Add ExternalDNS deployment for OpenShift clusters

README.md

@@ -2,6 +2,7 @@
 
 ACS fleet-manager repository for the ACS managed service.
 
+
 ## Quickstart
 
 ### Overview

dev/env/manifests/external-dns-operator/00-application.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rhacs-external-dns-operator
+  namespace: "$ARGOCD_NAMESPACE"
+spec:
+  destination:
+    namespace: external-dns-operator
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    managedNamespaceMetadata:
+      labels:
+        argocd.argoproj.io/managed-by: "$ARGOCD_NAMESPACE"
+        app.kubernetes.io/managed-by: "$ARGOCD_NAMESPACE"
+    retry:
+      limit: -1
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  source:
+    repoURL: https://github.com/stackrox/acscs-manifests
+    targetRevision: HEAD
+    path: external-dns-operator

dev/env/manifests/external-dns/00-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-dns-operator

dev/env/manifests/external-dns/01-external-dns.yaml

@@ -0,0 +1,23 @@
+apiVersion: externaldns.olm.openshift.io/v1beta1
+kind: ExternalDNS
+metadata:
+  name: "${EXTERNAL_DNS_NAME}"
+spec:
+  domains:
+    - filterType: Include
+      matchType: Pattern
+      pattern: ".*\\.dev\\.rhcloud.com"
+  provider:
+    type: AWS
+    aws:
+      credentials:
+        name: "${EXTERNAL_DNS_NAME}-aws-credentials"
+  source:
+    type: OpenShiftRoute
+    labelFilter:
+      matchLabels:
+        external-dns.rhacs.redhat.com/enabled: "true"
+    openshiftRouteOptions:
+      routerName: default
+  zones:
+    - "${ROUTE53_ZONE_ID}"

dev/env/manifests/external-dns/02-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "${EXTERNAL_DNS_NAME}-aws-credentials"
+  namespace: external-dns-operator
+stringData:
+  credentials: |-
+    [default]
+    aws_access_key_id = ${AWS_ACCESS_KEY_ID}
+    aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}

dev/env/manifests/openshift-gitops/04-clusterrole.yaml

@@ -17,6 +17,10 @@ rules:
   - apiGroups: [ "admissionregistration.k8s.io" ]
     resources: [ "validatingwebhookconfigurations" ]
     verbs: [ "*" ]
+  # Allow managing external dnses
+  - apiGroups: [ "externaldns.olm.openshift.io" ]
+    resources: [ "externaldnses" ]
+    verbs: [ "*" ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

dev/env/scripts/bootstrap.sh

@@ -22,11 +22,29 @@ fi
 log "** Preparing ACSCS Environment **"
 print_env
 
-if ! kc_output=$($KUBECTL api-versions 2>&1); then
-    die "Error: Sanity check for contacting Kubernetes cluster failed:
+# Retry for up to 30 minutes to contact the Kubernetes cluster
+MAX_RETRIES=180  # 30 minutes with 10 second intervals
+RETRY_COUNT=0
+RETRY_DELAY=10
+
+log "Attempting to contact Kubernetes cluster..."
+while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+    if kc_output=$($KUBECTL api-versions 2>&1); then
+        log "Successfully contacted Kubernetes cluster"
+        break
+    fi
+
+    RETRY_COUNT=$((RETRY_COUNT + 1))
+    ELAPSED=$((RETRY_COUNT * RETRY_DELAY))
+    log "Failed to contact cluster (attempt $RETRY_COUNT/$MAX_RETRIES, elapsed: ${ELAPSED}s). Retrying in ${RETRY_DELAY}s..."
+    sleep $RETRY_DELAY
+done
+
+if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
+    die "Error: Sanity check for contacting Kubernetes cluster failed after $((MAX_RETRIES * RETRY_DELAY)) seconds:
 
 Command tried: '$KUBECTL api-versions'
-Output:
+Last output:
 ${kc_output:-(no output)}"
 fi
 
@@ -85,8 +103,24 @@ if ! is_openshift_cluster "$CLUSTER_TYPE"; then
     apply "${MANIFESTS_DIR}/monitoring"
 fi
 
+apply "${MANIFESTS_DIR}/addons/00-addon-crd.yaml"
+wait_for_crd "addons.addons.managed.openshift.io"
 apply "${MANIFESTS_DIR}/addons"
 
+if is_openshift_cluster "$CLUSTER_TYPE"; then
+    log "Installing ExternalDNS for OpenShift"
+    wait_for_crd "applications.argoproj.io"
+
+    apply "${MANIFESTS_DIR}/external-dns-operator"
+    wait_for_crd externaldnses.externaldns.olm.openshift.io
+
+    source "${GITROOT}/dev/env/scripts/get-infrastructure-name.sh"
+    export EXTERNAL_DNS_NAME=${INFRASTRUCTURE_NAME}
+    chamber exec e2e-external-dns -- apply "${MANIFESTS_DIR}/external-dns"
+else
+    log "Skipping installation of ExternalDNS (only installed on openshift)"
+fi
+
 if [[ "$CLUSTER_TYPE"  == "kind" ]]; then
     log "Ensuring operator images exist from dev GitOps config"
     ensure_operator_image_exists.sh

dev/env/scripts/get-infrastructure-name.sh

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# This script retrieves the Infrastructure CR's infrastructureName from the cluster
+# and exports it as INFRASTRUCTURE_NAME for use in manifest templating.
+
+set -euo pipefail
+
+GITROOT="$(git rev-parse --show-toplevel)"
+export GITROOT
+# shellcheck source=/dev/null
+source "${GITROOT}/scripts/lib/log.sh"
+
+KUBECTL_BIN=${KUBECTL:-kubectl}
+
+INFRASTRUCTURE_NAME=$($KUBECTL_BIN get infrastructures.config.openshift.io cluster -o jsonpath='{.status.infrastructureName}')
+
+if [[ -z "$INFRASTRUCTURE_NAME" ]]; then
+    die "Error: Could not retrieve infrastructure name from cluster"
+fi
+
+export INFRASTRUCTURE_NAME
+log "Infrastructure name: $INFRASTRUCTURE_NAME"