Merge pull request #2584 from alebedev87/OCPBUGS-60885-abortonclose

openshift-merge-bot[bot] · web-flow · commit 0952bf66a5db · 2025-11-20T15:43:21.000Z
OCPBUGS-60885: Add ClosedClientConnectionPolicy to IngressController API
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
@@ -14,6 +14,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
     - name: Should be able to create an IngressController with valid Actions
       initial: |
         apiVersion: operator.openshift.io/v1
@@ -75,6 +76,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           httpHeaders:
             actions:
               response:
@@ -497,6 +499,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             connectTimeout: 10s
     - name: Should be able to create an IngressController with valid composite connect timeout
@@ -518,6 +521,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             connectTimeout: 100ms300μs
     - name: Should be able to create an IngressController with valid fraction connect timeout
@@ -539,6 +543,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             connectTimeout: 1.5m
     - name: Should not be able to create an IngressController with invalid unit connect timeout
@@ -582,6 +587,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             httpKeepAliveTimeout: 10s
     - name: Should be able to create an IngressController with valid composite httpKeepAlive timeout
@@ -603,6 +609,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             httpKeepAliveTimeout: 100s300ms
     - name: Should be able to create an IngressController with valid fraction httpKeepAlive timeout
@@ -624,6 +631,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           tuningOptions:
             httpKeepAliveTimeout: 1.5m
     - name: Should not be able to create an IngressController with invalid unit httpKeepAlive timeout
@@ -688,6 +696,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           domain: "this-label-has-exactly-63-characters-validating-at-the-boundary.com"
     - name: Should not be able to create an IngressController with invalid domain
       initial: |
@@ -761,6 +770,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           domain: "123-foo.com"
     - name: Should not be able to update already invalid domain to another invalid domain
       initialCRDPatches:
@@ -817,5 +827,6 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           domain: "*.foo.com"
           replicas: 3
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBOpenStack.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBOpenStack.yaml
@@ -20,6 +20,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -44,6 +45,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -70,6 +72,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml
@@ -29,6 +29,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -71,6 +72,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -185,6 +187,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -476,6 +479,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -534,6 +538,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
@@ -584,6 +589,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             type: LoadBalancerService
             loadBalancer:
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml
@@ -14,6 +14,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
     - name: Should not allow ingress controller creation if sum of number subnets name and id provided is not equal to the number of eipAllocations.
       initial: |
         apiVersion: operator.openshift.io/v1
@@ -125,6 +126,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
@@ -180,6 +182,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
@@ -234,6 +237,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml
@@ -14,6 +14,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
     - name: Should allow to set NLB parameters when LBType is NLB.
       initial: |
         apiVersion: operator.openshift.io/v1
@@ -43,6 +44,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
@@ -299,6 +301,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
@@ -321,6 +324,7 @@ tests:
         spec:
           httpEmptyRequestsPolicy: Respond
           idleConnectionTerminationPolicy: Immediate
+          closedClientConnectionPolicy: Continue
           endpointPublishingStrategy:
             loadBalancer:
               dnsManagementPolicy: Managed
diff --git a/operator/v1/types_ingress.go b/operator/v1/types_ingress.go
@@ -344,6 +344,47 @@ type IngressControllerSpec struct {
 	// +kubebuilder:default:="Immediate"
 	// +default="Immediate"
 	IdleConnectionTerminationPolicy IngressControllerConnectionTerminationPolicy `json:"idleConnectionTerminationPolicy,omitempty"`
+
+	// closedClientConnectionPolicy controls how the IngressController
+	// behaves when the client closes the TCP connection while the TLS
+	// handshake or HTTP request is in progress. This option maps directly
+	// to HAProxy’s "abortonclose" option.
+	//
+	// Valid values are: "Abort" and "Continue".
+	// The default value is "Continue".
+	//
+	// When set to "Abort", the router will stop processing the TLS handshake
+	// if it is in progress, and it will not send an HTTP request to the backend server
+	// if the request has not yet been sent when the client closes the connection.
+	//
+	// When set to "Continue", the router will complete the TLS handshake
+	// if it is in progress, or send an HTTP request to the backend server
+	// and wait for the backend server's response, regardless of
+	// whether the client has closed the connection.
+	//
+	// Setting "Abort" can help free CPU resources otherwise spent on TLS computation
+	// for connections the client has already closed, and can reduce request queue
+	// size, thereby reducing the load on saturated backend servers.
+	//
+	// Important Considerations:
+	//
+	//   - The default policy ("Continue") is HTTP-compliant, and requests
+	//     for aborted client connections will still be served.
+	//     Use the "Continue" policy to allow a client to send a request
+	//     and then immediately close its side of the connection while
+	//     still receiving a response on the half-closed connection.
+	//
+	//   - When clients use keep-alive connections, the most common case for premature
+	//     closure is when the user wants to cancel the transfer or when a timeout
+	//     occurs. In that case, the "Abort" policy may be used to reduce resource consumption.
+	//
+	//   - Using RSA keys larger than 2048 bits can significantly slow down
+	//     TLS computations. Consider using the "Abort" policy to reduce CPU usage.
+	//
+	// +optional
+	// +kubebuilder:default:="Continue"
+	// +default="Continue"
+	ClosedClientConnectionPolicy IngressControllerClosedClientConnectionPolicy `json:"closedClientConnectionPolicy,omitempty"`
 }
 
 // httpCompressionPolicy turns on compression for the specified MIME types.
@@ -2170,3 +2211,34 @@ const (
 	// connection.
 	IngressControllerConnectionTerminationPolicyDeferred IngressControllerConnectionTerminationPolicy = "Deferred"
 )
+
+// IngressControllerClosedClientConnectionPolicy controls how the IngressController
+// behaves when the client closes the TCP connection while the TLS
+// handshake or HTTP request is in progress.
+//
+// +kubebuilder:validation:Enum=Abort;Continue
+type IngressControllerClosedClientConnectionPolicy string
+
+const (
+	// IngressControllerClosedClientConnectionPolicyAbort aborts processing early when the client
+	// closes the connection.
+	//
+	// This affects two types of processing: TLS handshake computation on the router
+	// and request handling.
+	//
+	// When the client closes the connection, the router will stop processing
+	// the TLS handshake, preventing unnecessary CPU work.
+	//
+	// If the HTTP request has not yet been sent to the backend, it will be aborted.
+	// If the request is already being processed by the backend, the router will
+	// half-close the connection to signal this condition to the backend server,
+	// which can then decide how to proceed.
+	IngressControllerClosedClientConnectionPolicyAbort IngressControllerClosedClientConnectionPolicy = "Abort"
+
+	// IngressControllerClosedClientConnectionPolicyContinue continues processing even if the client
+	// closes the connection.
+	//
+	// The router will complete the TLS handshake and wait for the backend
+	// server's response regardless of the client having closed the connection.
+	IngressControllerClosedClientConnectionPolicyContinue IngressControllerClosedClientConnectionPolicy = "Continue"
+)
diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
@@ -109,6 +109,48 @@ spec:
                 - clientCA
                 - clientCertificatePolicy
                 type: object
+              closedClientConnectionPolicy:
+                default: Continue
+                description: |-
+                  closedClientConnectionPolicy controls how the IngressController
+                  behaves when the client closes the TCP connection while the TLS
+                  handshake or HTTP request is in progress. This option maps directly
+                  to HAProxy’s "abortonclose" option.
+
+                  Valid values are: "Abort" and "Continue".
+                  The default value is "Continue".
+
+                  When set to "Abort", the router will stop processing the TLS handshake
+                  if it is in progress, and it will not send an HTTP request to the backend server
+                  if the request has not yet been sent when the client closes the connection.
+
+                  When set to "Continue", the router will complete the TLS handshake
+                  if it is in progress, or send an HTTP request to the backend server
+                  and wait for the backend server's response, regardless of
+                  whether the client has closed the connection.
+
+                  Setting "Abort" can help free CPU resources otherwise spent on TLS computation
+                  for connections the client has already closed, and can reduce request queue
+                  size, thereby reducing the load on saturated backend servers.
+
+                  Important Considerations:
+
+                    - The default policy ("Continue") is HTTP-compliant, and requests
+                      for aborted client connections will still be served.
+                      Use the "Continue" policy to allow a client to send a request
+                      and then immediately close its side of the connection while
+                      still receiving a response on the half-closed connection.
+
+                    - When clients use keep-alive connections, the most common case for premature
+                      closure is when the user wants to cancel the transfer or when a timeout
+                      occurs. In that case, the "Abort" policy may be used to reduce resource consumption.
+
+                    - Using RSA keys larger than 2048 bits can significantly slow down
+                      TLS computations. Consider using the "Abort" policy to reduce CPU usage.
+                enum:
+                - Abort
+                - Continue
+                type: string
               defaultCertificate:
                 description: |-
                   defaultCertificate is a reference to a secret containing the default
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go
