Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Auto populate DNS names #122

Merged
merged 3 commits into from
Oct 5, 2023
Merged

Auto populate DNS names #122

merged 3 commits into from
Oct 5, 2023

Conversation

faisal-memon
Copy link
Contributor

@faisal-memon faisal-memon commented Mar 15, 2023

Auto populate DNS names from services attached to pods. Similar to the way its done in the reconcile mode k8s-workload-registrar.

  • Creates a field indexer for endpoints, index by pod uid
  • When pod comes up we lookup all endpoints with the correct uid
  • Adds the following DNS names: name, name.namespace, name.namespace.svc, name.namespace.svc.clusterdomain. Not a fan of the bare name but added for completeness sake.
  • Enabled with AutoPopulateDNSNames configurable globally and then individually on each cluster spifffe id.

fixes #48

@azdagron
Copy link
Member

Sorry it has taken so long to get around to this @faisal-memon. @MarcosDY and I will try and get it reviewed sometime this week.

Copy link
Collaborator

@MarcosDY MarcosDY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank Faisal!!!
can you update crd on demo too?

controllers/endpoints_controller.go Outdated Show resolved Hide resolved
controllers/endpoints_controller.go Outdated Show resolved Hide resolved
controllers/pod_controller.go Outdated Show resolved Hide resolved
main.go Outdated Show resolved Hide resolved
migration/README.md Show resolved Hide resolved
migration/README.md Outdated Show resolved Hide resolved
}
sort.Strings(dnsNames) // Sort the list to provide consistent results
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this sorting stuff, can be problematic in some ways, for example, if you want to set a DNS as CN the CN will be the first element on this list, so how can a user say that they want to have an specific value un CN?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case order is not important, we can simplify add functions to work only with map (since you are verifying using that map that DNS does not exist) and then parse map to []string,
but I still think we may respect order and more in case of template ones that must go at the start of the list

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @MarcosDY for catching this. Its updated to only sort the auto added dns names. The templated ones will be first and in the order specified in the crd.

require.Len(t, entry.DNSNames, len(spec.DNSNameTemplates)-1)
// DNS names are unique
dnsNamesSet := make(map[string]struct{})
for _, dnsName := range entry.DNSNames {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

with this approach we can get more items than expected, why not to compare 2 lists? and see that we get the exact list we expect?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a length check to the test.

@faisal-memon
Copy link
Contributor Author

All comments have been addressed. The demo crds have been updated.

Comment on lines 66 to 67
ctx := context.Background()
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if context.Background() is correct here or if we should use something else.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

main that is calling this one has a ctx, maybe you may use that one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I missed that one. Change is in.

Comment on lines 66 to 67
ctx := context.Background()
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

main that is calling this one has a ctx, maybe you may use that one?

log := log.FromContext(ctx)
endpoints, ok := rawObj.(*corev1.Endpoints)
if !ok {
log.Error(nil, "unexpected type indexing fields", "type", fmt.Sprintf("%T", rawObj), "expecteed", "*corev1.Endpoints")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

expected

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this expected to happen? I'm worried we'll start to spam logs

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should not happen ever

matchLabels:
spiffe.io/spiffe-id: "true"
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"]
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may we use the "local" path for Controller Manager Config like used in example (same comment for all paths in this file)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

spiffe.io/spiffe-id: "true"
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"]
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml).
1. For each [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) you to auto populate DNS names for, set the `autoPopulateDNSNames` field there. See [example](config/clusterspiffeid.yaml).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2.?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have each listed as 1. i think is better. Then you don't have to update every line if you add an item in the middle.

spiffe.io/spiffe-id: "true"
dnsNameTemplates: ["{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc.cluster.local"]
1. Enable `autoPopulateDNSNames` globally in the [Controller Manager Config](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md). See [example](config/spire-controller-manager-config.yaml).
1. For each [ClusterSPIFFEID](https://github.com/spiffe/spire-controller-manager/blob/main/docs/clusterspiffeid-crd.md) you to auto populate DNS names for, set the `autoPopulateDNSNames` field there. See [example](config/clusterspiffeid.yaml).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you to auto populate DNS names for

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

@@ -160,6 +166,23 @@ func renderDNSName(tmpl *template.Template, data *templateData) (string, error)
return rendered, nil
}

func addServiceDNSNames(dnsNames []string, dnsNamesSet map[string]struct{}, endpointsList *corev1.EndpointsList, clusterDomain string) []string {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do you think about this function returning the list of dns from endpoints (only) and sorted.
and in the caller add the new dns to the list?

dsnNames = append(dnsNames, dnsNamesFromEndpoints( dnsNamesSet, endpointsList, clusterDomain))

that wil simplify this code

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change made.

@faisal-memon
Copy link
Contributor Author

faisal-memon commented Sep 20, 2023

Docs updated. Trying to rebase to fix the dco causes a lot merge conflicts. Whenever this is approved Ill squash and then rebase to fix the dco.

Copy link
Collaborator

@MarcosDY MarcosDY left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, just a simple nit, and can you solve DCO?

// Index endpoints by UID. Later when we reconcile the Pod this will make it easy to find the associated endpoints
// and auto populate DNS names.
err := mgr.GetFieldIndexer().IndexField(ctx, &corev1.Endpoints{}, reconciler.EndpointUID, func(rawObj client.Object) []string {
log := log.FromContext(ctx)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

log is only used whn error, can you move into if?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Signed-off-by: Faisal Memon <[email protected]>
Signed-off-by: Faisal Memon <[email protected]>
Signed-off-by: Faisal Memon <[email protected]>
@faisal-memon
Copy link
Contributor Author

@MarcosDY all comments addressed, dco fixed.

@MarcosDY MarcosDY merged commit 091d297 into spiffe:main Oct 5, 2023
6 checks passed
@MarcosDY MarcosDY added this to the 0.4.0 milestone Nov 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Service DNS names should be automatically populated
3 participants