Add ExternalDNS Operator Enhancement Proposal #786
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
sgreene570
force-pushed
the
external-dns-operator-revived
branch
14 times, most recently
from
da9fad6 to
bbdf379
Compare
|
/assign @Miciah @danehans @knobunc |
openshift-ci
bot
requested review from
alebedev87,
candita,
frobware,
miheer and
rfredette
sgreene570
force-pushed
the
external-dns-operator-revived
branch
2 times, most recently
from
71ef92d to
08741e6
Compare
sgreene570
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
sgreene570
force-pushed
the
external-dns-operator-revived
branch
6 times, most recently
from
180aaac to
ab2c65b
Compare
| surface (common fields on relevant ExternalDNS CRDs, consistent labeling of created resources, etc.), yet is easy to build. | ||
| * Build an operator that is suitable for production use of ExternalDNS. | ||
| * Focus on supporting the OpenShift Route resource as a source for ExternalDNS. | ||
| * Additionally support the Kubernetes [service source](https://github.com/kubernetes-sigs/external-dns/blob/master/source/service.go) (namely LoadBalancer services) |
There was a problem hiding this comment.
Aren't services of type LoadBalancer already supported by ExternalDNS? FAQ
There was a problem hiding this comment.
Right, the initial ExternalDNS Operator will only support a subset of the source resources supported by ExternalDNS.
|
|
||
| * Create a GitHub repository to host the operator source code in OpenShift's GitHub org, | ||
| with the hopes of moving the operator's source code into an upstream k8s-sigs repository in the future. | ||
| * Leverage popular frameworks and libraries, e.g. controller-runtime and kubebuilder, to simplify development |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Good question. We polled the openshift networking team, and took @danehans 's experience with Contour operator into account when we decided to go forward with kubebuilder + controller-runtime, as opposed to Operator SDK. Kubebuilder + controller-runtime seems to be the more popular approach upstream.
| of the operator and align with upstream communities. | ||
| * Manage dependencies through [Go Modules](https://blog.golang.org/using-go-modules). | ||
| * Create user and developer documentation for running ExternalDNS operator (on both OpenShift and vanilla Kubernetes). | ||
| * Create tooling to simplify building, running, testing, etc. the operator. |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| proper label selector logic for all source types (instead of label selector based annotations), work may need to be done in the upstream ExternalDNS | ||
| community accordingly. | ||
|
|
||
| As a side note, ExternalDNS deployments will be configured to run ExternalDNS pods on cluster control-plane nodes. |
There was a problem hiding this comment.
Maybe a small explanation why on the control plane nodes?
There was a problem hiding this comment.
See Dane's prior comment:
I think it's common practice for add-on control-plane functionality to use the node roles to run on master nodes only by default.
There was a problem hiding this comment.
I'll elaborate in the EP. Thanks!
sgreene570
force-pushed
the
external-dns-operator-revived
branch
from
ab2c65b to
9fe6d62
Compare
|
@vinny-sabatini @seegeekrow @sanbornick @trzejos @jaideepbellani please review when you have some time. Thanks! |
| - openshift-route: | ||
| ignoreHostnameAnnotation: "true" | ||
| labelSelector: | ||
| foo: bar | ||
| - CRD | ||
| resource: dnsrecords | ||
| - service: | ||
| namespace: foo | ||
| publishInternal: "true" |
There was a problem hiding this comment.
This will probably change anyway, but syntactically, the union type subfields need to be indented. Also, you're missing a colon (but so was my earlier suggestion—oops!), and the field names should be more jsonny/yamlish.
| - openshift-route: | |
| ignoreHostnameAnnotation: "true" | |
| labelSelector: | |
| foo: bar | |
| - CRD | |
| resource: dnsrecords | |
| - service: | |
| namespace: foo | |
| publishInternal: "true" | |
| - openshiftRoute: | |
| ignoreHostnameAnnotation: "true" | |
| labelSelector: | |
| foo: bar | |
| - crd: | |
| resource: dnsrecords | |
| - service: | |
| namespace: foo | |
| publishInternal: "true" |
There was a problem hiding this comment.
Great catch. Fixed! (for now, at least 😁 )
| * Expand upon the existing OpenShift [ingressoperator/dnsrecord](https://github.com/openshift/api/blob/master/operatoringress/v1/types.go) | ||
| CRD to implement the ExternalDNS base [CRD source](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/contributing/crd-source.md). |
There was a problem hiding this comment.
We moved this to non-goals (for 4.9), so we need to be clear here that we are not committing to making this change as part of this specific enhancement.
There was a problem hiding this comment.
Sure. I added a note here that this is work for post 4.9.
| [tutorial section of the ExternalDNS docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials). | ||
| In general, ExternalDNS needs proper permissions to view, update, and delete DNS resource records in the relevant DNS zones. | ||
|
|
||
| Support for OpenShift clusters running AWS that |
There was a problem hiding this comment.
Can we just say "Support for AWS clusters that use STS"? The CredentialsRequest API is OpenShift-specific, but given that we'll need some way to provide credentials on vanilla Kubernetes, does support for STS need to be OpenShift-specific?
There was a problem hiding this comment.
Right, we can. Fixed.
| in a cluster, as well as for cluster administrators who want to verify that their requested resources have been created properly. | ||
|
|
||
| Currently, the upstream ExternalDNS CRD source only supports record creation for A or CNAME type records. See | ||
| [upstream issue 164](https://github.com/kubernetes-sigs/external-dns/issues/164) for more context to that end. Contributions may need to be made to |
There was a problem hiding this comment.
Upstream issue 164 seems to be related to leader election. I suspect you are referencing the wrong issue here.
There was a problem hiding this comment.
Looks like I accidentally dropped the 7 from kubernetes-sigs/external-dns#1647.
| source-specific parameters. In this example, ExternalDNS would create DNS Records for Route resources that match the label (read: annotation, more on this later) | ||
| `foo: bar`, and would ignore the ExternalDNS Host Target Override Annotation (See [Implementation Details](#implementation-details) for more details about ExternalDNS | ||
| annotations). This example would also instruct ExternalDNS to create DNS Records for CR instances of type `dnsrecords` (not a part of OCP 4.9 implementation). | ||
| Finally, this example would instruct ExternalDNS to create DNS Records in the given Private zone for Service resource instances in namespace `foo`. |
There was a problem hiding this comment.
"Records", "See", and "Private" can be lowercase. My memory is bad, and by the time I reach this paragraph, the example has scrolled off the screen, and I've figuratively and literally lost sight of it; two things could help: (1) an introductory sentence at the start of this section, such as, "The following example CR will be used throughout this section to explain the proposed CRD", and (2) a gentle reminder of where the example is when referencing it.
| source-specific parameters. In this example, ExternalDNS would create DNS Records for Route resources that match the label (read: annotation, more on this later) | |
| `foo: bar`, and would ignore the ExternalDNS Host Target Override Annotation (See [Implementation Details](#implementation-details) for more details about ExternalDNS | |
| annotations). This example would also instruct ExternalDNS to create DNS Records for CR instances of type `dnsrecords` (not a part of OCP 4.9 implementation). | |
| Finally, this example would instruct ExternalDNS to create DNS Records in the given Private zone for Service resource instances in namespace `foo`. | |
| source-specific parameters. For the example ExternalDNS CR above, the ExternalDNS Operator would create DNS records for Route resources that match the label (read: annotation, more on this later) | |
| `foo: bar`, and would ignore the ExternalDNS Host Target Override Annotation (see [Implementation Details](#implementation-details) for more details about ExternalDNS | |
| annotations). This example would also instruct ExternalDNS to create DNS records for CR instances of type `dnsrecords` (not a part of OCP 4.9 implementation). | |
| Finally, this example would instruct ExternalDNS to create DNS records in the given private zone for Service resource instances in namespace `foo`. |
By the way, do you prefer "the ExternalDNS operator" (because that's what it is), "the ExternalDNS Operator", or "ExternalDNS Operator" (without an article because we're using it as a name)?
There was a problem hiding this comment.
Great suggestions! I've gone ahead and settled on the ExternalDNS operator. I've also fixed all of the typos you highlighted, as well as added the requested details from (1) and (2). Thanks!
This commit contains the original externalDNS operator enhancement proposal create by Daneyon Hansen as a part of openshift#456 (which was closed due to inactivity).
sgreene570
force-pushed
the
external-dns-operator-revived
branch
2 times, most recently
from
2b096a4 to
4eade5e
Compare
This commit relocates and expands upon the original ExternalDNS Operator enhancement. This commit is in support of https://issues.redhat.com/browse/NE-303.
sgreene570
force-pushed
the
external-dns-operator-revived
branch
from
4eade5e to
b0f67e9
Compare
|
Thanks! Let's merge and iterate. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
We are up to 200 comments so we decided to merge this enhancement as is and create follow up PRs as needed. Thanks for the input all! Please feel free to comment here or reach out to me offline with any further comments. |
|
@sgreene570 I reviewed the proposal and it looks pretty good. I have two point below that you may want to consider in the future. For excluding domains external-dns provides several different options. I'm leaning towards using Also, it would be nice to handle DNS for applications deployed across multiple clusters at some point in the future. We have not done any testing with this in our environment, but we think k8s external-dns might help us automate this in the future. It would be super cool if OpenShift could make it easy to automate this in the future. |
@seanmalloy thank you for pointing this out to me! After talking with my team, sounds like we will come up with a way to pass either a slice of domains, or a domain regex, to the
This is an interesting use case that I had not thought about. @seanmalloy, could you maybe help me understand what future work in this space would look like? |
This PR revives and expands upon the original ExternalDNS Operator enhancement (#456).
This is in support of https://issues.redhat.com/browse/NE-303