Merge pull request #729 from Miciah/operator-slash-ingress-add-parameters-for-empty-requests

openshift-merge-robot · web-flow · commit acb572771a9c · 2021-07-22T10:26:24.000-04:00
operator/ingress: Add parameters for empty requests
diff --git a/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml b/operator/v1/0000_50_ingress-operator_00-ingresscontroller.crd.yaml
@@ -327,6 +327,28 @@ spec:
                 required:
                 - type
                 type: object
+              httpEmptyRequestsPolicy:
+                default: Respond
+                description: "httpEmptyRequestsPolicy describes how HTTP connections
+                  should be handled if the connection times out before a request is
+                  received. Allowed values for this field are \"Respond\" and \"Ignore\".
+                  \ If the field is set to \"Respond\", the ingress controller sends
+                  an HTTP 400 or 408 response, logs the connection (if access logging
+                  is enabled), and counts the connection in the appropriate metrics.
+                  \ If the field is set to \"Ignore\", the ingress controller closes
+                  the connection without sending a response, logging the connection,
+                  or incrementing metrics.  The default value is \"Respond\". \n Typically,
+                  these connections come from load balancers' health probes or Web
+                  browsers' speculative connections (\"preconnect\") and can be safely
+                  ignored.  However, these requests may also be caused by network
+                  errors, and so setting this field to \"Ignore\" may impede detection
+                  and diagnosis of problems.  In addition, these requests may be caused
+                  by port scans, in which case logging empty requests may aid in detecting
+                  intrusion attempts."
+                enum:
+                - Respond
+                - Ignore
+                type: string
               httpErrorCodePages:
                 description: httpErrorCodePages specifies a configmap with custom
                   error pages. The administrator must create this configmap in the
@@ -658,6 +680,23 @@ spec:
                           or reencrypt connections).  It does not affect the log format
                           for TLS passthrough connections."
                         type: string
+                      logEmptyRequests:
+                        default: Log
+                        description: logEmptyRequests specifies how connections on
+                          which no request is received should be logged.  Typically,
+                          these empty requests come from load balancers' health probes
+                          or Web browsers' speculative connections ("preconnect"),
+                          in which case logging these requests may be undesirable.  However,
+                          these requests may also be caused by network errors, in
+                          which case logging empty requests may be useful for diagnosing
+                          the errors.  In addition, these requests may be caused by
+                          port scans, in which case logging empty requests may aid
+                          in detecting intrusion attempts.  Allowed values for this
+                          field are "Log" and "Ignore".  The default value is "Log".
+                        enum:
+                        - Log
+                        - Ignore
+                        type: string
                     required:
                     - destination
                     type: object
diff --git a/operator/v1/types_ingress.go b/operator/v1/types_ingress.go
@@ -191,6 +191,28 @@ type IngressControllerSpec struct {
 	// +optional
 	HTTPHeaders *IngressControllerHTTPHeaders `json:"httpHeaders,omitempty"`
 
+	// httpEmptyRequestsPolicy describes how HTTP connections should be
+	// handled if the connection times out before a request is received.
+	// Allowed values for this field are "Respond" and "Ignore".  If the
+	// field is set to "Respond", the ingress controller sends an HTTP 400
+	// or 408 response, logs the connection (if access logging is enabled),
+	// and counts the connection in the appropriate metrics.  If the field
+	// is set to "Ignore", the ingress controller closes the connection
+	// without sending a response, logging the connection, or incrementing
+	// metrics.  The default value is "Respond".
+	//
+	// Typically, these connections come from load balancers' health probes
+	// or Web browsers' speculative connections ("preconnect") and can be
+	// safely ignored.  However, these requests may also be caused by
+	// network errors, and so setting this field to "Ignore" may impede
+	// detection and diagnosis of problems.  In addition, these requests may
+	// be caused by port scans, in which case logging empty requests may aid
+	// in detecting intrusion attempts.
+	//
+	// +optional
+	// +kubebuilder:default:="Respond"
+	HTTPEmptyRequestsPolicy HTTPEmptyRequestsPolicy `json:"httpEmptyRequestsPolicy,omitempty"`
+
 	// tuningOptions defines parameters for adjusting the performance of
 	// ingress controller pods. All fields are optional and will use their
 	// respective defaults if not set. See specific tuningOptions fields for
@@ -905,6 +927,17 @@ type IngressControllerCaptureHTTPCookieUnion struct {
 	NamePrefix string `json:"namePrefix"`
 }
 
+// LoggingPolicy indicates how an event should be logged.
+// +kubebuilder:validation:Enum=Log;Ignore
+type LoggingPolicy string
+
+const (
+	// LoggingPolicyLog indicates that an event should be logged.
+	LoggingPolicyLog LoggingPolicy = "Log"
+	// LoggingPolicyIgnore indicates that an event should not be logged.
+	LoggingPolicyIgnore LoggingPolicy = "Ignore"
+)
+
 // AccessLogging describes how client requests should be logged.
 type AccessLogging struct {
 	// destination is where access logs go.
@@ -949,6 +982,21 @@ type AccessLogging struct {
 	// +optional
 	// +kubebuilder:validation:MaxItems=1
 	HTTPCaptureCookies []IngressControllerCaptureHTTPCookie `json:"httpCaptureCookies,omitempty"`
+
+	// logEmptyRequests specifies how connections on which no request is
+	// received should be logged.  Typically, these empty requests come from
+	// load balancers' health probes or Web browsers' speculative
+	// connections ("preconnect"), in which case logging these requests may
+	// be undesirable.  However, these requests may also be caused by
+	// network errors, in which case logging empty requests may be useful
+	// for diagnosing the errors.  In addition, these requests may be caused
+	// by port scans, in which case logging empty requests may aid in
+	// detecting intrusion attempts.  Allowed values for this field are
+	// "Log" and "Ignore".  The default value is "Log".
+	//
+	// +optional
+	// +kubebuilder:default:="Log"
+	LogEmptyRequests LoggingPolicy `json:"logEmptyRequests,omitempty"`
 }
 
 // IngressControllerLogging describes what should be logged where.
@@ -1135,6 +1183,20 @@ type IngressControllerTuningOptions struct {
 	ThreadCount int32 `json:"threadCount,omitempty"`
 }
 
+// HTTPEmptyRequestsPolicy indicates how HTTP connections for which no request
+// is received should be handled.
+// +kubebuilder:validation:Enum=Respond;Ignore
+type HTTPEmptyRequestsPolicy string
+
+const (
+	// HTTPEmptyRequestsPolicyRespond indicates that the ingress controller
+	// should respond to empty requests.
+	HTTPEmptyRequestsPolicyRespond HTTPEmptyRequestsPolicy = "Respond"
+	// HTTPEmptyRequestsPolicyIgnore indicates that the ingress controller
+	// should ignore empty requests.
+	HTTPEmptyRequestsPolicyIgnore HTTPEmptyRequestsPolicy = "Ignore"
+)
+
 var (
 	// Available indicates the ingress controller deployment is available.
 	IngressControllerAvailableConditionType = "Available"
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
