NE-969: Add IBM DNS Services provider support for private clusters

[SzucsAti]

With this PR, cluster-ingress-operators running on Private IBMCloud IPI/UPI clusters will be able to use DNS Services (https://cloud.ibm.com/docs/dns-svcs?topic=dns-svcs-about-dns-services) as their DNS provider.

Pulling in latest openshift/api changes as it's needed for this PR.

This PR is required for Private IBMCloud IPI/UPI clusters.

[jeffnowicki]

/cc @Miciah

[Miciah]

/retitle NE-969: Add IBM DNS Services provider support for private clusters

[jeffnowicki]

/retest-required

[gcs278]

/assign @gcs278

[gcs278]

Thanks for the PR. We discussed this in our PR review meeting. I'll do a review sometime next week.

[gcs278]

Looks pretty good, thanks for the PR. I'm have a small concern with code reuse and consistency here. Seems code was adapted from existing code and there are a few duplicate logic sections. I'm just wonder if we could structure to enable better code reuse and less unique logic paths. I will get back to you on maybe a potential suggestion, but at the moment, I don't have any other suggestions other than my comments.

[gcs278]

nit IBM CIS DNS is capitalized in error message but not the info, i don't really mind, but I do like consistency.

[SzucsAti]

Fixed.

[Miciah]

Personally, I'd prefer using proper names ("IBM CIS DNS", "IBM Cloud DNS Services", and so on) in error messages and log messages. We should use whatever will be most familiar to users or easiest for users to look up in a web search or in product documentation.

[gcs278]

nit IBM DNSSVCS is capitlized in the error message, but no the info.

[SzucsAti]

Fixed.

[gcs278]

This is another nit, but these if statements have a few lines of repeated logic, minus the specific error message. Have you thought about just using the if statement to create the ibm DNS configs then using common logic for ibmprivatedns.NewProvider? If it seems reasonable.

Suggested change

	provider, err := ibmprivatedns.NewProvider(ibmprivatedns.Config{
	providerCfg := ibmprivatedns.Config{

[SzucsAti]

Done.

[gcs278]

I've seen some of our test code use test parameters like expectMessageContains. Do you think that would be beneficial to be more granular here? I suppose it would protect against false positives in which expectedErr true, but not necessarily the error we expect.

[SzucsAti]

Makes sense. Added expectErrorContains and updated the tests accordingly.

[gcs278]

Could you make this error more descriptive? It's a bit vague. Result of what operation?
edit: I realize this is adapted from cis_provider.go, but still think they both are vague error message.

[SzucsAti]

Done.

[gcs278]

nit goland is saying this is a "duplicate alias" since the name of the package is the same as the alias.

[SzucsAti]

Fixed.

[gcs278]

something isn't super clear to me, why is there only 1 DnsClient when in cis_provider.go has a map of DnsClient? Maybe that would make a good comment - describing why/the difference.

[SzucsAti]

In case of CIS sdk, zoneID is stored and used in the provider options which is set during client creation. So we decided to create a zoneID to client map, so we don't have to create a client each time there is a dns operation. https://github.com/SzucsAti/cluster-ingress-operator/blob/ibm-dnssvc-support/pkg/dns/ibm/public/cis_provider.go#L45-#L52

In case of DNS-SVCS sdk, zoneID is a required parameter in every function and it's not needed to set in client options. https://github.com/SzucsAti/cluster-ingress-operator/blob/ibm-dnssvc-support/pkg/dns/ibm/private/dnssvcs_provider.go#L44-#L49

[gcs278]

Got it, thanks for the explanation.

[gcs278]

this config struct is nearly common with the one in cis_provider.go. I'm curious if we could share.

[SzucsAti]

Couldn't really find a place to put these common functions/structures, so ended up creating common.go in the dns/ibm folder. Moved Config there to be used by both providers.

[gcs278]

I think that makes sense to me. I see InstanceID is a bit overloaded since it could be different types of ID's for public or private (CRN ID vs. IstanceID?). But I think this is okay.

[gcs278]

nit does zone need to be pass-by-value here? Doesn't that do an unnecessary memory copy?
Same comment goes for cis_provider.go to be consistent.

[SzucsAti]

Changed it. (Side note: as I see this change is inconsistent with the way other platform providers do it.)

[gcs278]

@SzucsAti yea reviewing this again, I was asking the question, not necessarily suggesting it to be changed. Sorry I should have been more clear with my statement that I wasn't 100% sure.

I was originally thinking pointers are just overall better, but after reading https://medium.com/@meeusdylan/when-to-use-pointers-in-go-44c15fe04eac, it really only matters when there are large complex structures.

If you see this change as inconsistent, I'd recommend changing back. Sorry about that.

[SzucsAti]

Reverted the change.

[gcs278]

nit does zone need to be pass-by-value here? Doesn't that do an unnecessary memory copy?
Same comment goes for cis_provider.go to be consistent.

[SzucsAti]

Done.

[SzucsAti]

@gcs278 Thank you for the review. Addressed your comments.

I agree that the usage of the providers looks similar. Unfortunately there are noticeable differences when it comes to the providers' sdks, which makes it hard to reuse code for both providers without overengineering, but I'm open to suggestions. I created a common.go file and moved duplicated config/function there based on your comments.

[gcs278]

thanks for the comment responses. Looking good.

[gcs278]

typo: initialize

[SzucsAti]

Fixed.

[gcs278]

nit this is also a redundant alias.

[SzucsAti]

Fixed.

[gcs278]

nit this is a redundant alias

[SzucsAti]

Fixed.

[gcs278]

Is a nil results always a bad thing? I noticed in cis_provider.go, they don't validate if the results is nil (but maybe it's different).

[SzucsAti]

Right, this check is not needed. Realised that errors were not aggregated, just returned.. fixed that as well.

[gcs278]

Got it - thanks I see that now, I confused the logic, but that makes sense now.

[gcs278]

Now that I look at this more, the isPublic bool feels sorta like leaky abstraction. Should at the function getIbmDNSProvider really be the one determining if it is private or public with operating on platformStatus instead of a specific instanceId? I could be over simplifying, but see if it makes sense.

[SzucsAti]

Not sure if I understand this comment correctly. From just an instanceID value we can't decide on which provider to use. Can't really create getPublicDNSProvider and getPrivateDNSProvider, because there would be too much duplicated logic, also I'm hesitant to make changes to getIbmDNSProvider as PowerVS Platform also uses it.

As far as I know PowerVS also plans to adopt using DNS Services provider in the near future, which will make it easy to simplify and revisit this part of the code. I'd prefer to leave it as it is for now.

[gcs278]

Oh okay I missed the PowerVSPlatformType that uses platformStatus.PowerVS.CISInstanceCRN. Never mind, this pattern is fine.

[gcs278]

thanks for also updating this! I like the consistency.

[gcs278]

@Miciah I've done my most of my reviewing, mind taking a look when you get a chance?

[gcs278]

I took another pass. The I did miss your comment response about the pointers, but I agree with your comment about inconsistency. I think we should revert those pointer updates.

Otherwise just waiting on a second pass from Miciah.

[Miciah]

If the first outer if condition err != nil is true and the inner if condition response != nil && response.StatusCode != http.StatusNotFound is false because response is nil, then the error is ignored. Should the logic be the following?

Suggested change

	if err != nil {
	if response != nil && response.StatusCode != http.StatusNotFound {
	return fmt.Errorf("delete: failed to list the dns record: %w", err)
	}
	}
	if err != nil {
	if response == nil || response.StatusCode != http.StatusNotFound {
	return fmt.Errorf("delete: failed to list the dns record: %w", err)
	}
	}

[SzucsAti]

Agree, changed it.

[Miciah]

Can we be absolutely certain that resourceRecord.Type is non-nil? I'd prefer this logic include a nil check.

What if the record has some other type? I'd prefer this logic use a switch with a default clause.

What are the possible types of rData["cname"] and rData["ip"]? Using fmt.Sprint here seems slightly odd.

Suggested change

	if *resourceRecord.Type == string(iov1.CNAMERecordType) {
	resourceRecordTarget = fmt.Sprint(rData["cname"])
	}
	if *resourceRecord.Type == string(iov1.ARecordType) {
	resourceRecordTarget = fmt.Sprint(rData["ip"])
	}
	if resourceRecord.Type == nil {
	return fmt.Errorf("delete: resource data has record with nil type: %v", resourceRecord)
	}
	switch *resourceRecord.Type {
	case string(iov1.CNAMERecordType):
	resourceRecordTarget = fmt.Sprint(rData["cname"])
	case string(iov1.ARecordType):
	resourceRecordTarget = fmt.Sprint(rData["ip"])
	default:
	return fmt.Errorf("delete: resource data has record with unknown type: %v", resourceRecord)
	// Or should we log and continue?
	}

[SzucsAti]

Can we be absolutely certain that resourceRecord.Type is non-nil? I'd prefer this logic include a nil check.

There is a ValidateInputDNSData(record, zone) call at the beginning of the functions that does nil checks.

What if the record has some other type? I'd prefer this logic use a switch with a default clause.

Makes sense. Changed it to switch-case.

What are the possible types of rData["cname"] and rData["ip"]? Using fmt.Sprint here seems slightly odd.

It supposed to be string only. Added a type check just to be safe and changed the way we convert it.

[Miciah]

Can we be absolutely certain that resourceRecord.Type is non-nil? I'd prefer this logic include a nil check.

There is a ValidateInputDNSData(record, zone) call at the beginning of the functions that does nil checks.

That checks the input that is used for the ListResourceRecords call, but it doesn't validate the result, right? Is it safe to assume that the result is valid if the input was valid?

[SzucsAti]

Oh correct. Added nil check validation for list result.

[Miciah]

Is it possible for resourceRecord.Name to be nil? I'd prefer a nil check, just in case.

[SzucsAti]

There is a ValidateInputDNSData(record, zone) call at the beginning of the functions that does nil checks.

[Miciah]

What if err is non-nil and delResponse is nil?

[SzucsAti]

I believe we should return error in that case. Changed it accordingly.

[Miciah]

Could you swap the inner and outer for loops and move the unmarshaling logic before the loop over targets to avoid repeatedly unmarshaling each resourceRecord when there are multiple targets?

[SzucsAti]

Done.

[Miciah]

Personally, I'd prefer using proper names ("IBM CIS DNS", "IBM Cloud DNS Services", and so on) in error messages and log messages. We should use whatever will be most familiar to users or easiest for users to look up in a web search or in product documentation.

[Miciah]

This would be more Go idiomatic:

Suggested change

	// Common configuration of ibm providers
	// InstanceID is GUID in case of dns svcs and CRN in case of cis
	type Config struct {
	APIKey string
	InstanceID string
	UserAgent string
	Zones []string
	// Config holds common configuration of IBM DNS providers.
	type Config struct {
	// APIKey is the IBM Cloud API key that the provider will use.
	APIKey string
	// InstanceID is GUID in case of dns svcs and CRN in case of cis.
	InstanceID string
	// UserAgent is the user-agent identifier that the client will use in
	// HTTP requests to the IBM Cloud API.
	UserAgent string
	// Zones is a list of DNS zones in which the DNS provider manages DNS records.
	Zones []string

[SzucsAti]

Thank you. Applied your suggestion.

[Miciah]

Please add a godoc comment.

[SzucsAti]

Done.

[Miciah]

Seems like this interface should be defined in "github.com/IBM/networking-go-sdk/dnssvcsv1", but I guess we can't do anything about that. Maybe add a comment to say that we're defining this interface to describe the methods defined in dnssvcsv1 for the purpose of having an interface that we can use in the implementation and test code for cluster-ingress-operator's provider logic.

[SzucsAti]

Exactly. Added a comment.

[Miciah]

defaultDNSSVCSRecordTTL and DNSSVCSApiEndpoint can be declared as consts. Since DNSSVCSApiEndpoint isn't used outside this package, it doesn't need to be exported. Please add godoc!

Suggested change

	defaultDNSSVCSRecordTTL = int64(120)
	DNSSVCSApiEndpoint = "https://api.dns-svcs.cloud.ibm.com/v1"
	)
	)
	const (
	// defaultDNSSVCSRecordTTL is the default TTL used when a DNS record
	// does not specify a valid TTL.
	defaultDNSSVCSRecordTTL = int64(120)
	// dnsSvcsApiEndpoint is the API endpoint for IBM Cloud DNS Services.
	dnsSvcsApiEndpoint = "https://api.dns-svcs.cloud.ibm.com/v1"
	)

Actually, could you use dnssvcsv1.DefaultServiceURL and do away with DNSSVCSApiEndpoint entirely?

[SzucsAti]

Using DefaultServiceURL.

[cjschaef]

@Miciah @SzucsAti Any further progress on getting this reviewed/approved?
This will soon become a blocker for the IBM Cloud IPI GA, once we start adding Private cluster support in the installer and I'm hoping to avoid that if possible.

[SzucsAti]

Created an IPI cluster on IBMCloud and verified that the changes we made don't break the existing CIS integration. DNS Services integration seems to work properly as well. Waiting if there are more suggestions or concerns.

[jeffnowicki]

/retest-required

[SzucsAti]

Resolved the conflicts. We no longer need to update the openshift/api dependency as it was updated on the master branch.

[jeffnowicki]

/retest-required

[Miciah]

Suggested change

	return fmt.Errorf("delete: resource data has record with unknown rData cname type: %v ", err)
	return fmt.Errorf("delete: resource data has record with unknown rData cname type: %T", rData["cname"])

[SzucsAti]

Fixed.

[Miciah]

Suggested change

	return fmt.Errorf("delete: resource data has record with unknown rData ip type: %v ", err)
	return fmt.Errorf("delete: resource data has record with unknown rData ip type: %T", rData["ip"])

[SzucsAti]

Fixed.

[Miciah]

This is going to return an error message that contains pointer addresses. You need to dereference resourceRecord.Type to include useful information:

Suggested change

	return fmt.Errorf("delete: resource data has record with unknown type: %v", resourceRecord)
	return fmt.Errorf("delete: resource data has record with unknown type: %v", *resourceRecord.Type)

If you need to provide more information, you'll need to dereference each field that you want to include in the error message (or use something more sophisticated, such as go-spew):

Suggested change

	return fmt.Errorf("delete: resource data has record with unknown type: %v", resourceRecord)
	return fmt.Errorf("delete: resource data has record with unknown type: %v, id: %v", *resourceRecord.Type, *resourceRecord.ID)

[SzucsAti]

Fixed.

[Miciah]

Would it make sense to log something if we're trying to delete a record and we find one that doesn't match?

Suggested change

	if resourceRecordTarget == target && *resourceRecord.Name == dnsName {
	if *resourceRecord.Name == dnsName {
	if resourceRecordTarget != target {
	log.Info("delete: ignoring record with matching name but unexpected target", "record", record, "target", resourceRecordTarget)
	continue
	}

[SzucsAti]

Makes sense. Applied the suggestion.

[Miciah]

Suggested change

	if (delResponse != nil && delResponse.StatusCode != http.StatusNotFound) || delResponse == nil {
	if delResponse == nil || delResponse.StatusCode != http.StatusNotFound {

[SzucsAti]

Fixed.

[Miciah]

Sorry for being so persnickety, but...

Suggested change

	//getIbmDNSProvider initializes and returns an IBM DNS provider instance.
	// getIbmDNSProvider initializes and returns an IBM DNS provider instance.

[SzucsAti]

Fixed.

[Miciah]

Looks like you're changing "IBM CIS DNS" to upper-case elsewhere, right? Anyway, might as well change to using %w while you're updating this code.

Suggested change

	return nil, fmt.Errorf("failed to create ibm cis dns provider: %v", err)
	return nil, fmt.Errorf("failed to create IBM CIS DNS provider: %w", err)

Actually, getIbmDNSProvider already wraps whatever error it returns with "failed to initialize IBM CIS DNS provider", so is it necessary to wrap the error here? Might as well just return it as-is, no?

Suggested change

	return nil, fmt.Errorf("failed to create ibm cis dns provider: %v", err)
	return nil, err

[SzucsAti]

Correct, changed it.

[Miciah]

Suggested change

	return nil, fmt.Errorf("failed to create ibm dnssvcs dns provider: %v", err)
	return nil, fmt.Errorf("failed to create IBM Cloud DNS Services provider: %w", err)

or

Suggested change

	return nil, fmt.Errorf("failed to create ibm dnssvcs dns provider: %v", err)
	return nil, err

per my other comment: #796 (comment)

[SzucsAti]

Changed it.

[Miciah]

Suggested change

	return nil, fmt.Errorf("failed to initialize IBM CIS DNS provider: %v", err)
	return nil, fmt.Errorf("failed to initialize IBM CIS DNS provider: %w", err)

[SzucsAti]

Fixed.

[Miciah]

Suggested change

	return nil, fmt.Errorf("failed to initialize IBM Cloud DNS Services provider: %v", err)
	return nil, fmt.Errorf("failed to initialize IBM Cloud DNS Services provider: %w", err)

[SzucsAti]

Fixed.

[gcs278]

/lgtm but Miciah should review the responses to his comments and approve

[Miciah]

It's looking really good! Thanks!
/approve
/lgtm

We have an issue in CI, which is being addressed here: #818
I'm putting a hold on this PR while that issue is sorted out so the PR doesn't needlessly rerun CI. Once the CI issue is resolved, the hold can be removed with /hold cancel.
/hold

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jeffnowicki]

@Miciah / @gcs278 looks like all tests for #818 passed... hopefully it can get reviewed/merged soon so this PR can progress/merge. Thank you.

[Miciah]

#818 merged. E2E should pass now.
/hold cancel
/retest-required

[Miciah]

e2e-aws-operator failed on must-gather.
/test e2e-aws-operator

[jeffnowicki]

/retest-required

[openshift-ci]

@SzucsAti: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-single-node	3ef4123	link	false	/test e2e-aws-single-node
ci/prow/e2e-gcp-serial	3ef4123	link	true	/test e2e-gcp-serial
ci/prow/e2e-azure-ovn	1096655	link	false	/test e2e-azure-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[SzucsAti]

/retest-required

[mkumatag]

we need these required flags: px-approved, qe-approved, docs-approved as well @jeffnowicki @SzucsAti

[jeffnowicki]

@mkumatag I have slack DM'd with @Miciah to get the right people notified so we can get these labels added and PR merged.

[ahardin-rh]

/label docs-approved

[jeffnowicki]

@sferich888 @ShudiLi would you please review/add px-approved and qe-approved labels accordingly?

[ShudiLi]

/label qe-approved
@jeffnowicki thanks

[CFields651]

/label px-approved