Installer: AWS Shared VPC#1397
Conversation
|
First draft is up for early review, |
patrickdillon
force-pushed
the
aws-shared-vpc
branch
2 times, most recently
from
03710fd to
1fa3e62
Compare
|
Bumped this to make the primary suggestion updating the DNS config rather than the infrastructure config, which has been moved to the alternative section. Also added some minor discussion around how we have a very limited number of existing clusters using this setup that might benefit from adopting the functionality outlined here. My biggest questions are around day 2 support. |
patrickdillon
force-pushed
the
aws-shared-vpc
branch
from
1fa3e62 to
15de98a
Compare
mtulio
left a comment
mtulio
left a comment
There was a problem hiding this comment.
Overall looks good, I have minimal suggestions with regard to the further possibilities of using external credentials.
| hostedZone: #deprecated | ||
| privateHostedZone: | ||
| id: Z0743278N5ELJPLYA3H6 | ||
| role: arn:aws:iam::<account-a>:role/<role-name> |
There was a problem hiding this comment.
@patrickdillon is there any claim for having the Public Hosted Zone (baseDomain) in another account?
Is the installer search for baseDomain to discover the HostedZoneId and create the records?
I wonder if there are restrictive customers that would like to keep the publicHostedZone in another account too (I can see in Azure that has a field specifying the Resource Group of the baseDomain/zone).
Thinking about that as we are introducing that external/extra authentication on installer, do you think that would be a good idea to structure the config for future requests? Having something like:
platform:
aws:
hostedZone: Z0743278N5ELJPLYA3H6
externalCredentials:
hostedZone:
iamRole: arn:aws:iam::<account-a>:role/<role-name>Thinking on that structure, we could allow us to expand for future needs for something like:
baseDomain: example.com
platform:
aws:
hostedZone: Z0743278N5ELJPLYA3H6
externalCredentials:
hostedZone:
role: arn:aws:iam::<account-a>:role/<role-name>
baseDomain:
role: arn:aws:iam::<account-x>:role/<role-name>Expanding a little bit more, but may require more permissions in external accounts: if we would like to teach the installer to create a cluster in shared VPC, creating the resources (fully automated), the following structure may be more flexible:
baseDomain: example.com
platform:
aws:
externalResources:
sharedVPC: # triggers the automation to create the VPC, subnets, GWs, and subnet resource sharing
role: arn:aws:iam::<account-a>:role/<role-name>
hostedZone:
role: arn:aws:iam::<account-a>:role/<role-name>
baseDomain:
role: arn:aws:iam::<account-x>:role/<role-name>I know that the last scenario could generate a lot of changes on installer, but it seems some scenario that could be exercised by our customers.
There was a problem hiding this comment.
is there any claim for having the Public Hosted Zone (baseDomain) in another account?
I don't believe so, but I am also looking for a definitive answer. The reason I don't believe this is the case, is because with a public zone, if the authoritative dns zone belongs to a different account, users should already be able to delegate to another public DNS zone in the cluster account.
|
@deads2k @JoelSpeed ptal for API review. |
patrickdillon
force-pushed
the
aws-shared-vpc
branch
from
e4ac83c to
913d483
Compare
JoelSpeed
left a comment
JoelSpeed
left a comment
There was a problem hiding this comment.
API structure generally looks good and anything I would add would likely be nits, can iron those out via the o/api PR
Few other nits while reading through but no major concerns from my side
|
|
||
| ### Graduation Criteria | ||
|
|
||
| This functionality is targeted for 4.14 GA and for backporting to previous releases. |
There was a problem hiding this comment.
Have you considered a feature gate?
Do we often backport features? Especially when they include API changes as described here?
There was a problem hiding this comment.
Added details on feature gate.
Do we often backport features? Especially when they include API changes as described here?
No, but this is being prioritized as an exception.
patrickdillon
force-pushed
the
aws-shared-vpc
branch
from
913d483 to
ec1ff8a
Compare
with private hosted zones in a separate account.
patrickdillon
force-pushed
the
aws-shared-vpc
branch
from
ec1ff8a to
3b55ed3
Compare
patrickdillon
force-pushed
the
aws-shared-vpc
branch
from
fa0ea94 to
7f30957
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mrunalp The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@patrickdillon: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
7 participants
with private hosted zones in a separate account.
Installer poc PR: openshift/installer#7161