[release-4.18] OCPBUGS-70315: Implement HTTPKeepAliveTimeout tuning option

[alebedev87]

Manual cherry-pick of #1323.

This commit implements HTTPKeepAliveTimeout tuning option of the IngressController API allowing customers to configure timeout http-keep-alive.

In OCP versions prior to 4.16, this timeout was not respected (see haproxy/haproxy#2334). This implementation brings the ability to adjust the behavior to match pre-4.16 configurations.

API PR: openshift/api#2638.

[openshift-ci-robot]

@alebedev87: This pull request references Jira Issue OCPBUGS-70315, which is valid.

7 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.z) matches configured target version for branch (4.18.z)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
• release note text is set and does not match the template
• dependent bug Jira Issue OCPBUGS-68378 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
• dependent Jira Issue OCPBUGS-68378 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
• bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Manual cherry-pick of #1323.

This commit implements HTTPKeepAliveTimeout tuning option of the IngressController API allowing customers to configure timeout http-keep-alive.

In OCP versions prior to 4.16, this timeout was not respected (see haproxy/haproxy#2334). This implementation brings the ability to adjust the behavior to match pre-4.16 configurations.

API PR: openshift/api#2638.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ShudiLi]

Tested it with 4.18.0-0-2026-01-06-015149-test-ci-ln-ywhwtg2-latest

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0-2026-01-06-015149-test-ci-ln-ywhwtg2-latest   True        False         29m     Cluster version is 4.18.0-0-2026-01-06-015149-test-ci-ln-ywhwtg2-latest

2. configure httpKeepAliveTimeout with valid 50ms, 50s and 15m
% oc -n openshift-ingress-operator get ingresscontroller default -oyaml | yq ".spec.tuningOptions"
httpKeepAliveTimeout: 50ms

% oc -n openshift-ingress rsh router-default-75fd58df47-7mhld
sh-5.1$ env | grep -i live
ROUTER_SLOWLORIS_HTTP_KEEPALIVE=50ms


% oc -n openshift-ingress-operator get ingresscontroller default -oyaml | yq ".spec.tuningOptions"
httpKeepAliveTimeout: 50s

% oc -n openshift-ingress rsh router-default-57b98f6cf6-h6tfp
sh-5.1$ env | grep -i live
ROUTER_SLOWLORIS_HTTP_KEEPALIVE=50s

% oc -n openshift-ingress-operator get ingresscontroller default -oyaml | yq ".spec.tuningOptions"
httpKeepAliveTimeout: 15m

% oc -n openshift-ingress rsh router-default-7545c5f69f-66khc
sh-5.1$ env | grep -i live
ROUTER_SLOWLORIS_HTTP_KEEPALIVE=15m

3. configure httpKeepAliveTimeout with invalid 50m and 1h
# ingresscontrollers.operator.openshift.io "default" was not valid:
# * spec.tuningOptions.httpKeepAliveTimeout: Invalid value: "string": httpKeepAliveTimeout must be less than or equal to 15 minutes

# ingresscontrollers.operator.openshift.io "default" was not valid:
# * spec.tuningOptions.httpKeepAliveTimeout: Invalid value: "string": httpKeepAliveTimeout must be a valid duration string composed of an unsigned integer value, optionally followed by a decimal fraction and a unit suffix (ms, s, m)
#

4. function test of httpKeepAliveTimeout with is 50s(create pod, service and the route, then send traffic and check captured packets)
sh-4.4# tcpdump -i any port 80 -s 0 -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
03:08:40.984766 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [S], seq 3646407093, win 64680, options [mss 1320,sackOK,TS val 3424488488 ecr 0,nop,wscale 7], length 0
03:08:40.987243 IP 104.198.49.92.http > 10.131.0.24.45022: Flags [S.], seq 3308724120, ack 3646407094, win 65400, options [mss 1320,sackOK,TS val 452781324 ecr 3424488488,nop,wscale 7], length 0
03:08:40.987297 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [.], ack 1, win 506, options [nop,nop,TS val 3424488490 ecr 452781324], length 0
03:08:40.987504 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [P.], seq 1:97, ack 1, win 506, options [nop,nop,TS val 3424488491 ecr 452781324], length 96: HTTP: GET /a1.txt  HTTP/1.1
03:08:40.991249 IP 104.198.49.92.http > 10.131.0.24.45022: Flags [P.], seq 1:417, ack 97, win 511, options [nop,nop,TS val 452781328 ecr 3424488491], length 416: HTTP: HTTP/1.1 200 OK
03:08:40.991288 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [.], ack 417, win 503, options [nop,nop,TS val 3424488494 ecr 452781328], length 0
03:09:30.995315 IP 104.198.49.92.http > 10.131.0.24.45022: Flags [F.], seq 417, ack 97, win 511, options [nop,nop,TS val 452831331 ecr 3424488494], length 0
03:09:31.036214 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [.], ack 418, win 503, options [nop,nop,TS val 3424538539 ecr 452831331], length 0
03:09:40.961758 IP 10.131.0.24.45022 > 104.198.49.92.http: Flags [P.], seq 97:192, ack 418, win 503, options [nop,nop,TS val 3424548465 ecr 452831331], length 95: HTTP: GET /a2.txt HTTP/1.1
03:09:40.961855 IP 104.198.49.92.http > 10.131.0.24.45022: Flags [R], seq 3308724538, win 0, length 0

[ShudiLi]

/retest-required

[ShudiLi]

/label qe-approved
/verified by @ShudiLi

[openshift-ci-robot]

@ShudiLi: This PR has been marked as verified by @ShudiLi.

Details

In response to this:

/label qe-approved
/verified by @ShudiLi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Miciah]

/approve
/lgtm

This is a low-risk change. The openshift/api bump adds a new field that is nullable with no default value, the changes to the operator logic only take effect if the cluster-admin sets the new field to an explicit, non-nil value, and the rest of the changes are test refactoring and coverage for the new API field.

/label backport-risk-approved

[openshift-ci]

@Miciah: The label(s) /label backport-risk-approved cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

Details

In response to this:

/approve
/lgtm

This is a low-risk change. The openshift/api bump adds a new field that is nullable with no default value, the changes to the operator logic only take effect if the cluster-admin sets the new field to an explicit, non-nil value, and the rest of the changes are test refactoring and coverage for the new API field.

/label backport-risk-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Miciah]

/label backport-risk-assessed

[openshift-ci-robot]

@alebedev87: Jira Issue Verification Checks: Jira Issue OCPBUGS-70315
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-70315 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Manual cherry-pick of #1323.

This commit implements HTTPKeepAliveTimeout tuning option of the IngressController API allowing customers to configure timeout http-keep-alive.

In OCP versions prior to 4.16, this timeout was not respected (see haproxy/haproxy#2334). This implementation brings the ability to adjust the behavior to match pre-4.16 configurations.

API PR: openshift/api#2638.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.18.0-0.nightly-2026-01-06-195439