Merge pull request #270 from gardener/routing-policy

Weighted routing policy support for AWS Route53
gardener · Jul 29, 2022 · 59f5745 · 59f5745
2 parents 1b7d45f + f9cde15
commit 59f5745
Show file tree

Hide file tree

Showing 398 changed files with 29,831 additions and 4,848 deletions.
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ tmp/
 /cmd/dns/dns-controller-manager
 /main
 /test/functional/tmp-*.yaml
+/test/functional/kubebuilder*
 /test/integration/kubebuilder*
 /test/integration/default.etcd
 /test/integration/integration.test

diff --git a/docs/aws-route53/README.md b/docs/aws-route53/README.md
@@ -98,4 +98,160 @@ data:
 ```
 
 You may need to mount an additional volume as the AWS client expects environment variable with token path and volume mount with the token file.
-See Helm chart values `custom.volumes` and `custom.volumeMounts`.
+See Helm chart values `custom.volumes` and `custom.volumeMounts`.
+
+## Routing Policy
+
+The AWS Route53 provider supports currently only the `weighted` routing policy.
+
+### Weighted Routing Policy
+
+Each weighted record set is defined by a separate `DNSEntry`. In this way it is possible to use different dns-controller-manager deployments
+acting on the same domain names. Every record set needs a `SetIdentifier` which must be unique for all used identifier of the domain name.
+Weighted routing policy is supported for all record types, i.e. `A`, `AAAA`, `CNAME`, and `TXT`.
+All entries of the same domain name must have the same record type and TTL.
+
+#### Annotating Ingress or Service Resources with Routing Policy
+
+To specify the routing policy, add an annotation `dns.gardener.cloud/routing-policy`
+containing the routing policy section in JSON format to the `Ingress` or `Service` resource.
+E.g. for an ingress resource:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    dns.gardener.cloud/dnsnames: '*'
+    # If you are delegating the DNS management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
+    #dns.gardener.cloud/class: garden
+    # If you are delegating the certificate management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/x509_certificates/)
+    #cert.gardener.cloud/purpose: managed
+    # routing-policy annotation provides the `.spec.routingPolicy` section as JSON
+    # Note: Currently only supported for aws-route53 or google-clouddns (see https://github.com/gardener/external-dns-management/tree/master/docs/aws-route53#weighted-routing-policy)
+    dns.gardener.cloud/routing-policy: '{"type": "weighted", "setIdentifier": "my-id", "parameters": {"weight": "10"}}'
+  name: test-ingress-weighted-routing-policy
+  namespace: default
+spec:
+  rules:
+    - host: test.ingress.my-dns-domain.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: my-service
+                port:
+                  number: 9000
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - test.ingress.my-dns-domain.com
+      #secretName: my-cert-secret-name
+```
+
+#### Example for A/B testing
+
+You want to perform an A/B testing for a service using the domain name `my.service.example.com`.
+You want that 90% goes to instance A and 10% to instance B.
+You can create these two `DNSEntries` using the same domain name, but different set identifiers
+
+```yaml
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+    #dns.gardener.cloud/class: garden
+  name: instance-a
+  namespace: default
+spec:
+  dnsName: "my.service.example.com"
+  ttl: 120
+  targets:
+    - instance-a.service.example.com
+  routingPolicy:
+    type: weighted
+    setIdentifier: instance-a
+    parameters:
+      weight: "90"
+```
+
+```yaml
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+    #dns.gardener.cloud/class: garden  
+  name: instance-a
+  namespace: default
+spec:
+  dnsName: "my.service.example.com"
+  ttl: 120
+  targets:
+    - instance-b.service.example.com
+  routingPolicy:
+    type: weighted
+    setIdentifier: instance-b
+    parameters:
+      weight: "10"
+```
+
+### Example for a blue/green Deployment
+
+You want to use a blue/green deployment for your service.
+Initially you want to activate the `blue` deployment.
+Blue and green deployment are located on different clusters, maybe even using different dns-controller-managers (seeds in case of Gardener)
+
+On the blue cluster create a `DNSEntry` with weight 1:
+
+```yaml
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+    #dns.gardener.cloud/class: garden
+  name: blue
+  namespace: default
+spec:
+  dnsName: "ha.service.example.com"
+  ttl: 60
+  targets:
+    - 1.2.3.4
+  routingPolicy:
+    type: weighted
+    setIdentifier: blue
+    parameters:
+      weight: "1"
+```
+
+On the green cluster create a `DNSEntry` with weight 0:
+
+```yaml
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+    # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+    #dns.gardener.cloud/class: garden
+  name: green
+  namespace: default
+spec:
+  dnsName: "ha.service.example.com"
+  ttl: 60
+  targets:
+    - 6.7.8.9
+  routingPolicy:
+    type: weighted
+    setIdentifier: green
+    parameters:
+      weight: "0"
+```
+
+The DNS resolution will return the IP address of the `blue` deployment with this configuration.
+
+To switch the service from `blue` to `green`, first change the weight of the `green` `DNSEntry` to `"1"`.
+Wait for DNS propagation according to the TTL (here 60 seconds), then change the weight of the `blue` `DNSEntry` to `"0"`.
+After a second wait round for DNS propagation, all DNS resolution should now only return the IP address of the `green`  deployment.
diff --git a/docs/google-cloud-dns/README.md b/docs/google-cloud-dns/README.md
@@ -50,4 +50,55 @@ data:
   # replace '...' with json key from service account creation (encoded as base64)
   # see https://cloud.google.com/iam/docs/creating-managing-service-accounts
   serviceaccount.json: ...
+```
+
+## Routing Policy
+
+The Google CloudDNS provider supports currently only the `weighted` routing policy.
+
+### Weighted Routing Policy
+
+Each weighted record set is defined by a separate `DNSEntry`. In this way it is possible to use different dns-controller-manager deployments
+acting on the same domain names. Every record set needs a `SetIdentifier` which must be a digit "0", "1", "2", "3", or "4" (representing the index in the 
+resource record set policy).
+Weighted routing policy is supported for all record types, i.e. `A`, `AAAA`, `CNAME`, and `TXT`.
+All entries of the same domain name must have the same record type and TTL. Only integral weights >= 0 are allowed.
+
+#### Annotating Ingress or Service Resources with Routing Policy
+
+To specify the routing policy, add an annotation `dns.gardener.cloud/routing-policy`
+containing the routing policy section in JSON format to the `Ingress` or `Service` resource.
+E.g. for an ingress resource:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    dns.gardener.cloud/dnsnames: '*'
+    # If you are delegating the DNS management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
+    #dns.gardener.cloud/class: garden
+    # If you are delegating the certificate management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/x509_certificates/)
+    #cert.gardener.cloud/purpose: managed
+    # routing-policy annotation provides the `.spec.routingPolicy` section as JSON
+    # Note: Currently only supported for aws-route53 and google-clouddns
+    dns.gardener.cloud/routing-policy: '{"type": "weighted", "setIdentifier": "0", "parameters": {"weight": "10"}}'
+  name: test-ingress-weighted-routing-policy
+  namespace: default
+spec:
+  rules:
+    - host: test.ingress.my-dns-domain.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: my-service
+                port:
+                  number: 9000
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - test.ingress.my-dns-domain.com
+      #secretName: my-cert-secret-name
 ```
diff --git a/examples/41-entry-weighted.yaml b/examples/41-entry-weighted.yaml
@@ -0,0 +1,39 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+  # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+  #dns.gardener.cloud/class: garden
+  name: instance-a
+  namespace: default
+spec:
+  dnsName: "my.service.example.com"
+  ttl: 120
+  targets:
+    - instance-a.service.example.com
+  # routingPolicy is current only supported for AWS Route53 or Google CloudDNS
+  routingPolicy:
+    type: weighted
+    setIdentifier: instance-a
+    parameters:
+      weight: "90"
+---
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSEntry
+metadata:
+  annotations:
+  # If you are delegating the DNS management to Gardener Shoot DNS Service, uncomment the following line
+  #dns.gardener.cloud/class: garden
+  name: instance-b
+  namespace: default
+spec:
+  dnsName: "my.service.example.com"
+  ttl: 120
+  targets:
+    - instance-b.service.example.com
+  # routingPolicy is current only supported for AWS Route53 or Google CloudDNS
+  routingPolicy:
+    type: weighted
+    setIdentifier: instance-b
+    parameters:
+      weight: "10"
diff --git a/examples/51-ingress-weighted.yaml b/examples/51-ingress-weighted.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    dns.gardener.cloud/dnsnames: '*'
+    # If you are delegating the DNS management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
+    #dns.gardener.cloud/class: garden
+    # If you are delegating the certificate management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/x509_certificates/)
+    #cert.gardener.cloud/purpose: managed
+    # routing-policy annotation provides the `.spec.routingPolicy` section as JSON
+    # Note: Currently only supported for aws-route53 or google-clouddns (see https://github.com/gardener/external-dns-management/tree/master/docs/aws-route53#weighted-routing-policy)
+    dns.gardener.cloud/routing-policy: '{"type": "weighted", "setIdentifier": "my-id", "parameters": {"weight": "10"}}'
+  name: test-ingress-weighted-routing-policy
+  namespace: default
+spec:
+  rules:
+    - host: test.ingress.my-dns-domain.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: my-service
+                port:
+                  number: 9000
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - test.ingress.my-dns-domain.com
+      #secretName: my-cert-secret-name
diff --git a/examples/51-service-weighted.yaml b/examples/51-service-weighted.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    dns.gardener.cloud/dnsnames: echo.my-dns-domain.com
+    dns.gardener.cloud/ttl: "500"
+    # If you are delegating the DNS Management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
+    #dns.gardener.cloud/class: garden
+    # routing-policy annotation provides the `.spec.routingPolicy` section as JSON
+    # Note: Currently only supported for aws-route53 or google-clouddns (see https://github.com/gardener/external-dns-management/tree/master/docs/aws-route53#weighted-routing-policy)
+    dns.gardener.cloud/routing-policy: '{"type": "weighted", "setIdentifier": "my-id", "parameters": {"weight": "10"}}'
+  name: test-service-weighted
+  namespace: default
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  sessionAffinity: None
+  type: LoadBalancer
diff --git a/examples/controller-registration.yaml b/examples/controller-registration.yaml
diff --git a/go.mod b/go.mod
@@ -25,22 +25,23 @@ require (
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.4.0
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	google.golang.org/api v0.63.0
-	google.golang.org/grpc v1.41.0
-	google.golang.org/protobuf v1.27.1
+	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	google.golang.org/api v0.88.0
+	google.golang.org/grpc v1.47.0
+	google.golang.org/protobuf v1.28.0
 	k8s.io/api v0.24.1
 	k8s.io/apimachinery v0.24.1
 	k8s.io/client-go v0.24.1
 	k8s.io/code-generator v0.24.1
 	k8s.io/kube-openapi v0.0.0-20220603121420-31174f50af60
+	sigs.k8s.io/controller-runtime v0.11.1
 	sigs.k8s.io/controller-tools v0.8.0
 	sigs.k8s.io/kind v0.11.1
 )
 
 require (
-	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go/compute v1.7.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.14 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 // indirect
@@ -80,10 +81,12 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
-	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -112,15 +115,15 @@ require (
 	go.opencensus.io v0.23.0 // indirect
 	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
+	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
+	golang.org/x/sys v0.0.0-20220624220833-87e55d714810 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	golang.org/x/tools v0.1.10 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
+	google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect