
OCPBUGS-37059: Support deployment on HCP clusters #219

Merged
merged 3 commits into openshift:main
Jul 30, 2024

Conversation

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jul 16, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-37059, which is invalid:

  • expected the bug to target the "4.17.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jul 16, 2024
@openshift-ci openshift-ci bot requested review from frobware and gcs278 July 16, 2024 14:13
@alebedev87
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jul 16, 2024
@openshift-ci-robot

@alebedev87: This pull request references Jira Issue OCPBUGS-37059, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

In response to this:

/jira refresh


@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jul 16, 2024
@alebedev87
Contributor Author

Infoblox licenses need to be updated to proceed with the infoblox e2e test.

@alebedev87
Contributor Author

/retest

@rfredette
Contributor

/assign
/assign @gcs278

Contributor

@gcs278 gcs278 left a comment


Looks good. I tested out in my STS cluster, and had some trouble, but I messed up the OIDC provider variables. So that was my fault. Eventually got it to work great.

Only questions and small doc nits, otherwise, LGTM.

Name: boundSATokenVolumeName,
VolumeSource: corev1.VolumeSource{
Projected: &corev1.ProjectedVolumeSource{
//DefaultMode: pointer.Int32(420),
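Review bot: the commented-out `//DefaultMode: pointer.Int32(420),` should be deleted rather than shipped as dead code; if the intent is to rely on the projected volume's default mode (which the thread notes is 420 anyway), a one-line comment saying so is clearer than a disabled field that leaves readers guessing whether a non-default mode was planned.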
Contributor


Any reason this is commented out?

I see with ALBO we used 292: https://github.com/openshift/aws-load-balancer-operator/pull/82/files#diff-ce0d597a9e5f20a8fe61c3ba5e6185a6b90cfef2c00bb5b5ef3e97b15b79f480R94

And the default appears to be 420 anyways.

Contributor Author


Any reason this is commented out?

I wanted to remove it but forgot. ExternalDNS Operator volumes don't use defaultMode so I didn't want to make a new case out of it.

I see with ALBO we used 292: https://github.com/openshift/aws-load-balancer-operator/pull/82/files#diff-ce0d597a9e5f20a8fe61c3ba5e6185a6b90cfef2c00bb5b5ef3e97b15b79f480R94

Yes for ALBO I followed Miciah's proposal for the completeness sake. The mounting is still readonly by default as mentioned in the issue I posted as response to Miciah, so we don't really risk anything.

We will need to rethink the defaultMode for ExternalDNS Operator. Setting it explicitly on all the volumes seems to be the way to go. But for this we need to get rid of the filtering we do during the comparison.

@@ -581,6 +592,21 @@ func (b *externalDNSVolumeBuilder) awsVolumes() []corev1.Volume {
},
},
},
{
Name: boundSATokenVolumeName,
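Review bot: `awsVolumes()` adds the `boundSATokenVolumeName` volume unconditionally, so it is also mounted on non-STS clusters; a comment above the entry stating that this is intentional, that the mount stays read-only, and that the projected token is only consumed when the credentials file points at `/var/run/secrets/openshift/serviceaccount/token` would preempt the non-STS question and document why no STS-detection branch exists here.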
Contributor


What happens on non-STS clusters? This is included right? Will it be just a dummy volume that does nothing? I see we also always included it with ALBO, so I presume it's not a big deal.

Contributor Author


Will it be just a dummy volume that does nothing?

Yeah, I believe it's a common approach to keep harmful things for all the deployments. C-I-O keeps it for any deployment type too.

docs/usage.md Outdated

1. Generate the trusted policy file using your identity provider:

```bash
Contributor


BTW you can indent these code blocks (```) by adding at least 3 spaces before every line. It will display the code block logically under the numbered list. Up to you. Looks like we do that in ALBO docs a bit.

Contributor Author


Done.

@@ -201,8 +201,7 @@ func desiredExternalDNSDeployment(cfg *deploymentConfig) (*appsv1.Deployment, er
}

nodeSelectorLbl := map[string]string{
osLabel: linuxOS,
masterNodeRoleLabel: "",
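Review bot: dropping `masterNodeRoleLabel` from `nodeSelectorLbl` while keeping the NoSchedule toleration (per the commit message) means the single replica may now land on either a control-plane or a worker node; a short comment next to the selector recording that this is deliberate for Hosted Control Plane and Single Node OpenShift would stop a future reader from re-adding the label, since it previously looked intentional and is being removed for a scheduling problem rather than a functional one.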
Contributor


This change seems pretty reasonable. I don't know any reason why we would restrict to just the masters. It's a deployment, with 1 replica hardcoded, and as far as I know, the External DNS pod is a pretty simple pod, just needs to make API calls to the platform API.

Contributor Author


I think I added this label maybe because I saw it on some cluster operators' operands. I don't remember any strong reason for it and we cannot come up with any. But we see problems related to it. RIP then.

@@ -16,22 +18,22 @@ the namespace where the _external-dns_ deployments are created so that they can

# AWS
Contributor


Now that we support STS, when following the instructions it isn't very clear that this section isn't for STS clusters.

How about adding a ## Non-STS clusters section? Just like ALBO. I'd also suggest reorganizing, pulling STS up to be right after the ## Non-STS clusters section.

Contributor Author


I just wanted to keep the same structure as before, with one chapter named after each provider. The AWS one became bloated, of course. I think the reorg of the AWS chapter will come in the near future when we have to do the same "STS enablement" as on ALBO. I propose to postpone it until then.

docs/usage.md Outdated
@@ -86,18 +88,100 @@ spec:
The operator makes the assumption that `ExternalDNS` instances which target GovCloud DNS also run on the GovCloud. This is needed to detect the AWS region.
As for the rest: the usage is exactly the same as for `AWS`.

## STS
Contributor


Suggested change
## STS
## STS Clusters

More aligned with ALBO docs? And provide a tiny bit more context that STS is cluster wide.

Contributor Author


Done.

In order to enable the usage of the STS-enabled credentials secret which
contains the path to the web token, the service account token should be
mounted into the ExternalDNS container.

- Add a new chapter specific to STS clusters
- Add IAM policy artifact needed for AWS STS credentials
- Update usage doc to align chapters from different providers

Remove the master node label from the node selector to relax scheduling
constraints. This change enables proper installation on Hosted Control Plane clusters.
The toleration of the NoSchedule taint remains intact to fit the Single Node
OpenShift usecase.
Contributor

openshift-ci bot commented Jul 30, 2024

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278
Contributor

gcs278 commented Jul 30, 2024

Thanks for the responses. Looks good to me!
/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 30, 2024
Contributor

openshift-ci bot commented Jul 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 30, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 1ea7602 into openshift:main Jul 30, 2024
10 checks passed
@openshift-ci-robot

@alebedev87: Jira Issue OCPBUGS-37059: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-37059 has been moved to the MODIFIED state.

In response to this:


@melvinjoseph86

melvinjoseph86 commented Jul 31, 2024

verified using the image created from the external-dns-operator repo

melvinjoseph@mjoseph-mac external-dns-operator % export CONTAINER_ENGINE=podman
melvinjoseph@mjoseph-mac external-dns-operator % export REGISTRY=quay.io
melvinjoseph@mjoseph-mac external-dns-operator % export REPOSITORY=rhn_support_mjoseph
melvinjoseph@mjoseph-mac external-dns-operator % export VERSION=1.0.0
melvinjoseph@mjoseph-mac external-dns-operator % ${CONTAINER_ENGINE} login ${REGISTRY} -u ${REPOSITORY}
Password: 
Login Succeeded!
melvinjoseph@mjoseph-mac external-dns-operator % export IMG=${REGISTRY}/${REPOSITORY}/external-dns-operator:${VERSION}

melvinjoseph@mjoseph-mac external-dns-operator % make image-build image-push
Makefile:221: warning: overriding commands for target `/Users/melvinjoseph/Git'
Makefile:217: warning: ignoring old commands for target `/Users/melvinjoseph/Git'
go run sigs.k8s.io/controller-tools/cmd/controller-gen "crd:preserveUnknownFields=false" rbac:roleName=external-dns-operator webhook paths="./..." output:crd:artifacts:config=config/crd/bases
go run sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
go fmt ./...
go vet ./...
mkdir -p "/Users/melvinjoseph/Git  Repos/external-dns-operator/testbin"
KUBEBUILDER_ASSETS="/Users/melvinjoseph/Git  Repos/external-dns-operator/testbin/k8s/1.21.4-darwin-amd64" go test ./... -race -covermode=atomic -coverprofile coverage.out
?   	github.com/openshift/external-dns-operator	[no test files]
?   	github.com/openshift/external-dns-operator/api/v1alpha1	[no test files]
?   	github.com/openshift/external-dns-operator/pkg/operator	[no test files]
?   	github.com/openshift/external-dns-operator/pkg/operator/config	[no test files]
?   	github.com/openshift/external-dns-operator/pkg/operator/controller/utils/test	[no test files]
?   	github.com/openshift/external-dns-operator/pkg/utils	[no test files]
?   	github.com/openshift/external-dns-operator/pkg/version	[no test files]
ok  	github.com/openshift/external-dns-operator/api/v1beta1	24.096s	coverage: 28.0% of statements
ok  	github.com/openshift/external-dns-operator/pkg/operator/controller	6.508s	coverage: 21.7% of statements
ok  	github.com/openshift/external-dns-operator/pkg/operator/controller/ca-configmap	4.937s	coverage: 64.6% of statements
ok  	github.com/openshift/external-dns-operator/pkg/operator/controller/credentials-secret	19.034s	coverage: 51.6% of statements
ok  	github.com/openshift/external-dns-operator/pkg/operator/controller/externaldns	9.661s	coverage: 83.6% of statements
ok  	github.com/openshift/external-dns-operator/pkg/operator/controller/utils	10.230s	coverage: 100.0% of statements
podman build -t quay.io/rhn_support_mjoseph/external-dns-operator:1.0.0 .
[1/2] STEP 1/4: FROM golang:1.19 AS builder
[1/2] STEP 2/4: WORKDIR /opt/app-root/src
--> Using cache 25a36005109a2a7d67749a9f21d311f1e61ac7efcde4079997b72a554e92f831
--> 25a36005109a
[1/2] STEP 3/4: COPY . .
--> 780e04d28f6b
[1/2] STEP 4/4: RUN make build-operator
GO111MODULE=on GOFLAGS=-mod=vendor CGO_ENABLED=0 go build -ldflags "-X github.com/openshift/external-dns-operator/pkg/version.SHORTCOMMIT=1ea7602 -X github.com/openshift/external-dns-operator/pkg/version.COMMIT=1ea76023704857c46ae0426bc90d2d919633295f" -o bin/external-dns-operator github.com/openshift/external-dns-operator
--> 4c9620b6e8c2
[2/2] STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi-micro:latest
[2/2] STEP 2/4: WORKDIR /
--> Using cache 1a39956ef7308335af0bc627ec0d08d9395b802f0c9f9f4f1007aa8fde55d4a6
--> 1a39956ef730
[2/2] STEP 3/4: COPY --from=builder /opt/app-root/src/bin/external-dns-operator .
--> dae57fd62195
[2/2] STEP 4/4: ENTRYPOINT ["/external-dns-operator"]
[2/2] COMMIT quay.io/rhn_support_mjoseph/external-dns-operator:1.0.0
--> 8ad12626b629
Successfully tagged quay.io/rhn_support_mjoseph/external-dns-operator:1.0.0
8ad12626b629fbea5b440002c875eb288058de4656820713b021df35d3f65595
podman push quay.io/rhn_support_mjoseph/external-dns-operator:1.0.0  --tls-verify=true
Getting image source signatures
Copying blob sha256:9234fcb738470872077d21eb477142e6a501beaaa86b49503c1549c3a37a4e96
Copying blob sha256:5d956355c7105d23c9b5f597bb28d08685e46aa00d677d813ca14fc3f02be1f9
Copying config sha256:8ad12626b629fbea5b440002c875eb288058de4656820713b021df35d3f65595
Writing manifest to image destination

melvinjoseph@mjoseph-mac external-dns-operator % make deploy
Makefile:221: warning: overriding commands for target `/Users/melvinjoseph/Git'
Makefile:217: warning: ignoring old commands for target `/Users/melvinjoseph/Git'
go run sigs.k8s.io/controller-tools/cmd/controller-gen "crd:preserveUnknownFields=false" rbac:roleName=external-dns-operator webhook paths="./..." output:crd:artifacts:config=config/crd/bases
# do not commit the following 2 changes
cd config/manager && go run sigs.k8s.io/kustomize/kustomize/v4 edit set image quay.io/openshift/origin-external-dns-operator=quay.io/rhn_support_mjoseph/external-dns-operator:1.0.0
# sigs.k8s.io/kustomize/kustomize/v4
ld: warning: -bind_at_load is deprecated on macOS
# webhook volume and service are added explicilty so that they don't land in the bundle where it's managed by OLM
cd config/default && go run sigs.k8s.io/kustomize/kustomize/v4 edit add patch --path=manager_webhook_volume_patch.yaml
# sigs.k8s.io/kustomize/kustomize/v4
ld: warning: -bind_at_load is deprecated on macOS
2024/07/31 10:46:01 patch types.Patch{Path:"manager_webhook_volume_patch.yaml", Patch:"", Target:(*types.Selector)(nil), Options:map[string]bool(nil)} already in kustomization file
# disable tls config in service monitor
cd config/prometheus && go run sigs.k8s.io/kustomize/kustomize/v4 edit add patch --path=insecure_tls_patch.yaml
# sigs.k8s.io/kustomize/kustomize/v4
ld: warning: -bind_at_load is deprecated on macOS
2024/07/31 10:46:04 patch types.Patch{Path:"insecure_tls_patch.yaml", Patch:"", Target:(*types.Selector)(nil), Options:map[string]bool(nil)} already in kustomization file
# consume certificate from the service serving certificate
cd config/default && go run sigs.k8s.io/kustomize/kustomize/v4 edit add patch --path=manager_insecure_tls_auth_proxy_patch.yaml
# sigs.k8s.io/kustomize/kustomize/v4
ld: warning: -bind_at_load is deprecated on macOS
2024/07/31 10:46:07 patch types.Patch{Path:"manager_insecure_tls_auth_proxy_patch.yaml", Patch:"", Target:(*types.Selector)(nil), Options:map[string]bool(nil)} already in kustomization file
go run sigs.k8s.io/kustomize/kustomize/v4 build config/default | kubectl apply -f -
# sigs.k8s.io/kustomize/kustomize/v4
ld: warning: -bind_at_load is deprecated on macOS
namespace/external-dns-operator created
customresourcedefinition.apiextensions.k8s.io/externaldnses.externaldns.olm.openshift.io created
serviceaccount/external-dns-operator created
role.rbac.authorization.k8s.io/external-dns-operator created
role.rbac.authorization.k8s.io/leader-election created
role.rbac.authorization.k8s.io/prometheus-k8s created
clusterrole.rbac.authorization.k8s.io/external-dns created
clusterrole.rbac.authorization.k8s.io/external-dns-operator created
clusterrole.rbac.authorization.k8s.io/external-dns-operator-auth-proxy created
clusterrole.rbac.authorization.k8s.io/external-dns-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/externaldns-editor created
clusterrole.rbac.authorization.k8s.io/externaldns-viewer created
rolebinding.rbac.authorization.k8s.io/external-dns-operator created
rolebinding.rbac.authorization.k8s.io/external-dns-operator-leader-election created
rolebinding.rbac.authorization.k8s.io/prometheus-k8s created
clusterrolebinding.rbac.authorization.k8s.io/external-dns created
clusterrolebinding.rbac.authorization.k8s.io/external-dns-operator created
clusterrolebinding.rbac.authorization.k8s.io/external-dns-operator-auth-proxy created
service/external-dns-operator-metrics-service created
service/webhook-service created
deployment.apps/external-dns-operator created
servicemonitor.monitoring.coreos.com/external-dns-operator-metrics-monitor created
validatingwebhookconfiguration.admissionregistration.k8s.io/validating-webhook-configuration created

melvinjoseph@mjoseph-mac external-dns-operator % hack/generate-certs.sh --service webhook-service --webhook validating-webhook-configuration --secret webhook-server-cert --namespace external-dns-operator`
bquote> hack/generate-certs.sh --service webhook-service --webhook validating-webhook-configuration --secret webhook-server-cert --namespace external-dns-operator 
bquote> 
melvinjoseph@mjoseph-mac external-dns-operator % hack/generate-certs.sh --service webhook-service --webhook validating-webhook-configuration --secret webhook-server-cert --namespace external-dns-operator
INFO: Creating certs in tmpdir /var/folders/7f/yh5cb4n953jf7bjbkr2vy0840000gn/T/tmp.YXytSHANVx 
secret/webhook-server-cert created
INFO: Trying to patch webhook adding the caBundle.
validatingwebhookconfiguration.admissionregistration.k8s.io/validating-webhook-configuration patched

Create secret in STS cluster

melvinjoseph@mjoseph-mac external-dns-operator % IDP="rh-oidc.s3.us-east-1.amazonaws.com/27bd6cg0vs7nn08mue83fbof94dj4m9a"
melvinjoseph@mjoseph-mac external-dns-operator % ACCOUNT="301721915996"
melvinjoseph@mjoseph-mac external-dns-operator % IDP_ARN="arn:aws:iam::${ACCOUNT}:oidc-provider/${IDP}"
melvinjoseph@mjoseph-mac external-dns-operator % EXTERNAL_DNS_NAME="sample-external-dns"
melvinjoseph@mjoseph-mac external-dns-operator % cat <<EOF > external-dns-trusted-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "${IDP_ARN}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "${IDP}:sub": "system:serviceaccount:external-dns-operator:external-dns-${EXTERNAL_DNS_NAME}"
                }
            }
        }
    ]
}
EOF

melvinjoseph@mjoseph-mac external-dns-operator % aws iam create-role --role-name external-dns --assume-role-policy-document file://external-dns-trusted-policy.json
ROLE    arn:aws:iam::301721915996:role/external-dns     2024-07-31T07:32:14+00:00       /       AROAUMQAHCJOBSPXKGU7T   external-dns
ASSUMEROLEPOLICYDOCUMENT        2012-10-17
STATEMENT       sts:AssumeRoleWithWebIdentity   Allow
STRINGEQUALS    system:serviceaccount:external-dns-operator:external-dns-sample-external-dns
PRINCIPAL       arn:aws:iam::301721915996:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/27bd6cg0vs7nn08mue83fbof94dj4m9a
melvinjoseph@mjoseph-mac external-dns-operator % EXTERNAL_DNS_ROLEARN='arn:aws:iam::301721915996:role/external-dns'
melvinjoseph@mjoseph-mac external-dns-operator % curl -o external-dns-permission-policy.json https://raw.githubusercontent.com/openshift/external-dns-operator/main/assets/iam_policy.json
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   448  100   448    0     0    827      0 --:--:-- --:--:-- --:--:--   837
melvinjoseph@mjoseph-mac external-dns-operator % cat <<EOF | oc apply -f -
pipe heredoc> apiVersion: v1
kind: Secret
metadata:
  name: aws-sts-creds
  namespace: external-dns-operator
stringData:
  credentials: |-
    [default]
    sts_regional_endpoints = regional
    role_arn = ${EXTERNAL_DNS_ROLEARN}
    web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
pipe heredoc> EOF
secret/aws-sts-creds created
melvinjoseph@mjoseph-mac external-dns-operator % oc get secret -n external-dns-operator
NAME                                    TYPE                      DATA   AGE
aws-sts-creds                           Opaque                    1      4s
builder-dockercfg-wjg85                 kubernetes.io/dockercfg   1      69m
default-dockercfg-9x4ws                 kubernetes.io/dockercfg   1      69m
deployer-dockercfg-grpjl                kubernetes.io/dockercfg   1      69m
external-dns-operator-dockercfg-s68kv   kubernetes.io/dockercfg   1      69m
external-dns-operator-metrics           kubernetes.io/tls         2      69m
webhook-server-cert                     kubernetes.io/tls         2      68m

melvinjoseph@mjoseph-mac external-dns-operator %  cat <<EOF | oc apply -f -
pipe heredoc> apiVersion: externaldns.olm.openshift.io/v1beta1
kind: ExternalDNS
metadata:
  name: ${EXTERNAL_DNS_NAME}
spec:
  provider:
    type: AWS
    aws:
      credentials:
        name: aws-sts-creds
  zones:
    - "Z07329472OINHQ62WTLYO"
  source:
    type: Service
    fqdnTemplate:
    - '{{.Name}}.mydomain.net'
pipe heredoc> EOF
externaldns.externaldns.olm.openshift.io/sample-external-dns created
melvinjoseph@mjoseph-mac external-dns-operator % oc -n external-dns-operator get pod
NAME                                               READY   STATUS              RESTARTS   AGE
external-dns-operator-5454cdd7db-d76h6             2/2     Running             0          70m
external-dns-sample-external-dns-b6955c955-k96l8   0/1     ContainerCreating   0          5s
melvinjoseph@mjoseph-mac external-dns-operator % oc -n external-dns-operator get pod
NAME                                               READY   STATUS    RESTARTS   AGE
external-dns-operator-5454cdd7db-d76h6             2/2     Running   0          96m
external-dns-sample-external-dns-b6955c955-k96l8   1/1     Running   0          26m

HENCE marking as verified
/label qe-approved
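As an added example (not code from the PR, the operator, or the verification above), a check of the trust-policy shape used in the STS steps: exactly one Federated principal equal to the OIDC provider ARN, only sts:AssumeRoleWithWebIdentity, and a StringEquals condition binding `<idp>:sub` to the single external-dns service account, so no other workload behind the same provider can assume the role. The provider, account and names are constructed placeholders, and the `external-dns-<name>` service-account naming follows the subject shown in the verification output.

```python
"""Check that an IAM trust policy for the external-dns STS role is scoped to
exactly one Kubernetes service account (added example, not operator code)."""
import json

# Constructed sample values; not the account or OIDC provider from the PR.
IDP = "oidc.example.invalid/EXAMPLEPROVIDERID"
ACCOUNT = "123456789012"
IDP_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{IDP}"
NAMESPACE = "external-dns-operator"
EXTERNAL_DNS_NAME = "sample-external-dns"

ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def expected_subject(namespace: str, external_dns_name: str) -> str:
    """Subject claim of the bound token: the operand's service account,
    which the operator names external-dns-<ExternalDNS name>."""
    return f"system:serviceaccount:{namespace}:external-dns-{external_dns_name}"


def render_trust_policy(idp: str, idp_arn: str, namespace: str, external_dns_name: str) -> dict:
    """Build the policy in the same shape as the heredoc in the verification steps."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": idp_arn},
                "Action": ASSUME_ACTION,
                "Condition": {
                    "StringEquals": {f"{idp}:sub": expected_subject(namespace, external_dns_name)}
                },
            }
        ],
    }


def check_trust_policy(policy: dict, idp: str, idp_arn: str, namespace: str, external_dns_name: str) -> list[str]:
    """Return findings; an empty list means the role can only be assumed by
    the one expected service account via the one expected OIDC provider."""
    findings: list[str] = []
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        findings.append(f"expected exactly 1 statement, found {len(statements)}")
    for st in statements:
        if st.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {st.get('Effect')!r}")

        # Principal must be the federated provider, never "*" or an AWS principal.
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append("Principal must be a single Federated OIDC provider")
        elif principal["Federated"] != idp_arn:
            findings.append(f"Federated principal {principal['Federated']!r} != {idp_arn!r}")

        # Only the web-identity assume action; no extra actions smuggled in.
        action = st.get("Action")
        actions = [action] if isinstance(action, str) else list(action or [])
        if actions != [ASSUME_ACTION]:
            findings.append(f"Action must be exactly {ASSUME_ACTION}, got {actions}")

        # StringEquals on <idp>:sub pins the role to one service account;
        # StringLike (or a missing sub condition) widens who may assume it.
        condition = st.get("Condition", {})
        if set(condition) != {"StringEquals"}:
            findings.append("Condition must use StringEquals only; StringLike would admit wildcards")
        sub = condition.get("StringEquals", {}).get(f"{idp}:sub")
        if sub is None:
            findings.append(f"missing {idp}:sub condition: any identity issued by the provider could assume the role")
        elif sub != expected_subject(namespace, external_dns_name):
            findings.append(f"sub {sub!r} != {expected_subject(namespace, external_dns_name)!r}")
    return findings


if __name__ == "__main__":
    good = render_trust_policy(IDP, IDP_ARN, NAMESPACE, EXTERNAL_DNS_NAME)
    print(json.dumps(good, indent=2))
    print("good policy findings:", check_trust_policy(good, IDP, IDP_ARN, NAMESPACE, EXTERNAL_DNS_NAME))

    # Loosened variant: a namespace-wide StringLike wildcard would let every
    # service account in the namespace assume the external-dns role.
    loose = render_trust_policy(IDP, IDP_ARN, NAMESPACE, EXTERNAL_DNS_NAME)
    loose["Statement"][0]["Condition"] = {"StringLike": {f"{IDP}:sub": f"system:serviceaccount:{NAMESPACE}:*"}}
    for finding in check_trust_policy(loose, IDP, IDP_ARN, NAMESPACE, EXTERNAL_DNS_NAME):
        print("loose policy finding:", finding)
```

Point `check_trust_policy` at the JSON produced by the heredoc (after `json.load`) with the real IDP, account and ExternalDNS name to confirm the role is pinned to the operand's service account before `aws iam create-role`.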
