From 7251aaa9a30f3759c2731d061207d2f63cd945de Mon Sep 17 00:00:00 2001 From: Miciah Masters Date: Fri, 5 May 2023 21:00:40 -0400 Subject: [PATCH] Add support for AWS shared VPC in another account Add support for configuring DNS records in AWS Route 53 using a separate account for the private hosted zone. This commit resolves NE-1294. https://issues.redhat.com/browse/NE-1294 * manifests/00-ingress-credentials-request.yaml: Add "sts:AssumeRole" to the CredentialsRequest for AWS. * pkg/manifests/bindata.go: Regenerate. * pkg/dns/aws/dns.go (Config): Add a RoleARN field. (NewProvider): If config.RoleARN is set, use it to configure the AWS client using the specified role. * pkg/dns/split/dns.go: New file. Define a DNS provider implementation that wraps two other DNS providers, using one of them to publish records to the public zone and the other to publish records to the private zone. (Provider): New type. Store the private and public DNS providers, as well as the private zone so that the Ensure, Delete, and Replace methods can use it to determine whether they are publishing to the public zone or to the private zone. (NewProvider): New function. Return a split DNS provider. (Ensure, Delete, Replace): New methods. Implement the dns.Provider interface by calling the respective methods on the wrapped private and public DNS providers. * pkg/dns/split/dns_test.go (TestSplitDNSProvider): Verify that the split DNS provider correctly dispatches to the private or public DNS provider as appropriate, using fakeProvider. (fakeProvider): New type. Define a fake named DNS provider that records its name when invoked. (Ensure, Delete, Replace): New methods for fakeProvider to record invocations and implement the dns.Provider interface. (newFakeProvider): New function. Return a fake provider. * pkg/operator/controller/dns/controller.go (Config): Add a "PrivateHostedZoneAWSEnabled" field to indicate whether the "PrivateHostedZoneAWS" feature gate is enabled. (createDNSProvider): Use the new split DNS provider and the AWS DNS provider's new RoleARN configuration option to configure separate DNS providers for public and private zones when a role ARN for the private zone is specified in the cluster infrastructure config if the "PrivateHostedZoneAWS" feature gate is enabled. * pkg/operator/operator.go (New): Check the "PrivateHostedZoneAWS" feature gate and specify it in the DNS controller config. --- manifests/00-ingress-credentials-request.yaml | 1 + pkg/dns/aws/dns.go | 7 + pkg/dns/split/dns.go | 58 ++++++++ pkg/dns/split/dns_test.go | 126 ++++++++++++++++++ pkg/manifests/bindata.go | 8 +- pkg/operator/controller/dns/controller.go | 20 ++- pkg/operator/operator.go | 2 + 7 files changed, 217 insertions(+), 5 deletions(-) create mode 100644 pkg/dns/split/dns.go create mode 100644 pkg/dns/split/dns_test.go diff --git a/manifests/00-ingress-credentials-request.yaml b/manifests/00-ingress-credentials-request.yaml index 09cab4c77..7878da40c 100644 --- a/manifests/00-ingress-credentials-request.yaml +++ b/manifests/00-ingress-credentials-request.yaml @@ -26,6 +26,7 @@ spec: - route53:ListTagsForResources - route53:ChangeResourceRecordSets - tag:GetResources + - sts:AssumeRole resource: "*" --- apiVersion: cloudcredential.openshift.io/v1 diff --git a/pkg/dns/aws/dns.go b/pkg/dns/aws/dns.go index 5d321e007..2b6864496 100644 --- a/pkg/dns/aws/dns.go +++ b/pkg/dns/aws/dns.go @@ -16,6 +16,7 @@ import ( "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/request" "github.com/aws/aws-sdk-go/aws/session" @@ -93,6 +94,9 @@ type Config struct { // that is used by SDK to configure the credentials. SharedCredentialFile string + // RoleARN is an optional ARN to use for the AWS client session. + RoleARN string + // Region is the AWS region ELBs are created in. Region string // ServiceEndpoints is the list of AWS API endpoints to use for @@ -140,6 +144,9 @@ func NewProvider(config Config, operatorReleaseVersion string) (*Provider, error Name: "openshift.io/ingress-operator", Fn: request.MakeAddToUserAgentHandler("openshift.io ingress-operator", operatorReleaseVersion), }) + if config.RoleARN != "" { + sess.Config.WithCredentials(stscreds.NewCredentials(sess, config.RoleARN)) + } if len(region) == 0 { if sess.Config.Region != nil { diff --git a/pkg/dns/split/dns.go b/pkg/dns/split/dns.go new file mode 100644 index 000000000..c055c43f1 --- /dev/null +++ b/pkg/dns/split/dns.go @@ -0,0 +1,58 @@ +package split + +import ( + "reflect" + + iov1 "github.com/openshift/api/operatoringress/v1" + "github.com/openshift/cluster-ingress-operator/pkg/dns" + logf "github.com/openshift/cluster-ingress-operator/pkg/log" + + configv1 "github.com/openshift/api/config/v1" +) + +var ( + _ dns.Provider = &Provider{} + log = logf.Logger.WithName("dns") +) + +// Provider is a dns.Provider that wraps two other providers. The first +// provider is used for public hosted zones, and the second provider is used for +// private hosted zones. +type Provider struct { + private, public dns.Provider + privateZone *configv1.DNSZone +} + +// NewProvider returns a new Provider that wraps the provided wrappers, using +// the first for the public zone and the second for the private zone. +func NewProvider(public, private dns.Provider, privateZone *configv1.DNSZone) *Provider { + return &Provider{ + public: public, + private: private, + privateZone: privateZone, + } +} + +// Ensure calls the Ensure method of one of the wrapped DNS providers. +func (p *Provider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Ensure(record, zone) + } + return p.public.Ensure(record, zone) +} + +// Delete calls the Delete method of one of the wrapped DNS providers. +func (p *Provider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Delete(record, zone) + } + return p.public.Delete(record, zone) +} + +// Replace calls the Replace method of one of the wrapped DNS providers. +func (p *Provider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error { + if reflect.DeepEqual(zone, *p.privateZone) { + return p.private.Replace(record, zone) + } + return p.public.Replace(record, zone) +} diff --git a/pkg/dns/split/dns_test.go b/pkg/dns/split/dns_test.go new file mode 100644 index 000000000..f2a669f83 --- /dev/null +++ b/pkg/dns/split/dns_test.go @@ -0,0 +1,126 @@ +package split_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + configv1 "github.com/openshift/api/config/v1" + iov1 "github.com/openshift/api/operatoringress/v1" + + "github.com/openshift/cluster-ingress-operator/pkg/dns" + splitdns "github.com/openshift/cluster-ingress-operator/pkg/dns/split" +) + +// TestSplitDNSProvider verifies that the split DNS provider dispatches to the +// public or private provider as appropriate for the DNS zone. +func TestSplitDNSProvider(t *testing.T) { + var ( + // ch is a channel that is used in the fake public and private + // providers to record which one is called. + ch = make(chan string, 6) + // getResult reads and returns one item from ch, or returns the + // empty string if ch is empty. + getResult = func() string { + var result string + select { + case result = <-ch: + default: + } + return result + } + // publicProvider is a fake dns.Provider for the public zone. + publicProvider = newFakeProvider("public", ch) + // privateProvider is a fake dns.Provider for the private zone. + privateProvider = newFakeProvider("private", ch) + // publicZoneWithID is a public zone that is defined by ID. + publicZoneWithID = configv1.DNSZone{ID: "public_zone"} + // privateZoneWithID is a private zone that is defined by ID. + privateZoneWithID = configv1.DNSZone{ID: "private_zone"} + // publicZoneWithTags is a public zone that is defined by tags. + publicZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "public"}} + // privateZoneWithID is a private zone that is defined by tags. + privateZoneWithTags = configv1.DNSZone{Tags: map[string]string{"zone": "private"}} + ) + testCases := []struct { + name string + publicZone configv1.DNSZone + privateZone configv1.DNSZone + publishToZone configv1.DNSZone + expect string + }{ + { + name: "publish to public zone specified by id", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: publicZoneWithID, + expect: "public", + }, + { + name: "publish to private zone specified by id", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: privateZoneWithID, + expect: "private", + }, + { + name: "publish to public zone specified by tags", + publicZone: publicZoneWithTags, + privateZone: privateZoneWithID, + publishToZone: publicZoneWithTags, + expect: "public", + }, + { + name: "publish to private zone specified by tags", + publicZone: publicZoneWithTags, + privateZone: privateZoneWithTags, + publishToZone: privateZoneWithTags, + expect: "private", + }, + { + name: "publish to other zone should fall back to the public zone", + publicZone: publicZoneWithID, + privateZone: privateZoneWithID, + publishToZone: configv1.DNSZone{ID: "other_zone"}, + expect: "public", + }, + } + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + provider := splitdns.NewProvider(publicProvider, privateProvider, &tc.privateZone) + assert.NoError(t, provider.Ensure(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.NoError(t, provider.Replace(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.NoError(t, provider.Delete(&iov1.DNSRecord{}, tc.publishToZone)) + assert.Equal(t, tc.expect, getResult()) + assert.Empty(t, ch) + }) + } + +} + +var _ dns.Provider = &fakeProvider{} + +type fakeProvider struct { + name string + recorder chan string +} + +func (p *fakeProvider) Ensure(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} +func (p *fakeProvider) Delete(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} +func (p *fakeProvider) Replace(record *iov1.DNSRecord, zone configv1.DNSZone) error { + p.recorder <- p.name + return nil +} + +// newFakeProvider returns a new dns.Provider that records invocations. +func newFakeProvider(name string, ch chan string) dns.Provider { + return &fakeProvider{name, ch} +} diff --git a/pkg/manifests/bindata.go b/pkg/manifests/bindata.go index 03679de9d..654e02d1b 100644 --- a/pkg/manifests/bindata.go +++ b/pkg/manifests/bindata.go @@ -22,7 +22,7 @@ // manifests/00-cluster-role.yaml (3.661kB) // manifests/00-custom-resource-definition-internal.yaml (7.756kB) // manifests/00-custom-resource-definition.yaml (105.24kB) -// manifests/00-ingress-credentials-request.yaml (4.905kB) +// manifests/00-ingress-credentials-request.yaml (4.928kB) // manifests/00-namespace.yaml (508B) // manifests/0000_90_ingress-operator_00_prometheusrole.yaml (446B) // manifests/0000_90_ingress-operator_01_prometheusrolebinding.yaml (514B) @@ -546,7 +546,7 @@ func manifests00CustomResourceDefinitionYaml() (*asset, error) { return a, nil } -var _manifests00IngressCredentialsRequestYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\xdf\x6f\xdb\x36\x10\x7e\xf7\x5f\x41\xe8\xa5\x40\x01\xba\x0b\x86\x01\x03\xdf\x1c\x67\xeb\x06\xb4\x43\xe1\x6c\x2d\xb0\xb7\x13\x79\x56\x0e\xa5\x8e\x1a\x8f\x52\xb7\xfe\xf5\x03\x2d\x45\xb6\x2b\xcd\x59\x7e\x74\x08\xb2\xbc\x45\xbc\xef\xa8\xbb\xef\xbe\x2f\xf2\x41\x43\xef\x31\x0a\x05\x36\xca\xfa\xd0\x3a\x1b\xd1\x21\x27\x02\xbf\x0c\x0d\xb2\x5c\xd1\x36\x2d\x29\xbc\xea\xce\x16\x1f\x89\x9d\x51\xeb\x11\x20\x1b\xfc\xa3\x45\x49\x8b\x1a\x13\x38\x48\x60\x16\x4a\x79\x28\xd1\x4b\xfe\x4b\x29\x1b\x38\xc5\xe0\x3d\x46\x9d\x42\xf0\xb2\xfc\xf8\xbd\x2c\x29\x18\x55\x9c\x2d\xbf\x29\x16\x4a\x31\xd4\x68\xd4\xf8\x1e\x4d\x5c\x45\x14\x19\x22\xd2\x80\x3d\x0a\xef\x0a\xd4\xfb\x0a\x75\x68\x30\x42\x0a\x71\xa1\x14\x30\x87\x04\x89\x02\x0f\x2f\x27\xb6\xbe\x75\xb8\x8c\xe8\x11\x04\x8f\xbb\xa1\xb2\x1e\x6e\xab\x81\xa1\x42\x67\x54\x91\x62\x8b\xc5\xcd\xa9\x82\x7e\x7b\x9d\xa5\xaf\xa8\xba\xd2\xd0\x01\x79\x28\xc9\x53\xfa\xeb\x16\xf7\x10\x57\x1e\x35\x07\x87\xda\x61\x87\x3e\x37\x33\xa6\x4b\x83\x36\xf7\x21\x18\x3b\xb2\xb8\xb2\x36\xb4\x9c\x7e\xc9\xac\xe4\x63\xad\x06\xaa\x0e\x29\x10\xb4\x11\xd3\x06\xb7\x3d\x01\x3d\xb9\x5f\x72\x26\x63\x6c\x42\xef\xcc\x95\x4d\x0c\x1d\x39\x8c\x97\x43\x39\x4a\xdd\x46\x30\x19\xdf\x8b\x66\xf5\xe1\xf2\xdd\xc1\x55\xbb\x88\x24\x48\x58\x23\xa7\x1f\x38\x45\xc2\x61\x6c\x5a\xe1\x76\x8b\x36\x19\xb5\xf2\x3e\x7c\xda\x9d\x29\x05\x36\x4f\xd6\x0c\x4f\x5a\xa1\x07\x49\x64\x7d\x00\x57\x82\x07\xb6\xc4\x95\xb9\x40\xb1\x91\x4a\x7c\x13\xc0\x9d\xef\x4e\x31\xca\x98\x12\x43\x9b\xf0\xbb\x6f\xcd\x1b\x92\xf4\x53\x90\x84\xee\xf7\xc0\x38\x1f\xff\x15\x2a\xf9\x31\xc4\x0d\x4a\x68\xa3\x9d\x01\xad\xaf\x80\x2b\xbc\x8e\x6f\xd0\x86\xe8\x2e\x31\xed\x81\x09\x2a\xf3\x3a\x0f\xe3\xf8\x86\x38\x3c\x1b\x55\xbc\x2c\x16\x5a\xeb\xc5\xa3\x34\xa0\x86\xcf\x6d\xc4\x67\x1b\x3e\x39\x1b\xe6\xb1\x4e\x8c\x18\x83\xc7\x73\x62\x47\x5c\x8d\x26\xcc\x67\x46\xad\xb3\x7e\xa8\x6c\x73\x15\x8f\x57\xac\x95\x6d\x9e\xa5\xfa\xd4\xa4\xfa\x7a\xfd\x6e\x22\xd4\x26\x27\x6e\x89\xd1\x6d\x82\xc7\x23\xad\xca\x2b\xc7\xb2\x04\x57\x13\x7f\x1d\xa5\xfe\x93\xf8\xa8\xac\x77\xf7\xdf\x5e\x81\xd7\x03\x7b\x28\xc6\x7e\x3e\x7f\xbb\xce\xe0\x29\x6d\xc1\x93\xa5\x2f\xf8\xda\x7f\x4b\x0b\x1b\xd9\x74\x67\xa6\xf4\x2d\xd6\xf4\xa7\x69\xda\xd2\x93\x35\x04\xb5\x31\xc6\x0c\x72\xca\x84\x9b\xb7\x3b\x0d\xc7\xe2\x0e\xa9\x1b\x04\x77\xb7\xcc\x0f\x91\xd2\x3e\x13\x52\xff\x0f\xe9\xb0\x81\x7e\x34\xc5\x90\x94\x15\x7f\x8d\x56\xaa\x03\xdf\xe6\x20\x71\xc2\xc8\x98\xb4\x74\x56\x8a\xff\x31\x11\x8e\x65\xe4\xe0\xc1\xed\xff\x9f\x3a\xaf\x09\x9f\x30\x76\x77\x58\x16\xbe\x9a\xf1\x72\x41\xef\xa7\x3f\x74\x8f\xfd\x37\x11\xde\x3d\xc5\x77\x3f\x01\xde\x4f\x84\x73\x32\xbc\x59\x8a\x37\xf8\xf2\x99\xa0\xa7\xe9\x57\xf0\x54\x42\x09\x27\xbf\x96\x93\x0a\x1f\xda\xab\xab\xbe\x88\xf9\x0f\xe5\xfc\x46\x9a\xa7\x75\xbc\x7f\x0e\x67\x9e\x1c\x8b\x59\x39\x77\x11\x6a\x20\xee\xb7\xc0\x39\xc8\x6f\x8d\x83\x84\x37\xa1\x2e\xd0\xe3\xbf\x41\xf5\x4b\xee\x21\x4e\x46\xe0\xdc\xee\x7c\xb8\x75\xbe\x78\xf9\xe2\x64\x4f\x4d\x97\x3e\xe7\x8e\xf2\x6a\x3c\x53\xc3\x2e\xdc\x77\x73\x0a\xd1\x77\x72\x1a\xd1\x77\xb1\xc7\xc8\x69\x90\x9c\x6c\x66\xda\xf8\x83\x5b\xe5\xef\x00\x00\x00\xff\xff\xa9\x69\xe0\x68\x29\x13\x00\x00") +var _manifests00IngressCredentialsRequestYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\x4d\x6f\xdc\x46\x0c\xbd\xef\xaf\x18\xe8\x12\x20\x80\x36\x35\x8a\x02\xc5\xdc\xd6\xeb\x36\x2d\x90\x14\xc1\xba\x4d\x80\xde\xa8\x19\xae\x4c\x64\xc4\x51\x87\x94\xd2\xe6\xd7\x17\xb3\x92\xf7\xc3\xab\xae\xeb\x8f\x14\x81\xeb\x9b\x3d\x7c\x1c\x91\x8f\xef\x49\x4b\x68\xe9\x3d\x26\xa1\xc8\xd6\xb8\x10\x3b\xef\x12\x7a\x64\x25\x08\xf3\xd8\x22\xcb\x15\xad\x75\x4e\xf1\x55\x7f\x36\xfb\x48\xec\xad\x59\x6e\x01\xb2\xc2\x3f\x3a\x14\x9d\x35\xa8\xe0\x41\xc1\xce\x8c\x09\x50\x61\x90\xfc\x97\x31\x2e\xb2\xa6\x18\x02\xa6\x52\x63\x0c\x32\xff\xf8\xbd\xcc\x29\x5a\x53\x9c\xcd\xbf\x29\x66\xc6\x30\x34\x68\xcd\xf6\x39\x25\x71\x9d\x50\x64\x8c\x48\x0b\xee\x20\xbc\x29\xb0\xdc\x55\x58\xc6\x16\x13\x68\x4c\x33\x63\x80\x39\x2a\x28\x45\x1e\x1f\x4e\xec\x42\xe7\x71\x9e\x30\x20\x08\x1e\x76\x43\x55\x33\xde\xd6\x00\x43\x8d\xde\x9a\x42\x53\x87\xc5\xed\xa9\x82\x61\x7d\x9d\x55\x5e\x51\x7d\x55\x42\x0f\x14\xa0\xa2\x40\xfa\xd7\x1d\xee\x21\xae\x03\x96\x1c\x3d\x96\x1e\x7b\x0c\xb9\x99\x6d\xba\xb4\xe8\x72\x1f\x82\xa9\x27\x87\x0b\xe7\x62\xc7\xfa\x4b\x66\x25\x1f\x97\x66\xa4\x6a\x9f\x02\x41\x97\x50\x57\xb8\x1e\x08\x18\xc8\xbd\xc9\x99\x6c\x63\x47\xf4\x4e\x5c\xd9\xa6\xd8\x93\xc7\x74\x39\x96\x63\xcc\x5d\x04\x93\xf1\x83\x68\x16\x1f\x2e\xdf\xed\x5d\xb5\x89\x88\x82\x62\x83\xac\x3f\xb0\x26\xc2\x71\x6c\xa5\xc1\xf5\x1a\x9d\x5a\xb3\x08\x21\x7e\xda\x9c\x19\x03\x2e\x4f\xd6\x8e\xff\x95\x06\x03\x88\x92\x0b\x11\x7c\x05\x01\xd8\x11\xd7\xf6\x02\xc5\x25\xaa\xf0\x4d\x04\x7f\xbe\x39\xc5\x24\xdb\x94\x14\x3b\xc5\xef\xbe\xb5\x6f\x48\xf4\xa7\x28\x8a\xfe\xf7\xc8\x38\x1d\xff\x15\x6a\xf9\x31\xa6\x15\x4a\xec\x92\x9b\x00\x2d\xaf\x80\x6b\xbc\x8e\xaf\xd0\xc5\xe4\x2f\x51\x77\x40\x85\xda\xbe\xce\xc3\xb8\x79\x83\xa8\xd8\x85\x48\xd7\xe0\x2a\x06\x1c\x8f\xd3\x08\xb3\xa6\x78\x59\xcc\xca\xb2\x9c\x7d\x95\xbe\x2c\xe1\x73\x97\xf0\xd9\x9d\x4f\xce\x9d\x79\xac\x47\xfe\x4c\x31\xe0\x39\xb1\x27\xae\xb7\xde\xcc\x67\xd6\x2c\xb3\x7e\xa8\xea\x72\x15\x5f\xaf\x58\x6b\xd7\x3e\x4b\xf5\xa9\x49\xf5\xf5\xf2\xdd\x91\x50\xdb\x9c\xb8\x26\x46\x9f\x5f\xa9\x07\x5a\x95\x57\x9e\x65\x0e\xbe\x21\xfe\x32\x4a\xfd\x27\xf1\x51\xd5\x6c\xee\xbf\xbb\x02\xaf\x07\xf6\x58\x8c\xfd\x7c\xfe\x76\x99\xc1\xc7\xb4\xc5\x40\x8e\x6e\xf0\xb5\xfb\xc4\x16\x2e\xb1\xed\xcf\x6c\x15\x3a\x6c\xe8\x4f\xdb\x76\x55\x20\x67\x09\x1a\x6b\xad\x1d\xe5\x94\x09\xb7\x6f\x37\x1a\x4e\xc5\x3d\x52\x57\x08\xfe\x7e\x99\x1f\x12\xe9\x2e\x13\x74\x78\x21\xed\x37\x30\x8c\xa6\x18\x93\xb2\xe2\xaf\xd1\xc6\xf4\x10\xba\x1c\x24\x56\x4c\x8c\x5a\x4a\xef\xa4\xf8\x1f\x13\xe1\x59\xb6\x1c\x3c\xba\xfd\xff\x53\xe7\xb5\xf1\x13\xa6\xfe\x1e\x3b\xc4\x17\x33\x5e\x2e\xe8\xfd\xf1\xef\xdf\x43\xff\x1d\x09\xef\x81\xe2\x7b\x98\x00\x1f\x26\xc2\x29\x19\xde\x2e\xc5\x5b\x7c\xf9\x4c\xd0\xd3\xf4\x2b\x04\xaa\xa0\x82\x93\x5f\xcb\xa3\x0a\x1f\xdb\xab\x8b\xa1\x88\xe9\x0f\xe5\xf4\xa2\x9a\xa7\x75\xb8\x96\x8e\x67\x81\x3c\x8b\x5d\x78\x7f\x11\x1b\x20\x1e\x96\xc3\x29\xc8\x6f\xad\x07\xc5\xdb\x50\x17\x18\xf0\xdf\xa0\x86\xdd\x77\x1f\x27\x5b\xe0\xd4\x4a\xbd\xbf\x75\xbe\x78\xf9\xe2\x64\x4f\x6d\xaf\x9f\x73\x47\x79\x63\x9e\xa8\x61\x13\x1e\xba\x39\x85\x18\x3a\x39\x8d\x18\xba\xd8\x61\xe4\x34\x48\x4e\x36\x73\xdc\xf8\xa3\x5b\xe5\xef\x00\x00\x00\xff\xff\xa8\xfc\x88\x32\x40\x13\x00\x00") func manifests00IngressCredentialsRequestYamlBytes() ([]byte, error) { return bindataRead( @@ -561,8 +561,8 @@ func manifests00IngressCredentialsRequestYaml() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "manifests/00-ingress-credentials-request.yaml", size: 4905, mode: os.FileMode(420), modTime: time.Unix(1, 0)} - a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xa2, 0xe6, 0x7c, 0x7, 0x90, 0x9c, 0xd5, 0xcf, 0xe2, 0x46, 0x63, 0x83, 0xd, 0x38, 0x92, 0x27, 0x20, 0x80, 0xa1, 0xe9, 0x70, 0x7f, 0xd4, 0x8f, 0x6f, 0xbc, 0x8b, 0xc3, 0xad, 0xd2, 0x59, 0x9e}} + info := bindataFileInfo{name: "manifests/00-ingress-credentials-request.yaml", size: 4928, mode: os.FileMode(420), modTime: time.Unix(1, 0)} + a := &asset{bytes: bytes, info: info, digest: [32]uint8{0xca, 0x11, 0xd4, 0x75, 0x74, 0x68, 0x36, 0xb9, 0x31, 0x15, 0x12, 0x9f, 0x86, 0xf6, 0x7b, 0xc4, 0xbb, 0xa2, 0xe9, 0x42, 0xcd, 0xef, 0x65, 0xb0, 0x7a, 0x9a, 0x5d, 0x6d, 0x25, 0x41, 0x9f, 0x8e}} return a, nil } diff --git a/pkg/operator/controller/dns/controller.go b/pkg/operator/controller/dns/controller.go index b53e17520..c81949081 100644 --- a/pkg/operator/controller/dns/controller.go +++ b/pkg/operator/controller/dns/controller.go @@ -22,6 +22,7 @@ import ( ibm "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm" ibmprivatedns "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm/private" ibmpublicdns "github.com/openshift/cluster-ingress-operator/pkg/dns/ibm/public" + splitdns "github.com/openshift/cluster-ingress-operator/pkg/dns/split" logf "github.com/openshift/cluster-ingress-operator/pkg/log" "github.com/openshift/cluster-ingress-operator/pkg/manifests" "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" @@ -112,6 +113,9 @@ type Config struct { DNSRecordNamespaces []string OperatorReleaseVersion string AzureWorkloadIdentityEnabled bool + // PrivateHostedZoneAWSEnabled indicates whether the "SharedVPC" feature gate is + // enabled. + PrivateHostedZoneAWSEnabled bool } type reconciler struct { @@ -664,7 +668,21 @@ func (r *reconciler) createDNSProvider(dnsConfig *configv1.DNS, platformStatus * if err != nil { return nil, fmt.Errorf("failed to create AWS DNS manager: %v", err) } - dnsProvider = provider + var roleARN string + if dnsConfig.Spec.Platform.AWS != nil { + roleARN = dnsConfig.Spec.Platform.AWS.PrivateZoneIAMRole + } + if roleARN != "" && r.config.PrivateHostedZoneAWSEnabled { + cfg := cfg + cfg.RoleARN = roleARN + privateProvider, err := awsdns.NewProvider(cfg, r.config.OperatorReleaseVersion) + if err != nil { + return nil, fmt.Errorf("failed to create AWS DNS manager for shared VPC: %v", err) + } + dnsProvider = splitdns.NewProvider(provider, privateProvider, dnsConfig.Spec.PrivateZone) + } else { + dnsProvider = provider + } case configv1.AzurePlatformType: environment := platformStatus.Azure.CloudName if environment == "" { diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index 6c87a997b..7e19fcf3f 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -128,6 +128,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro return nil, err } azureWorkloadIdentityEnabled := featureGates.Enabled(configv1.FeatureGateAzureWorkloadIdentity) + sharedVPCEnabled := featureGates.Enabled(configv1.FeatureGatePrivateHostedZoneAWS) gatewayAPIEnabled := featureGates.Enabled(configv1.FeatureGateGatewayAPI) // Set up an operator manager for the operator namespace. @@ -244,6 +245,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro }, OperatorReleaseVersion: config.OperatorReleaseVersion, AzureWorkloadIdentityEnabled: azureWorkloadIdentityEnabled, + PrivateHostedZoneAWSEnabled: sharedVPCEnabled, }); err != nil { return nil, fmt.Errorf("failed to create dns controller: %v", err) }