OpenUnison / openunison-k8s-login-oidc

Kubernetes login portal for both kubectl and the dashboard using OpenID Connect. Use groups from your assertion in RBAC policies to control access to your cluster. Supports impersonation and OpenID Connect integration with your API server.
https://www.tremolosecurity.com/kubernetes/
Apache License 2.0

Issue with dashboard proxy with non-default cluster domain (!= cluster.local) #24

Closed dkulchinsky closed 3 years ago

dkulchinsky commented 3 years ago

Hey 👋

We're having an issue setting up OpenUnison + Orchestra to work on clusters with a non-default cluster domain (i.e. not cluster.local). API impersonation works; however, access to the Dashboard throws an error. Looking at the orchestra logs, it seems like the hostname that orchestra generates for the dashboard service has the following dynamic format:

"kubernetes-dashboard." + k8sDashboardNamespace + ".svc.cluster.local"

Since we use a different cluster domain (not cluster.local), the system is unable to resolve it and throws an UnknownHostException:

Caused by: java.net.UnknownHostException: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local

Would it be possible to omit cluster.local from these URLs? (In fact just <service name>.<namespace> is enough for Service Discovery.) Or perhaps introduce a configuration parameter to specify it in case it's not the default?

dkulchinsky commented 3 years ago

I took a stab at fixing this; testing it in my cluster seems to work well.

I've also noticed the same issue with the check-certs-orchestra Job containers:

Exception in thread "main" java.net.UnknownHostException: kubernetes.default.svc.cluster.local: Name or service not known
    at java.net.Inet4AddressImpl.lookupAllHostAddr(Native Method)
    at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:929)
    at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1324)
    at java.net.InetAddress.getAllByName0(InetAddress.java:1277)
    at java.net.InetAddress.getAllByName(InetAddress.java:1193)
    at java.net.InetAddress.getAllByName(InetAddress.java:1127)
    at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112)
    at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:313)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at com.tremolosecurity.kubernetes.artifacts.util.K8sUtils.callWS(K8sUtils.java:464)
    at com.tremolosecurity.kubernetes.artifacts.util.K8sUtils.callWS(K8sUtils.java:281)
    at com.tremolosecurity.kubernetes.artifacts.util.K8sUtils.<init>(K8sUtils.java:226)
    at com.tremolosecurity.kubernetes.artifacts.run.RunDeployment.main(RunDeployment.java:75)

looks like it's in kubernetes-artifact-deployment.
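
As an added illustration of the service-discovery approach the two reports above point at (this is example code written for this page, not OpenUnison code and not the fix from this thread), the Python below builds in-cluster hostnames without hard-coding ".cluster.local": it accepts an explicit cluster-domain override, otherwise derives the domain from the pod's /etc/resolv.conf search list (kubelet writes "<ns>.svc.<domain> svc.<domain> <domain>"), and otherwise falls back to the search-relative "<service>.<namespace>.svc" form. The API-server address comes from the KUBERNETES_SERVICE_HOST/PORT variables kubelet injects instead of kubernetes.default.svc.cluster.local. The resolv.conf text and the "corp.example" domain are constructed sample input; the label check rejects dots or other junk that a config value could otherwise smuggle into the hostname.

```python
"""Build in-cluster Kubernetes hostnames without a hard-coded cluster DNS domain."""
import os
import re
from typing import Mapping, Optional

# Constructed sample: a pod's /etc/resolv.conf on a cluster whose DNS domain
# was set to "corp.example" instead of the default "cluster.local".
SAMPLE_RESOLV_CONF = """\
nameserver 10.96.0.10
search kubernetes-dashboard.svc.corp.example svc.corp.example corp.example
options ndots:5
"""

# RFC 1123 DNS label, as Kubernetes requires for service and namespace names.
_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def _check_label(value: str, what: str) -> str:
    """Refuse anything that is not a single DNS label (no dots, no uppercase)."""
    if not _LABEL.fullmatch(value):
        raise ValueError(f"{what} {value!r} is not a valid DNS label")
    return value


def cluster_domain_from_resolv_conf(text: str) -> Optional[str]:
    """Return the cluster DNS domain implied by the search list, or None.

    The search entry that starts with "svc." is "svc.<domain>", so the
    remainder is the domain. Returns None if no such entry exists.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "search":
            for entry in parts[1:]:
                m = re.fullmatch(r"svc\.(.+)", entry)
                if m:
                    return m.group(1).rstrip(".")
    return None


def service_host(name: str, namespace: str, cluster_domain: Optional[str] = None,
                 resolv_conf: Optional[str] = None) -> str:
    """Hostname for a ClusterIP service.

    Precedence: explicit cluster_domain (config/env override), then the
    domain derived from resolv_conf (read from /etc/resolv.conf when not
    supplied), then "<name>.<namespace>.svc", which the pod's search list
    completes on any conformant cluster.
    """
    _check_label(name, "service name")
    _check_label(namespace, "namespace")
    domain = cluster_domain
    if domain is None:
        if resolv_conf is None and os.path.exists("/etc/resolv.conf"):
            with open("/etc/resolv.conf", encoding="utf-8") as fh:
                resolv_conf = fh.read()
        if resolv_conf is not None:
            domain = cluster_domain_from_resolv_conf(resolv_conf)
    base = f"{name}.{namespace}.svc"
    return f"{base}.{domain}" if domain else base


def api_server_url(env: Mapping[str, str] = os.environ) -> str:
    """API server base URL from the variables kubelet injects into every pod.

    Falls back to the search-relative "kubernetes.default.svc" name, never
    to a hard-coded cluster domain.
    """
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    if host:
        # Bracket IPv6 literals so the URL stays parseable.
        if ":" in host and not host.startswith("["):
            host = f"[{host}]"
        return f"https://{host}:{port}"
    return "https://kubernetes.default.svc"


if __name__ == "__main__":
    print(service_host("kubernetes-dashboard", "kubernetes-dashboard",
                       resolv_conf=SAMPLE_RESOLV_CONF))
    print(api_server_url())
```

Keeping the domain derivation in one function means a deployment that cannot rely on the pod's search list (the "home network DNS hijack" case) can still pin the domain explicitly, while everything else resolves correctly on clusters that were built with a custom domain.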

mlbiam commented 3 years ago

this is a remnant of when we ran into lots of issues with folks whose home networks linked up to DNS providers that would resolve everything to their "page not found" server, causing all sorts of havoc.

It's not the right way to do it, as you've run into. Our next release is going to eliminate the ".cluster.local" suffix to align with the spec and to support the validating webhooks we're adding for our multi-cluster management. I'd rather not make a change right now if you're working? We can keep this open and once the next release is out (end of November at the latest) we will make sure this is part of the release.

dkulchinsky commented 3 years ago

Hey @mlbiam! thanks for the reply, sounds like a solid plan to me 👍

I guess the new release will remove .cluster.local from all the other places? I at least had to tweak in the operator and the check-certs-orchestra cron job.

mlbiam commented 3 years ago

The latest release removes .cluster.local from all code references