OpenShift Bugs: OCPBUGS-44630

Shared VPC: Control plane operator fails to create DNS entries in local zone when local zone exists in the cluster account


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • 4.17.z, 4.18
    • HyperShift
    • Important
    • Rejected
    • False
      Previously, when you created a hosted cluster by using a shared VPC where the private DNS hosted zones existed in the cluster creator account, the private link controller failed to create the Route 53 DNS records in the local zone, because it assumed the same role for both VPC endpoint creation and private zone record creation. With this release, the private link controller uses the ingress shared role to add records to the private zone, and uses the VPC endpoint shared role only to create the VPC endpoint in the VPC owner account. As a result, a hosted cluster can be created in a shared VPC configuration where the private hosted zones exist in the cluster creator account.
      ====
      *Cause*: Create a hosted cluster using a shared VPC in which the private DNS hosted zones exist in the cluster creator account.
      *Consequence*: The private link controller fails to create the Route 53 DNS records in the local zone because it assumes the same role for both VPC endpoint creation and private zone record creation.
      *Fix*: Use the ingress shared role to add records to the private zone in the private link controller, and use the VPC endpoint shared role only to create the VPC endpoint in the VPC owner account.
      *Result*: A hosted cluster can be created in a shared VPC configuration in which the private hosted zones exist in the cluster creator account.
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-44476. The following is the description of the original issue:

      Description of problem:

          When hosted zones are created in the cluster creator account, and the ingress role is a role in the cluster creator account, the private link controller fails to create DNS records in the local zone.

      Version-Release number of selected component (if applicable):

          4.18

      How reproducible:

          Always

      Steps to Reproduce:

          1. Set up shared VPC infrastructure in which the hosted zone and local zone exist in the cluster creator account.
          2. Create a hosted cluster.

      Actual results:

          The hosted cluster never gets nodes to join because it is missing records in the local hosted zone.

      Expected results:

          The hosted cluster completes installation with available nodes.

      Additional info:

          Creating the hosted zones in the cluster creator account is an alternative way of setting up shared VPC infrastructure. In this mode, the role to assume for creating DNS records is a role in the cluster creator account and not in the VPC account.
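The role split described in the Fix above and in this Additional info, as an added Go example that is not HyperShift's own code: a constructed model in which a private hosted zone accepts record changes only from credentials of its owning account, so reusing the VPC endpoint role for DNS is denied while the ingress shared role succeeds. Role ARNs, account IDs and the zone ID are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample values; real role ARNs and zone IDs are specific to a hosted cluster.
const (
	ClusterAccount    = "222222222222"
	VPCEndpointRole   = "arn:aws:iam::111111111111:role/vpc-endpoint-shared-role" // VPC owner account
	IngressSharedRole = "arn:aws:iam::222222222222:role/ingress-shared-role"      // cluster creator account
)

// SharedVPCRoles holds the two roles the report distinguishes.
type SharedVPCRoles struct {
	VPCEndpointRoleARN string // assumed only to create the VPC endpoint in the VPC owner account
	IngressRoleARN     string // assumed in the account that owns the private hosted zones
}

// HostedZone models a Route 53 private zone by the account that owns it.
type HostedZone struct{ ID, OwnerAccount string }

// accountOf extracts the 12-digit account ID from an IAM role ARN (arn:aws:iam::<account>:role/...).
func accountOf(roleARN string) string {
	parts := strings.Split(roleARN, ":")
	if len(parts) < 6 {
		return ""
	}
	return parts[4]
}

// createRecord stands in for Route 53 ChangeResourceRecordSets: a private zone accepts writes
// only from credentials of its owning account, which is the boundary the controller ran into.
func createRecord(zone HostedZone, roleARN string) error {
	if accountOf(roleARN) != zone.OwnerAccount {
		return fmt.Errorf("AccessDenied: %s cannot change records in zone %s (owner %s)", roleARN, zone.ID, zone.OwnerAccount)
	}
	return nil
}

// ReconcileDNS is the fixed behaviour: local zone records always go through the ingress shared role.
func ReconcileDNS(roles SharedVPCRoles, zone HostedZone) error { return createRecord(zone, roles.IngressRoleARN) }

// ReconcileDNSBuggy reproduces the reported behaviour: the VPC endpoint role is reused for DNS.
func ReconcileDNSBuggy(roles SharedVPCRoles, zone HostedZone) error { return createRecord(zone, roles.VPCEndpointRoleARN) }
```

With the zone owned by the cluster creator account, ReconcileDNSBuggy returns the AccessDenied error and ReconcileDNS returns nil.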

              cewong@redhat.com Cesar Wong
              openshift-crt-jira-prow OpenShift Prow Bot
              Jie Zhao Jie Zhao