Use direct cluster ingress #94
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sjenning The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
sjenning
force-pushed
the
direct-cluster-ingress
branch
3 times, most recently
from
d9a61f0
to
efe7925
Compare
|
This PR is blocked by two things:
refs |
| @@ -35,6 +35,20 @@ type HostedClusterSpec struct { | |||
|
|
|||
| // InfraID is used to identify the cluster in cloud platforms | |||
| InfraID string `json:"infraID,omitempty"` | |||
|
|
|||
| // DNS configuration for the cluster | |||
There was a problem hiding this comment.
nit: isnt this for the ingress controller, not the cluster itself?
There was a problem hiding this comment.
@derekwaynecarr It is for the ingress controller. Which makes me think, should we allow you to specify an arbitrary list of ingress controllers like Hive does?
There was a problem hiding this comment.
- If this is for ingress, and if there are multiple ingresses configured (as @csrwng asks), does that mean each ingress's DNS zone is defined independently?
- What fields are mutable? What is the behavior if they are mutated?
There was a problem hiding this comment.
Yes, this just configures the default ingress controller
There was a problem hiding this comment.
can we reflect this expectation either in a comment or the API field name?
openshift-ci-robot
added
the
needs-rebase
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
efe7925
to
ebc39f7
Compare
openshift-ci-robot
removed
the
needs-rebase
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
ebc39f7
to
2981e3d
Compare
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
2981e3d
to
feeed78
Compare
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
feeed78
to
0f68f9e
Compare
| @@ -174,7 +180,7 @@ func CreateCluster(ctx context.Context, opts Options) error { | |||
|
|
|||
| exampleObjects := apifixtures.ExampleOptions{ | |||
| Namespace: opts.Namespace, | |||
| Name: opts.Name, | |||
| Name: infra.Name, | |||
There was a problem hiding this comment.
just to clarify, Is it a hard requirement for the cluster.Name to be the same than the infra.Name? or is it only for the BaseDomain and the infraID?
There was a problem hiding this comment.
The cluster Name is independent the InfraID. The Name and BaseDomain are used to determine the DNS private zone.
There was a problem hiding this comment.
It's not clear to me still why ExampleOptions.Name is now being changed to infra.Name. Isn't ExampleOptions.Name supposed to equal the HostedCluster name (represented here by opts.Name)?
| } | ||
|
|
||
| cmd.Flags().StringVar(&opts.InfraID, "infra-id", opts.InfraID, "Cluster ID with which to tag AWS resources (required)") | ||
| cmd.Flags().StringVar(&opts.AWSCredentialsFile, "aws-creds", opts.AWSCredentialsFile, "Path to an AWS credentials file (required)") | ||
| cmd.Flags().StringVar(&opts.OutputFile, "output-file", opts.OutputFile, "Path to file that will contain output information from infra resources (optional)") | ||
| cmd.Flags().StringVar(&opts.Region, "region", opts.Region, "Region where cluster infra should be created") | ||
| cmd.Flags().StringSliceVar(&opts.AdditionalTags, "additional-tags", opts.AdditionalTags, "Additional tags to set on AWS resources") | ||
| cmd.Flags().StringVar(&opts.Name, "name", opts.Name, "A name for the cluster") |
There was a problem hiding this comment.
may be clarify what a name for the cluster means? e.g "this is added as a subdomain when creating ingress resources"
There was a problem hiding this comment.
This is the same flag you would pass to create cluster and I copied the description from there hoping people would understand they are the same thing. While we only use the name for DNS at create infra time, we use it for other things at create cluster time e.g. determining the namespace for the HCP.
| awsConfig := &aws.Config{ | ||
| // Route53 is weird about regions | ||
| // https://github.com/openshift/cluster-ingress-operator/blob/5660b43d66bd63bbe2dcb45fb40df98d8d91347e/pkg/dns/aws/dns.go#L163-L169 | ||
| Region: aws.String("us-east-1"), |
|
|
||
| func (o *CreateInfraOptions) CreatePrivateZone(client route53iface.Route53API, vpcID string) (string, error) { | ||
| name := fmt.Sprintf("%s.%s", o.Name, o.BaseDomain) | ||
| id, err := lookupZone(client, name, true) |
There was a problem hiding this comment.
nit: can inline the if sentence here since variables are only used within its context
| @@ -85,6 +88,7 @@ func NewCreateCommand() *cobra.Command { | |||
| cmd.Flags().StringVar(&opts.Region, "region", opts.Region, "Region to use for AWS infrastructure.") | |||
| cmd.Flags().StringVar(&opts.InfraID, "infra-id", opts.InfraID, "Infrastructure ID to use for AWS resources.") | |||
There was a problem hiding this comment.
orthogonal to this PR, we should clarify this must be unique for the each cluster living in the same aws account
|
|
||
| // DNSSpec specifies the DNS configuration in the cluster | ||
| type DNSSpec struct { | ||
| // BaseDomain is the base domain of the cluster. |
There was a problem hiding this comment.
We need to figure out how to specify this unambiguously.
- What exactly does it represent? e.g.
- The canonical domain suffix for any generated records for this cluster?
- The suffix of a computed canonical name (e.g. name+basedomain)?
- Is it a canonical FQDN? If not, how is the canonical value computed?
- The current implementation seems to imply this is not a canonical FQDN
- Must BaseDomain be a subdomain of the domain represented by PublicZoneId/PrivateZoneID?
- What are the uniqueness constraints?
- If there are uniqueness constraints, it's implied the value on spec is not usable absent some sort of async validation process
- Where is that validation result surfaced on status?
- What field will our controllers read given the spec value isn't necessarily valid?
- Does this imply some sort of valid or admitted condition for HostedClusters generally the API should describe and the operator must honor?
There was a problem hiding this comment.
If ingress is considered required, I'm not entirely sure how to separate the notion this is configuration for "the ingress controller" and not for the cluster itself (https://github.com/openshift/hypershift/pull/94/files#r591603025). Seems like a distinction without a difference?
| // PublicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to | ||
| // the internet exist. | ||
| // +optional | ||
| PublicZoneID string `json:"publicZoneID,omitempty"` |
There was a problem hiding this comment.
Along the lines of the above, what doe these represent? e.g. Are they assumed to be authoritative for BaseDomain?
sjenning
force-pushed
the
direct-cluster-ingress
branch
2 times, most recently
from
f47a3d5
to
84df1b8
Compare
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
/test e2e-aws |
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
84df1b8
to
2e9fd73
Compare
|
/test e2e-aws |
sjenning
force-pushed
the
direct-cluster-ingress
branch
from
2e9fd73
to
3add1d0
Compare
|
/test e2e-aws |
|
tagging and will address pending issues as a follow up |
Remaining issues:
router-defaultService. I think this is a "Cluster Name" vs "Infra ID" cluster ownership tagging issue. Fixed in Use InfraID as CAPI cluster name #95dns_controllerin the ingress operator isn't able to make calls against Route53 Fixed in create OIDC resources and STS assumed roles #111 wire in KAS signing key and issuer URL from IAM create #117 wire in AWS roles #120base-domainin the CI environment.Reviewer notes:
create infrastage, notcreate clusterstage. There is a new--base-domainand--nameflag oncreate infra.--base-domainis required while--namewill default to example same ascreate cluster.create infrawill look up the public zone ID based on thebase-domainand will lookup/create the private zone based on thenameandbase-domain