config/v1: add public and private zones to DNSSpec #202
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,6 +26,40 @@ type DNSSpec struct { | |
| // For example, given the base domain `openshift.example.com`, an API server | ||
| // DNS record may be created for `cluster-api.openshift.example.com`. | ||
| BaseDomain string `json:"baseDomain"` | ||
| // publicZone is the location where all the DNS records that are publicly accessible to | ||
| // the internet exist. | ||
| // If this field is nil, no public records should be created. | ||
| // +optional | ||
| PublicZone *DNSZone `json:"publicZone,omitempty"` | ||
|
Contributor
There was a problem hiding this comment. Is this allowed to be changed?
Contributor
Author
There was a problem hiding this comment. Technically no.
Member
There was a problem hiding this comment.
Why not? "I don't want public DNS anymore" and "actually, I want it back" seem like reasonable admin decisions, right?
Contributor
Author
There was a problem hiding this comment.
Oh Yeah, true |
||
| // privateZone is the location where all the DNS records that are only available internally | ||
| // to the cluster exist. | ||
| // If this field is nil, no private records should be created. | ||
| // +optional | ||
| PrivateZone *DNSZone `json:"privateZone,omitempty"` | ||
| } | ||
|
|
||
| // DNSZone is used to define a DNS hosted zone. | ||
| // A zone can be identified by an ID or tags. | ||
| type DNSZone struct { | ||
|
Contributor
There was a problem hiding this comment. So is this meant to be a platform specific, opaque struct that will be able to address the zone on any supported platform? Will ID+Tags cover all those or do we need a union type that allows for a more strongly typed config object per supported platform?
Contributor
Author
There was a problem hiding this comment.
ID or Tags, I don't think you need both...
Contributor
There was a problem hiding this comment. I think ID should cover it. @openshift/sig-network-edge WDYT?
Contributor
There was a problem hiding this comment. Either should work for us. What's more convenient for the user? Are we going to respond to updates to this config?
Member
There was a problem hiding this comment. Is an ID string AWS-specific or cross-platform? Will other providers need additional information to discover/update the zones?
Contributor
Author
There was a problem hiding this comment. I think an unique identifier or set of tags should be enough to find the zone across platforms.
Member
There was a problem hiding this comment.
Are we supporting cross-platform DNS providers (e.g. an AWS cluster with Route 53 for internal DNS and... some other DNS provider for the public zone)? I think AWS load balancers may require Route 53? If we aren't worried about per-platform zone entries, then we can get the platform information from the infrastructure config. While a string might be sufficient for all platforms, using: type DNSZone struct {
ID *string `json:"id"`
}gives us room to add more properties if we end up needing them later.
Contributor
Author
There was a problem hiding this comment.
The installer currently cannot use ID for the pricate r53 zone as it is created by the terraform.. so id is not known when
Member
There was a problem hiding this comment.
Ah, that makes sense. I guess the ingress operator could perform the tag -> ID lookup in its first round and then push its own update to the config to get more efficient lookups later, if we're concerned about API quotas.
Contributor
There was a problem hiding this comment. So we need an ID for the public zone and tags for the private zone? If so it seems like AWS implies details leaking into this API, but maybe I'm misunderstanding? If tags are sufficient to address the private zone, should the be sufficient to address the public zone? |
||
| // id is the identifier that can be used to find the DNS hosted zone. | ||
| // | ||
| // on AWS zone can be fetched using `ID` as id in [1] | ||
| // on Azure zone can be fetched using `ID` as a pre-determined name in [2], | ||
| // on GCP zone can be fetched using `ID` as a pre-determined name in [3]. | ||
| // | ||
| // [1]: https://docs.aws.amazon.com/cli/latest/reference/route53/get-hosted-zone.html#options | ||
| // [2]: https://docs.microsoft.com/en-us/cli/azure/network/dns/zone?view=azure-cli-latest#az-network-dns-zone-show | ||
| // [3]: https://cloud.google.com/dns/docs/reference/v1/managedZones/get | ||
| // +optional | ||
| ID string `json:"id,omitempty"` | ||
|
|
||
| // tags can be used to query the DNS hosted zone. | ||
|
Contributor
There was a problem hiding this comment. Tags is dangerous, that's not going to be identical across platforms. What is this actually capturing?
Contributor
There was a problem hiding this comment. If this isn't truly platform independent you need to make this specific to the platform, or make the details opaque (i.e. have a string defined as opaque that no one except the person who wrote it is allowed to read).
Contributor
Author
There was a problem hiding this comment. The installer currently cannot use ID to define the private r53 zone as it is created by the private zone is created by terraform.. so ID is not known when Therefore DNSZone has And I thought finding a resource using
Contributor
There was a problem hiding this comment. If the docs for a human setting this would have to explain it, then it should probably be multiple fields which cannot all be set together (union type) like We intend for end users to set this? What happens when a human changes this? Which operator(s) react and make it valid? If we think that this is set once at install time, and we don't envision a human changing (now, a human could override it maybe later) then status may be more appropriate.
Member
There was a problem hiding this comment.
If "ID strings" are a cross-platform concept (and they are, right?), then I don't see a need for platform-specific versions of ID property. Same for tags, although from @abhinavdahiya's comment above it sounds like tags may not be cross-platform, with some platforms supporting tags and some supporting creator supplied names.
I don't see a problem with users setting tags, but I don't think users will need that functionality either. And while it's theoretically possible to suck Route 53 zone creation up into the asset graph so we could fill in the ID here, that would break the current, useful separation between "create all the assets locally" and "push them up to the target cloud" that BYOH and similar rely on (I think?).
I don't think this is different from the ID. In both cases, the ingress operator is pulling fresh values from the config and using them to look up the zones under management.
Contributor
There was a problem hiding this comment.
The operator can use a watch on the config object to react when
Contributor
There was a problem hiding this comment. So treating
Contributor
Author
There was a problem hiding this comment. I think we should move with
Contributor
There was a problem hiding this comment. Please add slightly more godoc here capturing this discussion and how it should be used. |
||
| // | ||
| // on AWS, resourcegroupstaggingapi [1] can be used to fetch a zone using `Tags` as tag-filters, | ||
| // | ||
| // [1]: https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html#options | ||
| // +optional | ||
| Tags map[string]string `json:"tags,omitempty"` | ||
| } | ||
|
|
||
| type DNSStatus struct { | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the zone info, ingress operator doesn't even need this field... and if it's immutable, it could be on status? I can't remember who else might consume this field.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Let's drop it in favor of a
Domainproperty, which everyone adds their own special subdomains to.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, @ironcladlou was saying you could pull this from the cloud too. I'm a bit more nervous about it
DNSSpecbeing portable between platform without it, but we can always add it back if we hit a platform that needs it.