New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkg/asset/installconfig/aws: public DNS validation #5189
pkg/asset/installconfig/aws: public DNS validation #5189
Conversation
Previously, an existing public A record would cause an install failure when Terraform tried to create the public A record and failed on the collision. With this PR's precheck, you'll fail a bit faster. But the overall result will be similar. If you want to avoid the leak entirely, you'll need to reverse ae9cbaf (#1508), and start claiming the private record before you claim the public record. That way, the deletion logic will find the private record and know it can safely remove the public record. It will be a bit racy, although your new precheck will limit the exposure. You'll be vulnerable to:
It's possible you could move the precheck into a Terraform data request or some such, to reduce the racy gap between step 1 and step 4. But even with your Go-side precheck, the gap may be small enough that we can say "probably won't happen too often, and we can manually restore B's public A record if it does" and decide that that risk is less annoying than the current A record leak. I personally don't have much opinion on the annoyance level of leaking public records on deletion vs. removing public records that really belong to one cluster when deleting a separate cluster. Parallel installs using the same name seems like something that will probably never happen for production clusters. |
b66afef
to
31a8f2c
Compare
/test e2e-aws |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am good with this change, on its merits. This aligns with the small window of vulnerability that we have with BYO hosted zone. And both those vulnerabilities seem acceptably rare and shoot-yourself-in-the-foot enough to me.
33c911f
to
8f8ccfb
Compare
/test e2e-aws |
8f8ccfb
to
e2a8d07
Compare
Verify no DNS records exist in the public DNS zone. This helps to prevent installing into an existing cluster. The goal here is to not leak public DNS records. This should help make the race condition less likely. https://issues.redhat.com/browse/CORS-1195
e2a8d07
to
b88b077
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: staebler The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
10 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
18 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@jhixson74: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Verify no DNS records exist in the public DNS zone. This helps to prevent
installing into an existing cluster. The goal here is to not leak public DNS
records. This should help make the race condition less likely.
https://issues.redhat.com/browse/CORS-1195