Parameters
The parent key for all of the following parameters is openshift4_ingress.
ingressControllers
| type | dictionary |
| default | Default ingress controller. |
A dictionary holding the .spec for ingress controllers.
The keys of the dict are used as names for the ingress controllers.
See the OpenShift docs for available parameters.
The domain parameter is required.
To remove all ingress controllers, set to null.
ingressControllerAnnotations
| type | dictionary |
| default | |
A dictionary holding the annotations for ingress controllers.
The keys of the dict are the names of the ingress controllers to annotate.
cloud.provider
| type | string |
| default | |
The name of the cloud provider where the DNS service is hosted.
Except for special cases, this parameter should always be set to ${facts:cloud}.
cloud.credentials
| type | string |
| default | undefined |
The cloud provider credentials which will be used by the Issuer.
If this isn’t set, a CredentialsRequest will be created.
cloud.gcp.projectName
| type | string |
| default | undefined |
The GCP project name in which the DNS setup is hosted.
cloud.aws.accessKey
| type | string |
| default | undefined |
Access key ID to be used for Route53 access.
The credentials will be created by this component via a CredentialsRequest.
Unfortunately, the access key ID must be copied from the resulting secret:
```shell
kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.aws_access_key_id}' | \
  base64 --decode
```
cloud.azure.clientID
| type | string |
| default | undefined |
Like the AWS access key ID, the value must be copied from the credentials secret created by the component:
```shell
kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_client_id}' | \
  base64 --decode
```
cloud.azure.subscriptionID
| type | string |
| default | undefined |
Like the AWS access key ID, the value must be copied from the credentials secret created by the component:
```shell
kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_subscription_id}' | \
  base64 --decode
```
cloud.azure.tenantID
| type | string |
| default | undefined |
Like the AWS access key ID, the value must be copied from the credentials secret created by the component:
```shell
kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_tenant_id}' | \
  base64 --decode
```
cloud.azure.resourceGroupName
| type | string |
| default | undefined |
Like the AWS access key ID, the value must be copied from the credentials secret created by the component:
```shell
kubectl get secret ingress-cert-issuer-credentials \
  -n openshift-ingress \
  -o jsonpath='{.data.azure_resourcegroup}' | \
  base64 --decode
```
patchDualStack
| type | dictionary |
patchDualStack.enabled
| type | bool |
| default | |
When this parameter is set to true, the component deploys an Espejote Admission mutating webhook which intercepts newly created router pods and sets environment variable ROUTER_IP_V4_V6_MODE to v4v6.
patchDualStack.objectSelector
| type | dictionary |
| default | |
The value of this parameter is used as is for the Espejote Admission's `webhookConfiguration.objectSelector` field.
By default, the component configures the webhook to select all router pods.
Users can override this parameter to only select a subset of router pods.
secrets
| type | dictionary |
| default | |
Each entry in parameter secrets is deployed onto the cluster as a Kubernetes Secret with type=kubernetes.io/tls.
Entries with null values are skipped.
This allows users to remove secrets which were configured higher up in the hierarchy.
The component has basic validation to ensure the secret contents are a plausible Kubernetes TLS secret.
The dictionary keys are used as metadata.name for the resulting Secret resources.
The dictionary values are directly merged into a Secret resource which only has type=kubernetes.io/tls set.
The secrets are created in the namespace indicated by parameter namespace.
The OpenShift authentication operator generates a secret which contains the certificate and secret key of the ingress default certificate in a single field. To ensure that the concatenated data is always valid, the component appends a trailing newline to each field of the provided secret.
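The following added example (Python, not the component's own Jsonnet) illustrates the documented handling of the `secrets` parameter: null entries are skipped, each entry is merged into a bare `kubernetes.io/tls` Secret, the contents are checked for plausibility, and a trailing newline is appended to every field. The namespace value and the sample input are assumptions.

```python
"""Illustration of how the `secrets` parameter becomes kubernetes.io/tls Secrets."""
import copy

NAMESPACE = "openshift-ingress"  # assumed value of parameter `namespace`
REQUIRED_KEYS = ("tls.crt", "tls.key")


def validate_tls_secret(secret):
    """Basic plausibility check: type untouched, both TLS keys present and non-empty."""
    name = secret["metadata"]["name"]
    if secret["type"] != "kubernetes.io/tls":
        raise ValueError(f"{name}: type must stay kubernetes.io/tls")
    contents = {**secret.get("data", {}), **secret.get("stringData", {})}
    for key in REQUIRED_KEYS:
        if not isinstance(contents.get(key), str) or not contents[key]:
            raise ValueError(f"{name}: missing or empty {key}")


def render_tls_secrets(secrets, namespace=NAMESPACE):
    """Turn the `secrets` parameter dict into a list of Secret manifests."""
    manifests = []
    for name, value in secrets.items():
        if value is None:  # null entry: drop a secret configured higher in the hierarchy
            continue
        secret = {
            "apiVersion": "v1",
            "kind": "Secret",
            "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
        }
        secret.update(copy.deepcopy(value))  # the dictionary value is merged as-is
        validate_tls_secret(secret)
        # A trailing newline per field keeps the concatenated crt+key PEM valid.
        if "stringData" in secret:
            secret["stringData"] = {
                k: v if v.endswith("\n") else v + "\n"
                for k, v in secret["stringData"].items()
            }
        manifests.append(secret)
    return manifests


# Constructed sample input mirroring the `secrets` parameter; PEM bodies abbreviated.
SAMPLE_SECRETS = {
    "prod-wildcard": {
        "stringData": {
            "tls.crt": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
            "tls.key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
        }
    },
    "legacy-wildcard": None,  # set to null on this cluster, so it is skipped
}
```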
cert_manager_certs
| type | dictionary |
| default | |
Each entry in parameter cert_manager_certs is deployed onto the cluster as a cert-manager Certificate resource.
Entries with null values are skipped.
This allows users to remove certificates which were configured higher up in the hierarchy.
The dictionary keys are used as metadata.name and spec.secretName for the resulting Certificate resources.
The dictionary values are then directly merged into the mostly empty Certificate resources.
Examples
Managing a secret for the wildcard certificate
```yaml
parameters:
  openshift4_ingress:
    ingressControllers:
      prod:
        domain: apps.example.com
        defaultCertificate:
          # Use the secret configured below
          name: prod-wildcard
        namespaceSelector:
          matchLabels:
            environment: prod
    ingressControllerAnnotations:
      prod:
        # Annotation values must be strings, so the boolean is quoted
        ingress.operator.openshift.io/default-enable-http2: "true"
    secrets:
      prod-wildcard:
        stringData:
          tls.key: "?{vaultkv:...}" # reference to private key in Vault
          tls.crt: "?{vaultkv:...}" # reference to cert in Vault
```
Managing a cert-manager wildcard certificate
Note: This requires an issuer which supports DNS01 challenges. See the "Using DNS01 challenges" how-to for component cert-manager to get started with DNS01 challenges.
```yaml
parameters:
  openshift4_ingress:
    ingressControllers:
      prod:
        domain: apps.example.com
        defaultCertificate:
          # Use the secret for the certificate below.
          # The component uses the dictionary key `prod-wildcard-tls` as both
          # the Certificate's metadata.name and its spec.secretName.
          name: prod-wildcard-tls
    cert_manager_certs:
      prod-wildcard-tls:
        spec:
          dnsNames:
            - '*.apps.example.com'
          issuerRef:
            name: letsencrypt-production
            kind: ClusterIssuer
```