openshift-docs/modules/microshift-config-parameters-table.adoc

// Module included in the following assemblies:
//
// * microshift_configuring/microshift-using-config-yaml.adoc

:_mod-docs-content-type: REFERENCE
[id="microshift-config-parameters-table_{context}"]
= Parameters and values for the {microshift-short} config.yaml file

The following table explains {microshift-short} configuration YAML parameters and valid values for each:

.{microshift-short} `config.yaml` parameters
[cols="1,2,3a","15%,10%,75%",options="header"]
|===
|Field|Type|Description

|`advertiseAddress`
|`string`
|A string that specifies the IP address from which the API server is advertised to members of the cluster. The default value is calculated based on the address of the service network.

|`auditLog.maxFileAge`
|`number`
|How long log files are kept before automatic deletion. The default value of `0` in the `maxFileAge` parameter means a log file is never deleted based on age. This value can be configured.

|`auditLog.maxFileSize`
|`number`
|By default, when the `audit.log` file reaches the `maxFileSize` limit, the `audit.log` file is rotated and {microshift-short} begins writing to a new `audit.log` file. This value can be configured.

|`auditLog.maxFiles`
|`number`
|The total number of log files kept. By default, {microshift-short} retains 10 log files. The oldest is deleted when an excess file is created. This value can be configured.

|`auditLog.profile`
|`Default`, `WriteRequestBodies`, `AllRequestBodies`, or `None`
|Logs only metadata for read and write requests; does not log request bodies except for OAuth access token requests. If you do not specify this field, the `Default` profile is used.

|`namedCertificates`
|`list`
|Defines externally generated certificates and domain names by using custom certificate authorities.

|`namedCertificates.certPath`
|`path`
|The full path to the certificate.

|`namedCertificates.keyPath`
|`path`
|The full path to the certificate key.

|`namedCertificates.names`
|`list`
|Optional. Add a list of explicit DNS names. Leading wildcards are allowed. If no names are provided, the implicit names are extracted from the certificates.

|`subjectAltNames`
|Fully qualified domain names (FQDNs), wildcards such as `*.domain.com`, or IP addresses.
|Subject Alternative Names for API server certificates. SANs indicate all of the domain names and IP addresses that are secured by a certificate.

|`debugging.logLevel`
|`Normal`, `Debug`, `Trace`, or `TraceAll`
|Log verbosity. Default is `Normal`.

|`dns.baseDomain`
|`valid domain`
|Base domain of the cluster. All managed DNS records are subdomains of this base.

|`etcd.memoryLimitMB`
|`number`
|By default, `etcd` uses as much memory as needed to handle the load on the system. However, in memory constrained systems, it might be preferred or necessary to limit the amount of memory `etcd` can to use at a given time.

|`ingress.defaultHTTPVersion`
|`number`
|Determines the default HTTP version to be used for ingress. Default value is `1`, which is the HTTP/1.1 protocol.

|`ingress.forwardedHeaderPolicy`
|`Append`, `Replace`, `IfNone`, `Never`
|Specifies when and how the ingress router sets the `Forwarded`, `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Port`, `X-Forwarded-Proto`, and `X-Forwarded-Proto-Version` HTTP headers.

* `Append` specifies that the ingress router appends existing headers. `Append` is the default value.

* `Replace` specifies that the ingress router sets the headers and replaces any existing `Forwarded` or `X-Forwarded-*` headers.

* `IfNone` specifies that the ingress router sets headers if they are not already set.

* `Never` specifies that ingress router never sets the headers, preserving any existing headers.

|`ingress.httpCompression`
|`object`
|`httpCompression` defines a policy for HTTP traffic compression. There is no HTTP compression by default.

|`ingress.httpCompression.mimeTypes`
|`array` or null
|`mimeTypes` is a list of MIME types to compress. When the list is empty, the ingress controller does not apply any compression. To define a list, use the format of the Content-Type definition in RFC 1341 that specifies the type and subtype of data in the body of a message and the native encoding of the data. For example, `Content-Type := type \"/\" subtype *[\";\" parameter]`.

* The value of `Content-Type` can be one of the following types: application, audio, image, message, multipart, text, video, or a custom type preceded by `\"X-\"` and followed by a token. The token must be defined in one of the following ways:

* The token is a `string` of at least one character, and does not contain white spaces, control characters, or any of the characters in the `tspecials` set.

* The `tspecials` set contains the characters `()\u003c\u003e@,;:\\\"/[]?.=`.

* The subtype in Content-Type is also a token.

* The optional parameters following the subtype are defined as `token \"=\" (token / quoted-string)`.

* The `quoted-string`, as defined in RFC 822, is surrounded by double quotes and can contain white spaces plus any character except `\\`, `\"`, and `CR`. The `quoted-string` can also contain any single ASCII character if it is escaped by the following characters: `\\.",`.

Not all MIME types benefit from compression, but `HAProxy` uses resources to try to compress files when compression is configured. Generally speaking, text formats such as `html`, `ccs`, and `js` benefit from compression. Spending CPU resources to compress file types that are already compressed, such as images, audio, and video, is probably not worth the limited benefit.

|`ingress.httpEmptyRequestsPolicy`
|`Respond` or `Ignore`
|The default value is `Respond`. Describes how HTTP connections should be handled if the connection times out before a request is received. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`.

* If the field is set to `Respond`, the ingress controller sends an "HTTP 400" or "408" response, logs the connection if access logging is enabled, and counts the connection in the appropriate metrics.

* If the field is set to `Ignore`, the ingress controller closes the connection without sending a response, logging the connection, or incrementing metrics. Setting this field to `Ignore` might impede detection and diagnosis of problems or intrusions, especially when timed-out connections are caused by network errors or port scans. In both cases, logging empty requests can be useful for diagnosing errors and detecting intrusion attempts.

|`ingress.listenAddress`
|IP address, NIC name, or multiple
|Value defaults to the entire network of the host. The valid configurable value is a list that can be either a single IP address or NIC name or multiple IP addresses and NIC names.

|`ingress.logEmptyRequests`
|`Log` or `Ignore`
|Default value is `Log`. Specifies how connections on which empty requests are received are logged. These connections typically come from the health probes of a load balancer service health or a web browser's speculative connections, such as a `preconnect`. Logging typical requests might be undesirable, but requests can also be caused by network errors or port scans, in which case logging can be useful for diagnosing errors and detecting intrusion attempts.

|`ingress.ports.http`
|`80`
|Default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.

|`ingress.ports.https`
|`443`
|Default port shown. Configurable. Valid value is a single, unique port in the `1-65535` range. The values of the `ports.http` and `ports.https` fields cannot be the same.

|`ingress.routeAdmissionPolicy.namespaceOwnership`
|`Strict` or `InterNamespaceAllowed`
|Describes how hostname claims across namespaces are handled. By default, allows routes to claim different paths of the same hostname across namespaces. Specifying `Strict` prevents routes in different namespaces from claiming the same hostname. If the value is deleted in a customized {microshift-short} `config.yaml`, the `InterNamespaceAllowed` value is automatically set.

|`ingress.status`
|`Managed` or `Removed`
|Router status. Default is `Managed`.

|`ingress.tuningOptions`
|Objects
|Specifies options for tuning the performance of ingress controller pods.

|`ingress.tuningOptions.clientFinTimeout`
|`string` with format `duration`
|Defines how long a connection is held open while waiting for a client response to the server/backend before closing the connection. The default timeout is `1s`, which is 1 second.

|`ingress.tuningOptions.clientTimeout`
|`string` with format `duration`
|Defines how long a connection is held open while waiting for a client response. The default timeout is `30s`, which is 30 seconds.

|`ingress.tuningOptions.headerBufferBytes`
|An `integer` with the `format` of `int32`; `16384` is the minimum value when HTTP/2 is enabled.
|Describes how much memory in bytes must be reserved for `IngressController` connection sessions. Default value is `32768` in bytes.

* Setting this field is generally not recommended because `headerBufferBytes` values that are too small can break the `IngressController` and `headerBufferBytes` values that are too large can cause the `IngressController` to use significantly more memory than necessary.

|`ingress.tuningOptions.headerBufferMaxRewriteBytes`
|`integer`, formatted `int32`; `4096` is the minimum value
|Describes how much memory in bytes must be reserved from `headerBufferBytes` for HTTP header rewriting and appending for `IngressController` connection sessions. Default value is `8192` bytes. Incoming HTTP requests are limited to the `headerBufferBytes` bytes minus the `headerBufferMaxRewriteBytes` bytes, meaning that the value of `headerBufferBytes` must be greater than the value of `headerBufferMaxRewriteBytes`.

* Setting this field is generally not recommended because `headerBufferMaxRewriteBytes` values that are too small can break the `IngressController` and `headerBufferMaxRewriteBytes` values that are too large can cause the `IngressController` to use significantly more memory than necessary.

|`ingress.tuningOptions.healthCheckInterval: ""`
|`string` with pattern: `^(0\|([0-9]+(\\.[0-9]+)?(ns\|us\|µs\|μs\|ms\|s\|m\|h))+)$`
|The default `healthCheckInterval` value is `5s`, which is 5 seconds. This parameter value defines how long the router waits between two consecutive health checks on the router's configured backends. Currently the minimum allowed value is `1s` and the maximum allowed value is `2147483647ms`, which is 24.85 days. The range might change in future releases.

* This value is applied globally as a default for all routes, but can be overridden per-route by the route annotation `router.openshift.io/haproxy.health.check.interval`.

* Requires an unsigned duration string of decimal numbers, each with an optional fraction and unit suffix, such as `300ms`, `1.5h` or `2h45m`. Valid time units are `ns`, `us` (or `µs` U+00B5 or `μs` U+03BC), `ms`, `s`, `m`, `h`.

* Setting this parameter value to less than `5s` can cause excess traffic due to too frequent TCP health checks and accompanying SYN packet storms.

* Setting this parameter value too high can result in increased latency because of backend servers that are no longer available, but have not yet been detected as such.

* An empty or `0` value means "no opinion" and the ingress controller chooses a default. Note that the default value might change in future releases.

|`ingress.tuningOptions.maxConnections`
|`integer`, valid values are: `empty`, `0`, `-1`, and the range `2000-2000000`
|Default value is `0`. defines the maximum number of simultaneous connections that can be established per `HAProxy` process. Increasing this value allows each ingress controller pod to handle more connections at the cost of additional system resources being consumed.

* If this field is empty or `0`, the `IngressController` uses the default value of `50000`, but the default is subject to change in future releases.

* If the value is `-1`, then `HAProxy` dynamically computes a maximum value based on the available resources set with `ulimit` values in the running container. Selecting `-1`, which means `auto`, results in a large value being computed, and therefore each `HAProxy` process incurs significant memory usage compared with the current default of `50000`.

* Setting a value that is greater than the current operating system limit prevents the `HAProxy` process from starting.

* You can monitor memory usage for router containers with the following metric:
+
[source,terminal]
----
container_memory_working_set_bytes{container=`router`,namespace=`openshift-ingress`}`
----
+
* You can monitor memory usage of individual `HAProxy`processes in router containers with the following metric:
+
[source,terminal]
----
container_memory_working_set_bytes{container=`router`,namespace=`openshift-ingress`}/container_processes{container=`router`,namespace=`openshift-ingress`}
----

|`ingress.tuningOptions.serverFinTimeout`
|`string` in the format `duration`
|Defines how long a connection is held open while waiting for a server or backend response to the client before closing the connection. The default timeout is `1s`.

|`ingress.tuningOptions.serverTimeout`
|`string` in the format `duration`
|Defines how long a connection is held open while waiting for a server or backend response. The default timeout is `30s`.

|`ingress.tuningOptions.threadCount`
|`integer` in the form `int32`; minimum value is `1`, maximum is `64`
|Defines the number of threads created per `HAProxy` process. The default value is `4`. If this field is empty, the default value is used.

* Setting this field is generally not recommended. Creating more threads allows each ingress controller pod to handle more connections at the cost of more system resources being used. Increasing the number of HAProxy threads allows the ingress controller pods to use more CPU time under load, potentially starving other pods if set too high. Conversely, reducing the number of threads may cause the ingress controller to perform poorly.

|`ingress.tuningOptions.tlsInspectDelay`
|`string` in the format `duration`
|Defines how long the router can hold data to find a matching route. Setting this interval with too short a value can cause the router to revert to the default certificate for edge-terminated clients or re-encrypt routes, even when a better-matching certificate could be used.

* The default inspect delay is `5s` which is 5 seconds, which is expected to be sufficient for most cases. Increasing the value of this configuration specifically for high-latency networks can cause a delay in finishing the SSL handshake. Any configured value must be transparent to your application.

|`ingress.tuningOptions.tunnelTimeout`
|`string` in the format `duration`
|Defines how long a tunnel connection, including websockets, are held open while the tunnel is idle. The default timeout is `1h`, which is 1 hour.

|`kubelet`
|See the {microshift-short} low-latency instructions
|Parameter for passthrough configuration of the kubelet node agent. Used for low-latency configuration. Default value is null.

|`manifests`
|`list of paths`
|The locations on the file system to scan for `kustomization` files to use to load manifests. Set to a list of paths to scan only those paths. Set to an empty list to disable loading manifests. The entries in the list can be glob patterns to match multiple subdirectories. Default values are `/usr/lib/microshift/manifests`, `/usr/lib/microshift/manifests.d/`, `/etc/microshift/manifests`, and `/etc/microshift/manifests.d/`.

|`network.clusterNetwork`
|IP address block
|A block of IP addresses from which pod IP addresses are allocated. IPv4 is the default network. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. Default range is `10.42.0.0/16`.

|`network.serviceNetwork`
|IP address block
|A block of virtual IP addresses for Kubernetes services. IP address pool for services. IPv4 is the default. Dual-stack entries are supported. The first entry in this field is immutable after {microshift-short} starts. Default range is `10.43.0.0/16`.

|`network.serviceNodePortRange`
|`range`
|The port range allowed for Kubernetes services of type `NodePort`. If not specified, the default range of 30000-32767 is used. Services without a `NodePort` specified are automatically allocated one from this range. This parameter can be updated after {microshift-short} starts.

|`node.hostnameOverride`
|`string`
|The name of the node. The default value is the hostname. If non-empty, this string is used to identify the node instead of the hostname. This value is immutable after {microshift-short} starts.

|`node.nodeIP`
|IPv4 address
|The IPv4 address of the node. The default value is the IP address of the default route.

|`nodeIPv6`
|IPv6 address
|The IPv6 address for the node for dual-stack configurations. Cannot be configured in single stack for either IPv4 or IPv6. Default is an empty value or null.

|`storage.driver`
|`none` or `lvms`
|Default value is empty. An empty value or null field defaults to LVMS deployment.

|`storage.optionalCsiComponents`
|`array`
|Default value is null or an empty array. A null or empty array defaults to deploying `snapshot-controller` and `snapshot-webhook`. Expected values are `csi-snapshot-controller`, `csi-snapshot-webhook`, or `none`. An entry of `none` is mutually exclusive with all other values.
|===