User Story

As a managed OpenShift cluster administrator, I want to be able to use the full range of all OCP IngressController configuration options, so that I can better control and manage my ingress as well as meet necessary company compliance requirements. 

Acceptance Criteria

• Cloud Ingress Operator (CIO) Ingress Controller management removed for 4.13+ clusters
  • Still required for API visibility in classic ROSA/OSD
  • Still required for NLB switching on "legacy" cluster (installed <=4.12 and then upgraded)
• Custom Domain Operator (CDO) removed/unavailable for 4.13+ clusters
  • Deprecation will not occur until all customers and dependent services (RHOAM) have been duly notified and provided with ample time to migrate from CDO usage to Ingress Controller usage.
• Documentation (KCS article) created to describe
  • How to migration from CDO
  • What's changing
  • Why we're changing
  • What does a customer need to do
  • Explaining that ICs are still fully supported by CE&E
• 4.13+ new clusters will only provision with NLB Ingress Controllers
• Non-default Ingress Controllers should not affect cluster stability
• Public facing documentation around OSD/ROSA IngressControllers have been updated.
  • Service Definition
  • RACI
  • OCP docs included about IC configuration
• Any changes to the default IngressController (namespaceSelector/routeSelector/etc.) do not affect the RH SLAs around API and Cluster Console.
• The cluster default Ingress Controller (configured by the installer on day-1) should allow the following configuration options in OCM/rosa CLI
  • endpointPublishingStrategy (visibility: internal/external)
  • namespaceSelector (exclusion only, cannot exclude openshift-/kube- namespaces)
  • routeSelector (exclusion only, cannot exclude routes within openshift-/kube-)
  • routeAdmission.namespaceOwnership (default: Strict, supports changing to InterNamespaceAllowed)
  • routeAdmission. wildcardPolicy (default: WildcardsDisallowed, supports changing to WildcardsAllowed)
• Support changing the hostname for OAuth/Console/Downloads components
  • Modifys .spec.componentRoutes[] on the config.openshift.io Ingress option
  • Take a single hostname and apply to all 3 components
  • Take a tls.crt/tls.key pair for the new hostname
  • OAuth: https://docs.openshift.com/container-platform/4.12/authentication/configuring-internal-oauth.html#customizing-the-oauth-server-url_configuring-internal-oauth
  • Console: https://docs.openshift.com/container-platform/4.12/web_console/customizing-the-web-console.html#customizing-the-console-route_customizing-web-console
  • Downloads: https://docs.openshift.com/container-platform/4.12/web_console/customizing-the-web-console.html#customizing-the-download-route_customizing-web-console
• All non-default IngressController related alerting is silenced

References

• ADR-083: https://docs.google.com/document/d/16-qJcN6UcDSoogYAJ6i2Eko8Cos022y4T9sqwvpt2NY/edit

Design doc: https://docs.google.com/document/d/10jYbpojEHy80-K_6RKyNoOQvJjtMOnau3CZTwgc-Clw/edit?usp=sharing