Merge pull request #110361 from openshift/revert-105153-OSDOCS-16863-4RE-18

Revert "[enterprise-4.18] OSDOCS-16863-4RE: CQA for MetalLB Ingress and Route"

Author: JoeAldinger

microshift_networking/microshift-configuring-routes.adoc

@@ -6,10 +6,7 @@ include::_attributes/attributes-microshift.adoc[]
 
 toc::[]
 
-[role="_abstract"]
-To enable {microshift-short} node access for services, configure the cluster routes. By using this configuration, you can expose specific applications directly through the network interface of the node.
-
-Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. See the _Additional resources_ section for links to the {OCP} documentation that describe how to create re-encrypt, edge, and passthrough routes with custom certificates.
+You can configure routes for services to have {microshift-short} node access.
 
 //OCP module, edit with care; Creating an insecure/http route
 include::modules/microshift-nw-create-http-based-route.adoc[leveloffset=+1]
@@ -53,8 +50,10 @@ include::modules/nw-ingress-edge-route-default-certificate.adoc[leveloffset=+1]
 //OCP module, edit with care
 include::modules/nw-ingress-reencrypt-route-custom-cert.adoc[leveloffset=+1]
 
-[role="_additional-resources"]
-.Additional resources
+[id="microshift-secured-routes_{context}"]
+== Secured routes
+
+Secure routes provide the ability to use several types of TLS termination to serve certificates to the client. The following links to the {OCP} documentation describe how to create re-encrypt, edge, and passthrough routes with custom certificates.
 
 * link:https://docs.redhat.com/en/documentation/openshift_container_platform/{ocp-version}/html/networking/configuring-routes#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes[Creating a re-encrypt route with a custom certificate]
 

modules/microshift-nw-create-http-based-route.adoc

@@ -6,10 +6,7 @@
 [id="microshift-nw-creating-a-route_{context}"]
 = Creating an HTTP-based route
 
-[role="_abstract"]
-To host your application at a public URL by using the basic HTTP routing protocol, create an HTTP-based route. This configuration exposes a service on an unsecured application port, allowing external access without TLS encryption.
-
-A route can either be secure or unsecured, depending on the network security configuration of your application.
+A route allows you to host your application at a public URL. It can either be secure or unsecured, depending on the network security configuration of your application. An HTTP-based route is an unsecured route that uses the basic HTTP routing protocol and exposes a service on an unsecured application port.
 
 The following procedure describes how to create a simple HTTP-based route to a web application, using the `hello-microshift` application as an example.
 
@@ -41,11 +38,11 @@ $ oc expose svc/hello-microshift --hostname=microshift.com $namespace
 +
 [source,terminal]
 ----
-$ oc get routes -o yaml <name of resource> -n $namespace
+$ oc get routes -o yaml <name of resource> -n $namespace <1>
 ----
-* `namespace`: Specifies the route that is named `hello-microshift` and the namespace is named `hello-microshift`.
-+
-.Sample YAML definition for the created unsecured route
+<1> In this example, the route is named `hello-microshift` and the namespace is named `hello-microshift`.
+
+.Sample YAML definition of the created unsecured route:
 [source,yaml]
 ----
 apiVersion: route.openshift.io/v1
@@ -54,20 +51,17 @@ metadata:
   name: hello-microshift
   namespace: hello-microshift
 spec:
-  host: microshift.com
+  host: microshift.com <1>
   port:
-    targetPort: 8080
+    targetPort: 8080 <2>
   to:
     kind: Service
     name: hello-microshift
 ----
-+
-where:
-+
-`spec.host`:: Specifies the hostname.
-`port.targetPort`:: Specifies the target port for the router to map the endpoint port in the service.
+<1> Example hostname.
+<2> `targetPort` is required for the router to map the endpoint port in the service.
 +
 [NOTE]
 ====
-{microshift-short} does not use an API that creates a default ingress domain, but instead provides a wildcard for automatically generated domains. Each route can also define a separate hostname.
+{microshift-short} does not a use an API that creates a default ingress domain, but instead provides a wildcard for automatically generated domains. Each route can also define a separate hostname.
 ====

modules/microshift-nw-enforcing-hsts-per-domain.adoc

@@ -6,8 +6,7 @@
 [id="microshift-nw-enforcing-hsts-per-domain_{context}"]
 = Enforcing HTTP Strict Transport Security per-domain
 
-[role="_abstract"]
-To enforce secure communication per-domain, configure routes with a compliant HSTS policy annotation. For upgraded nodes with non-compliant routes, ensure consistent enforcement by updating the source manifests to apply the new security policies.
+You can configure a route with a compliant HSTS policy annotation. To handle an upgraded node with noncompliant HSTS routes, you can update the manifests at the source and apply the updates.
 
 You cannot use `oc expose route` or `oc create route` commands to add a route in a domain that enforces HSTS because the API for these commands does not accept annotations.
 
@@ -17,30 +16,28 @@ HSTS cannot be applied to insecure, or non-TLS, routes.
 ====
 
 .Prerequisites
-
 * You have root access to the node.
 * You installed the {oc-first}.
 
 .Procedure
 
-* Apply HSTS to all routes in the node by running the following command:
+* Apply HSTS to all routes in the node by running the following `oc annotate command`:
 +
 [source,terminal]
 ----
 $ oc annotate route --all --all-namespaces --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains"
 ----
-
-* Apply HSTS to all routes in a particular namespace by running the following command:
++
+* Apply HSTS to all routes in a particular namespace by running the following `oc annotate command`:
 +
 [source,terminal]
 [subs="+quotes"]
 ----
-$ oc annotate route --all -n __<my_namespace>__ --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains"
+$ oc annotate route --all -n __<my_namespace>__ --overwrite=true "haproxy.router.openshift.io/hsts_header"="max-age=31536000;preload;includeSubDomains" <1>
 ----
-* `<my_namespace>`: Specify the namespace that you want to use.
+<1> Replace `_<my_namespace>_` with the namespace you want to use.
 
 .Verification
-
 * Review the HSTS annotations on all routes by running the following command:
 +
 [source,terminal]

modules/nw-annotating-a-route-with-a-cookie-name.adoc

@@ -11,10 +11,7 @@
 [id="nw-annotating-a-route-with-a-cookie-name_{context}"]
 = Annotating a route with a cookie
 
-[role="_abstract"]
-To enable applications to manage session persistence and load distribution, annotate the route with a custom cookie name. Overwriting the default cookie allows the backend application to identify and delete the specific cookie, forcing endpoint re-selection when necessary.
-
-When a server is overloaded, the server tries to remove the requests from the client and redistribute the requests to other endpoints.
+You can set a cookie name to overwrite the default, auto-generated one for the route. This allows the application receiving route traffic to know the cookie name. Deleting the cookie can force the next request to re-choose an endpoint. The result is that if a server is overloaded, that server tries to remove the requests from the client and redistribute them.
 
 .Procedure
 
@@ -25,10 +22,12 @@ When a server is overloaded, the server tries to remove the requests from the cl
 $ oc annotate route <route_name> router.openshift.io/cookie_name="<cookie_name>"
 ----
 +
+--
 where:
-+
+
 `<route_name>`:: Specifies the name of the route.
 `<cookie_name>`:: Specifies the name for the cookie.
+--
 +
 For example, to annotate the route `my_route` with the cookie name `my_cookie`:
 +
@@ -44,9 +43,11 @@ $ oc annotate route my_route router.openshift.io/cookie_name="my_cookie"
 $ ROUTE_NAME=$(oc get route <route_name> -o jsonpath='{.spec.host}')
 ----
 +
+--
 where:
-+
+
 `<route_name>`:: Specifies the name of the route.
+--
 
 . Save the cookie, and then access the route:
 +

modules/nw-disabling-hsts.adoc

@@ -6,8 +6,7 @@
 [id="nw-disabling-hsts_{context}"]
 = Disabling HTTP Strict Transport Security per-route
 
-[role="_abstract"]
-To allow unencrypted connections or troubleshoot access issues, disable HTTP Strict Transport Security (HSTS) for a specific route. Setting the `max-age` route annotation to `0` instructs browsers to stop enforcing HTTPS requirements on the route host.
+To disable HTTP strict transport security (HSTS) per-route, you can set the `max-age` value in the route annotation to `0`.
 
 .Prerequisites
 ifndef::microshift[]
@@ -20,7 +19,7 @@ endif::microshift[]
 
 .Procedure
 
-* To disable HSTS, enter the following to set the `max-age` value in the route annotation to `0`:
+* To disable HSTS, set the `max-age` value in the route annotation to `0`, by entering the following command:
 +
 [source,terminal]
 ----
@@ -33,8 +32,6 @@ You can alternatively apply the following YAML to create the config map for disa
 
 [source,yaml]
 ----
-kind: Route
-apiVersion: route.openshift.io/v1
 metadata:
   annotations:
     haproxy.router.openshift.io/hsts_header: max-age=0

modules/nw-enabling-hsts-per-route.adoc

@@ -6,8 +6,7 @@
 [id="nw-enabling-hsts-per-route_{context}"]
 = Enabling HTTP Strict Transport Security per-route
 
-[role="_abstract"]
-To enforce secure HTTPS connections for specific applications, enable HTTP Strict Transport Security (HSTS) on a per-route basis. Applying the `haproxy.router.openshift.io/hsts_header` annotation to edge and re-encrypt routes ensures that browsers reject unencrypted traffic.
+HTTP strict transport security (HSTS) is implemented in the HAProxy template and applied to edge and re-encrypt routes that have the `haproxy.router.openshift.io/hsts_header` annotation.
 
 .Prerequisites
 ifndef::microshift[]
@@ -22,7 +21,7 @@ endif::microshift[]
 
 * To enable HSTS on a route, add the `haproxy.router.openshift.io/hsts_header` value to the edge-terminated or re-encrypt route. You can use the `oc annotate` tool to do this by running the following command. To properly run the command, ensure that the semicolon (`;`) in the `haproxy.router.openshift.io/hsts_header` route annotation is also surrounded by double quotation marks (`""`).
 +
-.Example `annotate` command that sets the maximum age to `31536000` ms (approximately 8.5 hours)
+.Example `annotate` command that sets the maximum age to `31536000` ms (approximetly 8.5 hours)
 [source,terminal]
 ----
 $ oc annotate route <route_name> -n <namespace> --overwrite=true "haproxy.router.openshift.io/hsts_header=max-age=31536000;\
@@ -36,7 +35,7 @@ apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
   annotations:
-    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
+    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload <1> <2> <3>
 # ...
 spec:
   host: def.abc.com
@@ -46,9 +45,7 @@ spec:
   wildcardPolicy: "Subdomain"
 # ...
 ----
-+
-where:
-+
-`max-age`:: Specifies the measurement of the length of time, in seconds, for the HSTS policy. If set to `0`, it negates the policy.
-`includeSubDomains`:: Specifies that all subdomains of the host must have the same HSTS policy as the host. Optional parameter.
-`preload`:: Specifies that the site is included in the HSTS preload list when `max-age` is greater than `0`. For example, sites such as Google can construct a list of sites that have `preload` set. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, even before they have interacted with the site. Without `preload` set, browsers must have interacted with the site over HTTPS, at least once, to get the header. Optional parameter.
+<1> Required. `max-age` measures the length of time, in seconds, that the HSTS policy is in effect. If set to `0`, it negates the policy.
+<2> Optional. When included, `includeSubDomains` tells the client
+that all subdomains of the host must have the same HSTS policy as the host.
+<3> Optional. When `max-age` is greater than 0, you can add `preload` in  `haproxy.router.openshift.io/hsts_header` to allow external services to include this site in their HSTS preload lists. For example, sites such as Google can construct a list of sites that have `preload` set. Browsers can then use these lists to determine which sites they can communicate with over HTTPS, even before they have interacted with the site. Without `preload` set, browsers must have interacted with the site over HTTPS, at least once, to get the header.

modules/nw-enabling-hsts.adoc

@@ -7,8 +7,7 @@
 [id="nw-enabling-hsts_{context}"]
 = HTTP Strict Transport Security
 
-[role="_abstract"]
-To enhance security and optimize website performance, use the HTTP Strict Transport Security (HSTS) policy. This mechanism signals browsers to use only HTTPS traffic on the route host, eliminating the need for HTTP redirects and speeding up user interactions.
+HTTP Strict Transport Security (HSTS) policy is a security enhancement, which signals to the browser client that only HTTPS traffic is allowed on the route host. HSTS also optimizes web traffic by signaling HTTPS transport is required, without using HTTP redirects. HSTS is useful for speeding up interactions with websites.
 
 When HSTS policy is enforced, HSTS adds a Strict Transport Security header to HTTP and HTTPS responses from the site. You can use the `insecureEdgeTerminationPolicy` value in a route to redirect HTTP to HTTPS. When HSTS is enforced, the client changes all requests from the HTTP URL to HTTPS before the request is sent, eliminating the need for a redirect.
 

modules/nw-http-header-configuration.adoc

@@ -7,16 +7,12 @@
 [id="nw-http-header-configuration_{context}"]
 = HTTP header configuration
 
-[role="_abstract"]
 ifndef::microshift[]
-To customize request and response headers for your applications, configure the Ingress Controller or apply specific route annotations. Understanding the interaction between these configuration methods ensures you effectively manage global and route-specific header policies.
-
-You can also set certain headers by using route annotations. The various ways of configuring headers can present challenges when working together.
+{product-title} provides different methods for working with HTTP headers. When setting or deleting headers, you can use specific fields in the Ingress Controller or an individual route to modify request and response headers. You can also set certain headers by using route annotations. The various ways of configuring headers can present challenges when working together.
 endif::microshift[]
-ifdef::microshift[]
-To customize request and response headers, modify individual route configurations or apply route annotations. Understanding the interaction between these methods ensures you effectively manage header policies and resolve potential configuration conflicts.
 
-The various ways of configuring headers can present challenges when working together.
+ifdef::microshift[]
+When setting or deleting headers, you can use an individual route to modify request and response headers. You can also set certain headers by using route annotations. The various ways of configuring headers can present challenges when working together.
 endif::microshift[]
 
 ifndef::microshift[]
@@ -34,7 +30,8 @@ You can only set or delete headers within a `Route` CR. You cannot append header
 endif::microshift[]
 
 ifndef::microshift[]
-Order of precedence::
+[id="nw-http-header-configuration-order_{context}"]
+== Order of precedence
 
 When the same HTTP header is modified both in the Ingress Controller and in a route, HAProxy prioritizes the actions in certain ways depending on whether it is a request or response header.
 
@@ -107,7 +104,8 @@ ifdef::microshift[]
 Any actions defined in a route override values set using route annotations.
 endif::microshift[]
 
-Special case headers::
+[id="nw-http-header-configuration-special-cases_{context}"]
+== Special case headers
 
 The following headers are either prevented entirely from being set or deleted, or allowed under specific circumstances: