Feature Overview (aka. Goal Summary)

MicroShift Ingress Router is currently always on, running on all IPs on fixed ports. Customers are requesting more flexibility in configuring ingress.

Goals (aka. expected user outcomes)

• Expose configuration options for more router configruation options like enable/disabling it, having it listen on certain IPs only etc (see requirements below)

Requirements (aka. Acceptance Criteria):

1. Allow disabling of router. There are use cases in which MicroShift is "egress" only (e.g. Industrial IoT solutions where pods connect only to southbound shopfloor systems and northbound cloud systems, no inbound services at all). In case the router is disabled in the config, no pods should be started (to save on resources), and all firewall ports for the router (80, 443) must be closed (also in firewalld/iptables) for improved security posture (minimize attack surface)
2. being able to configure which ports the router is listening on
3. being able to configure which IP/Adresses (and thus: nics) the router is listening on. There are use cases e.g. in the industrial space where the router should be reachable only on internal shopfloor networks, but not on northbound public networks. Or Vice Versa. Or Both.
4. Ports being open/closed should be advertised/document in the audit log.

Use Cases (Optional):

See above requirements section for example use cases.

Out of Scope

n/a

Background

1. https://issues.redhat.com/browse/USHIFT-639
2. https://issues.redhat.com/browse/USHIFT-1806 
3. https://docs.google.com/document/d/1sXjyK-DTE6UzTDJ9ldQze8FIU5Q4Alnk3AQaESODsVQ/edit?usp=sharing
4. https://issues.redhat.com/browse/OCPBUGS-25391 

Customer Considerations

Requested by multiple EAP customers

Documentation Considerations

• Configuration option needs to be documented in the "configuring" book
• Maybe we want a "Configure the router" in the "networking" book

Interoperability Considerations

None