WIP: one DNS per workspace

kcp-dev · Nov 3, 2022 · c3cba76 · c3cba76
1 parent 9a28d65
commit c3cba76
Show file tree

Hide file tree

Showing 18 changed files with 572 additions and 157 deletions.
diff --git a/cmd/syncer/cmd/syncer.go b/cmd/syncer/cmd/syncer.go
@@ -114,7 +114,7 @@ func Run(ctx context.Context, options *synceroptions.Options) error {
 			SyncTargetWorkspace: logicalcluster.New(options.FromClusterName),
 			SyncTargetName:      options.SyncTargetName,
 			SyncTargetUID:       options.SyncTargetUID,
-			DNSServer:           options.DNSServer,
+			DNSImage:            options.DNSImage,
 		},
 		numThreads,
 		options.APIImportPollInterval,

diff --git a/cmd/syncer/options/options.go b/cmd/syncer/options/options.go
@@ -43,7 +43,7 @@ type Options struct {
 	SyncTargetUID       string
 	Logs                *logs.Options
 	SyncedResourceTypes []string
-	DNSServer           string
+	DNSImage            string
 
 	APIImportPollInterval time.Duration
 }
@@ -78,7 +78,7 @@ func (options *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.Var(kcpfeatures.NewFlagValue(), "feature-gates", ""+
 		"A set of key=value pairs that describe feature gates for alpha/experimental features. "+
 		"Options are:\n"+strings.Join(kcpfeatures.KnownFeatures(), "\n")) // hide kube-only gates
-	fs.StringVar(&options.DNSServer, "dns", options.DNSServer, "kcp DNS server name.")
+	fs.StringVar(&options.DNSImage, "dns-image", options.DNSImage, "kcp DNS server image.")
 
 	options.Logs.AddFlags(fs)
 }

diff --git a/pkg/cliplugins/workload/plugin/sync.go b/pkg/cliplugins/workload/plugin/sync.go
@@ -687,21 +687,17 @@ type templateArgs struct {
 	// ServiceAccount is the name of the service account to create in the syncer
 	// namespace on the pcluster.
 	ServiceAccount string
-	// DNSServiceAccount is the name of the DNS service account to create in the syncer
-	// namespace on the pcluster.
-	DNSServiceAccount string
 	// ClusterRole is the name of the cluster role to create for the syncer on the
 	// pcluster.
 	ClusterRole string
-	// ClusterRoleBinding is the name of the DNS cluster role binding to create for the
-	// syncer on the pcluster.
-	DNSClusterRole string
 	// ClusterRoleBinding is the name of the cluster role binding to create for the
 	// syncer on the pcluster.
 	ClusterRoleBinding string
-	// ClusterRoleBinding is the name of the DNS cluster role binding to create for the
+	// DnsRole is the name of the DNS  role  to create for the syncer on the pcluster.
+	DNSRole string
+	// DNSRoleBinding is the name of the DNS role binding to create for the
 	// syncer on the pcluster.
-	DNSClusterRoleBinding string
+	DNSRoleBinding string
 	// GroupMappings is the mapping of api group to resources that will be used to
 	// define the cluster role rules for the syncer in the pcluster. The syncer will be
 	// granted full permissions for the resources it will synchronize.
@@ -718,8 +714,6 @@ type templateArgs struct {
 	// DeploymentApp is the label value that the syncer's deployment will select its
 	// pods with.
 	DeploymentApp string
-	// DNSAppName is the name of the deployment that will run the kcp dns resolver
-	DNSAppName string
 }
 
 // renderSyncerResources renders the resources required to deploy a syncer to a pcluster.
@@ -731,19 +725,17 @@ func renderSyncerResources(input templateInput, syncerID string, resourceForPerm
 	dnsSyncerID := strings.Replace(syncerID, "syncer", "dns", 1)
 
 	tmplArgs := templateArgs{
-		templateInput:         input,
-		ServiceAccount:        syncerID,
-		DNSServiceAccount:     dnsSyncerID,
-		ClusterRole:           syncerID,
-		DNSClusterRole:        dnsSyncerID,
-		ClusterRoleBinding:    syncerID,
-		DNSClusterRoleBinding: dnsSyncerID,
-		GroupMappings:         getGroupMappings(resourceForPermission),
-		Secret:                syncerID,
-		SecretConfigKey:       SyncerSecretConfigKey,
-		Deployment:            syncerID,
-		DeploymentApp:         syncerID,
-		DNSAppName:            dnsSyncerID,
+		templateInput:      input,
+		ServiceAccount:     syncerID,
+		ClusterRole:        syncerID,
+		ClusterRoleBinding: syncerID,
+		DNSRole:            dnsSyncerID,
+		DNSRoleBinding:     dnsSyncerID,
+		GroupMappings:      getGroupMappings(resourceForPermission),
+		Secret:             syncerID,
+		SecretConfigKey:    SyncerSecretConfigKey,
+		Deployment:         syncerID,
+		DeploymentApp:      syncerID,
 	}
 
 	syncerTemplate, err := embeddedResources.ReadFile("syncer.yaml")

diff --git a/pkg/cliplugins/workload/plugin/syncer.yaml b/pkg/cliplugins/workload/plugin/syncer.yaml
@@ -11,12 +11,6 @@ metadata:
   namespace: {{.Namespace}}
 ---
 apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{.DNSServiceAccount}}
-  namespace: {{.Namespace}}
----
-apiVersion: v1
 kind: Secret
 metadata:
   name: {{.ServiceAccount}}-token
@@ -39,6 +33,37 @@ rules:
   - "list"
   - "watch"
   - "delete"
+- apiGroups:
+    - ""
+  resources:
+    - services
+  verbs:
+    - "create"
+    - "get"
+    - "list"
+    - "update"
+    - "delete"
+- apiGroups:
+    - "apps"
+  resources:
+    - deployments
+  verbs:
+    - "create"
+    - "get"
+    - "list"
+    - "update"
+    - "delete"
+- apiGroups:
+    - "rbac"
+  resources:
+    - roles
+    - rolebindings
+  verbs:
+    - "create"
+    - "get"
+    - "list"
+    - "update"
+    - "delete"
 - apiGroups:
   - "apiextensions.k8s.io"
   resources:
@@ -59,20 +84,6 @@ rules:
 {{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{.DNSClusterRole}}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - "get"
-      - "list"
-      - "watch"
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{.ClusterRoleBinding}}
@@ -86,16 +97,59 @@ subjects:
   namespace: {{.Namespace}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: Role
 metadata:
-  name: {{.DNSClusterRoleBinding}}
+  name: {{.DNSRole}}
+  namespace: {{.Namespace}}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  - services
+  verbs:
+  - "create"
+  - "get"
+  - "list"
+  - "update"
+  - "delete"
+  - "watch"
+- apiGroups:
+  - "apps"
+  resources:
+  - deployments
+  verbs:
+  - "create"
+  - "get"
+  - "list"
+  - "update"
+  - "delete"
+  - "watch"
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - "create"
+  - "get"
+  - "list"
+  - "update"
+  - "delete"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{.DNSRoleBinding}}
+  namespace: {{.Namespace}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{.DNSClusterRole}}
+  kind: Role
+  name: {{.DNSRole}}
 subjects:
   - kind: ServiceAccount
-    name: {{.DNSServiceAccount}}
+    name: {{.ServiceAccount}}
     namespace: {{.Namespace}}
 ---
 apiVersion: v1
@@ -159,7 +213,7 @@ spec:
 {{- if .FeatureGatesString }}
         - --feature-gates={{ .FeatureGatesString }}
 {{- end}}
-        - --dns={{.DNSAppName}}.{{.Namespace}}.svc.cluster.local
+        - --dns-image={{.Image}}
         env:
         - name: NAMESPACE
           valueFrom:
@@ -178,59 +232,3 @@ spec:
           secret:
             secretName: {{.Secret}}
             optional: false
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{.DNSAppName}}
-  namespace: {{.Namespace}}
-spec:
-  replicas: {{.Replicas}}
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: {{.DNSAppName}}
-  template:
-    metadata:
-      labels:
-        app: {{.DNSAppName}}
-    spec:
-      containers:
-      - name: kcp-dns
-        command:
-        - /ko-app/syncer
-        args:
-        - dns
-        - start
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: {{.Image}}
-        imagePullPolicy: IfNotPresent
-        terminationMessagePolicy: FallbackToLogsOnError
-      serviceAccountName: {{.DNSServiceAccount}}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{.DNSAppName}}
-  namespace: {{.Namespace}}
-  labels:
-    app: {{.DNSAppName}}
-spec:
-  type: ClusterIP
-  selector:
-    app: {{.DNSAppName}}
-  ports:
-    - name: dns
-      port: 53
-      protocol: UDP
-      targetPort: 5353
-    - name: dns-tcp
-      port: 53
-      protocol: TCP
-      targetPort: 5353
-
diff --git a/pkg/dns/plugin/nsmap/config.go b/pkg/dns/plugin/nsmap/config.go
@@ -19,6 +19,7 @@ package nsmap
 import (
 	"context"
 	"errors"
+	"log"
 	"os"
 
 	corev1 "k8s.io/api/core/v1"
@@ -30,11 +31,18 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 )
 
-const (
+var (
 	// ConfigMapName is the name of the configmap containing logical to physical namespace mappings
 	ConfigMapName = "config-nsmap"
 )
 
+func init() {
+	ConfigMapName = os.Getenv("CONFIGMAP_NAME")
+	if ConfigMapName == "" {
+		log.Fatal("missing required environment variable CONFIGMAP_NAME")
+	}
+}
+
 // OnUpdateFn is the function signature for receiving ConfigMap updates.
 type OnUpdateFn func(ctx context.Context, configMap *corev1.ConfigMap)
 

diff --git a/pkg/syncer/namespace/deployment_dns.yaml b/pkg/syncer/namespace/deployment_dns.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: Name
+  namespace: Namespace
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: Name
+  template:
+    metadata:
+      labels:
+        app: Name
+    spec:
+      containers:
+        - name: kcp-dns
+          command:
+            - /ko-app/syncer
+          args:
+            - dns
+            - start
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CONFIGMAP_NAME
+              value: ConfigMapName
+          image: Image
+          imagePullPolicy: IfNotPresent
+          terminationMessagePolicy: FallbackToLogsOnError
+      serviceAccountName: Name