-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: configure arbitrary provider-specific properties via annotations #4875
base: master
Are you sure you want to change the base?
feat: configure arbitrary provider-specific properties via annotations #4875
Conversation
Hi @Dadeos-Menlo. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I've just discovered the existence of CRD Source, which appears to involve the crd source interrogating Kubernetes custom-resource objects of type DNSEndpoint. Unfortunately, the This design is very unfortunate and hopefully, given its "alpha" status, can still be addressed. A far better approach would be to have end-users apply annotations on the I suggest that part of the confusion surrounding these provider-specific annotations/properties is that Endpoint.ProviderSpecific fulfils two distinct roles:
This commingling of responsibilities can easily result in unintended consequences; the most readily reproducible ones being that specifying an unsupported provider-specific property, such as suggested in the CRD source example (i.e. specifying a Cloudflare provider-specific property when using any provider other than Cloudflare) results in the DNS records generated being perpetually out-of-sync with the source object (i.e. the |
/ok-to-test |
I think I agree with you: it would be more consistent to use annotations, maybe in a v1alpha2 version of the CRD. For the webhook annotation, it was introduced because some webhook providers needs it. See for example mikrotik. |
The logic seems better to me with this logic, thanks 👍 . |
2d6fb18
to
c2041db
Compare
I've reinstated the documentation of webhook annotations, but still consider this approach misguided. The provider-properties associated with the mikrotik example cited should be named
). Imagine scenarios if/when the AWS provider was to be repackaged to use the Webhook provider architecture; one wouldn't expect to have to rename all of the existing annotations on one's Kubernetes objects. Not to mention the preclusion of deploying a single instance of external-dns, managing multiple providers deployed via the Webhook architecture, whose |
b21b0ff adds annotation support to the The only potential benefit for supporting the |
You're right. It makes sense to include the provider name instead of webhook. |
@mircea-pavel-anton as the author of microtik external provider, Wdyt ? Would it make sense for you ? |
So there are a couple of things to address here.
First off, I am not so sure about changing the I understand it from the point of view of consistency, both from the user experience point of view (though I would argue that using the CRD directly is much less common) as well as the developer experience one (the value that gets passed to the webhook provider ends up being different when we're using annotations), but I don't really like this solution. Secondly, I do agree that changing the prefix for webhook providers is a good idea. This is also similar to this PR #4951 that I have already commented on. I think that, more importantly, each webhook should have a customizable prefix specified upon installation and ONLY the annotations with that prefix should be passed in as provider specific configurations (optionally, in the form of the substring that comes AFTER the prefix). What I mean by this is that there should be a configuration option when installing external-dns with a webhook provider, maybe something like: ...
provider:
name: webhook
webhook:
name: custom-name-here
image:
repository: ghcr.io/mirceanton/external-dns-provider-mikrotik
... and then only unrecognized annotations that start with This will likely solve this issue i have also ran into, that @Dadeos-Menlo also mentioned: mirceanton/external-dns-provider-mikrotik#140 As for the second part, i.e. "optionally, in the form of the substring that comes AFTER the prefix" I mean that when we are passing in provider-specific annotations to a webhook provider via CRD configs vs annotations, the webhook itself receives different For example:
and ---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-demo
annotations:
external-dns.alpha.kubernetes.io/hostname: "some.example.com"
external-dns.alpha.kubernetes.io/ttl: "180"
external-dns.alpha.kubernetes.io/webhook-comment: "This is a comment" annotations!"
Might seem the same, but for the DNS Endpoint object, the webhook receives So TL;DR: yes, I do think custom annotation prefixes per provider are a good idea. I also think they should be customizable. @kashalls do you have some thoughts on this topic? IIRC you were also impacted by this cloudflare annotation issue that kept records perpetually out of sync |
Yes, my unifi webhook provider and pretty much all of the webhook providers are affected by this. I am leaning more towards the idea that each provider can negotiate with external-dns to determine what features are allowed / disabled / unsupported. (Maybe we can provide a list of valid annotations that the webhook expects to handle?) We already support this using the As for the annotation specific's I think adding a name to specifically only pass the prefixed annotations would be a good start. The user deploying the provider should be the one to create the prefix key as there might be some cases where the user wants to run two different instances of a provider. I do like this approach here because it gives the user the configuration option to choose their prefix keys for each provider. ...
provider:
name: webhook
webhook:
name: custom-name-here
image:
repository: ghcr.io/mirceanton/external-dns-provider-mikrotik
... Perhaps we could do more with the provide negotiate endpoint? Apologies if it seems more like a ramble, I am currently on a holiday trip. |
@Dadeos-Menlo I'm back from vacation, do you need any help with this? |
I'm not sure I understand; I don't feel that I need any specific help regarding this issue. Upon consideration of the existing implementation of the handling of provider-specific annotations I concluded that it might be improved and hence have proposed the changes associated with this pull-request. I presume that the matter is now in the hands of the maintainers/reviewers to, accept, reject, or otherwise comment on the changes proposed. Regarding the wider issues raised surrounding the usage of annotations to represent provider-specific configuration, my opinions for what they're worth are:
|
…herwise recognised, as provider properties.
b21b0ff
to
6753540
Compare
Description
Support for provider-specific annotations, that manifest as Endpoint.ProviderSpecific properties, is currently restricted to a subset of pre-defined providers. This functionality should be available to all providers, without requirement for special-case registration within the getProviderSpecificAnnotations(…) function.
The proposed changes include:
getProviderSpecificAnnotations(…)
function so as to treat all annotations prefixed withexternal-dns.alpha.kubernetes.io/
, but that are not otherwise recognised, as provider-specific propertiesNotes:
provider/property
orprovider-property
) is an internal implementation detail, and therefore the proposed renaming does not represent any backwards-incompatibility…/webhook-<custom-annotation>
is considered unwise - provider-specific properties are considered to be provider-specific, whereas the Webhook provider is considered to be a wrapper of providers, rather than a provider in and of itself (see: Moving providers out of tree #4347)webhook-property
towebhook/property
has not been implemented - implementation would be trivial, but given the conclusion that provider-specific properties associated with a Webhook provider are nonsensical, such an implementation is not being initially proposedChecklist