openshift
diff --git a/‎openapi/generated_openapi/zz_generated.openapi.go‎
Lines changed: 7 additions & 1 deletion b/‎openapi/generated_openapi/zz_generated.openapi.go‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml‎
Lines changed: 107 additions & 0 deletions b/‎operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎operator/v1/types_ingress.go‎
Lines changed: 33 additions & 3 deletions b/‎operator/v1/types_ingress.go‎
Lines changed: 33 additions & 3 deletions
diff --git a/‎operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml‎
Lines changed: 41 additions & 3 deletions b/‎operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml‎
Lines changed: 41 additions & 3 deletions
diff --git a/‎operator/v1/zz_generated.deepcopy.go‎
Lines changed: 1 addition & 0 deletions b/‎operator/v1/zz_generated.deepcopy.go‎
Lines changed: 1 addition & 0 deletions
@@ -563,6 +563,113 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid nominal httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 10s
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 10s
+    - name: Should be able to create an IngressController with valid composite httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 100s300ms
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 100s300ms
+    - name: Should be able to create an IngressController with valid fraction httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 1.5m
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          tuningOptions:
+            httpKeepAliveTimeout: 1.5m
+    - name: Should not be able to create an IngressController with invalid unit httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 3d
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"string\": httpKeepAliveTimeout must be a valid duration string composed of an unsigned integer value, optionally followed by a decimal fraction and a unit suffix (ms, s, m)"
+    - name: Should not be able to create an IngressController with invalid space httpKeepAlive timeout
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: "4 s"
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"string\": httpKeepAliveTimeout must be a valid duration string composed of an unsigned integer value, optionally followed by a decimal fraction and a unit suffix (ms, s, m)"
+    - name: Should not be able to create an IngressController with httpKeepAlive timeout too big
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 100m
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"string\": httpKeepAliveTimeout must be less than or equal to 15 minutes"
+    - name: Should not be able to create an IngressController with httpKeepAlive timeout too small
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          tuningOptions:
+            httpKeepAliveTimeout: 0.001ms
+      expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.httpKeepAliveTimeout: Invalid value: \"string\": httpKeepAliveTimeout must be greater than or equal to 1 millisecond"
     - name: Should be able to create an IngressController with valid domain
       initial: |
         apiVersion: operator.openshift.io/v1
 
@@ -298,9 +298,9 @@ type IngressControllerSpec struct {
 	//     case HAProxy handles it in the old process and closes
 	//     the connection after sending the response.
 	//
-	//   - HAProxy's `timeout http-keep-alive` duration expires
-	//     (300 seconds in OpenShift's configuration, not
-	//     configurable).
+	//   - HAProxy's `timeout http-keep-alive` duration expires.
+	//     By default this is 300 seconds, but it can be changed
+	//     using httpKeepAliveTimeout tuning option.
 	//
 	//   - The client's keep-alive timeout expires, causing the
 	//     client to close the connection.
@@ -1884,6 +1884,36 @@ type IngressControllerTuningOptions struct {
 	// +optional
 	ConnectTimeout *metav1.Duration `json:"connectTimeout,omitempty"`
 
+	// httpKeepAliveTimeout defines the maximum allowed time to wait for
+	// a new HTTP request to appear on a connection from the client to the router.
+	//
+	// This field expects an unsigned duration string of a decimal number, with optional
+	// fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s".
+	// Valid time units are "ms", "s", "m".
+	// The allowed range is from 1 millisecond to 15 minutes.
+	//
+	// When omitted, this means the user has no opinion and the platform is left
+	// to choose a reasonable default. This default is subject to change over time.
+	// The current default is 300s.
+	//
+	// Low values (tens of milliseconds or less) can cause clients to close and reopen connections
+	// for each request, leading to reduced connection sharing.
+	// For HTTP/2, special care should be taken with low values.
+	// A few seconds is a reasonable starting point to avoid holding idle connections open
+	// while still allowing subsequent requests to reuse the connection.
+	//
+	// High values (minutes or more) favor connection reuse but may cause idle
+	// connections to linger longer.
+	//
+	// +kubebuilder:validation:Type:=string
+	// +kubebuilder:validation:XValidation:rule="self.matches('^([0-9]+(\\\\.[0-9]+)?(ms|s|m))+$')",message="httpKeepAliveTimeout must be a valid duration string composed of an unsigned integer value, optionally followed by a decimal fraction and a unit suffix (ms, s, m)"
+	// +kubebuilder:validation:XValidation:rule="!self.matches('^([0-9]+(\\\\.[0-9]+)?(ms|s|m))+$') || duration(self) <= duration('15m')",message="httpKeepAliveTimeout must be less than or equal to 15 minutes"
+	// +kubebuilder:validation:XValidation:rule="!self.matches('^([0-9]+(\\\\.[0-9]+)?(ms|s|m))+$') || duration(self) >= duration('1ms')",message="httpKeepAliveTimeout must be greater than or equal to 1 millisecond"
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=16
+	// +optional
+	HTTPKeepAliveTimeout metav1.Duration `json:"httpKeepAliveTimeout,omitempty"`
+
 	// tlsInspectDelay defines how long the router can hold data to find a
 	// matching route.
 	//
 
@@ -1300,9 +1300,9 @@ spec:
                       case HAProxy handles it in the old process and closes
                       the connection after sending the response.
 
-                    - HAProxy's `timeout http-keep-alive` duration expires
-                      (300 seconds in OpenShift's configuration, not
-                      configurable).
+                    - HAProxy's `timeout http-keep-alive` duration expires.
+                      By default this is 300 seconds, but it can be changed
+                      using httpKeepAliveTimeout tuning option.
 
                     - The client's keep-alive timeout expires, causing the
                       client to close the connection.
@@ -2250,6 +2250,44 @@ spec:
                       2147483647ms (24.85 days).  Both are subject to change over time.
                     pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$
                     type: string
+                  httpKeepAliveTimeout:
+                    description: |-
+                      httpKeepAliveTimeout defines the maximum allowed time to wait for
+                      a new HTTP request to appear on a connection from the client to the router.
+
+                      This field expects an unsigned duration string of a decimal number, with optional
+                      fraction and a unit suffix, e.g. "300ms", "1.5s" or "2m45s".
+                      Valid time units are "ms", "s", "m".
+                      The allowed range is from 1 millisecond to 15 minutes.
+
+                      When omitted, this means the user has no opinion and the platform is left
+                      to choose a reasonable default. This default is subject to change over time.
+                      The current default is 300s.
+
+                      Low values (tens of milliseconds or less) can cause clients to close and reopen connections
+                      for each request, leading to reduced connection sharing.
+                      For HTTP/2, special care should be taken with low values.
+                      A few seconds is a reasonable starting point to avoid holding idle connections open
+                      while still allowing subsequent requests to reuse the connection.
+
+                      High values (minutes or more) favor connection reuse but may cause idle
+                      connections to linger longer.
+                    maxLength: 16
+                    minLength: 1
+                    type: string
+                    x-kubernetes-validations:
+                    - message: httpKeepAliveTimeout must be a valid duration string
+                        composed of an unsigned integer value, optionally followed
+                        by a decimal fraction and a unit suffix (ms, s, m)
+                      rule: self.matches('^([0-9]+(\\.[0-9]+)?(ms|s|m))+$')
+                    - message: httpKeepAliveTimeout must be less than or equal to
+                        15 minutes
+                      rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') ||
+                        duration(self) <= duration(''15m'')'
+                    - message: httpKeepAliveTimeout must be greater than or equal
+                        to 1 millisecond
+                      rule: '!self.matches(''^([0-9]+(\\.[0-9]+)?(ms|s|m))+$'') ||
+                        duration(self) >= duration(''1ms'')'
                   maxConnections:
                     description: |-
                       maxConnections defines the maximum number of simultaneous