Getting cluster geo tag from nodes labels and annotations

[jkremser]

more details in issue #720

Unfortunately, the clusterGeoTag was also used in helm chart for calculating the extdnsOwnerID which is then passed to external-dns deployment as an argument for the main binary/container. However we don't know it upfront so I had to add a logic around it. It (external-dns deployment) takes the param as the env variable from a configmap called external-dns-env. If the cm is not there it won't get deployed (-> no race conditions), we create this configmap after k8gb start with the correctly calculated value for EXTERNAL_DNS_TXT_OWNER_ID (same logic as before)

k8gb now has to be able to read the nodes in order to get the annotations or labels on them

I've created a dummy rbac for tests in just to be able to read the nodes as well (we are not using the global one called "k8gb" because there would be a risk that operator would be handling the gslb resources). In the terratest we deploy another k8gb instance using helm with crippled RBAC and test if it fails if geo tag is not provided by env var nor by label/annotations on the nodes and then put the label on nodes, kill the pod to enforce the restart and check that this time it's ok, since it gets the geo tag from a node.

[k0da]

Do we controll k8gb namespace in tests?

[jkremser]

y, gets created & deleted here. They will look like k8gb-test-geo-tag-1fuk1x where the last chunk is random

[k0da]

We can throw away envsubs and use .Release.Namespace in original RBAC and ommit having separate rbac resource here.

[kuritka]

Hi overall excellent idea and good job!

I have only three little things mentioned in review.

[somaritane]

@jkremser nice work!
This feature might help a lot to simplify the GitOps-centric k8gb deployment workflows, with one set of k8gb deployment settings valid for all the clusters.
There might be a few conceptual comments/questions we might want to address before merging.

[somaritane]

We should reflect the inference resolution order in the documentation.

[somaritane]

topology.kubernetes.io/zone label might be actually unique for every node in the cluster, at least for managed cloud k8s clusters (EKS, AKS, etc):

kubectl get nodes -o custom-columns=NAME:'{.metadata.name}',REGION:'{.metadata.labels.topology\.kubernetes\.io/region}',ZONE:'{metadata.labels.topology\.kubernetes\.io/zone}'
NAME                                       REGION      ZONE
ip-XXX-XXX-XXX-XXX.eu-west-1.compute.internal   eu-west-1   eu-west-1a
ip-YYY-YYY-YYY-YYY.eu-west-1.compute.internal   eu-west-1   eu-west-1b
ip-ZZZ-ZZZ-ZZZ-ZZZ.eu-west-1.compute.internal   eu-west-1   eu-west-1c

Probably we shouldn't care about zones at all in this case?
According to https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone:

Kubernetes makes a few assumptions about the structure of zones and regions:

1. regions and zones are hierarchical: zones are strict subsets of regions and no zone can be in 2 regions
2. zone names are unique across regions; for example region "africa-east-1" might be comprised of zones "africa-east-1a" and "africa-east-1b"

So in this case, topology.kubernetes.io/region seems like the only viable source of truth.

[k0da]

What about NS1 or rfc2136 provider, IIUC controller now expects R53 hosted zone ID and will fail if string matching pattern won't be provided.

[jkremser]

It can be empty, the regexp check is done only if it's not an empty string. So for NS1 or rfc2136 the env var is not going to be set.

If it's empty, the DNS_ZONE value is used instead (same as before in the _helpers.tpl)

[k0da]

Maybe we can use same owner across providers? Not sure mainaining separate case for r53 worth it.

[kuritka]

I cannot fully evaluate if it would not be better from the maintenance point of view to always create configMap declaratively (somewhere in yaml configurations) with predefined value ("%s-%s-%s", txtOwnerPrefix, cfg.DNSZone, cfg.ClusterGeoTag). And only if cfg.Route53HostedZoneID was set, we would update the txtOwnerKey rather than always create configMap in the Go code (handling if it was created etc...).

@team WDYT?

*anyway: createOrUpdateExternalDNSConfigMap is nice code snippet, storing into my coding notes

[jkremser]

In the case when geo tag is not provided upfront, we have it only after k8gb starts (reading it from the node labels), so we can't have it in yaml in helm chart.

why not to create the cm before external-dns start and update the key from the k8gb?
..because if the env var in Deployment is referenced from a ConfigMap and that cm is not there yet, the deployment will wait for the cm to be created. So it solves the race/data condition when external-dns could do its job (reconcile the dnsendpoints) with wrong ownerId + updating the CM will not make the deployment that uses it to restart iirc, we would need to restart it anyway.

I am currently looking into an option to throw away the geo tag from the txt-owner-id as we talked about it and use the k8gb-{{ .Values.k8gb.dnsZone }}-$uuid where $uuid is generated during the helm install (w/ the option to override it using helm values).. the problem with this approach is that helm upgrade will regenerate the uuid (as I've pointed out during the call) so it's quite cumbersome to do that... helm install will give you some random id, then we have to use it during the helm upgrade ... not very user (/dev-ops) friendly

[kuritka]

@jkremser , ok, thanks for the explanation

[ytsarev]

This is breaking change, we need documentation for it

[ytsarev]

@jkremser do you plan to continue working on this PR?

[ytsarev]

Stale, we can return to it if there is a demand by community. Thanks for the implementation attempt!