Uploaded image for project: 'Network Edge'
  1. Network Edge
  2. NE-1340

Backport 4.13: Ingress Operator support preexisting Route53 for Shared VPC clusters

XMLWordPrintable

    • Support preexisting Route53 for Shared VPC clusters
    • BU Product Work
    • False
    • None
    • False
    • Green
    • To Do
    • OCPSTRAT-659 - [Backport 4.13] Support preexisting Route53 for Shared VPC clusters
    • OCPSTRAT-659[Backport 4.13] Support preexisting Route53 for Shared VPC clusters
    • 0% To Do, 0% In Progress, 100% Done
    • 0
    • 0

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic —

      Links:

      Enhancement PR: https://github.com/openshift/enhancements/pull/1397 

      API PR: https://github.com/openshift/api/pull/1460 

      Ingress  Operator PR: https://github.com/openshift/cluster-ingress-operator/pull/928 

      Background

      Feature Goal: Support OpenShift installation in AWS Shared VPC scenario where AWS infrastructure resources (at least the Private Hosted Zone) belong to an account separate from the cluster installation target account.

      The ingress operator is responsible for creating DNS records in AWS Route53 for cluster ingress. Prior to the implementation of this epic, the ingress operator doesn't have the capability to add DNS records into an existing Route 53 hosted zone in the shared VPC.

      Epic Goal

      • Add support to the ingress operator for creating DNS records in preexisting Route53 private hosted zones for Shared VPC clusters

      Non-Goals

      • Ingress operator support for day-2 operations (i.e. changes to the AWS IAM Role value after installation)  
      • E2E testing (will be handled by the Installer Team) 

      Design

      As described in the WIP PR https://github.com/openshift/cluster-ingress-operator/pull/928, the ingress operator will consume a new API field that contains the IAM Role ARN for configuring DNS records in the private hosted zone. If this field is present, then the ingress operator will use this account to create all private hosted zone records. The API fields will be described in the Enhancement PR.

      The ingress operator code will accomplish this by defining a new provider implementation that wraps two other DNS providers, using one of them to publish records to the public zone and the other to publish records to the private zone.

      External DNS Operator Impact

      See NE-1299

      AWS Load Balancer Operator (ALBO) Impact

      See NE-1299

      Why is this important?

      • Without this ingress operator support, OpenShift users are unable to create DNS records in a preexisting Route53 private hosted zone which means OpenShift users can't share the Route53 component with a Shared VPC
      • Shared VPCs are considers AWS best practice

      Scenarios

      1. ...

      Acceptance Criteria

      • Unit tests must be written and automatically run in CI (E2E tests will be handled by the Installer Team)
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • Ingress Operator creates DNS Records in preexisting Route53 private hosted zones for shared VPC Clusters
      • Network Edge Team has reviewed all of the related enhancements and code changes for Route53 in Shared VPC Clusters

      Dependencies (internal and external)

      1. Installer Team is adding the new API fields required for enabling sharing Route53 with in Shared VPCs in https://issues.redhat.com/browse/CORS-2613
      2. Testing this epic requires having access to two AWS account

      Previous Work (Optional):

      1. Significant discussion was done in this thread: https://redhat-internal.slack.com/archives/C68TNFWA2/p1681997102492889?thread_ts=1681837202.378159&cid=C68TNFWA2
      1. Slack channel #tmp-xcmbu-114

      Open questions:

      1.  

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

       

              gspence@redhat.com Grant Spence
              mfisher1@redhat.com Michael Fisher
              Miciah Masters
              Melvin Joseph Melvin Joseph
              Dan Chadwick Dan Chadwick
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: