Add externalIPs in service uws, support external dns

Signed-off-by: Bingtan Lu <[email protected]>

Author: LuBingtan

virtualcluster/config/sampleswithspec/coredns_external.yaml

@@ -0,0 +1,196 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coredns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:coredns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - services
+  - pods
+  - namespaces
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:coredns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:coredns
+subjects:
+- kind: ServiceAccount
+  name: coredns
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: kube-system
+data:
+  Corefile: |
+    .:53 {
+        log    
+        errors
+        health {
+          lameduck 5s
+        }
+        ready
+        kubernetes cluster.virtual in-addr.arpa ip6.arpa {
+          fallthrough in-addr.arpa ip6.arpa
+        }
+        k8s_external svc.cluster.local
+        prometheus :9153
+        forward . /etc/resolv.conf
+        cache 30
+        loop
+        reload
+        loadbalance
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "9153"
+    prometheus.io/scrape: "true"
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "CoreDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+  - name: metrics
+    port: 9153
+    protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/name: "CoreDNS"
+spec:
+  # replicas: not specified here:
+  # 1. Default is 1.
+  # 2. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+    spec:
+      serviceAccountName: coredns
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+      nodeSelector:
+        kubernetes.io/os: linux
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: k8s-app
+                operator: In
+                values: ["kube-dns"]
+            topologyKey: kubernetes.io/hostname
+      containers:
+      - name: coredns
+        image: registry.k8s.io/coredns/coredns:v1.9.3
+        imagePullPolicy: IfNotPresent
+        resources:
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        args: [ "-conf", "/etc/coredns/Corefile" ]
+        volumeMounts:
+        - name: config-volume
+          mountPath: /etc/coredns
+          readOnly: true
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 9153
+          name: metrics
+          protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8181
+            scheme: HTTP
+        env:
+        - name: KUBERNETES_SERVICE_HOST
+          value: kubernetes
+      dnsPolicy: Default
+      volumes:
+        - name: config-volume
+          configMap:
+            name: coredns
+            items:
+            - key: Corefile
+              path: Corefile

virtualcluster/pkg/syncer/conversion/equality.go

@@ -692,6 +692,11 @@ func (e vcEquality) CheckServiceEquality(pObj, vObj *v1.Service) *v1.Service {
 	vSpec.IPFamilies = pSpec.IPFamilies
 	vSpec.IPFamilyPolicy = pSpec.IPFamilyPolicy
 
+	if featuregate.DefaultFeatureGate.Enabled(featuregate.VServiceExternalIP) {
+		// Ignore ExternalIPs
+		vSpec.ExternalIPs = pSpec.ExternalIPs
+	}
+
 	if !equality.Semantic.DeepEqual(vSpec, pSpec) {
 		if updated == nil {
 			updated = pObj.DeepCopy()

virtualcluster/pkg/syncer/resources/service/uws.go

@@ -32,6 +32,7 @@ import (
 	"sigs.k8s.io/cluster-api-provider-nested/virtualcluster/pkg/syncer/constants"
 	"sigs.k8s.io/cluster-api-provider-nested/virtualcluster/pkg/syncer/conversion"
 	"sigs.k8s.io/cluster-api-provider-nested/virtualcluster/pkg/syncer/util"
+	"sigs.k8s.io/cluster-api-provider-nested/virtualcluster/pkg/syncer/util/featuregate"
 )
 
 // StartUWS starts the upward syncer
@@ -105,6 +106,12 @@ func (c *controller) BackPopulate(key string) error {
 	if updatedMeta != nil {
 		newService = vService.DeepCopy()
 		newService.ObjectMeta = *updatedMeta
+		if featuregate.DefaultFeatureGate.Enabled(featuregate.VServiceExternalIP) &&
+			updatedMeta.Annotations[constants.LabelSuperClusterIP] != "" &&
+			len(newService.Spec.ExternalIPs) == 0 {
+			// Add clusterIP to ExternalIPs if it hasn't been set on purpose
+			newService.Spec.ExternalIPs = []string{updatedMeta.Annotations[constants.LabelSuperClusterIP]}
+		}
 		if _, err = tenantClient.CoreV1().Services(vService.Namespace).Update(context.TODO(), newService, metav1.UpdateOptions{}); err != nil {
 			return fmt.Errorf("failed to back populate service %s/%s meta update for cluster %s: %v", vService.Namespace, vService.Name, clusterName, err)
 		}

virtualcluster/pkg/syncer/util/featuregate/gate.go

@@ -80,6 +80,11 @@ const (
 	// RootCACertConfigMapSupport is an experimental feature that allows clusters +1.21 to support
 	// the kube-root-ca.crt dropped into each Namespace
 	RootCACertConfigMapSupport = "RootCACertConfigMapSupport"
+
+	// VServiceExternalIP is an experimental feature that allows the syncer to
+	// add clusterIP of pService to vService's externalIPs.
+	// So that vService can be resolved by using the k8s_external plugin in coredns.
+	VServiceExternalIP = "VServiceExternalIP"
 )
 
 var defaultFeatures = FeatureList{
@@ -94,6 +99,7 @@ var defaultFeatures = FeatureList{
 	TenantAllowResourceNoSync:       {Default: false},
 	DisableCRDPreserveUnknownFields: {Default: false},
 	RootCACertConfigMapSupport:      {Default: false},
+	VServiceExternalIP:              {Default: false},
 }
 
 type Feature string