redhat-cop / global-load-balancer-operator

A global load balancer operator for OpenShift
Apache License 2.0

Allow custom route specification on GlobalRouteDiscovery #39

Open gomesar9 opened 3 years ago

gomesar9 commented 3 years ago

Hi all,

we are trying to configure the operator in a cloud infrastructure (AWS) and are facing problems using custom OCP routes:

We've created a custom service to enable valid HTTPS traffic, with custom certs, through the global load balancer and keep our (also valid, not self-signed) cluster certs working.

In this way we can use endpoints from our cluster domain, and use endpoints with a "global" domain, pointing to another Load Balancer, managed by this new service, and configured with the relevant cert/key.

Like:

  1. On cluster1:

    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: router-custom
      namespace: openshift-ingress
      labels:
        app: router-custom
        router: router-custom
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '1800'
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: '2'
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: '5'
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: '4'
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: '2'
        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    spec:
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: http
        - name: https
          protocol: TCP
          port: 443
          targetPort: https
      selector:
        ingresscontroller.operator.openshift.io/deployment-ingresscontroller: glb
      type: LoadBalancer
      externalTrafficPolicy: Local
  2. On cluster-manager:

    ---
    apiVersion: redhatcop.redhat.io/v1alpha1
    kind: GlobalDNSRecord
    metadata:
      name: glb-manual-test
      namespace: global-load-balancer-operator
      labels:
        app: frontend
    spec:
      endpoints:
        - clusterCredentialRef:
            name: cluster1
            namespace: cluster1
          clusterName: cluster1
          loadBalancerServiceRef:
            name: router-custom
            namespace: openshift-ingress
      globalZoneRef:
        name: route53-global-dns-zone
      loadBalancingPolicy: Multivalue
      name: glb-test.glb.my.domain.here
      ttl: 60

It works fine, but we lose the Auto Discovery because we cannot set these parameters in the GlobalRouteDiscovery resource:

    loadBalancerServiceRef:
        name: router-custom
        namespace: openshift-ingress

Can we have this option, to auto-create GlobalDNSRecord with specific router names/namespaces?

Thanks

raffaelespazzoli commented 3 years ago

The configuration you describe should actually be supported by the operator, so the addition you mention should not be needed. Just as a sanity check, I assume you have router sharding and that the global routes are picked up only by your router-custom. Can you confirm that? Also do you see anything in the logs regarding the route discovery controller?
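The sanity check above (every global route admitted only by the custom router shard) can be verified offline with the script below. This is an added example, not code from the operator; the IngressController routeSelectors and Route labels are constructed stand-ins, and the selector evaluation follows standard Kubernetes label-selector semantics.

```python
"""Check which IngressController shards would admit each Route (added example)."""


def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector (matchLabels + matchExpressions)."""
    if not selector:
        return True  # an absent routeSelector admits every route
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values, present = set(expr.get("values", [])), expr["key"] in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def admitting_controllers(controllers, route_labels):
    """Names of the controllers whose routeSelector admits a route with these labels."""
    return [n for n, sel in controllers.items() if selector_matches(sel, route_labels)]


def shard_report(controllers, routes, global_controller):
    """Per route: (admitting controllers, True if exclusive to the global shard)."""
    report = {}
    for route, labels in routes.items():
        admitted = admitting_controllers(controllers, labels)
        report[route] = (admitted, admitted == [global_controller])
    return report


# Constructed sample: the default controller excludes router=router-custom via NotIn,
# the "glb" shard (backing the router-custom Service) admits only those routes.
CONTROLLERS = {
    "default": {"matchExpressions": [{"key": "router", "operator": "NotIn",
                                      "values": ["router-custom"]}]},
    "glb": {"matchLabels": {"router": "router-custom"}},
}
ROUTES = {
    "frontend": {"app": "frontend", "router": "router-custom"},
    "internal-api": {"app": "api"},
}

if __name__ == "__main__":
    for route, (admitted, exclusive) in shard_report(CONTROLLERS, ROUTES, "glb").items():
        print(f"{route}: admitted by {admitted}, exclusive to glb: {exclusive}")
```

A route reported as admitted by both shards is the misconfiguration that would make discovery pick the wrong load balancer service.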

gomesar9 commented 3 years ago

Hi, yes, the global route may only be assigned to routes labeled, let's say, router: router-custom and picked up by the router-custom service.

What I mean is, just correctly labeling an application route, the operator must automatically build a new GlobalDNSRecord (via GlobalRouteDiscovery) with:

    loadBalancerServiceRef:
        name: router-custom
        namespace: openshift-ingress

But it's not listed as a configurable spec in GlobalRouteDiscovery resources. (It seems to be configurable only directly in GlobalDNSRecord.)

Can you confirm this is already possible? Our running version is: 1.2.0

raffaelespazzoli commented 3 years ago

It should already work; the route discovery operator should correctly populate those fields. Can you attach the following:

  1. route definition with status
  2. global route discovery
  3. generated global dns record.

raffaelespazzoli commented 3 years ago

May I close this?