OCPBUGS-61858: Add HTTPKeepAliveTimeout to IngressController API

This commit introduces `HTTPKeepAliveTimeout` tuning option to
the IngressController API, allowing customers to configure
`timeout http-keep-alive`.

In OCP versions prior to 4.16, this timeout was not respected
(see haproxy/haproxy#2334).
This addition brings the ability to adjust the behavior
to match pre-4.16 configurations.

Author: alebedev87

openapi/generated_openapi/zz_generated.openapi.go

@@ -563,6 +563,91 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid nominal httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 10s
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 10s
+    - name: Should be able to create an IngressController with valid composite httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 100ms300μs
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 100ms300μs
+    - name: Should be able to create an IngressController with valid fraction httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 1.5m
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 1.5m
+    - name: Should not be able to create an IngressController with invalid unit httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 3d
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"3d\": spec.tuningOptions.httpKeepAliveTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should not be able to create an IngressController with invalid space httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: "4 s"
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"4 s\": spec.tuningOptions.httpKeepAliveTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
     - name: Should be able to create an IngressController with valid domain
       initial: |
         apiVersion: operator.openshift.io/v1

operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml

@@ -1884,6 +1884,31 @@ type IngressControllerTuningOptions struct {
 	// +optional
 	ConnectTimeout *metav1.Duration `json:"connectTimeout,omitempty"`
 
+	// httpKeepAliveTimeout defines the maximum allowed time to wait for
+	// a new HTTP request to appear.
+	//
+	// This field expects an unsigned duration string of decimal numbers, each with optional
+	// fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m".
+	// Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h".
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose a reasonable default. This default is subject to change over time.
+	// The current default is 300s.
+	//
+	// Low values (tens of milliseconds or less) can cause clients to close and reopen connections
+	// for each request, leading to excessive TCP or SSL handshakes.
+	// For HTTP/2, special care should be taken with low values.
+	// A few seconds is a reasonable starting point to avoid holding idle connections open
+	// while still allowing subsequent requests to reuse the connection.
+	//
+	// High values (more than a minute) can cause idle connections to linger,
+	// increasing exposure to long-lived but inactive connection attacks.
+	//
+	// +kubebuilder:validation:Pattern=^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+	// +kubebuilder:validation:Type:=string
+	// +optional
+	HTTPKeepAliveTimeout *metav1.Duration `json:"httpKeepAliveTimeout,omitempty"`
+
 	// tlsInspectDelay defines how long the router can hold data to find a
 	// matching route.
 	//

operator/v1/types_ingress.go

@@ -2250,6 +2250,29 @@ spec:
                       2147483647ms (24.85 days).  Both are subject to change over time.
                     pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
                     type: string
+                  httpKeepAliveTimeout:
+                    description: |-
+                      httpKeepAliveTimeout defines the maximum allowed time to wait for
+                      a new HTTP request to appear.
+
+                      This field expects an unsigned duration string of decimal numbers, each with optional
+                      fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m".
+                      Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h".
+
+                      When omitted, this means the user has no opinion and the platform is left
+                      to choose a reasonable default. This default is subject to change over time.
+                      The current default is 300s.
+
+                      Low values (tens of milliseconds or less) can cause clients to close and reopen connections
+                      for each request, leading to excessive TCP or SSL handshakes.
+                      For HTTP/2, special care should be taken with low values.
+                      A few seconds is a reasonable starting point to avoid holding idle connections open
+                      while still allowing subsequent requests to reuse the connection.
+
+                      High values (more than a minute) can cause idle connections to linger,
+                      increasing exposure to long-lived but inactive connection attacks.
+                    pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+                    type: string
                   maxConnections:
                     description: |-
                       maxConnections defines the maximum number of simultaneous

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml

@@ -2233,6 +2233,29 @@ spec:
                       2147483647ms (24.85 days).  Both are subject to change over time.
                     pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
                     type: string
+                  httpKeepAliveTimeout:
+                    description: |-
+                      httpKeepAliveTimeout defines the maximum allowed time to wait for
+                      a new HTTP request to appear.
+
+                      This field expects an unsigned duration string of decimal numbers, each with optional
+                      fraction and a unit suffix, e.g. "300ms", "1.5h" or "2h45m".
+                      Valid time units are "ns", "us" (or "µs" U+00B5 or "μs" U+03BC), "ms", "s", "m", "h".
+
+                      When omitted, this means the user has no opinion and the platform is left
+                      to choose a reasonable default. This default is subject to change over time.
+                      The current default is 300s.
+
+                      Low values (tens of milliseconds or less) can cause clients to close and reopen connections
+                      for each request, leading to excessive TCP or SSL handshakes.
+                      For HTTP/2, special care should be taken with low values.
+                      A few seconds is a reasonable starting point to avoid holding idle connections open
+                      while still allowing subsequent requests to reuse the connection.
+
+                      High values (more than a minute) can cause idle connections to linger,
+                      increasing exposure to long-lived but inactive connection attacks.
+                    pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
+                    type: string
                   maxConnections:
                     description: |-
                       maxConnections defines the maximum number of simultaneous