[release-4.13] NE-1341: Add support for AWS shared VPC in another account #966
Conversation
Force-pushed 9dac29d to ee6dcce
@gcs278: This pull request references NE-1341 which is a valid jira issue.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-aws-operator
The order of the commits looks funny:

% git --no-pager log1 --no-decorate --reverse origin/release-4.13..gcs278/release-4.13-shared-vpc --
77943a4d7 Add support for AWS shared VPC in another account
f5eaf5ec9 Bump openshift/api for PrivateHostedZoneAWS
ee6dccea5 OCPBUGS-14998: Only use RoleARN for Route53 API

Going from oldest to newest, the bump should be first, then the implementation, and then the bug fix. Otherwise the changes look fine.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Miciah
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Force-pushed ee6dcce to a0e5846
@Miciah Good catch, that makes sense so the implementation commit isn't broken. https://github.com/openshift/cluster-ingress-operator/compare/ee6dccea564293606159ff6854cb084072d1d199..a0e58466f0ed23fee3e3334a15559133a21eb98b reorders the commits.
Looks good; we just need the API backport to merge now so that the bump commit can have a proper ref.
/retest-required
/test e2e-aws-operator
/assign @Miciah
/hold
Bump to github.com/openshift/api@2d9b4641953634dd191455e2399189b57a099a08 to get the new "PrivateHostedZoneAWS" feature gate and the DNS.spec.platform.aws.privateZoneIAMRole API field to allow configuring a private hosted zone in a shared VPC.
* go.mod: Bump openshift/api.
* go.sum:
* vendor/*: Regenerate.

Add support for configuring DNS records in AWS Route 53 using a separate account for the private hosted zone.
This commit resolves NE-1294.
https://issues.redhat.com/browse/NE-1294
* manifests/00-ingress-credentials-request.yaml: Add "sts:AssumeRole" to the CredentialsRequest for AWS.
* pkg/manifests/bindata.go: Regenerate.
* pkg/dns/aws/dns.go (Config): Add a RoleARN field. (NewProvider): If config.RoleARN is set, use it to configure the AWS client using the specified role.
* pkg/dns/split/dns.go: New file. Define a DNS provider implementation that wraps two other DNS providers, using one of them to publish records to the public zone and the other to publish records to the private zone. (Provider): New type. Store the private and public DNS providers, as well as the private zone so that the Ensure, Delete, and Replace methods can use it to determine whether they are publishing to the public zone or to the private zone. (NewProvider): New function. Return a split DNS provider. (Ensure, Delete, Replace): New methods. Implement the dns.Provider interface by calling the respective methods on the wrapped private and public DNS providers.
* pkg/dns/split/dns_test.go (TestSplitDNSProvider): Verify that the split DNS provider correctly dispatches to the private or public DNS provider as appropriate, using fakeProvider. (fakeProvider): New type. Define a fake named DNS provider that records its name when invoked. (Ensure, Delete, Replace): New methods for fakeProvider to record invocations and implement the dns.Provider interface. (newFakeProvider): New function. Return a fake provider.
* pkg/operator/controller/dns/controller.go (Config): Add a "PrivateHostedZoneAWSEnabled" field to indicate whether the "PrivateHostedZoneAWS" feature gate is enabled. (createDNSProvider): Use the new split DNS provider and the AWS DNS provider's new RoleARN configuration option to configure separate DNS providers for public and private zones when a role ARN for the private zone is specified in the cluster infrastructure config if the "PrivateHostedZoneAWS" feature gate is enabled.
* pkg/operator/operator.go (New): Check the "PrivateHostedZoneAWS" feature gate and specify it in the DNS controller config.

To support Shared VPC, we split the DNS client into public and private providers, the private using the RoleARN (Account A) and the public using the default (Account B). However, the RoleARN only provides API access for Account A's Route53 service, not the ability to describe Account B's ELBs. This fix isolates the RoleARN to only be used with Route53 API services.
`pkg/dns/aws/dns.go`: Create a separate Route53 session object that uses the RoleARN when provided.
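As an added example (not code from the cluster-ingress-operator repository or from this PR), the following Go sketch shows the dispatch described in the implementation commit above: a split provider wraps a private provider (the one that would carry the assumed-role Route 53 session from the bug-fix commit) and a public provider, and routes every Ensure, Delete and Replace call by comparing the requested zone with the configured private zone. The `Provider` interface, the `DNSZone` and `Record` types, the zone IDs and the `fakeProvider` recorder are simplified assumptions chosen to keep the example self-contained; the operator's real types live in its `pkg/dns` package.

```go
package main

import (
	"fmt"
	"reflect"
)

// DNSZone identifies a hosted zone by ID and/or tags (simplified assumption,
// not the operator's own type).
type DNSZone struct {
	ID   string
	Tags map[string]string
}

// Record is the DNS record being published (simplified assumption).
type Record struct {
	DNSName string
	Targets []string
}

// Provider is the interface every DNS backend implements. The operator's
// dns.Provider has the same three methods; the parameter types here are an
// assumption.
type Provider interface {
	Ensure(record *Record, zone DNSZone) error
	Delete(record *Record, zone DNSZone) error
	Replace(record *Record, zone DNSZone) error
}

// splitProvider wraps two providers: the private one is backed by the account
// that owns the private hosted zone (reached through the assumed role), the
// public one by the cluster's own credentials. Calls are routed by zone, so
// the role credentials are only ever exercised against the private zone.
type splitProvider struct {
	private, public Provider
	privateZone     DNSZone
}

// NewSplitProvider returns a Provider that dispatches on privateZone.
func NewSplitProvider(private, public Provider, privateZone DNSZone) Provider {
	return &splitProvider{private: private, public: public, privateZone: privateZone}
}

// pick returns the provider responsible for zone. ID and tags are both
// compared so a zone selected by tags still reaches the private provider.
func (p *splitProvider) pick(zone DNSZone) Provider {
	if zone.ID == p.privateZone.ID && reflect.DeepEqual(zone.Tags, p.privateZone.Tags) {
		return p.private
	}
	return p.public
}

func (p *splitProvider) Ensure(r *Record, z DNSZone) error  { return p.pick(z).Ensure(r, z) }
func (p *splitProvider) Delete(r *Record, z DNSZone) error  { return p.pick(z).Delete(r, z) }
func (p *splitProvider) Replace(r *Record, z DNSZone) error { return p.pick(z).Replace(r, z) }

// Call is one recorded invocation on a fake provider.
type Call struct {
	Provider, Method, ZoneID string
}

// fakeProvider records which named provider received which call, in the
// spirit of the fakeProvider the commit's unit test uses (assumption).
type fakeProvider struct {
	name  string
	calls *[]Call
}

func (f *fakeProvider) record(method string, z DNSZone) error {
	*f.calls = append(*f.calls, Call{Provider: f.name, Method: method, ZoneID: z.ID})
	return nil
}
func (f *fakeProvider) Ensure(_ *Record, z DNSZone) error  { return f.record("Ensure", z) }
func (f *fakeProvider) Delete(_ *Record, z DNSZone) error  { return f.record("Delete", z) }
func (f *fakeProvider) Replace(_ *Record, z DNSZone) error { return f.record("Replace", z) }

// RunScenario publishes one record to the private zone, the public zone and
// the private zone again, and returns the recorded dispatch so a caller can
// verify that no private-zone write ever reaches the public provider.
func RunScenario() []Call {
	var calls []Call
	privateZone := DNSZone{ID: "Z-PRIVATE-EXAMPLE"} // constructed zone IDs
	publicZone := DNSZone{ID: "Z-PUBLIC-EXAMPLE"}
	p := NewSplitProvider(
		&fakeProvider{name: "private", calls: &calls},
		&fakeProvider{name: "public", calls: &calls},
		privateZone,
	)
	rec := &Record{DNSName: "*.apps.example.test", Targets: []string{"lb.example.test"}}
	_ = p.Ensure(rec, privateZone)
	_ = p.Delete(rec, publicZone)
	_ = p.Replace(rec, privateZone)
	return calls
}

func main() {
	for _, c := range RunScenario() {
		fmt.Printf("%-7s -> %s provider (zone %s)\n", c.Method, c.Provider, c.ZoneID)
	}
}
```

The design point worth checking in a review of this pattern is the one the bug-fix commit makes: the private provider is the only object that holds the assumed-role session, and the split layer never hands a public-zone operation to it, so the narrower cross-account permissions are exercised exactly where they are needed and nowhere else.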
Force-pushed a0e5846 to 1c6bac8
https://github.com/openshift/cluster-ingress-operator/compare/a0e58466f0ed23fee3e3334a15559133a21eb98b..1c6bac83c205164bb7e18d9715359f7c6818742e bumps to openshift/api@2d9b464 since openshift/api#1529 merged.
Looks like miciah was able to push directly to your remote and keep the original PR. Nice! Thanks!
/lgtm
e2e-aws-operator failed because must-gather failed.
@gcs278: all tests passed! Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/label cherry-pick-approved
@gcs278: This pull request references NE-1341 which is a valid jira issue. Retaining the jira/valid-bug label as it was manually added.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[release-4.12] NE-1372: Add support for AWS shared VPC in another account #966
Add support for configuring DNS records in AWS Route 53 using a separate account for the private hosted zone.
This PR cherry-picks 7251aaa (from #928, the original implementation) and 047bd98 (from #951, a bug fix for https://issues.redhat.com/browse/OCPBUGS-14998).
How I generated this backport:
* go.mod: use github.com/openshift/api v0.0.0-20230803134339-2d9b46419536
* go mod tidy
* go mod vendor
* git cherry-pick 7251aaa9a30f3759c2731d061207d2f63cd945de (7251aaa)
  * pkg/manifests/bindata.go: Regenerated
  * pkg/operator/controller/dns/controller.go: Removed PrivateHostedZoneAWSEnabled from config structure for the dns controller. Removed associated check for r.config.PrivateHostedZoneAWSEnabled
  * pkg/operator/operator.go: 7251aaa had feature gate logic. We are not backporting the feature gate so I did not integrate any feature gate logic in the merge.
* git cherry-pick --continue, etc...
* git cherry-pick 047bd986587a923029586a2497ec99d0a5a242a0 (047bd98)