NE-1294: Add support for AWS shared VPC in another account

go.mod

@@ -142,6 +142,6 @@ require (
 // github.com/operator-framework/operator-sdk.
 replace (
 	bitbucket.org/ww/goautoneg => github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d
-	github.com/openshift/api => github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17
+	github.com/openshift/api => github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af
 	k8s.io/client-go => k8s.io/client-go v0.27.2
 )

go.sum

@@ -414,7 +414,6 @@ github.com/go-openapi/jsonpointer v0.17.2/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds
 github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
 github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
-github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
@@ -423,7 +422,6 @@ github.com/go-openapi/jsonreference v0.17.2/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3Hfo
 github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc=
 github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
-github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg=
 github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8=
 github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
@@ -456,7 +454,6 @@ github.com/go-openapi/swag v0.17.2/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/
 github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
-github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-openapi/validate v0.17.2/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
@@ -833,7 +830,6 @@ github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
-github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/maistra/istio-operator v0.0.0-20230322122339-793794762e67 h1:MKacYZbpog8jM+uN3/TQS/FUO+Emz/qdAhma63x1pCk=
@@ -965,7 +961,6 @@ github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9
 github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeREyVo=
 github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc=
 github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM=
-github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
 github.com/onsi/gomega v1.26.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM=
@@ -987,8 +982,8 @@ github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.m
 github.com/opencontainers/runtime-spec v0.1.2-0.20190618234442-a950415649c7/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
-github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17 h1:7OulZncUKirgo9KhoJGmD4kbZ0YfXcChdDJeI0262pg=
-github.com/openshift/api v0.0.0-20230503123822-b6cc8ba8ba17/go.mod h1:ctXNyWanKEjGj8sss1KjjHQ3ENKFm33FFnS5BKaIPh4=
+github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af h1:d31ErBNJPDZkZcUjex+QiTKJLLyMcIhHUkER7CcURwU=
+github.com/openshift/api v0.0.0-20230602160751-5c5196d9f4af/go.mod h1:4VWG+W22wrB4HfBL88P40DxLEpSOaiBVxUnfalfJo9k=
 github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc=
 github.com/openshift/client-go v0.0.0-20200116152001-92a2713fa240/go.mod h1:4riOwdj99Hd/q+iAcJZfNCsQQQMwURnZV6RL4WHYS5w=
 github.com/openshift/client-go v0.0.0-20230120202327-72f107311084 h1:66uaqNwA+qYyQDwsMWUfjjau8ezmg1dzCqub13KZOcE=
@@ -1435,7 +1430,6 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -1966,7 +1960,7 @@ k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.3/go.mod h1:UOaMwERbqJMfeeeHc8XJKawj4P9TgDRnViIqqBeH2QA=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
 k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs=
-k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg=
+k8s.io/api v0.27.1/go.mod h1:z5g/BpAiD+f6AArpqNjkY+cji8ueZDU/WV1jcj5Jk4E=
 k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
 k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
 k8s.io/apiextensions-apiserver v0.0.0-20190918161926-8f644eb6e783/go.mod h1:xvae1SZB3E17UpV59AWc271W/Ph25N+bjPyR63X6tPY=
@@ -1994,7 +1988,7 @@ k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftc
 k8s.io/apimachinery v0.18.3/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
-k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
+k8s.io/apimachinery v0.27.1/go.mod h1:5ikh59fK3AJ287GUvpUsryoMFtH9zj/ARfWCo3AyXTM=
 k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
 k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
 k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
@@ -2066,7 +2060,7 @@ k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKf
 k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
-k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
+k8s.io/kube-openapi v0.0.0-20230308215209-15aac26d736a/go.mod h1:y5VtZWM9sHHc2ZodIH/6SHzXj+TPU5USoA8lcIeKEKY=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/kube-state-metrics v1.7.2/go.mod h1:U2Y6DRi07sS85rmVPmBFlmv+2peBcL8IWGjM+IjYA/E=
@@ -2085,7 +2079,6 @@ k8s.io/utils v0.0.0-20200229041039-0a110f9eb7ab/go.mod h1:sZAwmy6armz5eXlNoLmJcl
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 maistra.io/api v0.0.0-20210601141927-1cbee4cb8ce8/go.mod h1:Os/zrIv6nsjgC43UAo17FFv+fvYlzANUWIpNNZEZ/KE=
@@ -2109,7 +2102,6 @@ sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WG
 sigs.k8s.io/controller-tools v0.4.1/go.mod h1:G9rHdZMVlBDocIxGkK3jHLWqcTMNvveypYJwrvYKjWU=
 sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203 h1:t53lCjyZa7bsj1vZbAboYAH0p0OpqdGpGeM30IZIew8=
 sigs.k8s.io/gateway-api v0.5.1-0.20220921185115-ee7a83814203/go.mod h1:x0AP6gugkFV8fC/oTlnOMU0pnmuzIR8LfIPRVUjxSqA=
-sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kube-storage-version-migrator v0.0.4 h1:qsCecgZHgdismlTt8xCmS/3numvpxrj58RWJeIg76wc=

manifests/00-ingress-credentials-request.yaml

@@ -26,6 +26,7 @@ spec:
       - route53:ListTagsForResources
       - route53:ChangeResourceRecordSets
       - tag:GetResources
+      - sts:AssumeRole
       resource: "*"
 ---
 apiVersion: cloudcredential.openshift.io/v1

pkg/dns/aws/dns.go

@@ -16,6 +16,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/client/metadata"
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -93,6 +94,9 @@ type Config struct {
 	// that is used by SDK to configure the credentials.
 	SharedCredentialFile string
 
+	// RoleARN is an optional ARN to use for the AWS client session.
+	RoleARN string
+
 	// Region is the AWS region ELBs are created in.
 	Region string
 	// ServiceEndpoints is the list of AWS API endpoints to use for
@@ -140,6 +144,9 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error
 		Name: "openshift.io/ingress-operator",
 		Fn:   request.MakeAddToUserAgentHandler("openshift.io ingress-operator", operatorReleaseVersion),
 	})
+	if config.RoleARN != "" {
+		sess.Config.WithCredentials(stscreds.NewCredentials(sess, config.RoleARN))
+	}
 
 	if len(region) == 0 {
 		if sess.Config.Region != nil {

pkg/dns/split/dns.go

@@ -0,0 +1,58 @@
+package split
+
+import (
+	"reflect"
+
+	iov1 "github.com/openshift/api/operatoringress/v1"
+	"github.com/openshift/cluster-ingress-operator/pkg/dns"
+	logf "github.com/openshift/cluster-ingress-operator/pkg/log"
+
+	configv1 "github.com/openshift/api/config/v1"
+)
+
+var (
+	_   dns.Provider = &Provider{}
+	log              = logf.Logger.WithName("dns")
+)
+
+// Provider is a dns.Provider that wraps two other providers.  The first
+// provider is used for public hosted zones, and the second provider is used for
+// private hosted zones.
+type Provider struct {
+	private, public dns.Provider
+	privateZone     *configv1.DNSZone
+}
+
+// NewProvider returns a new Provider that wraps the provided wrappers, using
+// the first for the public zone and the second for the private zone.
+func NewProvider(public, private dns.Provider, privateZone *configv1.DNSZone) *Provider {
+	return &Provider{
+		public:      public,
+		private:     private,
+		privateZone: privateZone,
+	}
+}
+
+// Ensure calls the Ensure method of one of the wrapped DNS providers.
+func (p *Provider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	if reflect.DeepEqual(zone, *p.privateZone) {
+		return p.private.Ensure(record, zone)
+	}
+	return p.public.Ensure(record, zone)
+}
+
+// Delete calls the Delete method of one of the wrapped DNS providers.
+func (p *Provider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	if reflect.DeepEqual(zone, *p.privateZone) {
+		return p.private.Delete(record, zone)
+	}
+	return p.public.Delete(record, zone)
+}
+
+// Replace calls the Replace method of one of the wrapped DNS providers.
+func (p *Provider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	if reflect.DeepEqual(zone, *p.privateZone) {
+		return p.private.Replace(record, zone)
+	}
+	return p.public.Replace(record, zone)
+}

pkg/dns/split/dns_test.go

@@ -0,0 +1,126 @@
+package split_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	configv1 "github.com/openshift/api/config/v1"
+	iov1 "github.com/openshift/api/operatoringress/v1"
+
+	"github.com/openshift/cluster-ingress-operator/pkg/dns"
+	splitdns "github.com/openshift/cluster-ingress-operator/pkg/dns/split"
+)
+
+// TestSplitDNSProvider verifies that the split DNS provider dispatches to the
+// public or private provider as appropriate for the DNS zone.
+func TestSplitDNSProvider(t *testing.T) {
+	var (
+		// ch is a channel that is used in the fake public and private
+		// providers to record which one is called.
+		ch = make(chan string, 6)
+		// getResult reads and returns one item from ch, or returns the
+		// empty string if ch is empty.
+		getResult = func() string {
+			var result string
+			select {
+			case result = <-ch:
+			default:
+			}
+			return result
+		}
+		// publicProvider is a fake dns.Provider for the public zone.
+		publicProvider = newFakeProvider("public", ch)
+		// privateProvider is a fake dns.Provider for the private zone.
+		privateProvider = newFakeProvider("private", ch)
+		// publicZoneWithID is a public zone that is defined by ID.
+		publicZoneWithID = configv1.DNSZone{ID: "public_zone"}
+		// privateZoneWithID is a private zone that is defined by ID.
+		privateZoneWithID = configv1.DNSZone{ID: "private_zone"}
+		// publicZoneWithTags is a public zone that is defined by tags.
+		publicZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "public"}}
+		// privateZoneWithID is a private zone that is defined by tags.
+		privateZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "private"}}
+	)
+	testCases := []struct {
+		name          string
+		publicZone    configv1.DNSZone
+		privateZone   configv1.DNSZone
+		publishToZone configv1.DNSZone
+		expect        string
+	}{
+		{
+			name:          "publish to public zone specified by id",
+			publicZone:    publicZoneWithID,
+			privateZone:   privateZoneWithID,
+			publishToZone: publicZoneWithID,
+			expect:        "public",
+		},
+		{
+			name:          "publish to private zone specified by id",
+			publicZone:    publicZoneWithID,
+			privateZone:   privateZoneWithID,
+			publishToZone: privateZoneWithID,
+			expect:        "private",
+		},
+		{
+			name:          "publish to public zone specified by tags",
+			publicZone:    publicZoneWithTags,
+			privateZone:   privateZoneWithID,
+			publishToZone: publicZoneWithTags,
+			expect:        "public",
+		},
+		{
+			name:          "publish to private zone specified by tags",
+			publicZone:    publicZoneWithTags,
+			privateZone:   privateZoneWithTags,
+			publishToZone: privateZoneWithTags,
+			expect:        "private",
+		},
+		{
+			name:          "publish to other zone should fall back to the public zone",
+			publicZone:    publicZoneWithID,
+			privateZone:   privateZoneWithID,
+			publishToZone: configv1.DNSZone{ID: "other_zone"},
+			expect:        "public",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			provider := splitdns.NewProvider(publicProvider, privateProvider, &tc.privateZone)
+			assert.NoError(t, provider.Ensure(&iov1.DNSRecord{}, tc.publishToZone))
+			assert.Equal(t, tc.expect, getResult())
+			assert.NoError(t, provider.Replace(&iov1.DNSRecord{}, tc.publishToZone))
+			assert.Equal(t, tc.expect, getResult())
+			assert.NoError(t, provider.Delete(&iov1.DNSRecord{}, tc.publishToZone))
+			assert.Equal(t, tc.expect, getResult())
+			assert.Empty(t, ch)
+		})
+	}
+
+}
+
+var _ dns.Provider = &fakeProvider{}
+
+type fakeProvider struct {
+	name     string
+	recorder chan string
+}
+
+func (p *fakeProvider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	p.recorder <- p.name
+	return nil
+}
+func (p *fakeProvider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	p.recorder <- p.name
+	return nil
+}
+func (p *fakeProvider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error {
+	p.recorder <- p.name
+	return nil
+}
+
+// newFakeProvider returns a new dns.Provider that records invocations.
+func newFakeProvider(name string, ch chan string) dns.Provider {
+	return &fakeProvider{name, ch}
+}