dnspolicy section name support (#961)

dnspolicy section name support * fix dsnpolicy: Don't change owner ref on update DNSRecords are currently owned by the DNSPolicy that created them. We can't just update the ownership on policy change since the new policy may not be compatible with the current DNSRecord, instead we must re-create the DNSRecord resource. This is not ideal, issue to look into changing this Kuadrant/dns-operator#287 * Add canUpdateDNSRecord function Returns true if an existing record can knowingly be updated to a desired state based on the differences of the specs. Current known reasons for not being able to update are: * RootHost updates * Endpoint record type changes (A -> CNAME etc..) In both these cases, and any others that may be added to `canUpdateDNSRecord` the current record should be deleted before doing a create of the desired record. --------- Signed-off-by: Michael Nairn <[email protected]>
Kuadrant · Oct 31, 2024 · daa8473 · daa8473
1 parent 5fa1c90
commit daa8473
Show file tree

Hide file tree

Showing 11 changed files with 388 additions and 22 deletions.
diff --git a/api/v1alpha1/dnspolicy_types.go b/api/v1alpha1/dnspolicy_types.go
@@ -26,6 +26,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
@@ -58,7 +59,7 @@ type DNSPolicySpec struct {
 	// targetRef identifies an API object to apply policy to.
 	// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
 	// +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'Gateway'"
-	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReference `json:"targetRef"`
+	TargetRef gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRef"`
 
 	// +optional
 	HealthCheck *dnsv1alpha1.HealthCheckSpec `json:"healthCheck,omitempty"`
@@ -190,7 +191,7 @@ func (p *DNSPolicy) GetRulesHostnames() []string {
 }
 
 func (p *DNSPolicy) GetTargetRef() gatewayapiv1alpha2.LocalPolicyTargetReference {
-	return p.Spec.TargetRef
+	return p.Spec.TargetRef.LocalPolicyTargetReference
 }
 
 func (p *DNSPolicy) GetStatus() kuadrantgatewayapi.PolicyStatus {
@@ -252,7 +253,7 @@ func NewDNSPolicy(name, ns string) *DNSPolicy {
 	}
 }
 
-func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.LocalPolicyTargetReference) *DNSPolicy {
+func (p *DNSPolicy) WithTargetRef(targetRef gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName) *DNSPolicy {
 	p.Spec.TargetRef = targetRef
 	return p
 }
@@ -290,13 +291,22 @@ func (p *DNSPolicy) WithExcludeAddresses(excluded []string) *DNSPolicy {
 //TargetRef
 
 func (p *DNSPolicy) WithTargetGateway(gwName string) *DNSPolicy {
-	return p.WithTargetRef(gatewayapiv1alpha2.LocalPolicyTargetReference{
-		Group: gatewayapiv1.GroupName,
-		Kind:  "Gateway",
-		Name:  gatewayapiv1.ObjectName(gwName),
+	return p.WithTargetRef(gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+		LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+			Group: gatewayapiv1.GroupName,
+			Kind:  "Gateway",
+			Name:  gatewayapiv1.ObjectName(gwName),
+		},
+		SectionName: nil,
 	})
 }
 
+func (p *DNSPolicy) WithTargetGatewayListener(gwName string, lName string) *DNSPolicy {
+	p.WithTargetGateway(gwName)
+	p.Spec.TargetRef.SectionName = ptr.To(gatewayapiv1.SectionName(lName))
+	return p
+}
+
 //HealthCheck
 
 func (p *DNSPolicy) WithHealthCheckFor(endpoint string, port int, protocol string, failureThreshold int) *DNSPolicy {

diff --git a/api/v1alpha1/topology.go b/api/v1alpha1/topology.go
@@ -18,9 +18,9 @@ var _ machinery.Policy = &DNSPolicy{}
 
 func (p *DNSPolicy) GetTargetRefs() []machinery.PolicyTargetReference {
 	return []machinery.PolicyTargetReference{
-		machinery.LocalPolicyTargetReference{
-			LocalPolicyTargetReference: p.Spec.TargetRef,
-			PolicyNamespace:            p.Namespace,
+		machinery.LocalPolicyTargetReferenceWithSectionName{
+			LocalPolicyTargetReferenceWithSectionName: p.Spec.TargetRef,
+			PolicyNamespace: p.Namespace,
 		},
 	}
 }

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml b/bundle/manifests/kuadrant-operator.clusterserviceversion.yaml
@@ -106,7 +106,7 @@ metadata:
     capabilities: Basic Install
     categories: Integration & Delivery
     containerImage: quay.io/kuadrant/kuadrant-operator:latest
-    createdAt: "2024-10-22T09:01:33Z"
+    createdAt: "2024-10-25T15:27:18Z"
     description: A Kubernetes Operator to manage the lifecycle of the Kuadrant system
     operators.operatorframework.io/builder: operator-sdk-v1.32.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3

diff --git a/bundle/manifests/kuadrant.io_dnspolicies.yaml b/bundle/manifests/kuadrant.io_dnspolicies.yaml
@@ -194,6 +194,25 @@ spec:
                     maxLength: 253
                     minLength: 1
                     type: string
+                  sectionName:
+                    description: |-
+                      SectionName is the name of a section within the target resource. When
+                      unspecified, this targetRef targets the entire resource. In the following
+                      resources, SectionName is interpreted as the following:
+
+
+                      * Gateway: Listener name
+                      * HTTPRoute: HTTPRouteRule name
+                      * Service: Port name
+
+
+                      If a SectionName is specified, but does not exist on the targeted object,
+                      the Policy must fail to attach, and the policy implementation should record
+                      a `ResolvedRefs` or similar Condition in the Policy's status.
+                    maxLength: 253
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
                 required:
                 - group
                 - kind

diff --git a/charts/kuadrant-operator/templates/manifests.yaml b/charts/kuadrant-operator/templates/manifests.yaml
@@ -6962,6 +6962,25 @@ spec:
                     maxLength: 253
                     minLength: 1
                     type: string
+                  sectionName:
+                    description: |-
+                      SectionName is the name of a section within the target resource. When
+                      unspecified, this targetRef targets the entire resource. In the following
+                      resources, SectionName is interpreted as the following:
+
+
+                      * Gateway: Listener name
+                      * HTTPRoute: HTTPRouteRule name
+                      * Service: Port name
+
+
+                      If a SectionName is specified, but does not exist on the targeted object,
+                      the Policy must fail to attach, and the policy implementation should record
+                      a `ResolvedRefs` or similar Condition in the Policy's status.
+                    maxLength: 253
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
                 required:
                 - group
                 - kind

diff --git a/config/crd/bases/kuadrant.io_dnspolicies.yaml b/config/crd/bases/kuadrant.io_dnspolicies.yaml
@@ -193,6 +193,25 @@ spec:
                     maxLength: 253
                     minLength: 1
                     type: string
+                  sectionName:
+                    description: |-
+                      SectionName is the name of a section within the target resource. When
+                      unspecified, this targetRef targets the entire resource. In the following
+                      resources, SectionName is interpreted as the following:
+
+
+                      * Gateway: Listener name
+                      * HTTPRoute: HTTPRouteRule name
+                      * Service: Port name
+
+
+                      If a SectionName is specified, but does not exist on the targeted object,
+                      the Policy must fail to attach, and the policy implementation should record
+                      a `ResolvedRefs` or similar Condition in the Policy's status.
+                    maxLength: 253
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
                 required:
                 - group
                 - kind

diff --git a/controllers/effective_dnspolicies_reconciler.go b/controllers/effective_dnspolicies_reconciler.go
@@ -138,7 +138,7 @@ func (r *EffectiveDNSPoliciesReconciler) reconcile(ctx context.Context, _ []cont
 
 				existingRecord := existingRecordObj.(*controller.RuntimeObject).Object.(*kuadrantdnsv1alpha1.DNSRecord)
 
-				//Deal with the potential deletion of a record first
+				// Deal with the potential deletion of a record first
 				if !hasAttachedRoute || len(desiredRecord.Spec.Endpoints) == 0 {
 					if !hasAttachedRoute {
 						rLogger.V(1).Info("listener has no attached routes, deleting record for listener")
@@ -149,28 +149,25 @@ func (r *EffectiveDNSPoliciesReconciler) reconcile(ctx context.Context, _ []cont
 					continue
 				}
 
-				if desiredRecord.Spec.RootHost != existingRecord.Spec.RootHost {
-					rLogger.V(1).Info("listener hostname has changed, deleting record for listener")
+				if !canUpdateDNSRecord(ctx, existingRecord, desiredRecord) {
+					rLogger.V(1).Info("unable to update record, deleting record for listener and re-creating")
 					r.deleteRecord(ctx, existingRecordObj)
-					//Break to allow it to try the creation of the desired record
 					break
 				}
 
-				if reflect.DeepEqual(existingRecord.Spec, desiredRecord.Spec) &&
-					reflect.DeepEqual(existingRecord.OwnerReferences, desiredRecord.OwnerReferences) {
+				if reflect.DeepEqual(existingRecord.Spec, desiredRecord.Spec) {
 					rLogger.V(1).Info("dns record is up to date, nothing to do")
 					continue
 				}
 				existingRecord.Spec = desiredRecord.Spec
-				existingRecord.OwnerReferences = desiredRecord.OwnerReferences
 
 				un, err := controller.Destruct(existingRecord)
 				if err != nil {
 					lLogger.Error(err, "unable to destruct dns record")
 					continue
 				}
 
-				rLogger.V(1).Info("updating DNS record for listener")
+				rLogger.V(1).Info("updating record for listener")
 				if _, uErr := resource.Update(ctx, un, metav1.UpdateOptions{}); uErr != nil {
 					rLogger.Error(uErr, "unable to update dns record")
 				}
@@ -300,3 +297,30 @@ func (r *EffectiveDNSPoliciesReconciler) deleteRecord(ctx context.Context, obj m
 		logger.Error(err, "failed to delete DNSRecord", "record", obj.GetLocator())
 	}
 }
+
+// canUpdateDNSRecord returns true if the current record can be updated to the desired.
+func canUpdateDNSRecord(ctx context.Context, current, desired *kuadrantdnsv1alpha1.DNSRecord) bool {
+	logger := controller.LoggerFromContext(ctx)
+
+	// DNSRecord doesn't currently support rootHost changes
+	if current.Spec.RootHost != desired.Spec.RootHost {
+		logger.V(1).Info("root host for existing record has changed")
+		return false
+	}
+
+	// DNSRecord doesn't currently support record type changes due to a limitation of the dns operator
+	// https://github.com/Kuadrant/dns-operator/issues/287
+	for _, curEp := range current.Spec.Endpoints {
+		for _, desEp := range desired.Spec.Endpoints {
+			if curEp.DNSName == desEp.DNSName {
+				if curEp.RecordType != desEp.RecordType {
+					logger.V(1).Info("record type for existing endpoint has changed",
+						"dnsName", curEp.DNSName, "current", curEp.RecordType, "desired", desEp.RecordType)
+					return false
+				}
+			}
+		}
+	}
+
+	return true
+}
diff --git a/controllers/effective_dnspolicies_reconciler_test.go b/controllers/effective_dnspolicies_reconciler_test.go
@@ -0,0 +1,135 @@
+package controllers
+
+import (
+	"context"
+	"testing"
+
+	externaldns "sigs.k8s.io/external-dns/endpoint"
+
+	kuadrantdnsv1alpha1 "github.com/kuadrant/dns-operator/api/v1alpha1"
+)
+
+func Test_canUpdateDNSRecord(t *testing.T) {
+	tests := []struct {
+		name    string
+		current *kuadrantdnsv1alpha1.DNSRecord
+		desired *kuadrantdnsv1alpha1.DNSRecord
+		want    bool
+	}{
+		{
+			name: "different root hosts",
+			current: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					RootHost: "foo.example.com",
+				},
+			},
+			desired: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					RootHost: "bar.example.com",
+				},
+			},
+			want: false,
+		},
+		{
+			name: "same root hosts",
+			current: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					RootHost: "foo.example.com",
+				},
+			},
+			desired: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					RootHost: "foo.example.com",
+				},
+			},
+			want: true,
+		},
+		{
+			name: "different record type same dnsnames",
+			current: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "A",
+						},
+					},
+				},
+			},
+			desired: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "CNAME",
+						},
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "same record type same dnsnames",
+			current: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "A",
+						},
+					},
+				},
+			},
+			desired: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "A",
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "multiple endpoints",
+			current: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "A",
+						},
+						{
+							DNSName:    "baz.example.com",
+							RecordType: "CNAME",
+						},
+					},
+				},
+			},
+			desired: &kuadrantdnsv1alpha1.DNSRecord{
+				Spec: kuadrantdnsv1alpha1.DNSRecordSpec{
+					Endpoints: []*externaldns.Endpoint{
+						{
+							DNSName:    "foo.example.com",
+							RecordType: "A",
+						},
+						{
+							DNSName:    "bar.example.com",
+							RecordType: "CNAME",
+						},
+					},
+				},
+			},
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := canUpdateDNSRecord(context.Background(), tt.current, tt.desired); got != tt.want {
+				t.Errorf("canUpdateDNSRecord() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}