NE-1325: External DNS Operator support for Shared VPCs
Update the aws-cross-account-dns-zone.md enhancement to include
details on how we are updating the External DNS Operator to support
cross account DNS record creation in AWS shared VPCs.
gcs278 committed Jul 7, 2023
1 parent 15cfd89 commit 0387a96
Showing 1 changed file with 48 additions and 3 deletions.
51 changes: 48 additions & 3 deletions enhancements/installer/aws-cross-account-dns-zone.md
Expand Up @@ -139,8 +139,6 @@ type AWSDNSSpec struct {

```

The name of the field is discussed further in open questions.

#### Install Config

`platform.aws.hostedZoneRole` would be added to complement the existing `platform.aws.hostedZone` field.
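Review bot: this region shrinks from 8 lines to 6, so confirm that the surviving sentence "The name of the field is discussed further in open questions." still points at an Open Questions entry that exists after the trim, and refer to that section by its heading (or link it) the same way the Install Config text does with "Please see Open Questions".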
Expand All @@ -162,9 +160,31 @@ platform:
hostedZone: Z00147933I3NWOQ6M4699
hostedZoneRole: arn:aws:iam::<account-a>:role/<role-name>
```
Please see Open Questions for further discussion of the install config.
### API: External DNS Operator
This enhancement also extends [External DNS Operator](https://github.com/openshift/external-dns-operator), an add-on
operator deployable using Operator Lifecycle Manager (OLM), to support cross-account DNS zones in AWS. We extend the
`ExternalDNS` API object by adding the field `RoleARN` to `ExternalDNSAWSProviderOptions` struct (`spec.provider.aws`).
Refer to [`externaldns_types.go`](https://github.com/openshift/external-dns-operator/blob/main/api/v1beta1/externaldns_types.go)
for the existing API structure of the `ExternalDNS` object. These API updates are purely additive and, therefore,
represent a non-breaking, backwards-compatible change.

```go
type ExternalDNSAWSProviderOptions struct {
[...]
// RoleARN contains the ARN of a IAM role that will be assumed when using the AWS API.
// It provides the ability to use a hosted zone in another AWS account.
//
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$`
// +optional
RoleARN *string `json:"roleARN,omitempty"`
[...]
}
```

See [External DNS Operator Details](#External-DNS-Operator-Details) for more implementation details.

### Implementation Details/Notes/Constraints [optional]

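Review bot: the `RoleARN` validation pattern `^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$` accepts an empty role name after `role/` and any characters after it, including whitespace, so a malformed ARN is only rejected when AssumeRole fails at runtime; tighten the tail to the IAM role path/name character set (for example `role\/[\w+=,.@\/-]+$`) so bad values are refused at admission, and check the partition list against the partitions the operator is expected to run in. Smaller points in the same hunk: the doc comment should read "an IAM role", the mixed-case anchors `#External-DNS-Operator-Details` and `#API-External-DNS-Operator` should be verified to resolve in the rendered markdown, and a blank line is missing between the closing fence, "Please see Open Questions ...", and the "### API: External DNS Operator" heading.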
Expand Down Expand Up @@ -218,6 +238,28 @@ An example IAM Trust Policy:

```

#### External DNS Operator Details

Prior to this enhancement, the [External DNS Operator API](https://github.com/openshift/external-dns-operator/blob/main/api)
did not allow users to configure an AWS role ARN field. As a result, there wasn't a supported way to use the External
DNS Operator to create DNS records in another AWS account within a shared VPC.

The External DNS Operator configures and runs the [External DNS](https://github.com/openshift/external-dns) binary.
Conveniently, External DNS already supports the [`--aws-assume-role`](https://github.com/openshift/external-dns/blob/fe00b4b83c2263282a9068655e8e3fbbc167b653/docs/faq.md#can-external-dns-manageaddremove-records-in-a-hosted-zone-which-is-setup-in-different-aws-account)
argument, which uses the specified AWS role ARN when creating new DNS records. Therefore, to support shared VPCs with
the External DNS Operator, we update the [API](#API-External-DNS-Operator) to expose the `--aws-assume-role` argument
for the External DNS binary.

By design, External DNS can update both public and private DNS zones using credentials that the cluster-admin provides.
Therefore, External DNS Operator users are able to use the new [API](#API-External-DNS-Operator) to update both public
and private DNS zones in other accounts, provided the role ARN has appropriate permissions.

More details on using a role ARN to create DNS records in another AWS account will be documented in External DNS
Operator's [Docs](https://github.com/openshift/external-dns-operator/tree/main/docs).

Note that External DNS Operator updates are asynchronous to OpenShift's standard release of OpenShift Container
Platform. Therefore, any updates to External DNS Operator are considered out of payload.

### Risks and Mitigations

Add-on operators needing permissions will not work unless updated to use the role ARN.
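Review bot: the External DNS Operator Details section says the feature works "provided the role ARN has appropriate permissions" but does not state the two sides of the trust that make cross-account AssumeRole succeed: the credentials the operator hands to the External DNS binary must be permitted to call `sts:AssumeRole` on the target role, and the target role's trust policy in the other account (the kind shown in the IAM Trust Policy example this hunk follows) must name that principal. Spell both out here, and since the text notes that External DNS can then modify both public and private zones in the other account, recommend scoping the role's Route 53 permissions to the specific hosted zone(s) rather than account-wide record changes; that least-privilege guidance belongs under Risks and Mitigations as well.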
Expand All @@ -235,6 +277,9 @@ platform dependencies in this config, but it should be carefully considered.

An e2e test will be setup which utilizes both AWS CI accounts.

For the External DNS Operator, we will add e2e tests utilizing both AWS CI accounts using the RoleARN to create DNS
records.

### Graduation Criteria

This functionality is targeted for 4.14 GA and for backporting to previous releases.
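Review bot: the added External DNS Operator e2e test covers only the happy path; add a negative case (a `RoleARN` the cluster credentials are not trusted to assume, and one that the validation pattern should reject) so that a misconfigured role produces a visible, deterministic failure rather than records silently not appearing in the other account.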
