remove external DNS from MGMT cluster (#916)

* remove external DNS from MGMT cluster * remove external DNS managed identity and DNS zone permissions * remove external DNS deployment from MGMT cluster https://issues.redhat.com/browse/ARO-12551
Azure · Dec 4, 2024 · ab04e11 · ab04e11
1 parent 7f10a13
commit ab04e11
Show file tree

Hide file tree

Showing 21 changed files with 12 additions and 294 deletions.
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -20,8 +20,6 @@ defaults:
   hypershift:
     namespace: hypershift
     additionalInstallArg: '--tech-preview-no-upgrade'
-    externalDNSManagedIdentityName: external-dns
-    externalDNSServiceAccountName: external-dns
 
   svc:
     subscription: hcp-{{ .ctx.region }}
@@ -81,7 +79,7 @@ defaults:
     rg: hcp-underlay-imagesync
     acrRG: '{{ .ctx.region }}-shared-resources'
     environmentName: aro-hcp-image-sync
-    repositories: registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+    repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
     imageRepo: image-sync/component-sync
     imageTag: latest
   ocMirror:
@@ -131,8 +129,6 @@ clouds:
         imageRepo: app-sre/uhc-clusters-service
       hypershiftOperator:
         imageTag: 9aca808
-      externalDNS:
-        imageTag: v0.14.2
 
     environments:
       int:

diff --git a/config/config.schema.json b/config/config.schema.json
@@ -83,18 +83,6 @@
           "softDelete"
         ]
       },
-      "externalDNS": {
-        "type": "object",
-        "properties": {
-          "imageTag": {
-            "type": "string"
-          }
-        },
-        "additionalProperties": false,
-        "required": [
-          "imageTag"
-        ]
-      },
       "extraVars": {
         "type": "object",
         "properties": {},
@@ -151,21 +139,13 @@
           "additionalInstallArg": {
             "type": "string"
           },
-          "externalDNSManagedIdentityName": {
-            "type": "string"
-          },
-          "externalDNSServiceAccountName": {
-            "type": "string"
-          },
           "namespace": {
             "type": "string"
           }
         },
         "additionalProperties": false,
         "required": [
           "additionalInstallArg",
-          "externalDNSManagedIdentityName",
-          "externalDNSServiceAccountName",
           "namespace"
         ]
       },
@@ -607,7 +587,6 @@
       "baseDnsZoneRG",
       "clusterService",
       "cxKeyVault",
-      "externalDNS",
       "firstPartyAppClientId",
       "frontend",
       "globalRG",

diff --git a/config/config.yaml b/config/config.yaml
@@ -20,8 +20,6 @@ defaults:
   hypershift:
     namespace: hypershift
     additionalInstallArg: '--tech-preview-no-upgrade'
-    externalDNSManagedIdentityName: external-dns
-    externalDNSServiceAccountName: external-dns
 
   svc:
     subscription: hcp-{{ .ctx.region }}
@@ -80,7 +78,7 @@ defaults:
     rg: hcp-underlay-{{ .ctx.regionShort }}-imagesync
     acrRG: global
     environmentName: aro-hcp-image-sync
-    repositories: registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
+    repositories: quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package
     imageRepo: image-sync/component-sync
     imageTag: latest
   ocMirror:
@@ -129,13 +127,11 @@ clouds:
         imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
       # Cluster Service
       clusterService:
-        imageTag: ecd15ad
+        imageTag: 6157c57
         imageRepo: app-sre/uhc-clusters-service
       # Hypershift Operator
       hypershiftOperator:
         imageTag: 9aca808
-      externalDNS:
-        imageTag: v0.14.2
       # Shared SVC KV
       serviceKeyVault:
         name: 'aro-hcp-dev-svc-kv'

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "ecd15ad",
+    "imageTag": "6157c57",
     "postgres": {
       "deploy": true,
       "minTLSVersion": "TLSV1.2",
@@ -20,9 +20,6 @@
     "private": false,
     "softDelete": false
   },
-  "externalDNS": {
-    "imageTag": "v0.14.2"
-  },
   "extraVars": {},
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontend": {
@@ -36,8 +33,6 @@
   "globalRG": "global",
   "hypershift": {
     "additionalInstallArg": "--tech-preview-no-upgrade",
-    "externalDNSManagedIdentityName": "external-dns",
-    "externalDNSServiceAccountName": "external-dns",
     "namespace": "hypershift"
   },
   "hypershiftOperator": {
@@ -48,7 +43,7 @@
     "environmentName": "aro-hcp-image-sync",
     "imageRepo": "image-sync/component-sync",
     "imageTag": "latest",
-    "repositories": "registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
+    "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
     "rg": "hcp-underlay-westus3-imagesync-dev"
   },
   "istioVersion": "asm-1-22",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "ecd15ad",
+    "imageTag": "6157c57",
     "postgres": {
       "deploy": true,
       "minTLSVersion": "TLSV1.2",
@@ -20,9 +20,6 @@
     "private": false,
     "softDelete": false
   },
-  "externalDNS": {
-    "imageTag": "v0.14.2"
-  },
   "extraVars": {},
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontend": {
@@ -36,8 +33,6 @@
   "globalRG": "global",
   "hypershift": {
     "additionalInstallArg": "--tech-preview-no-upgrade",
-    "externalDNSManagedIdentityName": "external-dns",
-    "externalDNSServiceAccountName": "external-dns",
     "namespace": "hypershift"
   },
   "hypershiftOperator": {
@@ -48,7 +43,7 @@
     "environmentName": "aro-hcp-image-sync",
     "imageRepo": "image-sync/component-sync",
     "imageTag": "latest",
-    "repositories": "registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
+    "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
     "rg": "hcp-underlay-westus3-imagesync-dev"
   },
   "istioVersion": "asm-1-22",

diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -20,9 +20,6 @@
     "private": false,
     "softDelete": false
   },
-  "externalDNS": {
-    "imageTag": "v0.14.2"
-  },
   "extraVars": {},
   "firstPartyAppClientId": "??? the one used by CS to do first party stuff ???",
   "frontend": {
@@ -36,8 +33,6 @@
   "globalRG": "global-shared-resources",
   "hypershift": {
     "additionalInstallArg": "--tech-preview-no-upgrade",
-    "externalDNSManagedIdentityName": "external-dns",
-    "externalDNSServiceAccountName": "external-dns",
     "namespace": "hypershift"
   },
   "hypershiftOperator": {
@@ -48,7 +43,7 @@
     "environmentName": "aro-hcp-image-sync",
     "imageRepo": "image-sync/component-sync",
     "imageTag": "latest",
-    "repositories": "registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
+    "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
     "rg": "hcp-underlay-imagesync"
   },
   "istioVersion": "asm-1-22",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "ecd15ad",
+    "imageTag": "6157c57",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",
@@ -20,9 +20,6 @@
     "private": false,
     "softDelete": false
   },
-  "externalDNS": {
-    "imageTag": "v0.14.2"
-  },
   "extraVars": {},
   "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
   "frontend": {
@@ -36,8 +33,6 @@
   "globalRG": "global",
   "hypershift": {
     "additionalInstallArg": "--tech-preview-no-upgrade",
-    "externalDNSManagedIdentityName": "external-dns",
-    "externalDNSServiceAccountName": "external-dns",
     "namespace": "hypershift"
   },
   "hypershiftOperator": {
@@ -48,7 +43,7 @@
     "environmentName": "aro-hcp-image-sync",
     "imageRepo": "image-sync/component-sync",
     "imageTag": "latest",
-    "repositories": "registry.k8s.io/external-dns/external-dns,quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
+    "repositories": "quay.io/acm-d/rhtap-hypershift-operator,quay.io/app-sre/uhc-clusters-service,quay.io/package-operator/package-operator-package",
     "rg": "hcp-underlay-westus3-imagesync-dev"
   },
   "istioVersion": "asm-1-22",

diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
@@ -23,14 +23,6 @@ param maestroConsumerName = '{{ .maestro.consumerName }}'
 param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}'
 param maestroCertDomain = '{{ .maestro.certDomain }}'
 
-// Hypershift
-param hypershiftNamespace = '{{ .hypershift.namespace }}'
-param externalDNSManagedIdentityName = '{{ .hypershift.externalDNSManagedIdentityName }}'
-param externalDNSServiceAccountName = '{{ .hypershift.externalDNSServiceAccountName }}'
-
-// DNS
-param regionalDNSZoneName = '{{ .regionalDNSSubdomain}}.{{ .baseDnsZoneName }}'
-
 // ACR
 param acrPullResourceGroups = ['{{ .serviceComponentAcrResourceGroups }}']
 

diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -59,15 +59,6 @@ param aksKeyVaultName string
 @description('Manage soft delete setting for AKS etcd key-value store')
 param aksEtcdKVEnableSoftDelete bool = true
 
-@description('The name of the hypershift namespace.')
-param hypershiftNamespace string
-
-@description('The name of the external DNS managed identity.')
-param externalDNSManagedIdentityName string
-
-@description('The name of the external DNS service account.')
-param externalDNSServiceAccountName string
-
 @description('The name of the maestro consumer.')
 param maestroConsumerName string
 
@@ -77,9 +68,6 @@ param maestroCertDomain string
 @description('The name of the eventgrid namespace for Maestro.')
 param maestroEventGridNamespacesName string
 
-@description('This is a regional DNS zone')
-param regionalDNSZoneName string
-
 @description('The resource group that hosts the regional zone')
 param regionalResourceGroup string
 
@@ -148,11 +136,6 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
         namespace: 'maestro'
         serviceAccountName: 'maestro'
       }
-      external_dns_wi: {
-        uamiName: externalDNSManagedIdentityName
-        namespace: hypershiftNamespace
-        serviceAccountName: externalDNSServiceAccountName
-      }
     })
     aksKeyVaultName: aksKeyVaultName
     acrPullResourceGroups: acrPullResourceGroups
@@ -193,24 +176,6 @@ module maestroConsumer '../modules/maestro/maestro-consumer.bicep' = {
   ]
 }
 
-//
-//  E X T E R N A L   D N S
-//
-
-var externalDnsManagedIdentityPrincipalId = filter(
-  mgmtCluster.outputs.userAssignedIdentities,
-  id => id.uamiName == externalDNSManagedIdentityName
-)[0].uamiPrincipalID
-
-module dnsZoneContributor '../modules/dns/zone-contributor.bicep' = {
-  name: guid(regionalDNSZoneName, mgmtCluster.name, externalDNSManagedIdentityName)
-  scope: resourceGroup(regionalResourceGroup)
-  params: {
-    zoneName: regionalDNSZoneName
-    zoneContributerManagedIdentityPrincipalId: externalDnsManagedIdentityPrincipalId
-  }
-}
-
 //
 //   K E Y V A U L T S
 //

diff --git a/hypershiftoperator/Makefile b/hypershiftoperator/Makefile
@@ -4,8 +4,7 @@ $(shell ../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk)
 include config.mk
 
 deploy:
-	@EXTERNAL_DNS_OPERATOR_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n ${EXTERNAL_DNS_MI_NAME} --query clientId -o tsv) && \
-	AZURE_TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
+	@AZURE_TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 	AZURE_SUBSCRIPTION_ID=$(shell az account show --query id --output tsv) && \
 	CSI_SECRET_STORE_CLIENT_ID=$(shell az aks show -n ${AKS_NAME} -g ${RESOURCEGROUP} --query 'addonProfiles.azureKeyvaultSecretsProvider.identity.clientId' -o tsv) && \
 	helm upgrade --install hypershift deploy/helm \
@@ -14,14 +13,6 @@ deploy:
 		--set imageTag=${HO_IMAGE_TAG} \
 		--set registryOverrides="quay.io/openshift-release-dev/ocp-v4.0-art-dev=${ARO_HCP_OCP_ACR}.azurecr.io/openshift/release\,quay.io/openshift-release-dev/ocp-release=${ARO_HCP_OCP_ACR}.azurecr.io/openshift/release-images\,registry.redhat.io/redhat=${ARO_HCP_OCP_ACR}.azurecr.io/redhat" \
 		--set additionalArgs="${HO_ADDITIONAL_INSTALL_ARG}" \
-		--set azureKeyVaultClientId=$${CSI_SECRET_STORE_CLIENT_ID} \
-		--set external-dns.image=${ED_IMAGE_BASE} \
-		--set external-dns.imageTag=${ED_IMAGE_TAG} \
-		--set external-dns.txtOwnerId=${RESOURCEGROUP} \
-		--set external-dns.domain=${ZONE_NAME} \
-		--set external-dns.credentials.tenantId=$${AZURE_TENANT_ID} \
-		--set external-dns.credentials.subscriptionId=$${AZURE_SUBSCRIPTION_ID} \
-		--set external-dns.credentials.resourceGroup=${REGIONAL_RESOURCEGROUP} \
-		--set external-dns.credentials.userAssignedIdentityID=$${EXTERNAL_DNS_OPERATOR_MI_CLIENT_ID}
+		--set azureKeyVaultClientId=$${CSI_SECRET_STORE_CLIENT_ID}
 
 .PHONY: helm-chart deploy
diff --git a/hypershiftoperator/config.tmpl.mk b/hypershiftoperator/config.tmpl.mk
@@ -3,17 +3,12 @@ ARO_HCP_OCP_ACR ?= {{ .ocpAcrName }}
 HO_IMAGE_TAG ?= {{ .hypershiftOperator.imageTag }}
 HO_IMAGE_BASE ?= ${ARO_HCP_SVC_ACR}.azurecr.io/acm-d/rhtap-hypershift-operator
 HO_IMAGE ?= ${HO_IMAGE_BASE}:${HO_IMAGE_TAG}
-ED_IMAGE ?= ${ARO_HCP_SVC_ACR}.azurecr.io/external-dns/external-dns:${ED_IMAGE_TAG}
-ED_IMAGE_TAG ?= {{ .externalDNS.imageTag }}
-ED_IMAGE_BASE ?= ${ARO_HCP_SVC_ACR}.azurecr.io/external-dns/external-dns
-ED_IMAGE ?= ${ED_IMAGE_BASE}:${ED_IMAGE_TAG}
 
 RESOURCEGROUP ?= {{ .mgmt.rg }}
 REGIONAL_RESOURCEGROUP ?= {{ .regionRG }}
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 AKS_NAME ?= {{ .aksName }}
 HYPERSHIFT_NAMESPACE ?= {{ .hypershift.namespace}}
-EXTERNAL_DNS_MI_NAME ?= {{ .hypershift.externalDNSManagedIdentityName }}
 
 HO_CHART_DIR ?= deploy/helm/charts/hypershift-operator
 HO_ADDITIONAL_INSTALL_ARG ?= {{ .hypershift.additionalInstallArg }}
diff --git a/hypershiftoperator/deploy/helm/Chart.yaml b/hypershiftoperator/deploy/helm/Chart.yaml
@@ -3,7 +3,3 @@ description: A Helm chart to install the Hypershift Operator and deps for ARO
 name: aro-hcp-hypershift-operator
 type: application
 version: 0.1.0
-
-dependencies:
-- name: "external-dns"
-  version: "0.14.2"
diff --git a/hypershiftoperator/deploy/helm/charts/external-dns/Chart.yaml b/hypershiftoperator/deploy/helm/charts/external-dns/Chart.yaml