Bug 1768847

Summary: [4.2]The DNS provider failed to ensure the record: caused by: Post https://route53.amazonaws.com/xxx: dial tcp x.x.x.x:443: i/o timeout
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: DocumentationAssignee: Daneyon Hansen <dhansen>
Status: CLOSED EOL QA Contact: Hongan Li <hongli>
Severity: high Docs Contact:
Priority: high    
Version: 4.2.0CC: aos-bugs, dhansen, dmace, gpei, hongli, jialiu, jokerman, kalexand, piqin
Target Milestone: ---Keywords: TestBlocker
Target Release: 4.2.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1765044 Environment:
Last Closed: 2021-04-07 19:34:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1765044, 1782829    
Bug Blocks:    

Comment 1 Daneyon Hansen 2019-11-07 18:13:39 UTC
Users are required to manually manage dns by following https://github.com/openshift/installer/blob/master/docs/user/aws/install_upi.md#adjust-dns-zones. Moving to the doc's team to confirm this requirement is documented.

Comment 4 Daneyon Hansen 2019-11-08 17:04:41 UTC
Johnny,

Can TestBlocker be removed from the bug? You can see how the proxy upi test job [1] automates the dns record creation.

[1] https://github.com/openshift/release/pull/4719/files

Comment 5 Johnny Liu 2019-11-11 05:27:09 UTC
(In reply to Daneyon Hansen from comment #4)
> Johnny,
> 
> Can TestBlocker be removed from the bug? You can see how the proxy upi test
> job [1] automates the dns record creation.
> 
> [1] https://github.com/openshift/release/pull/4719/files

1. From [1], I did not see how dns record is created for apps. Do I miss something? Could you point me the detailed lines?
2. If you was saying https://github.com/openshift/installer/blob/master/docs/user/aws/install_upi.md#adjust-dns-zones, yeah, that is kinds of workaround. But the purpose of this bug is requesting the same thing in https://jira.coreos.com/browse/NE-182.
3. In QE's testing, we are running proxy testing in some 'black-hole' private subnet. Every operator should be able to reach to cloud API via proxy. In this bug, ingress-router operator does not. I think this is some important things in customer scenario.

Comment 6 Daneyon Hansen 2019-11-11 17:50:06 UTC
Johnny,

The limitation identified in this bug was previously discovered. At that time it was agreed upon that manually creating the ingress operator dns records is an acceptable 4.3 workaround. https://jira.coreos.com/browse/NE-182 was created to fix this limitation in a future release. Hence my request to remove "TestBlocker" by manually creating the records for testing. [2] is the code in the proxy CI job that creates the ingress dns wildcard alias record. QE should be able to take the same approach for testing.

[2] https://github.com/openshift/release/pull/5308/files#diff-2b1b845b92f8062711789a2bfdb27290R2673-R2691

Comment 7 Johnny Liu 2019-11-12 01:35:01 UTC
For UPI, I think manually adding dns record is some acceptable workaround. But for IPI, it feels like tricky. 

Steps like this:
1. user prepare a restricted network VPC.
2. user create a proxy server in this VPC
3. run IPI install with proxy enabled.
4. installation is failed, due to no dns record is provisioned.
5. after the failure, user have to add dns record manually as workaround.

Comment 8 Johnny Liu 2019-11-12 02:33:17 UTC
And from https://github.com/openshift/release/pull/5308/files#diff-2b1b845b92f8062711789a2bfdb27290R2673-R2691, the workaround is only for UPI, no IPI.

Comment 9 Daneyon Hansen 2019-11-13 19:50:19 UTC
UPI is the only supported installer for proxy.