$ oc annotate route <route_name> \
--overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> (1)
OpenShift Container Platform provides methods for communicating from outside the cluster with services running in the cluster. This method uses load balancers on AWS, specifically a Network Load Balancer (NLB) or a Classic Load Balancer (CLB). Both types of load balancers can forward the client’s IP address to the node, but a CLB requires proxy protocol support, which OpenShift Container Platform automatically enables.
There are two ways to configure an Ingress Controller to use an NLB:
By force replacing the Ingress Controller that is currently using a CLB. This deletes the IngressController
object and an outage will occur while the new DNS records propagate and the NLB is being provisioned.
By editing an existing Ingress Controller that uses a CLB to use an NLB. This changes the load balancer without having to delete and recreate the IngressController
object.
Both methods can be used to switch from an NLB to a CLB.
You can configure these load balancers on a new or existing AWS cluster.
OpenShift Container Platform provides a method for setting a custom timeout period for a specific route or Ingress Controller. Additionally, an AWS Classic Load Balancer (CLB) has its own timeout period with a default time of 60 seconds.
If the timeout period of the CLB is shorter than the route timeout or Ingress Controller timeout, the load balancer can prematurely terminate the connection. You can prevent this problem by increasing both the timeout period of the route and CLB.
You can configure the default timeouts for an existing route when you have services in need of a low timeout, which is required for Service Level Availability (SLA) purposes, or a high timeout, for cases with a slow back end.
You need a deployed Ingress Controller on a running cluster.
Using the oc annotate
command, add the timeout to the route:
$ oc annotate route <route_name> \
--overwrite haproxy.router.openshift.io/timeout=<timeout><time_unit> (1)
1 | Supported time units are microseconds (us), milliseconds (ms), seconds (s), minutes (m), hours (h), or days (d). |
The following example sets a timeout of two seconds on a route named myroute
:
$ oc annotate route myroute --overwrite haproxy.router.openshift.io/timeout=2s
You can configure the default timeouts for a Classic Load Balancer (CLB) to extend idle connections.
You must have a deployed Ingress Controller on a running cluster.
Set an AWS connection idle timeout of five minutes for the default ingresscontroller
by running the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default \
--type=merge --patch='{"spec":{"endpointPublishingStrategy": \
{"type":"LoadBalancerService", "loadBalancer": \
{"scope":"External", "providerParameters":{"type":"AWS", "aws": \
{"type":"Classic", "classicLoadBalancer": \
{"connectionIdleTimeout":"5m"}}}}}}}'
Optional: Restore the default value of the timeout by running the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default \
--type=merge --patch='{"spec":{"endpointPublishingStrategy": \
{"loadBalancer":{"providerParameters":{"aws":{"classicLoadBalancer": \
{"connectionIdleTimeout":null}}}}}}}'
You must specify the |
OpenShift Container Platform provides methods for communicating from outside the cluster with services that run in the cluster. One such method uses a Network Load Balancer (NLB). You can configure an NLB on a new or existing AWS cluster.
You can switch the Ingress Controller that is using a Classic Load Balancer (CLB) to one that uses a Network Load Balancer (NLB) on AWS.
Switching between these load balancers will not delete the IngressController
object.
This procedure might cause the following issues:
|
Modify the existing Ingress Controller that you want to switch to using an NLB. This example assumes that your default Ingress Controller has an External
scope and no other customizations:
ingresscontroller.yaml
fileapiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: null
name: default
namespace: openshift-ingress-operator
spec:
endpointPublishingStrategy:
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: NLB
type: LoadBalancerService
If you do not specify a value for the |
If your Ingress Controller has other customizations that you want to update, such as changing the domain, consider force replacing the Ingress Controller definition file instead. |
Apply the changes to the Ingress Controller YAML file by running the command:
$ oc apply -f ingresscontroller.yaml
Expect several minutes of outages while the Ingress Controller updates.
You can switch the Ingress Controller that is using a Network Load Balancer (NLB) to one that uses a Classic Load Balancer (CLB) on AWS.
Switching between these load balancers will not delete the IngressController
object.
This procedure might cause an outage that can last several minutes due to new DNS records propagation, new load balancers provisioning, and other factors. IP addresses and canonical names of the Ingress Controller load balancer might change after applying this procedure. |
Modify the existing Ingress Controller that you want to switch to using a CLB. This example assumes that your default Ingress Controller has an External
scope and no other customizations:
ingresscontroller.yaml
fileapiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: null
name: default
namespace: openshift-ingress-operator
spec:
endpointPublishingStrategy:
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: Classic
type: LoadBalancerService
If you do not specify a value for the |
If your Ingress Controller has other customizations that you want to update, such as changing the domain, consider force replacing the Ingress Controller definition file instead. |
Apply the changes to the Ingress Controller YAML file by running the command:
$ oc apply -f ingresscontroller.yaml
Expect several minutes of outages while the Ingress Controller updates.
You can replace an Ingress Controller that is using a Classic Load Balancer (CLB) with one that uses a Network Load Balancer (NLB) on AWS.
This procedure might cause the following issues:
|
Create a file with a new default Ingress Controller. The following example assumes that your default Ingress Controller has an External
scope and no other customizations:
ingresscontroller.yml
fileapiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: null
name: default
namespace: openshift-ingress-operator
spec:
endpointPublishingStrategy:
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: NLB
type: LoadBalancerService
If your default Ingress Controller has other customizations, ensure that you modify the file accordingly.
If your Ingress Controller has no other customizations and you are only updating the load balancer type, consider following the procedure detailed in "Switching the Ingress Controller from using a Classic Load Balancer to a Network Load Balancer". |
Force replace the Ingress Controller YAML file:
$ oc replace --force --wait -f ingresscontroller.yml
Wait until the Ingress Controller is replaced. Expect several of minutes of outages.
You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on an existing cluster.
You must have an installed AWS cluster.
PlatformStatus
of the infrastructure resource must be AWS.
To verify that the PlatformStatus
is AWS, run:
$ oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.type}'
AWS
Create an Ingress Controller backed by an AWS NLB on an existing cluster.
Create the Ingress Controller manifest:
$ cat ingresscontroller-aws-nlb.yaml
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: $my_ingress_controller(1)
namespace: openshift-ingress-operator
spec:
domain: $my_unique_ingress_domain(2)
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: External(3)
providerParameters:
type: AWS
aws:
type: NLB
1 | Replace $my_ingress_controller with a unique name for the Ingress Controller. |
2 | Replace $my_unique_ingress_domain with a domain name that is unique among all Ingress Controllers in the cluster. This variable must be a subdomain of the DNS name <clustername>.<domain> . |
3 | You can replace External with Internal to use an internal NLB. |
Create the resource in the cluster:
$ oc create -f ingresscontroller-aws-nlb.yaml
Before you can configure an Ingress Controller NLB on a new AWS cluster, you must complete the Creating the installation configuration file procedure. |
You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on a new cluster.
Create the install-config.yaml
file and complete any modifications to it.
Create an Ingress Controller backed by an AWS NLB on a new cluster.
Change to the directory that contains the installation program and create the manifests:
$ ./openshift-install create manifests --dir <installation_directory> (1)
1 | For <installation_directory> , specify the name of the directory that
contains the install-config.yaml file for your cluster. |
Create a file that is named cluster-ingress-default-ingresscontroller.yaml
in the <installation_directory>/manifests/
directory:
$ touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml (1)
1 | For <installation_directory> , specify the directory name that contains the
manifests/ directory for your cluster. |
After creating the file, several network configuration files are in the
manifests/
directory, as shown:
$ ls <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml
cluster-ingress-default-ingresscontroller.yaml
Open the cluster-ingress-default-ingresscontroller.yaml
file in an editor and enter a custom resource (CR) that describes the Operator configuration you want:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
creationTimestamp: null
name: default
namespace: openshift-ingress-operator
spec:
endpointPublishingStrategy:
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: NLB
type: LoadBalancerService
Save the cluster-ingress-default-ingresscontroller.yaml
file and quit the text editor.
Optional: Back up the manifests/cluster-ingress-default-ingresscontroller.yaml
file. The installation program deletes the manifests/
directory when creating the cluster.
You can manually specify load balancer subnets for Ingress Controllers in an existing cluster. By default, the load balancer subnets are automatically discovered by AWS, but specifying them in the Ingress Controller overrides this, allowing for manual control.
You must have an installed AWS cluster.
You must know the names or IDs of the subnets to which you intend to map your IngressController
.
Create a custom resource (CR) file.
Create a YAML file (e.g., sample-ingress.yaml
) with the following content:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
namespace: openshift-ingress-operator
name: <name>
spec:
domain: <domain>
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: External
dnsManagementPolicy: Managed
Create a custom resource (CR) file.
Add subnets to your YAML file:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: <name> (1)
namespace: openshift-ingress-operator
spec:
domain: <domain> (2)
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: Classic
classicLoadBalancer: (3)
subnets:
ids: (4)
- <subnet> (5)
- <subnet>
- <subnet>
dnsManagementPolicy: Managed
1 | Replace <name> with a name for the IngressController . |
||
2 | Replace <domain> with the DNS name serviced by the IngressController . |
||
3 | You can also use the networkLoadBalancer field if using an NLB. |
||
4 | You can optionally specify a subnet by name using the names field instead of specifying the subnet by ID. |
||
5 | Specify subnet IDs (or names if you using names ).
|
Apply the CR file.
Save the file and apply it using the OpenShift CLI (oc
).
$ oc apply -f sample-ingress.yaml
Confirm the load balancer was provisioned successfully by checking the IngressController
conditions.
$ oc get ingresscontroller -n openshift-ingress-operator <name> -o jsonpath="{.status.conditions}" | yq -PC
You can update an IngressController
with manually specified load balancer subnets in OpenShift Container Platform to avoid any disruptions, to maintain the stability of your services, and to ensure that your network configuration aligns with your specific requirements. The following procedures show you how to select and apply new subnets, verify the configuration changes, and confirm successful load balancer provisioning.
This procedure may cause an outage that can last several minutes due to new DNS records propagation, new load balancers provisioning, and other factors. IP addresses and canonical names of the Ingress Controller load balancer might change after applying this procedure. |
To update an IngressController
with manually specified load balancer subnets, you can follow these steps:
Modify the existing IngressController to update to the new subnets.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: <name> (1)
namespace: openshift-ingress-operator
spec:
domain: <domain> (2)
endpointPublishingStrategy:
type: LoadBalancerService
loadBalancer:
scope: External
providerParameters:
type: AWS
aws:
type: Classic (3)
classicLoadBalancer: (4)
subnets:
ids: (5)
- <updated_subnet> (6)
- <updated_subnet>
- <updated_subnet>
1 | Replace <name> with a name for the IngressController . |
2 | Replace <domain> with the DNS name serviced by the IngressController . |
3 | Specify updated subnet IDs (or names if you using names ). |
4 | You can also use the networkLoadBalancer field if using an NLB. |
5 | You can optionally specify a subnet by name using the names field instead of specifying the subnet by ID. |
6 | Update subnet IDs (or names if you are using names ). |
You can specify a maximum of one subnet per availability zone. Only provide public subnets for external Ingress Controllers and private subnets for internal Ingress Controllers. |
Examine the Progressing
condition on the IngressController
for instructions on how to apply the subnet updates by running the following command:
$ oc get ingresscontroller -n openshift-ingress-operator subnets -o jsonpath="{.status.conditions[?(@.type==\"Progressing\")]}" | yq -PC
lastTransitionTime: "2024-11-25T20:19:31Z"
message: 'One or more status conditions indicate progressing: LoadBalancerProgressing=True (OperandsProgressing: One or more managed resources are progressing: The IngressController subnets were changed from [...] to [...]. To effectuate this change, you must delete the service: `oc -n openshift-ingress delete svc/router-<name>`; the service load-balancer will then be deprovisioned and a new one created. This will most likely cause the new load-balancer to have a different host name and IP address and cause disruption. To return to the previous state, you can revert the change to the IngressController: [...]'
reason: IngressControllerProgressing
status: "True"
type: Progressing
To apply the update, delete the service associated with the Ingress controller by running the following command:
$ oc -n openshift-ingress delete svc/router-<name>
To confirm that the load balancer was provisioned successfully, check the IngressController
conditions by running the following command:
$ oc get ingresscontroller -n openshift-ingress-operator <name> -o jsonpath="{.status.conditions}" | yq -PC
For more information on support for NLBs, see Network Load Balancer support on AWS.
For more information on proxy protocol support for CLBs, see Configure proxy protocol support for your Classic Load Balancer