OCPBUGS-60492: Skip Gateway Service DNS record creation on platforms with ClusterHostedDNS is configured

[sadasu]

When in-cluster DNS/custom-DNS is configured on AWS and GCP, skip creating Gateway Service DNS record.

[openshift-ci-robot]

@sadasu: This pull request references Jira Issue OCPBUGS-60492, which is invalid:

• expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

When in-cluster DNS/custom-DNS is configured on AWS and GCP, skip creating Gateway Service DNS record.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

/jira refresh

[openshift-ci-robot]

@sadasu: This pull request references Jira Issue OCPBUGS-60492, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

It can be useful to create the DNSRecord CR, but with dnsManagementState: Unmanaged, to serve as a reference for what DNS record the cluster-admin is expected to create. So I would suggest still calling ensureDNSRecordsForGateway but changing it to to set dnsManagementState: Unmanaged when the platform is not supported. Does that make sense?

[sadasu]

My reasoning for putting the check here vs ensureDNSRecordsForGateway was that this check would give the same outcome for each domain within ensureDNSRecordsForGateway.

I see that creating the DNSRecord CR could be useful, so updated implementation.

[Miciah]

My reasoning for putting the check here vs ensureDNSRecordsForGateway was that this check would give the same outcome for each domain within ensureDNSRecordsForGateway.

If you're concerned about the performance impact, you can call checkClusterHostedDNS (previously checkPlatformSupport) in Reconcile and pass the Boolean result to ensureDNSRecordsForGateway.

[Miciah]

Minor grammar and capitalization corrections:

Suggested change

	// checkPlatformSupport return true if the platform supports gateway service dns.
	// Gateway service dns is currently not supported when in-cluster DNS is configured
	// for AWS or GCP platforms.
	func checkPlatformSupport(infraConfig *configv1.Infrastructure) bool {
	// checkPlatformSupport returns true if the platform supports gateway service DNS.
	// Gateway service DNS is currently not supported when in-cluster DNS is configured
	// for AWS or GCP platforms.
	func checkPlatformSupport(infraConfig *configv1.Infrastructure) bool {

Also, I wonder whether the name might be misleading. We don't manage DNS at all on some platforms, but that isn't what this function checks; it only checks whether platforms on which we can manage the DNS records have some alternative custom DNS record management. Maybe a name like checkUsePlatformDefaultDNS? Or invert the Boolean value and condition, and rename the function to checkClusterHostedDNS?

[sadasu]

Updated to invert the Boolean value and condition, and rename the function to checkClusterHostedDNS.

[sadasu]

/retest-required

[candita]

It would be good to investigate this CI failure. It seems related to me, being GCP and DNS.

=== NAME TestAll/parallel/TestInternalLoadBalancerGlobalAccessGCP
operator_test.go:1295: Expected conditions: map[Admitted:True Available:True DNSManaged:True DNSReady:True LoadBalancerManaged:True LoadBalancerReady:True]
Current conditions: map[Admitted:True Available:False DNSManaged:True DNSReady:False Degraded:True DeploymentAvailable:True DeploymentReplicasAllAvailable:True DeploymentReplicasMinAvailable:True DeploymentRollingOut:False EvaluationConditionsDetected:False LoadBalancerManaged:True LoadBalancerProgressing:False LoadBalancerReady:False Progressing:False Upgradeable:True]
...
"message": "One or more other status conditions indicate a degraded state: LoadBalancerReady=False (SyncLoadBalancerFailed: The service-controller component is reporting SyncLoadBalancerFailed events like: Error syncing load balancer: failed to ensure load balancer: googleapi: Error 400: Resource 'projects/XXXXXXXXXXXXXXXXXXXXXX/zones/us-central1-c/instances/ci-op-b4v9j4c3-76b3b-j7ls4-worker-c-sz59r' is expected to be in the subnetwork 'projects/XXXXXXXXXXXXXXXXXXXXXX/regions/us-central1/subnetworks/ci-op-b4v9j4c3-76b3b-j7ls4-master-subnet' but is in the subnetwork 'projects/XXXXXXXXXXXXXXXXXXXXXX/regions/us-central1/subnetworks/ci-op-b4v9j4c3-76b3b-j7ls4-worker-subnet'., wrongSubnetwork\nThe cloud-controller-manager logs may contain more details.)"
},

[candita]

Can you please explain in a comment how this solves the problem of missing DNS name for Gateway objects?

[sadasu]

custom-dns is enabled by the customer when they do not want OpenShift to use the cloud provider's default DNS. So, setting the dnsPolicy to iov1.UnmanagedDNS to cause the Gateway API controller to skip configuring the cloud's DNS.

[candita]

In that case, can the tests provide whatever DNS is likely to be used instead, or at least something resembling DNS? We can't just assume it all works without testing it. Changing the name of this PR might help too.

[patrickdillon]

In that case, can the tests provide whatever DNS is likely to be used instead, or at least something resembling DNS? We can't just assume it all works without testing it. Changing the name of this PR might help too.

The custom DNS CI workflows do that: install using on-cluster networking and then add user-provisioned DNS after the install. We will need to add those jobs to run in this repo.

[patrickdillon]

I suspect we do not need this PR, or to perform a specific conditional for custom DNS

Results are in, and it looks like the installer configuring the DNS zones to nil is not sufficient to resolve this issue.

So I think we do need a check in the ingress controller, but I would not make it specific to custom DNS, but rather based on the presence of the cloud PrivateZone and PublicZone in the DNS config.

[sadasu]

/hold

[Miciah]

/approve
/lgtm

I prefer if the Git commit message references the Jira issue and follows the Kubernetes commit message guidelines, but the changes look fine to me.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sadasu]

/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD afb2160 and 2 for PR HEAD fb9ca0b in total

[sadasu]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD afb2160 and 2 for PR HEAD fb9ca0b in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD afb2160 and 2 for PR HEAD fb9ca0b in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 52a0048 and 1 for PR HEAD fb9ca0b in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 52a0048 and 2 for PR HEAD fb9ca0b in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 52a0048 and 2 for PR HEAD fb9ca0b in total

[openshift-ci]

@sadasu: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-operator	fb9ca0b	link	true	/test e2e-gcp-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sadasu]

/hold

We've identified that with custom-dns, when no Public and Private zones are specified in the DNS CR, no additional changes are required in the CIO for Gateway controller.
I think this PR can even be closed.

[openshift-bot]

/jira refresh

The requirements for Jira bugs have changed (Jira issues linked to PRs on main branch need to target different OCP), recalculating validity.

[openshift-ci-robot]

@openshift-bot: This pull request references Jira Issue OCPBUGS-60492, which is invalid:

• expected the bug to be open, but it isn't
• expected the bug to target either version "4.21." or "openshift-4.21.", but it targets "4.20.0" instead
• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Closed (Done) instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

The requirements for Jira bugs have changed (Jira issues linked to PRs on main branch need to target different OCP), recalculating validity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sadasu]

This fix is currently not considered necessary.

[openshift-ci-robot]

@sadasu: This pull request references Jira Issue OCPBUGS-60492. The bug has been updated to no longer refer to the pull request using the external bug tracker.

Details

In response to this:

When in-cluster DNS/custom-DNS is configured on AWS and GCP, skip creating Gateway Service DNS record.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.