Epic
Resolution: Done
UX work for OSD/ROSA managed Ingress improvements
XCMSTRAT-120 - OSD/ROSA managed Ingress improvements
0% To Do, 0% In Progress, 100% Done
User Story
As a managed OpenShift cluster administrator, I want to be able to use the full range of all OCP IngressController configuration options, so that I can better control and manage my ingress as well as meet necessary company compliance requirements.
Acceptance Criteria
- Cloud Ingress Operator (CIO) Ingress Controller management removed for 4.13+ clusters
  - Still required for API visibility in classic ROSA/OSD
  - Still required for NLB switching on "legacy" clusters (installed <=4.12 and then upgraded)
- Custom Domain Operator (CDO) removed/unavailable for 4.13+ clusters
  - Deprecation will not occur until all customers and dependent services (RHOAM) have been duly notified and provided with ample time to migrate from CDO usage to Ingress Controller usage.
- Documentation (KCS article) created to describe
  - How to migrate from CDO
  - What's changing
  - Why we're changing
  - What does a customer need to do
  - Explaining that ICs are still fully supported by CE&E
- 4.13+ new clusters will only provision with NLB Ingress Controllers
- Non-default Ingress Controllers should not affect cluster stability
- Public facing documentation around OSD/ROSA IngressControllers has been updated.
  - Service Definition
  - RACI
  - OCP docs included about IC configuration
- Any changes to the default IngressController (namespaceSelector/routeSelector/etc.) do not affect the RH SLAs around API and Cluster Console.
- The cluster default Ingress Controller (configured by the installer on day-1) should allow the following configuration options in OCM/rosa CLI
  - endpointPublishingStrategy (visibility: internal/external)
  - namespaceSelector (exclusion only, cannot exclude openshift-/kube- namespaces)
  - routeSelector (exclusion only, cannot exclude routes within openshift-/kube-)
  - routeAdmission.namespaceOwnership (default: Strict, supports changing to InterNamespaceAllowed)
  - routeAdmission.wildcardPolicy (default: WildcardsDisallowed, supports changing to WildcardsAllowed)
- Support changing the hostname for OAuth/Console/Downloads components
  - Modifies .spec.componentRoutes[] on the config.openshift.io Ingress option
  - Take a single hostname and apply to all 3 components
  - Take a tls.crt/tls.key pair for the new hostname
  - OAuth: https://docs.openshift.com/container-platform/4.12/authentication/configuring-internal-oauth.html#customizing-the-oauth-server-url_configuring-internal-oauth
  - Console: https://docs.openshift.com/container-platform/4.12/web_console/customizing-the-web-console.html#customizing-the-console-route_customizing-web-console
  - Downloads: https://docs.openshift.com/container-platform/4.12/web_console/customizing-the-web-console.html#customizing-the-download-route_customizing-web-console
- All non-default IngressController related alerting is silenced
References
Design doc: https://docs.google.com/document/d/10jYbpojEHy80-K_6RKyNoOQvJjtMOnau3CZTwgc-Clw/edit?usp=sharing