docs/user/aws/install_upi: Explain DNS-zone lookup #2420
Conversation
openshift-ci-robot
added
the
size/M
openshift-ci-robot
added
the
approved
wking
force-pushed
the
aws-dns-shared-private-zone
branch
2 times, most recently
from
5087891 to
4def045
Compare
|
/test e2e-aws-upi |
|
UPI failed with: Which makes sense for "ingress couldn't find the internal zone", because we haven't patched the CI template to add the new Python. |
Also let's keep in mind these UPI templates are reference only we don't have to keep all the knobs.. so i would need this PR to make a stronger case of changing this example for enhancement as this is definitely not a bug fix. |
I'm not adding a new knob to a template, I'm changing to a new hard-coded value that is more appropriate for UPI.
My initial motivation is supporting the UPI approach shuffle here, where we're actually trying to plug a cluster into preexisting infrastructure (instead of having the advantage of being able to call This PR also lets us drop the previous Configure Router for UPI section which showed the DNS config but didn't suggest any user actions to take based on its output, and I think getting rid of that section is an improvement. |
why the pre-existing Private Zone in the templates themselves..
^^ why? we can have our CI (or reference) use a per cluster private dns zone resource |
the cluster operator fails because not the template needs to provide the DNS records compared to the ingress-operator. So this is not improvement, rather changing behavior. |
…i-e2e: Update AWS private Route 53 discovery We shouldn't assume folks will have a private zone they can dedicate to the sole use of the new cluster. This commit applies the manifest update suggested in [1], and uses 'sed' to update the CloudFormation template even for older installer branches that don't have the template change from [1]. [1]: openshift/installer#2420
|
I am okay if we want to document how to let ingress controller control DNS records in a private zone of the user. but changing the UPI template to use shared is not the correct path, as the UPI is one reference and it's fine if we choose to let ingress-operator control the private zone created for the cluster. |
|
IMHO we should document only two options... 1) create a new one via templates (and own it) or b) |
wking
force-pushed
the
aws-dns-shared-private-zone
branch
from
4def045 to
fbceb82
Compare
Done in 4def0457b -> fbceb82b5.
This also makes sense to me. But I expect "I'm providing a private zone, here's it's ID" to be more common than "I'm providing a private zone, and I've conveniently tagged it with the |
|
The doc addition is fine.
I am a hard No on increasing the complexity of our UPI reference and tests anymore on this specific case. |
wking
force-pushed
the
aws-dns-shared-private-zone
branch
from
fbceb82 to
77e7c28
Compare
wking
changed the title
I still think "reference by ID" is simpler than "add the |
|
|
||
| #### Identify the internal DNS zone | ||
|
|
||
| If you want [the ingress operator][ingress-operator] to manage DNS records on your behalf, adjust the `privateZone` section in the DNS configuration to identify the zone it should use. |
There was a problem hiding this comment.
AFAIK ingress-operator adds the dns records to for clusterdomain only. Can it handle any other?
There was a problem hiding this comment.
AFAIK ingress-operator adds the dns records to for clusterdomain only.
Ingress is filling DNSRecord requests. In most cases now this is just going to be the default-wildcard record, and I dropped an example YAML dump of that into the 14e0691 commit message for the curious ;). But folks pushing new DNSRecords will probably get them filled, because I don't think the ingress operator has (or should have) guards about which DNSRecords it should or should not fill. If you're authorized to push a DNSRecord where ingress is looking, you should get it filled.
There was a problem hiding this comment.
But in case where the private dns zone id is for not-clusterdomain. then the DNSRecord created by default would fail right.
There was a problem hiding this comment.
But in case where the private dns zone id is for
not-clusterdomain. then the DNSRecord created by default would fail right.
Ah, probably. Although it depends on the zone domains. So you could have an example.com zone, and Ingress could create an a.example.com record even if your cluster was c.d.e.example.com (I think ;). But yeah, I expect it would fail to create example.edu. Does that matter? We aren't telling them to create DNSRecords here, we're just telling them how to feed zones to the ingress operator, which can have its own docs about what it can and cannot support.
wking
changed the title
We shouldn't assume folks will have a private zone they can dedicate to the sole use of the new cluster. This commit talks users through adjusting their DNS configuration to consume an existing zone with arbitrary identification. I'd like to drop the owned tag from 01_vpc.yaml, but that's been contentious [1]. I'm punting in this commit so we can get the consensus doc change landed. [1]: openshift#2420 (comment)
wking
force-pushed
the
aws-dns-shared-private-zone
branch
from
77e7c28 to
639c38e
Compare
|
@wking: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jstuever, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
We shouldn't assume folks will have a private zone they can dedicate to the sole use of the new cluster. This commit talks users through adjusting their DNS configuration to consume an existing zone with arbitrary identification. I'd like to drop the owned tag from 01_vpc.yaml, but that's been contentious [1]. I'm punting in this commit so we can get the consensus doc change landed. [1]: openshift#2420 (comment)
We shouldn't assume folks will have a private zone they can dedicate to the sole use of the new cluster. This pull-request talks users through adjusting their DNS configuration to consume an existing private zone with arbitrary identification.
CC @ewolinetz, @kalexand-rh