[NE-568] Add option to manage DNS to ingresscontrollers #1114
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
/assign @sherine-k @alebedev87 |
This enhancement provides the customer the ability to completely disable DNS management on the Ingress Controller so that DNS can be managed externally by them.
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
649a339
to
c14c290
Compare
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
2 times, most recently
from
6c049ac
to
d5e5918
Compare
|
/label tide/merge-method-squash |
openshift-ci
bot
added
the
tide/merge-method-squash
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
d5e5918
to
b9413d0
Compare
thejasn
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Updated downgrade strategy Signed-off-by: thejasn <thn@redhat.com>
Signed-off-by: thejasn <thn@redhat.com>
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
bd4c459
to
42e2736
Compare
|
/retitle [NE-568] Add option to manage DNS to ingresscontrollers |
openshift-ci
bot
changed the title
There was a problem hiding this comment.
@thejasn overall I understand the intent but I did have a few questions/comments and some feedback to share. For any of my API related comments, defer to the API Team for final say. I mostly wanted to share my recent API experience to help move the needle.
| // +kubebuilder:validation:Optional | ||
| // +kubebuilder:validation:Enum=Managed;Unmanaged | ||
| // +optional | ||
| DNS LoadBalancerDNSManagementPolicy `json:"dns"` |
There was a problem hiding this comment.
I'd expect this to be DNSManagementPolicy so it's more clear at a glance what it's affecting.
There was a problem hiding this comment.
Are you suggesting sharing the type variable between the fields? I wanted to avoid that, hence the different names. Sharing the type doesn't seem correct, since it would couple the two objects LoadBalancerStrategy and DNSRecord when any new types are added (eg: externalDNS). WDYT?
There was a problem hiding this comment.
Ah, that's a great question! I wasn't as clear as I intended to be; this is the change I'm suggesting for clarity.
| DNS LoadBalancerDNSManagementPolicy `json:"dns"` | |
| DNSManagementPolicy LoadBalancerDNSManagementPolicy `json:"dns"` |
That way you're maintaining the distinction in type between LoadBalancerDNSManagementPolicy and DNSManagementPolicy but when a cluster admin is reading the API/config it's clear that they're changing the loadBalancerStrategy.dnsManagementPolicy which is, in my opinion, more clear than loadBalancerStrategy.dns. Also just a reminder that ultimately the API team should make the call on the shape of the API but I suspect they'd err on the side of making configuration options more obvious.
| // +kubebuilder:validation:Optional | ||
| // +kubebuilder:validation:Enum=Managed;Unmanaged | ||
| // +optional | ||
| ManagementPolicy DNSManagementPolicy `json:"managementPolicy"` |
There was a problem hiding this comment.
Similarly here as above, I'd expect this to be DNSManagementPolicy. Although with this one it's sort of implicit what the management policy is informing so this is probably even more nit-like than above.
|
|
||
| - Provide a day-0 solution for cluster installations involving external DNS | ||
| management by the customer. | ||
| - DNS migration from managed to unmanaged. |
There was a problem hiding this comment.
I read this as "DNS management policy migration from managed to unmanaged". If that's the correct way to read this then I think it should be made more explicit as you do allow for migration from managed to unmanaged when the IC domain is the same as the cluster domain in the Modifying/Updating an ingresscontroller section.
There was a problem hiding this comment.
Ahh, this was meant to state traffic management is not going to be considered during moving from Managed to Unmanaged. I've updated the point, to make it more clear.
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
f534252
to
e176ff1
Compare
|
|
||
| ### API Extensions | ||
|
|
||
| The ingresscontroller CRD is extended by adding an optional field `DNS` |
There was a problem hiding this comment.
| The ingresscontroller CRD is extended by adding an optional field `DNS` | |
| The ingresscontroller CRD is extended by adding an optional field `DNSManagementPolicy` |
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
e176ff1
to
c2ed4c2
Compare
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
c2ed4c2
to
b87ec6d
Compare
Co-authored-by: Chad Scribner <cscribne@redhat.com>
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
b87ec6d
to
f4535ec
Compare
| will be updated, | ||
| - `DNSReady` condition will be set to true and reason updated to | ||
| UnmanagedDNS. | ||
| - Post successfully updating the ingresscontroller, the associated *DNSRecord* |
There was a problem hiding this comment.
Added deletion workflow.
| by the operator, but it is to be noted that if the ingresscontroller is updated from | ||
| `Unmanaged` to `Managed` any changes done will be lost during re-sync. | ||
|
|
||
| If the ingresscontroller is deleted, and the associated *DNSRecord* still exists |
There was a problem hiding this comment.
Clarified the implementation details on how deletion of ingresscontrollers will be done.
There was a problem hiding this comment.
I know that there is probably no easy way out. But I think it still a bit contradictory. In this comment we say that DNSRecord CR won't be created/updated/deleted, however the deletion will still happen: deletionTimestamp will be added. Also the same comment says that it's the full responsibility of the cluster admin to deal with DNSRecord CRs however the cluster admin won't do oc delete dnsrecord it has to be oc edit dnsrecord (as not removed finalization label will block the deletion) which is kinda not intuitive.
I think I'm rather for one of the following:
- "fully orphaned" unmanaged
DNSRecordCR: cluster admin has to doaws route53 delete resource record+oc delete dnsrecord. The orphanedDNSRecordCRs can be found with the command you suggested. - "cloud provider orphaned" unmanaged
DNSRecordCR: cluster admin has to doaws route53 delete resource recordonly.DNSRecordwill be cleared from the finalization label without doing the actual finalization.
@thejasn, @brandisher: WDYT guys?
There was a problem hiding this comment.
Based on our discussion, decided to treat Unmanaged as the DNS record on the cloud provider will be unmanaged by the operator. (going ahead with latter)
| - `Managed`: It is the default state and behaves the same as the existing | ||
| implementation. The ingresscontroller manages create/update/delete actions | ||
| on the *DNSRecord* CR and the actual DNS records on the DNS provider. | ||
| - `Unmanaged`: In this state, the ingresscontroller will not create/update/delete | ||
| the *DNSRecord* associated with it, nor does it create/update/delete | ||
| the actual DNS record on the cloud provider. This responsibility entirely falls | ||
| on the cluster admin. |
There was a problem hiding this comment.
Clearly stated what the 2 new states denote and their scope.
Signed-off-by: thejasn <thn@redhat.com>
|
/lgtm |
| ### Goals | ||
|
|
||
| - Provide the ability to opt out of DNS management by the `cluster-ingress-operator`. | ||
| - Recover from degraded state of the `cluster-ingress-operator` during upgrades |
There was a problem hiding this comment.
| - Recover from degraded state of the `cluster-ingress-operator` during upgrades | |
| - Enable migration |
| Currently, there is partial support provided by the `installer` (in UPI installations) | ||
| to disable the `cluster-ingress-operator` from managing the DNS cluster-wide as documented |
There was a problem hiding this comment.
I wouldn't say "partial support" or "provided by the installer"; it's an existing, course-grained option in the cluster DNS config, which the cluster administrator can configure at install time (by customizing installer manifests) or after installation (using oc patch dnses.config.openshift.io/cluster --type=merge --patch='{"spec":{"privateZone":null,"publicZone":null}}). The goal, as your next paragraph says, is to add a more fine-grained option.
| *DNSRecord* CR and the DNS record on the cloud provider. | ||
| - Test the following update paths on a custom ingresscontroller | ||
| - Updating `.loadbalancer.dnsManagementPolicy` from `Managed` -> `Unmanaged` -> `Managed` and | ||
| to ensure no conflicts during creation/recreation of DNS record on the cloud provider. |
There was a problem hiding this comment.
Why "recreation"? Is the test going to delete the DNS record after setting dnsManagementPolicy to "Unmanaged"?
There was a problem hiding this comment.
Yes, that is what I had in mind. Thinking of testing both the scenarios to verify there were no collisions during recreation.
There was a problem hiding this comment.
Thanks, that makes sense; it just isn't clear from the test plan as written.
There was a problem hiding this comment.
The test plan might need to be revisited. I've mostly implemented this feature and turns out we can't have updates from Unmanaged to Managed since domain cannot be updated. Essentially, to update an ingresscontroller from Unmanaged to Managed becomes an DELETE and CREATE (replace) due to the limitation on domain.
Although it is possible to update from Managed to Unmanaged users would be forced to re-use the domain leading to again DELETE and CREATE of the ingresscontroller so that a new unmanaged domain can be given.
So I'm thinking it is better to make dnsManagementPolicy also not updatable similar to domain (figured this would be better than making domain updatable`), then the test plan would be straight forward. Just test with an Unmanaged ingresscontroller.
There was a problem hiding this comment.
I don't understand. Why would it matter that domain cannot be updated? The operator should still be able to do an upsert when the management state is changed from Unmanaged to Managed, the same as it does an upsert if a managed DNSRecord's targets change. On some platforms, an upsert may actually be implemented as discrete delete and create steps within a transaction, but that's an implementation detail that is abstracted behind the dns.Provider interface.
| - Updating `Unmanaged` -> `Managed` and to ensure creation of new *DNSRecord* | ||
| and correct conditions. |
There was a problem hiding this comment.
Is the idea here to create the IngressController with "Unmanaged", update it to "Managed", and verify that the operator creates the DNS record upon the update to the IngressController? Here, "DNSRecord" means the actual DNS record and not the CR, right?
There was a problem hiding this comment.
Yes, updated the text.
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
9664dba
to
4a584ad
Compare
|
|
||
| - Provide a day-0 solution for cluster installations involving external DNS | ||
| management by the customer. | ||
| - Traffic management during DNS management policy migration from managed to unmanaged. |
There was a problem hiding this comment.
The ingresscontroller will still handle any traffic that it receives, so I'm not sure exactly what this means. Does this refer to DNS traffic, or to ingress (HTTP/TLS) traffic?
| __Note__: This feature is only supported on new or non-default ingresscontrollers. | ||
| The default ingresscontroller can be modified/updated at the discretion of | ||
| the cluster admin. |
There was a problem hiding this comment.
Would we do something (such as trigger an alert or set Upgradeable=False) to convey that the cluster is no longer in a supported state?
| - The DNSRecord will also be updated as part of the same reconcile, | ||
| `.spec.dnsManagementPolicy` will be set to `Unmanaged` and the following conditions | ||
| will be updated, |
| *DNSRecord* CR and the DNS record on the cloud provider. | ||
| - Test the following update paths on a custom ingresscontroller | ||
| - Updating `.loadbalancer.dnsManagementPolicy` from `Managed` -> `Unmanaged` -> `Managed` and | ||
| to ensure no conflicts during creation/recreation of DNS record on the cloud provider. |
There was a problem hiding this comment.
Thanks, that makes sense; it just isn't clear from the test plan as written.
Co-authored-by: Miciah Dashiel Butler Masters <mmasters@redhat.com> Signed-off-by: thejasn <thn@redhat.com>
thejasn
force-pushed
the
feature/configurable-dns-lb
branch
from
4a1b4e7
to
0df2f16
Compare
|
@thejasn: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Thanks! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
This enhancement provides the customer the ability to completely
disable DNS management on the Ingress Controller so that DNS can be
managed externally by them.
Signed-off-by: thejasn thn@redhat.com