From 0387a9698b7a79c1894b0a74bd220d43add03a0c Mon Sep 17 00:00:00 2001 From: Grant Spence Date: Mon, 3 Jul 2023 17:09:58 -0400 Subject: [PATCH] NE-1325: External DNS Operator support for Shared VPCs Update the aws-cross-account-dns-zone.md enhancement to include details on how we are updating the External DNS Operator to support cross account DNS record creation in AWS shared VPCs. --- .../installer/aws-cross-account-dns-zone.md | 51 +++++++++++++++++-- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/enhancements/installer/aws-cross-account-dns-zone.md b/enhancements/installer/aws-cross-account-dns-zone.md index 1a63f5402e3..36a3f008ac0 100644 --- a/enhancements/installer/aws-cross-account-dns-zone.md +++ b/enhancements/installer/aws-cross-account-dns-zone.md @@ -139,8 +139,6 @@ type AWSDNSSpec struct { ``` -The name of the field is discussed further in open questions. - #### Install Config `platform.aws.hostedZoneRole` would be added to complement the existing `platform.aws.hostedZone` field. 
@@ -162,9 +160,31 @@ platform: hostedZone: Z00147933I3NWOQ6M4699 hostedZoneRole: arn:aws:iam:::role/ ``` -Please see Open Questions for further discussion of the install config. +### API: External DNS Operator + +This enhancement also extends [External DNS Operator](https://github.com/openshift/external-dns-operator), an add-on +operator deployable using Operator Lifecycle Manager (OLM), to support cross-account DNS zones in AWS. We extend the +`ExternalDNS` API object by adding the field `RoleARN` to `ExternalDNSAWSProviderOptions` struct (`spec.provider.aws`). +Refer to [`externaldns_types.go`](https://github.com/openshift/external-dns-operator/blob/main/api/v1beta1/externaldns_types.go) +for the existing API structure of the `ExternalDNS` object. These API updates are purely additive and, therefore, +represent a non-breaking, backwards-compatible change. + +```go +type ExternalDNSAWSProviderOptions struct { + [...] + // RoleARN contains the ARN of a IAM role that will be assumed when using the AWS API. + // It provides the ability to use a hosted zone in another AWS account. + // + // +kubebuilder:validation:Optional + // +kubebuilder:validation:Pattern:=`^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$` + // +optional + RoleARN *string `json:"roleARN,omitempty"` + [...] +} +``` +See [External DNS Operator Details](#External-DNS-Operator-Details) for more implementation details. ### Implementation Details/Notes/Constraints [optional] 
@@ -218,6 +238,28 @@ An example IAM Trust Policy: ``` +#### External DNS Operator Details + +Prior to this enhancement, the [External DNS Operator API](https://github.com/openshift/external-dns-operator/blob/main/api) +did not allow users to configure an AWS role ARN field. As a result, there wasn't a supported way to use the External +DNS Operator to create DNS records in another AWS account within a shared VPC. + +The External DNS Operator configures and runs the [External DNS](https://github.com/openshift/external-dns) binary. +Conveniently, External DNS already supports the [`--aws-assume-role`](https://github.com/openshift/external-dns/blob/fe00b4b83c2263282a9068655e8e3fbbc167b653/docs/faq.md#can-external-dns-manageaddremove-records-in-a-hosted-zone-which-is-setup-in-different-aws-account) +argument, which uses the specified AWS role ARN when creating new DNS records. Therefore, to support shared VPCs with +the External DNS Operator, we update the [API](#API-External-DNS-Operator) to expose the `--aws-assume-role` argument +for the External DNS binary. + +By design, External DNS can update both public and private DNS zones using credentials that the cluster-admin provides. +Therefore, External DNS Operator users are able to use the new [API](#API-External-DNS-Operator) to update both public +and private DNS zones in other accounts, provided the role ARN has appropriate permissions. + +More details on using a role ARN to create DNS records in another AWS account will be documented in External DNS +Operator's [Docs](https://github.com/openshift/external-dns-operator/tree/main/docs). + +Note that External DNS Operator updates are asynchronous to OpenShift's standard release of OpenShift Container +Platform. Therefore, any updates to External DNS Operator are considered out of payload. + ### Risks and Mitigations Add-on operators needing permissions will not work unless updated to use the role ARN. 
@@ -235,6 +277,9 @@ platform dependencies in this config, but it should be carefully considered. An e2e test will be setup which utilizes both AWS CI accounts. +For the External DNS Operator, we will add e2e tests utilizing both AWS CI accounts using the RoleARN to create DNS +records. + ### Graduation Criteria This functionality is targeted for 4.14 GA and for backporting to previous releases.
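Review bot: Removing the pointer to Open Questions for the field name in the first hunk (and the matching install-config pointer "Please see Open Questions for further discussion of the install config." in the second) leaves the Open Questions section itself untouched by this patch; confirm that section no longer lists `hostedZoneRole` or the install config as open, otherwise the document now contradicts itself.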
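Review bot: In the `### API: External DNS Operator` hunk, the validation pattern `^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$` requires a 12-digit account ID, yet the install-config example in the same hunk's context shows `hostedZoneRole: arn:aws:iam:::role/` with neither account ID nor role name (possibly lost placeholders); show a complete example value so readers see what the pattern accepts. Two smaller points: the cross-references `#External-DNS-Operator-Details` and `#API-External-DNS-Operator` are mixed case while the anchors GitHub generates for those headings are `#external-dns-operator-details` and `#api-external-dns-operator`, so use the generated form; and the field comment should read "an IAM role" rather than "a IAM role".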
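Review bot: In the `#### External DNS Operator Details` hunk, "provided the role ARN has appropriate permissions" covers only half of the cross-account setup: the role in the zone-owning account must also carry a trust policy that names the principal whose credentials the operator runs with, otherwise the `--aws-assume-role` call fails at `sts:AssumeRole` before any record is written. Since the section sits directly under "An example IAM Trust Policy:", add a sentence stating which principal External DNS Operator assumes the role as and pointing at that policy. The trailing "Risks and Mitigations" context should also gain a line for the new API: because External DNS can update both public and private zones in the other account, the assumed role should be scoped to the specific hosted zone(s) it needs (Route 53 record-change permissions on those zone ARNs only), so a compromised or misconfigured operator cannot alter other records in the target account.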
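Review bot: The e2e plan in the last hunk describes only the success path ("using the RoleARN to create DNS records"); add a negative case, a `roleARN` that the validation pattern rejects and a role whose trust policy does not include the operator's principal, asserting that the failure is reported on the `ExternalDNS` resource rather than leaving records silently uncreated, since that is the failure mode an operator running in a shared VPC will actually hit.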