend application.
|
|
The part of the request path that matches the path specified in `spec.path` is replaced with the rewrite target specified in the annotation.
|
|
|
|
The following table provides examples of the path rewriting behavior for various combinations of `spec.path`, request path, and rewrite target.
|
|
|
|
.rewrite-target examples:
|
|
[cols="4*", options="header"]
|
|
|===
|
|
|Route.spec.path|Request path|Rewrite target| Forwarded request path
|
|
|/foo|/foo|/|/
|
|
|/foo|/foo/|/|/
|
|
|/foo|/foo/bar|/|/bar
|
|
|/foo|/foo/bar/|/|/bar/
|
|
|/foo|/foo|/bar|/bar
|
|
|/foo|/foo/|/bar|/bar/
|
|
|/foo|/foo/bar|/baz|/baz/bar
|
|
|/foo|/foo/bar/|/baz|/baz/bar/
|
|
|/foo/|/foo|/|N/A (request path does not match route path)
|
|
|/foo/|/foo/|/|/
|
|
|/foo/|/foo/bar|/|/bar
|
|
|===
|