Support for DNS names in egress routes

[pravisankar]

Introduced dns-proxy egress router mode that allows specifying DNS name for EGRESS_DESTINATION.
Currently, dns-proxy egress mode implementation is based on HAProxy.
HAProxy 1.6+ version is used to leverage DNS resolution at runtime.

Trello Card: https://trello.com/c/407uoUFz

[pravisankar]

@openshift/networking PTAL

[pravisankar]

[test]

[openshift-bot]

Evaluated for origin test up to caae214

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/3408/) (Base Commit: e97ba37) (PR Branch Commit: caae214)

[pravisankar]

/unassign kargakis
/assign danwinship

[danwinship]

eek... Not sure about this. We don't do anything like that anywhere else...

What exactly is different if we don't have the new haproxy?

[pravisankar]

Dynamic DNS resolution feature is only available in HAProxy 1.6+ version (currently we are running haproxy 1.5). I don't know if this method is acceptable currently or not but we have done similar stuff in release-1.3 (https://github.com/openshift/origin/blob/release-1.3/images/router/haproxy/Dockerfile)

[danwinship]

"Dynamic DNS resolution" meaning that if we used haproxy 1.5, it would only do the DNS resolution at startup and not notice any changes after that?

[danwinship]

I feel like we need some sort of higher-up (ie, not just networking team) approval for actually building binaries from source in the images like this...

(Another possibility maybe is to pre-build the package into an RPM and make it available in a COPR, like we do for the openvswitch packages for the dind image.)

[pravisankar]

Yes, haproxy 1.5.x resolves DNS at startup and will fail if the IP changes.

[pravisankar]

@eparis @smarterclayton is this acceptable? (building haproxy from source)..if not, how should we proceed?
Having haproxy 1.6+ will also solve this card: https://trello.com/c/J1ODldZK/516-move-to-a-version-of-haproxy-with-lua-capability

[danwinship]

origin style is to put declaration and initialization on separate lines. (IIRC because if you write it the way you did here, and there's an error, the error gets ignored)

also, you don't need cat and grep: $(awk '/nameserver/ {print $2}' /etc/resolv.conf)

also, actually you need a ^ before nameserver so it doesn't get tripped up by the comments NetworkManager sometimes adds:

# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.

[danwinship]

oh no, don't do that. The user may not want to leak their DNS requests to google.

[pravisankar]

Ok, I will remove.

[danwinship]

Ugh. There's no way to get it to just log to stdout/stderr?

We might want to make it not bother doing this unless the pod spec sets some sort of "debug" variable...

[pravisankar]

By default it is not logging stuff to stdout/stderr, I will enable this stuff when 'debug' variable is set.

[danwinship]

"${CONF}" (everywhere)

[danwinship]

Why do you need the pod_ip match here? We don't do that in the standard egress-router.

[pravisankar]

In the standard egress-router, iptables rules are set on the pod and packets from service IP to pod IP will hit the iptables on the pod that does the actual job.
In this dns proxy case, haproxy is running on the macvlan interface and packets from service IP will only reach the pod IP. This additional rule will forward all tcp packets from pod to macvlan interface which has the egress source IP.

[pravisankar]

Actually haproxy doesn't need to listen on macvlan interface. It can listen on pod/all interfaces and we don't need this additional iptables forward rule.

[danwinship]

This doesn't verify that there are no unexpected additional frontend/backend rules

[pravisankar]

I will add this test

[danwinship]

Did you fix this? Basically I was suggesting you should parse the output into static config, resolvers, and frontends sections, so you could then just check for equality rather than just "contains". (This might be easier if you had multiple testing modes; eg, one that just runs generate_dns_resolvers and nothing else, and one that just runs generate_haproxy_frontends_backends and nothing else.)

[pravisankar]

We may have multiple frontends and backends and equality check will work if the order is predefined among the frontends/backends. We don't have to enforce the order when generating these frontends/backends, instead we are checking for exact number of frontends and backends expected. Lines 137 to 140 and 147 to 150 validates this case.

[danwinship]

I don't think this is really testing anything useful. OTOH, it might be good to test the resolver code

[pravisankar]

I was trying to catch the case where config file was overwritten by some write instead of append('>' instead of '>>' in the script). I will add the resolver test.

[pravisankar]

@danwinship updated, ptal

[dcbw]

@pravisankar maybe need ot rebase to get an update to contrib/completions/OWNERS? It's failing the verify there with FAILURE: Generated completions out of date. Please run hack/update-generated-completions.sh

[danwinship]

"Dynamic DNS resolution" meaning that if we used haproxy 1.5, it would only do the DNS resolution at startup and not notice any changes after that?

[danwinship]

I feel like we need some sort of higher-up (ie, not just networking team) approval for actually building binaries from source in the images like this...

(Another possibility maybe is to pre-build the package into an RPM and make it available in a COPR, like we do for the openvswitch packages for the dind image.)

[danwinship]

if we are doing this, can we verify the md5sum as well before building?

[danwinship]

will this cause problems if the debug logging isn't enabled?

[pravisankar]

Tested with and without debug logging and found no issues.

[danwinship]

Did you fix this? Basically I was suggesting you should parse the output into static config, resolvers, and frontends sections, so you could then just check for equality rather than just "contains". (This might be easier if you had multiple testing modes; eg, one that just runs generate_dns_resolvers and nothing else, and one that just runs generate_haproxy_frontends_backends and nothing else.)

[ghyde]

Now that the router has been updated to HAProxy 1.8 (#18053), can the egress router be updated to support dynamic DNS resolution?

[pravisankar]

@openshift/sig-networking @danwinship @knobunc ready for re-review, PTAL

[pravisankar]

/retest

[danwinship]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, pravisankar

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these OWNERS Files:

• hack/lib/OWNERS [danwinship]
• images/egress/OWNERS [danwinship,pravisankar]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[eparis]

/hold
looks like a 3.10 thing...

[pravisankar]

/hold cancel
master is open for 3.10

[openshift-merge-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[pravisankar]

/retest

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 15409, 18763).

[openshift-ci-robot]

@pravisankar: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/extended_templates	9e4afb1	link	/test extended_templates
ci/openshift-jenkins/extended_conformance_install_update	9e4afb1	link	/test extended_conformance_install_update
ci/openshift-jenkins/extended_networking_minimal	5a94143	link	/test extended_networking_minimal

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.