Manage routing wildcard domain #59
Conversation
openshift-ci-robot
added
the
size/XXL
|
/hold |
openshift-ci-robot
added
do-not-merge/hold
pkg/manifests/manifests.go
Outdated
| @@ -49,7 +49,7 @@ func (f *Factory) DefaultClusterIngress(ic *util.InstallConfig) (*ingressv1alpha | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
| ingressDomain := fmt.Sprintf("%s.%s", ic.Metadata.Name, ic.BaseDomain) | |||
| ingressDomain := fmt.Sprintf("*.apps.%s.%s", ic.Metadata.Name, ic.BaseDomain) | |||
There was a problem hiding this comment.
This will break TestDefaultClusterIngress. Also, do we want to publish the "*." in the canonical name in routes?
There was a problem hiding this comment.
No, canonical name is the name of the DNS wildcard root domain and API consumers should assume that it is ("%s.%s", myName, canonicalHostname). I.e. canonical should always be reported as a.b.c and consumers must assume their name is d.a.b.c
There was a problem hiding this comment.
So we should add the "*." in ensureDNSForLoadBalancer. Not sure about the "apps." though—probably should add "apps." here and adjust TestDefaultClusterIngress to keep it passing.
There was a problem hiding this comment.
We don't yet have any cluster config for the app domain, so I'm just making things up here. Do agree that the *. should be prefixed at runtime in ensureDNSForLoadBalancer().
ironcladlou
force-pushed
the
external-dns
branch
from
d7a32ae
to
008f4fd
Compare
|
@smarterclayton @abhinavdahiya thoughts on how we can approach hosted zone config/discovery here? We need to know:
I'm not entirely clear how 1 is managed in the first place, and for 2 all we have to start with is the hostname attached to the Service status. |
|
here's how hive deletes r53 zones https://github.com/openshift/hive/tree/master/contrib/pkg/awstagdeprovision#L1366-L1421 |
|
It should be the same zone as the apiserver masters unless we have a really
clever use case. Or we just make the installer create it.
On Nov 9, 2018, at 4:42 PM, Dan Mace <notifications@github.com> wrote:
@smarterclayton <https://github.com/smarterclayton> @abhinavdahiya
<https://github.com/abhinavdahiya> thoughts on how we can approach hosted
zone config/discovery here? We need to know:
1. The zone in which the alias should live
2. The zone of the alias target
I'm not entirely clear how 1 is managed in the first place, and for 2 all
we have to start with is the hostname attached to the Service status.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#59 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p2wcssdn-Y-4UaUUny_58d-_sbOZks5utfbEgaJpZM4YW8ay>
.
|
ironcladlou
force-pushed
the
external-dns
branch
2 times, most recently
from
03443f3
to
1ad40b3
Compare
|
Did some more work on this to auto-discover all the inputs... probably worth another review at this point before I go any further. PTAL @openshift/sig-network-edge @smarterclayton |
|
@dgoodwin @joelddiaz @smarterclayton @abhinavdahiya One cleanup problem here I just thought of. The Thoughts? |
pkg/stub/handler.go
Outdated
| @@ -242,6 +242,12 @@ func (h *Handler) ensureRouterForIngress(ci *ingressv1alpha1.ClusterIngress) err | |||
| } else if !errors.IsAlreadyExists(err) { | |||
| return fmt.Errorf("failed to create router service %s/%s: %v", service.Namespace, service.Name, err) | |||
| } | |||
| if ci.Spec.IngressDomain != nil { | |||
| err = h.ensureDNSForLoadBalancer(ci, service) | |||
There was a problem hiding this comment.
we definitely need to think about how to rate limit how often this can be ensured (i.e. should we have a rate limiter that requeues us when the limit expires, should we have a periodic timer, etc).
pkg/stub/dns.go
Outdated
| creds := credentials.NewStaticCredentials(string(awsCreds.Data["aws_access_key_id"]), string(awsCreds.Data["aws_secret_access_key"]), "") | ||
| sess, err := session.NewSession(&aws.Config{ | ||
| Credentials: creds, | ||
| Region: aws.String(h.InstallConfig.Platform.AWS.Region), |
There was a problem hiding this comment.
TODO here to pull this from the Infrastructure config, not InstallConfig.
|
The private zones do get some tagging applied to them (eg tectonicClusterID)... Not sure how helpful that is (or whether we want to embed this kind of tag lookup in the operator/controllers). I'd feel more comfortable with the tags if the hosted zones were being tagged with the kubernetes.io/cluster/$clustername tag. There's an old discussion on this topic here openshift/installer#458 The uninstall code can also be updated to not require the matching private zone, but the question then becomes how would it unambiguously identify the records that need removal in the shared public zone? |
|
Thanks, @joelddiaz. I didn't realize the zone was tagged. I think lookup using the |
ironcladlou
force-pushed
the
external-dns
branch
from
1ad40b3
to
b02d234
Compare
|
@openshift/sig-network-edge @smarterclayton okay, I think this is ready for near final review... I've been using some uncommitted tests for it; we probably need some e2e coverage. Overall I'm extremely uncomfortable maintaining this code and it's probably unsustainable beyond like 2 platforms (aws/gcp), but I'm hoping it's good enough to keep us moving... |
ironcladlou
force-pushed
the
external-dns
branch
2 times, most recently
from
fc7292e
to
37601fb
Compare
|
I added some cheesy logic to cache updates operator-side to stop spamming AWS with UPSERT calls. Can come up with a better way later. |
Looks like something's up with our job |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
@csrwng you might want to review what we're doing here as part of the external-dns use case analysis. |
pkg/dns/aws/dns.go
Outdated
| // Find the target hosted zone of the load balancer attached to the service. | ||
| // TODO: cache it? | ||
| var targetHostedZoneID string | ||
| loadBalancers, err := m.ELB.DescribeLoadBalancers(&elb.DescribeLoadBalancersInput{}) |
There was a problem hiding this comment.
You'll need the elbv2 version of this call to catch the new network load balancers we're using
There was a problem hiding this comment.
Can you explain further? I'm having no issues w/ the ELBs created by the k8s cloud provider for our services.
There was a problem hiding this comment.
ahh, sorry I was thinking of the nlbs that get created by the installer for masters, but those are not the ones created by the cloud provider.
| } | ||
|
|
||
| // findClusterPublicZone finds the public zone given the base domain. | ||
| func (m *Manager) findClusterPublicZone() *route53.HostedZone { |
There was a problem hiding this comment.
I was hoping to send something like this upstream to external-dns ... add the ability to lookup zones by tags. In the meantime, the code will live in the operator.
pkg/dns/aws/dns.go
Outdated
| // Create or update an alias from the wildcard domain to the service load | ||
| // balancer hostname in both zones. | ||
| // TODO: only make this call if the records don't exist. | ||
| updateRecord := func(zoneID string) error { |
There was a problem hiding this comment.
This is the part that external-dns can do for you right now. Btw, if I set the --registry=noop flag, I don't have it create the ugly TXT records.
|
P.S., current code won't handle deletes or updates to the ClusterIngress. Can address that in a followup; need to get some sort of e2e coverage on this. |
|
/retest |
| Namespace: namespace, | ||
| ManifestFactory: manifests.NewFactory(), | ||
| } | ||
| handler, err := createHandler(namespace) |
cmd/cluster-ingress-operator/main.go
Outdated
|
|
||
| ic, err := util.GetInstallConfig(kubeClient) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("could't get installconfig: %v", err) |
There was a problem hiding this comment.
Typo: "coudn't" (granted, it was already present before your refactoring).
cmd/cluster-ingress-operator/main.go
Outdated
| return nil, fmt.Errorf("Failed to get cvoClient: %v", err) | ||
| } | ||
|
|
||
| ic, err := util.GetInstallConfig(kubeClient) |
There was a problem hiding this comment.
Why separate declaration of kubeClient from use? Really, because there is only one use, we could do away with the variable entirely.
| // records Manager creates in the public zone will also be created in the | ||
| // private zone to ensure public zone records for the cluster can be identified | ||
| // and cleaned up later. | ||
| type Manager struct { |
There was a problem hiding this comment.
The names seem backwards: in the aws package, you define Manager, so we have aws.Manager, and in the dns package, you define DNSManager, so we have dns.DNSManager. It would make better sense to have aws.DNSManager and dns.Manager.
Alternatively, if we anticipate that the aws package will be imported as "awsdns" and if it doesn't make the code too confusing, we could change the name only in the aws package so that we will have dns.Manager and awsdns.Manager.
There was a problem hiding this comment.
Good thoughts... I went with option 2 (dns.Manager and awsdns.Manager).
pkg/dns/aws/dns.go
Outdated
| // and cleaned up later. | ||
| type Manager struct { | ||
| ELB *elb.ELB | ||
| Route53 *route53.Route53 |
There was a problem hiding this comment.
Why are these two fields public?
| sdk.Handle(handler) | ||
| sdk.Run(context.TODO()) | ||
| } | ||
|
|
||
| func createHandler(namespace string) (*stub.Handler, error) { |
There was a problem hiding this comment.
This should be moved to pkg/stub/handler.go and maybe renamed to "NewHandler".
There was a problem hiding this comment.
I almost didn't even refactor this -- I think we have more to think about here in terms of setup. Okay to revisit after the sdk upgrade?
There was a problem hiding this comment.
Sure, it's only a suggestion.
| @@ -0,0 +1,14 @@ | |||
| # Binds the operator role to its Service Account. | |||
There was a problem hiding this comment.
s/operator role to its/aws-creds-secret-reader role to the operator's/
pkg/dns/aws/dns.go
Outdated
| // topology established by the OpenShift installer. Specifically, this implies: | ||
| // | ||
| // 1. A public zone shared by all clusters with <domain-name> | ||
| // 2. A private zone for the cluster with <domain-name> |
There was a problem hiding this comment.
Instead of "<domain-name>", I think it would be clearer to say "domain name equal to the BaseDomain".
pkg/stub/handler.go
Outdated
| // ensureDNSForLoadBalancer configures a wildcard DNS alias for a ClusterIngress | ||
| // targeting the given service. | ||
| func (h *Handler) ensureDNSForLoadBalancer(ci *ingressv1alpha1.ClusterIngress, service *corev1.Service) error { | ||
| // Ensure DNS is configured for the load balancer. |
There was a problem hiding this comment.
This comment doesn't seem helpful.
cmd/cluster-ingress-operator/main.go
Outdated
| }, | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: "aws-creds", | ||
| Namespace: "kube-system", |
There was a problem hiding this comment.
Could use metav1.NamespaceSystem here.
ironcladlou
force-pushed
the
external-dns
branch
3 times, most recently
from
2fe56f3
to
8c13306
Compare
|
|
||
| var dnsManager dns.Manager | ||
| switch { | ||
| case ic.Platform.AWS != nil: |
There was a problem hiding this comment.
We could have an InstallConfig with a nil Platform, so we should check that here.
There was a problem hiding this comment.
Platform is a value type, can't be nil
There was a problem hiding this comment.
Ah, right, sorry. Never mind!
cmd/cluster-ingress-operator/main.go
Outdated
| AccessID: string(awsCreds.Data["aws_access_key_id"]), | ||
| AccessKey: string(awsCreds.Data["aws_secret_access_key"]), | ||
| Region: ic.Platform.AWS.Region, | ||
| BaseDomain: ic.BaseDomain + ".", |
There was a problem hiding this comment.
As far as I can tell, BaseDomain is allowed to have a final dot, so it might be prudent to do a TrimSuffix to avoid ending up with two dots.
pkg/dns/aws/dns.go
Outdated
|
|
||
| var _ dns.Manager = &Manager{} | ||
|
|
||
| // Manager is a DNSManager for AWS which is tightly coupled to the DNS zone |
There was a problem hiding this comment.
I guess that should be "is a dns.Manager" now.
There was a problem hiding this comment.
Revised comment
pkg/dns/aws/dns.go
Outdated
| }, | ||
| }) | ||
| if err != nil { | ||
| return fmt.Errorf("couldn't update DNS record for in zone %s: %v", zoneID, err) |
There was a problem hiding this comment.
You have two prepositions and only one prepositional object: "for in zone %s".
Add routing wildcard DNS management for AWS. This should be replaced ASAP by something more generalized (e.g. external-dns). The records are managed in a way that's compatible with the installer and are correctly cleaned up during a cluster destroy. *Does not yet handle updates or deletes.*
ironcladlou
force-pushed
the
external-dns
branch
from
8c13306
to
2b9a2f6
Compare
|
/retest |
1 similar comment
|
/retest |
|
Are the changes under |
|
Yeah, the |
|
/lgtm |
1 similar comment
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ironcladlou, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
Add routing wildcard DNS management for AWS. This should be replaced ASAP by something more generalized (e.g. external-dns).
The records are managed in a way that's compatible with the installer and are correctly cleaned up during a cluster destroy.
Does not yet handle updates or deletes.