feat: support webhook provider in Chart #4032

mloiseleur · 2023-11-10T13:47:12Z

Description

Adds support to the Helm chart for running a webhook provider as a sidecar.
Fixes #4025
Alternative implementation of #3966.

Checklist

End user documentation updated

mloiseleur · 2023-11-10T13:55:38Z

@stevehipwell @johngmyers I submit this alternative implementation in the hope to find an agreement between your two positions.

I have tried to make this PR:

Follows current API
Avoid extraneous parameters

It tries to reuse as much as possible from main container:

Same Secret, since it's possible to set multiple files into the same Secret
Same readinessProbe & livenessProbe

It's breaking because now, with webhook provider, a provider can have specific args, env, securityContext and so on...

For the probes, I noticed that ionos and adguard uses /health instead of /healthz
@akrieg-ionos @muhlba91 What do you think about unifying probes path of your providers under /healthz ?

muhlba91 · 2023-11-10T14:43:55Z

sounds good to me, and it makes it easier for users to switch providers.

i suggest we also add this in https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/webhook-provider.md as kind of a convention that if a health endpoint is provided by the provider it should listen to /healthz?

stevehipwell · 2023-11-10T17:47:29Z

@mloiseleur I like this approach, I do have a couple of comments/questions.

How would this work with an external webhook provider?
Could we not make this a breaking change by supporting provider: <NAME> with a type test?

mloiseleur · 2023-11-11T10:06:03Z

How would this work with an external webhook provider?

For instance, on _ionos_

with those values:

provider:
  name: ionos
  env:
    - name: LOG_LEVEL
      value: debug
    - name: IONOS_API_KEY
      valueFrom:
        secretKeyRef:
          name: ionos-credentials
          key: api-key
    - name: SERVER_HOST
      value: "0.0.0.0"
    - name: IONOS_DEBUG
      value: "true"

It produces this output

      [...]
      containers:
        - name: external-dns
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
          image: registry.k8s.io/external-dns/external-dns:v0.13.6
          imagePullPolicy: IfNotPresent
          args:
            - --log-level=info
            - --log-format=text
            - --interval=1m
            - --source=service
            - --source=ingress
            - --policy=upsert-only
            - --registry=txt
            - --provider=webhook
          ports:
            - name: http
              protocol: TCP
              containerPort: 7979
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
        - name: ionos
          image: ghcr.io/ionos-cloud/external-dns-ionos-webhook:v0.6.0
          imagePullPolicy: IfNotPresent
          env:
            - name: LOG_LEVEL
              value: debug
            - name: IONOS_API_KEY
              valueFrom:
                secretKeyRef:
                  key: api-key
                  name: ionos-credentials
            - name: SERVER_HOST
              value: 0.0.0.0
            - name: IONOS_DEBUG
              value: "true"
          ports:
            - name: http
              protocol: TCP
              containerPort: 8888
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5

Could we not make this a breaking change by supporting provider: <NAME> with a type test?

There is an implementation without breaking change through e00eb22. It makes the code more complex.

charts/external-dns/templates/_helpers.tpl

stevehipwell · 2023-11-11T20:31:31Z

@mloiseleur an external webhook provider would be one running at a URL (separate pod or external to cluster etc) so would only need the args and not the sidecar container.

johngmyers · 2023-11-14T05:20:15Z

A webhook outside the pod is explicitly not supported. That would require external-dns to support authenticating to the webhook, otherwise attackers could make changes to DNS by making requests directly to the webhook.

charts/external-dns/templates/_helpers.tpl

charts/external-dns/templates/deployment.yaml

johngmyers · 2023-11-14T05:38:56Z

charts/external-dns/templates/deployment.yaml

+          volumeMounts:
+            {{- if $.Values.secretConfiguration.enabled }}
+            - name: secrets
+              mountPath: {{ tpl $.Values.secretConfiguration.mountPath $ }}


Secrets should not be shared across the main container and sidecar. They should only be readable to containers that need them in order to reduce the risk of compromise. Most of the time (when running a webhook provider) only the webhook sidecar will need secrets, though there are a few obscure sources that could need secrets.

Most of the time (when running a webhook provider) only the webhook sidecar will need secrets.

Oh That's right !
🤔 Wdyt then about mounting the secret only on external-dns for in-tree provider and only on the sidecar for webhook providers ?
cc @stevehipwell @mrueg

I would be strongly in favour of not supporting secretConfiguration for the webhook sidecar as secrets should preferably be managed outside of the Helm chart and then interacted with via the extraVolumes & extraVolumeMounts values.

The cloudfoundry source takes a password, but I suppose that can only come in through args, not a mounted secret. So perhaps we could say it would be unlikely for a future source to require a mounted secret.

I wouldn't want to have secretConfiguration only work for in-tree providers. That would be an odd discontinuity.

I added specific extraVolumeMounts for sidecar with 9109597

I still don't think we should be explicitly using secretConfiguration here, the secret COULD be mounted by the extraVolumeMounts but we should be recommending external secrets be used if needed.

charts/external-dns/templates/deployment.yaml

stevehipwell

@mloiseleur sorry it's taken me a while to get back to this. I've replied to some existing comments and then added an inline comment on the values. I'd like to get the values spec defined before reviewing anything else.

charts/external-dns/values.yaml

stevehipwell · 2023-11-20T21:21:17Z

A webhook outside the pod is explicitly not supported. That would require external-dns to support authenticating to the webhook, otherwise attackers could make changes to DNS by making requests directly to the webhook.

@johngmyers the docs only recommend using a sidecar and I can think of a number of configurations which would allow the webhook to run externally while still being secure.

Docs:

The ideal setup for providers is to run as a sidecar in the same pod of the ExternalDNS container, listening only on localhost. This is not strictly a requirement, but we do not recommend other setups.

johngmyers · 2023-11-21T07:20:26Z

I would be in favor of modifying the docs to make a stronger statement.

Unless we add support for outbound authentication to the webhook provider, securing an externally-deployed provider would require something like a service mesh's network policy. It's complicated, likely to be left out, and deploying externally doesn't give any worthwhile advantages.

charts/external-dns/templates/deployment.yaml

mrueg · 2023-11-21T08:37:45Z

Unless we add support for outbound authentication to the webhook provider, securing an externally-deployed provider would require something like a service mesh's network policy. It's complicated, likely to be left out, and deploying externally doesn't give any worthwhile advantages.

If we default to tight coupling, we could add support for unix sockets and use a shared mount between external-dns and the provider.
CC: @Raffo if you have any thoughts?

Raffo · 2023-11-21T17:10:18Z

I would be in favor of modifying the docs to make a stronger statement.

We can totally do that. I think it should be allow to go on the really hard path of running the webhook outside or the pod, but that should be strongly discouraged.

CC: @Raffo if you have any thoughts?

I don't think there's any need for now to support that. We only have to provide the right information IMO.

mloiseleur · 2023-11-27T10:43:26Z

I updated values (and code) following review comments.
I'm unsure what to do about secret.
I'll update the VALUES.md once we have an agreement on values spec.

Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com>

Raffo · 2024-01-04T13:42:52Z

@stevehipwell do you think we should have the other PR merged first? If so can we speed that up? Or can we instead merge this one first? The reason I am asking is that I am starting to think of the next release and we still don't have the chart out for v0.14.0 and I'd love to get that fixed.

stevehipwell · 2024-01-04T15:09:40Z

@stevehipwell do you think we should have the other PR merged first?

@Raffo which PR is that?

stevehipwell

@mloiseleur I think we're down to two outstanding discussions; the provider.name value comment and the use of secretConfiguration within the webhook container.

CC @Raffo

charts/external-dns/values.yaml

mloiseleur · 2024-01-04T15:58:26Z

@mloiseleur I think we're down to two outstanding discussions; the provider.name value comment and the use of secretConfiguration within the webhook container.

CC @Raffo

I tried to fix the first point.
For the second point, I understood following previous comments that you would depreciate secret config in an other PR.
As soon as it's deprecated, I can then remove it in this PR.
Did I missed something ?

stevehipwell · 2024-01-04T16:01:39Z

I tried to fix the first point.
For the second point, I understood following #4032 (comment) that you would depreciate secret config in an other PR.
As soon as it's deprecated, I can then remove it in this PR.
Did I missed something ?

@mloiseleur I think we got out of sync on this; I was assuming we'd get this PR merged and then I'd do the deprecation and any other tidy up in a PR before we release.

Raffo · 2024-01-04T18:11:04Z

Can we get this merged now that the confusion has been clarified?

stevehipwell · 2024-01-05T12:49:02Z

@Raffo I think we can merge this once the value comment commit is on this branch. I'd prefer to also remove the secretConfiguration config from the webhook container on this branch so it never hits master but I could remove this afterwards as part of the deprecation if required.

Raffo · 2024-01-05T21:31:41Z

Cool. @mloiseleur are you OK to make the requested changes?

mloiseleur · 2024-01-06T09:23:52Z

I think we can merge this once the value comment commit is on this branch.

@stevehipwell : I'm sorry, it seems I missed that. What is this "value comment" that I should add and commit ?

On my side, I prefer to merge it with consistency on secretConfiguration, knowing that you will remove both afterwards.

stevehipwell · 2024-01-08T10:26:10Z

@stevehipwell : I'm sorry, it seems I missed that. What is this "value comment" that I should add and commit ?

@mloiseleur this was the commit you commented to me, and it looks like it's been applied to the branch.

I'm not comfortable merging something (webhook support for secretConfiguration) which is going to be removed before it's ever released and may lead to end-user confusion; so I've opened #4161 now to be merged before this PR.

k8s-ci-robot · 2024-01-08T18:38:22Z

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

mloiseleur · 2024-01-09T08:11:06Z

@stevehipwell @Raffo This PR is ready for merge review.

stevehipwell

Thanks for all of your work on this @mloiseleur.

/approve
/label tide/merge-method-squash

stevehipwell · 2024-01-09T08:42:50Z

@Raffo there are non chart changes in the PR so I can't approve (I'll LGTM instead).

/lgtm

stevehipwell · 2024-01-09T08:45:30Z

@appkins once this is merged could you can rebase and squash #4073 so we can release the chart? Remember the CHANGELOG items need to be copied through to the chart annotations.

Raffo · 2024-01-09T14:28:16Z

/approve

k8s-ci-robot · 2024-01-09T14:28:39Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Raffo, stevehipwell

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [Raffo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

* BREAKING CHANGE: 💥 support webhook provider in Chart * add /healthz to webhook tutorial * keep backward compatibility * moved images to values * Update charts/external-dns/values.yaml Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com> * fixed name for sidecar + doc update + externalVolumeMounts * add serviceMonitor endpoint, improve webhook provider tutorial and differentiate probes * doc: use helm-docs for README * fix rebase error * Apply suggestions from code review Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com> * introduce external-dns.webhookImage to match current image function * fix port name of probes * update template with webhook provider support * Apply suggestions from code review Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com> * Update charts/external-dns/templates/deployment.yaml Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com> * Update charts/external-dns/templates/deployment.yaml Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com> * following review on provider.name doc * remove secretConfiguration on webhook --------- Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com>

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 10, 2023

k8s-ci-robot requested review from johngmyers and stevehipwell November 10, 2023 13:47

k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 10, 2023

mloiseleur force-pushed the feat/webhook-chart branch from 7c12908 to 7aff33a Compare November 10, 2023 14:21

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 10, 2023

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 10, 2023

mloiseleur force-pushed the feat/webhook-chart branch from fac7b08 to c4b71e8 Compare November 11, 2023 09:56

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 11, 2023

mrueg reviewed Nov 11, 2023

View reviewed changes

charts/external-dns/templates/_helpers.tpl Outdated Show resolved Hide resolved

M0NsTeRRR mentioned this pull request Nov 11, 2023

fix: regression on scaleway provider in 0.14.0 #4039

Merged

johngmyers suggested changes Nov 14, 2023

View reviewed changes

k8s-ci-robot assigned johngmyers Nov 14, 2023

mloiseleur changed the title ~~BREAKING CHANGE: 💥 support webhook provider in Chart~~ feat: support webhook provider in Chart Nov 18, 2023

stevehipwell suggested changes Nov 20, 2023

View reviewed changes

charts/external-dns/values.yaml Outdated Show resolved Hide resolved

k8s-ci-robot assigned stevehipwell Nov 20, 2023

stevehipwell mentioned this pull request Nov 20, 2023

Helm chart support for webhook sidecar #3966

Closed

2 tasks

johngmyers reviewed Nov 21, 2023

View reviewed changes

charts/external-dns/templates/deployment.yaml Show resolved Hide resolved

Update charts/external-dns/templates/deployment.yaml

bc69c01

Co-authored-by: Steve Hipwell <steve.hipwell@gmail.com>

stevehipwell suggested changes Jan 4, 2024

View reviewed changes

charts/external-dns/values.yaml Outdated Show resolved Hide resolved

following review on provider.name doc

c5e7933

k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 8, 2024

mloiseleur and others added 2 commits January 9, 2024 09:05

Merge branch 'master' into feat/webhook-chart

3e56c73

remove secretConfiguration on webhook

9299b59

k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 9, 2024

stevehipwell reviewed Jan 9, 2024

View reviewed changes

k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 9, 2024

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 9, 2024

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 9, 2024

k8s-ci-robot merged commit 0009a6b into kubernetes-sigs:master Jan 9, 2024
15 checks passed

mloiseleur deleted the feat/webhook-chart branch January 9, 2024 15:04

feat: support webhook provider in Chart #4032

feat: support webhook provider in Chart #4032

Conversation

mloiseleur commented Nov 10, 2023 • edited Loading

mloiseleur commented Nov 10, 2023

muhlba91 commented Nov 10, 2023

stevehipwell commented Nov 10, 2023

mloiseleur commented Nov 11, 2023 • edited Loading

stevehipwell commented Nov 11, 2023

johngmyers commented Nov 14, 2023

johngmyers Nov 14, 2023

Choose a reason for hiding this comment

mloiseleur Nov 18, 2023

Choose a reason for hiding this comment

stevehipwell Nov 20, 2023

Choose a reason for hiding this comment

johngmyers Nov 21, 2023

Choose a reason for hiding this comment

mloiseleur Nov 27, 2023

Choose a reason for hiding this comment

stevehipwell Dec 7, 2023

Choose a reason for hiding this comment

stevehipwell left a comment

Choose a reason for hiding this comment

stevehipwell commented Nov 20, 2023

johngmyers commented Nov 21, 2023

mrueg commented Nov 21, 2023

Raffo commented Nov 21, 2023

mloiseleur commented Nov 27, 2023

Raffo commented Jan 4, 2024

stevehipwell commented Jan 4, 2024

stevehipwell left a comment

Choose a reason for hiding this comment

mloiseleur commented Jan 4, 2024

stevehipwell commented Jan 4, 2024

Raffo commented Jan 4, 2024

stevehipwell commented Jan 5, 2024

Raffo commented Jan 5, 2024

mloiseleur commented Jan 6, 2024 • edited Loading

stevehipwell commented Jan 8, 2024

k8s-ci-robot commented Jan 8, 2024

mloiseleur commented Jan 9, 2024

stevehipwell left a comment

Choose a reason for hiding this comment

stevehipwell commented Jan 9, 2024

stevehipwell commented Jan 9, 2024

Raffo commented Jan 9, 2024

k8s-ci-robot commented Jan 9, 2024

mloiseleur commented Nov 10, 2023 •

edited

Loading

mloiseleur commented Nov 11, 2023 •

edited

Loading

mloiseleur commented Jan 6, 2024 •

edited

Loading