OCPBUGS-37220: Fix DNS for Gateway API on AWS

[candita]

Before this change, a new Gateway API dnsRecord created on AWS was being deleted right after it was published.

pkg/operator/controller/gateway-service-dns/controller.go - add a predicate to ensure only dnsRecords for Gateway API are watched; export the ManagedByIstioLabelKey for use by the general dns controller; add logging to ensureDNSRecordsForGateway and deleteStaleDNSRecordsForGateway

pkg/resources/dnsrecord/dns.go - minor tweak and logging added to EnsureDNSRecord
pkg/dns/aws/dns.go - add logging

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@candita: This pull request references Jira Issue OCPBUGS-37220, which is invalid:

• expected the bug to target the "4.17.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Before this change, a new Gateway API dnsRecord created on AWS was being deleted right after it was published.

pkg/operator/controller/dns/controller.go - make the general watch for dnsRecords skip Gateway API dnsRecords

pkg/operator/controller/gateway-service-dns/controller.go - add a predicate to ensure only dsnRecords for Gateway API are watched; remove the restriction that watched only Services in openshift-ingress namespace; export the ManagedByIstioLabelKey for use by the general dns controller; add logging to ensureDNSRecordsForGateway and deleteStaleDNSRecordsForGateway

pkg/resources/dnsrecord/dns.go - minor tweak and logging added to EnsureDNSRecord
pkg/dns/aws/dns.go - add logging

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/test all

[candita]

/jira refresh

[openshift-ci-robot]

@candita: This pull request references Jira Issue OCPBUGS-37220, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.17.0) matches configured target version for branch (4.17.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/test all

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[candita]

/lifecycle-remove stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[lihongan]

/remove-lifecycle rotten

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from candita. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[candita]

/test all

[candita]

level=fatal msg=failed to fetch Cluster Infrastructure Variables: failed to fetch dependency of "Cluster Infrastructure Variables": failed to generate asset "Platform Provisioning Check": metadata.name: Invalid value: "ci-op-qgjbb60q-d9859": record(s) ["api.ci-op-qgjbb60q-d9859.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX."] already exists in DNS Zone (XXXXXXXXXXXXXXXXXXXXXX/origin-ci-int-gce) and might be in use by another cluster, please remove it to continue
Installer exit with code 1

/test e2e-gcp-ovn

[candita]

/retest

[candita]

https://issues.redhat.com/browse/HOSTEDCP-2236
/test hypershift-e2e-aks

[bryan-cox]

/test hypershift-e2e-aks
VAP flake

[rhamini3]

Pre-merge verified, mark as approved

Create a gateway using listeners and a secret

oc create -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: openshift-ingress
spec:
  gatewayClassName: openshift-default
  listeners:
  - name: http
    hostname: "*.$gwapi_domain"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    hostname: "*.$gwapi_domain"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: gwapi-wildcard
    allowedRoutes:
      namespaces:
        from: All
EOF

check the DNSRecord and confirm that it is published, and not automatically deleted

% oc -n openshift-ingress get dnsrecord -o yaml
apiVersion: v1
items:
- apiVersion: ingress.operator.openshift.io/v1
  kind: DNSRecord
  metadata:
    annotations:
      ingress.operator.openshift.io/target-hosted-zone-id: Z1H1FL5HABSF5
    creationTimestamp: "2025-01-13T17:51:19Z"
    finalizers:
    - operator.openshift.io/ingress-dns
    generation: 1
    labels:
      gateway.istio.io/managed: openshift.io-gateway-controller
      istio.io/gateway-name: gateway
    name: gateway-756bfb4988-wildcard
    namespace: openshift-ingress
    ownerReferences:
    - apiVersion: v1
      kind: Service
      name: gateway-openshift-default
      uid: 2fb04bf5-7dc8-422a-b1f7-564ba9112110
    resourceVersion: "89489"
    uid: 86eefd2e-2e17-4c4e-87aa-338dc806bd26
  spec:
    dnsManagementPolicy: Managed
    dnsName: '*.gwapi.ci-ln-mmjjxht-76ef8.aws-2.ci.openshift.org.'
    recordTTL: 30
    recordType: CNAME
    targets:
    - a2fb04bf57dc8422ab1f7564ba911211-1876664505.us-west-2.elb.amazonaws.com
  status:
    observedGeneration: 1
    zones:
    - conditions:
      - lastTransitionTime: "2025-01-13T17:51:19Z"
        message: The DNS provider succeeded in ensuring the record
        reason: ProviderSuccess
        status: "True"
        type: Published <--
      dnsZone:
        tags:
          Name: ci-ln-mmjjxht-76ef8-j59lj-int
          kubernetes.io/cluster/ci-ln-mmjjxht-76ef8-j59lj: owned
    - conditions:
      - lastTransitionTime: "2025-01-13T17:51:19Z"
        message: The DNS provider succeeded in ensuring the record
        reason: ProviderSuccess
        status: "True"
        type: Published <--
      dnsZone:
        id: Z00287062J1ITQ61DDU2Z
kind: List
metadata:
  resourceVersion: ""

/label qe-approved

[openshift-ci-robot]

@candita: This pull request references Jira Issue OCPBUGS-37220, which is invalid:

• expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.17.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Before this change, a new Gateway API dnsRecord created on AWS was being deleted right after it was published.

pkg/operator/controller/dns/controller.go - make the general watch for dnsRecords skip Gateway API dnsRecords

pkg/operator/controller/gateway-service-dns/controller.go - add a predicate to ensure only dsnRecords for Gateway API are watched; remove the restriction that watched only Services in openshift-ingress namespace; export the ManagedByIstioLabelKey for use by the general dns controller; add logging to ensureDNSRecordsForGateway and deleteStaleDNSRecordsForGateway

pkg/resources/dnsrecord/dns.go - minor tweak and logging added to EnsureDNSRecord
pkg/dns/aws/dns.go - add logging

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

HyperShift AKS test is failing due to a CRIO/RHCOS issue. More info here - https://redhat-internal.slack.com/archives/C01CQA76KMX/p1736790655245439?thread_ts=1736785822.924329&cid=C01CQA76KMX.

[candita]

/retest

[openshift-ci]

@candita: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[candita]

/jira refresh

[openshift-ci-robot]

@candita: This pull request references Jira Issue OCPBUGS-37220, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.19.0) matches configured target version for branch (4.19.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

/assign

[candita]

/assign @grzpiotrowski

[grzpiotrowski]

/lgtm

Just one thing, should we add the commit description/body?

Leaving out the /approve to @Miciah

Also I think this case could be good to test for in e2e?