diff --git a/dnsprovider/pkg/dnsprovider/rrstype/rrstype.go b/dnsprovider/pkg/dnsprovider/rrstype/rrstype.go
index 562b93c438..dd997388b4 100644
--- a/dnsprovider/pkg/dnsprovider/rrstype/rrstype.go
+++ b/dnsprovider/pkg/dnsprovider/rrstype/rrstype.go
@@ -24,5 +24,6 @@ const (
 A = RrsType("A")
 AAAA = RrsType("AAAA")
 CNAME = RrsType("CNAME")
+ TXT = RrsType("TXT")
 // TODO: Add other types as required
 )
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 8bb60fb03e..75316813ee 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -1058,7 +1058,7 @@ func AddDNSControllerPermissions(b *PolicyBuilder, p *Policy) {
 wildcard := stringorslice.Slice([]string{"*"})
 p.Statement = append(p.Statement, &Statement{
 Effect: StatementEffectAllow,
- Action: stringorslice.Slice([]string{"route53:ListHostedZones"}),
+ Action: stringorslice.Slice([]string{"route53:ListHostedZones", "route53:ListTagsForResource"}),
 Resource: wildcard,
 })
 }
diff --git a/pkg/resources/aws/aws.go b/pkg/resources/aws/aws.go
index f58ebebc7f..b8be7ea4c9 100644
--- a/pkg/resources/aws/aws.go
+++ b/pkg/resources/aws/aws.go
@@ -1775,7 +1775,9 @@ func ListRoute53Records(cloud fi.Cloud, clusterName string) ([]*resources.Resour
 }
 err := c.Route53().ListResourceRecordSetsPages(request, func(p *route53.ListResourceRecordSetsOutput, lastPage bool) bool {
 for _, rrs := range p.ResourceRecordSets {
- if aws.StringValue(rrs.Type) != "A" && aws.StringValue(rrs.Type) != "AAAA" {
+ if aws.StringValue(rrs.Type) != "A" &&
+ aws.StringValue(rrs.Type) != "AAAA" &&
+ aws.StringValue(rrs.Type) != "TXT" {
 continue
 }
diff --git a/tests/integration/update_cluster/apiservernodes/cloudformation.json b/tests/integration/update_cluster/apiservernodes/cloudformation.json
index 450dfd44f2..9f9b2e0f34 100644
--- a/tests/integration/update_cluster/apiservernodes/cloudformation.json
+++ b/tests/integration/update_cluster/apiservernodes/cloudformation.json
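Review bot: In `AddDNSControllerPermissions` (pkg/model/iam/iam_builder.go), `route53:ListTagsForResource` is appended to the statement whose `Resource` is `wildcard`, so the role can read tags on every Route 53 hosted zone and health check in the account rather than only on the zones the cluster manages. `route53:ListHostedZones` has to stay on `*`, but `ListTagsForResource` accepts resource-level scoping, so it would be tighter to give it its own `Statement` whose `Resource` is limited to hosted-zone ARNs; whether the builder has the zone IDs available at this point is not visible in the hunk. If the wildcard is intentional, a comment above the statement such as `// ListTagsForResource is read-only; granted on * because <reason>` would record that decision. The function body starts outside the hunk.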
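Review bot: In `ListRoute53Records` (pkg/resources/aws/aws.go), the widened type filter now lets TXT record sets through to whatever name matching follows, and nothing in the hunk shows that a TXT record is checked for cluster ownership before it is returned as a resource. TXT names are often shared with records this tool did not create (domain-verification or mail-policy entries), so if the returned list drives deletion, as the package name suggests, a name-only match could remove them; the matching code lies outside the hunk and should be confirmed to cover this. A comment stating why TXT is included, for example `// TXT: <which records the cluster creates of this type>`, would make the intent reviewable. The three repeated `aws.StringValue(rrs.Type)` calls would also read more clearly as `switch aws.StringValue(rrs.Type) { case "A", "AAAA", "TXT": default: continue }`.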
@@ -1302,7 +1302,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy index 6e706aa3a7..cba43e9e06 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy @@ -22,7 +22,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy index 836bf55565..460db9eb43 100644 --- a/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy index 080dad7fc9..49c5d54289 100644 
--- a/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy +++ b/tests/integration/update_cluster/bastionadditional_user-data/data/aws_iam_role_policy_masters.bastionuserdata.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/complex/cloudformation.json b/tests/integration/update_cluster/complex/cloudformation.json index 4b5516e0b9..c265738bb5 100644 --- a/tests/integration/update_cluster/complex/cloudformation.json +++ b/tests/integration/update_cluster/complex/cloudformation.json @@ -1666,7 +1666,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy index 2fe0a611e6..66d4530cb6 100644 --- a/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy +++ b/tests/integration/update_cluster/complex/data/aws_iam_role_policy_masters.complex.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy index 53ade670c1..01c7ccf358 100644 --- a/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy 
+++ b/tests/integration/update_cluster/compress/data/aws_iam_role_policy_masters.compress.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/containerd-custom/cloudformation.json b/tests/integration/update_cluster/containerd-custom/cloudformation.json index 6b27628a50..240f381c28 100644 --- a/tests/integration/update_cluster/containerd-custom/cloudformation.json +++ b/tests/integration/update_cluster/containerd-custom/cloudformation.json @@ -1038,7 +1038,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/containerd/cloudformation.json b/tests/integration/update_cluster/containerd/cloudformation.json index 6b27628a50..240f381c28 100644 --- a/tests/integration/update_cluster/containerd/cloudformation.json +++ b/tests/integration/update_cluster/containerd/cloudformation.json @@ -1038,7 +1038,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/docker-custom/cloudformation.json b/tests/integration/update_cluster/docker-custom/cloudformation.json index ecb92a789f..84b97a81c2 100644 --- a/tests/integration/update_cluster/docker-custom/cloudformation.json +++ b/tests/integration/update_cluster/docker-custom/cloudformation.json @@ -1038,7 +1038,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy index bf13f34069..9f928c04d1 100644 --- a/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy +++ b/tests/integration/update_cluster/existing_sg/data/aws_iam_role_policy_masters.existingsg.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/externallb/cloudformation.json b/tests/integration/update_cluster/externallb/cloudformation.json index cc637475a9..5dfca8e476 100644 --- a/tests/integration/update_cluster/externallb/cloudformation.json +++ b/tests/integration/update_cluster/externallb/cloudformation.json @@ -1054,7 +1054,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy index 93261014f0..87a01ed614 100644 --- a/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy +++ b/tests/integration/update_cluster/externallb/data/aws_iam_role_policy_masters.externallb.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy index 2954677812..4c25150dde 100644 --- a/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy +++ b/tests/integration/update_cluster/externalpolicies/data/aws_iam_role_policy_masters.externalpolicies.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy index 1103f3bf35..3ccd4f18dd 100644 --- a/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy +++ b/tests/integration/update_cluster/ha/data/aws_iam_role_policy_masters.ha.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 9e61589bdf..45727582a8 100644 --- a/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy index 6e706aa3a7..cba43e9e06 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy @@ -22,7 +22,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy index 3f8a9c41d3..487d37558b 100644 --- a/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy index cc0e0791ca..d73cc4746c 100644 --- a/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy 
@@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy index c9d77ce224..fd4e509ad0 100644 --- a/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal-etcd/cloudformation.json b/tests/integration/update_cluster/minimal-etcd/cloudformation.json index abc0ce3706..d33da2cd17 100644 --- a/tests/integration/update_cluster/minimal-etcd/cloudformation.json +++ b/tests/integration/update_cluster/minimal-etcd/cloudformation.json @@ -1038,7 +1038,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal-gp3/cloudformation.json b/tests/integration/update_cluster/minimal-gp3/cloudformation.json index e1959dbdca..34a855e177 100644 --- a/tests/integration/update_cluster/minimal-gp3/cloudformation.json +++ b/tests/integration/update_cluster/minimal-gp3/cloudformation.json @@ -1034,7 +1034,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy index 9e61589bdf..45727582a8 100644 --- a/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal-gp3/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json index b45589f312..607733a2a8 100644 --- a/tests/integration/update_cluster/minimal-ipv6/cloudformation.json +++ b/tests/integration/update_cluster/minimal-ipv6/cloudformation.json @@ -1215,7 +1215,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy index e4550eceb3..af4449f0fa 100644 --- a/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy +++ b/tests/integration/update_cluster/minimal-ipv6/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy index e365f7f8ec..2ac80ddaa5 100644 --- a/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy +++ b/tests/integration/update_cluster/minimal-json/data/aws_iam_role_policy_masters.minimal-json.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy index a590afec15..0054a352d7 100644 --- a/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy +++ b/tests/integration/update_cluster/minimal-warmpool/data/aws_iam_role_policy_masters.minimal-warmpool.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/minimal/cloudformation.json b/tests/integration/update_cluster/minimal/cloudformation.json index daa2f5a74c..b95f0f8a64 100644 --- a/tests/integration/update_cluster/minimal/cloudformation.json +++ b/tests/integration/update_cluster/minimal/cloudformation.json @@ -1038,7 +1038,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy index 9e61589bdf..45727582a8 100644 --- a/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy +++ b/tests/integration/update_cluster/minimal/data/aws_iam_role_policy_masters.minimal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/mixed_instances/cloudformation.json b/tests/integration/update_cluster/mixed_instances/cloudformation.json index 794c9fc1ad..636e23d217 100644 --- a/tests/integration/update_cluster/mixed_instances/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances/cloudformation.json @@ -1757,7 +1757,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 9d8d855ec6..d598892bc3 100644 --- a/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json index e909e395a1..68ae6a14b3 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json +++ b/tests/integration/update_cluster/mixed_instances_spot/cloudformation.json @@ -1758,7 +1758,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy index 9d8d855ec6..d598892bc3 100644 --- a/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy +++ b/tests/integration/update_cluster/mixed_instances_spot/data/aws_iam_role_policy_masters.mixedinstances.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json index 521fdd967d..d18044202e 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json +++ b/tests/integration/update_cluster/nth_sqs_resources/cloudformation.json @@ -1148,7 +1148,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy index 0369b69e7a..a7a4f0896e 100644 --- a/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy +++ b/tests/integration/update_cluster/nth_sqs_resources/data/aws_iam_role_policy_masters.nthsqsresources.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/private-shared-ip/cloudformation.json b/tests/integration/update_cluster/private-shared-ip/cloudformation.json index 2e4d65a730..2ae7c7874f 100644 --- a/tests/integration/update_cluster/private-shared-ip/cloudformation.json +++ b/tests/integration/update_cluster/private-shared-ip/cloudformation.json @@ -1554,7 +1554,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy index 3e6f10ff4d..d973543ef1 100644 --- a/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy +++ b/tests/integration/update_cluster/private-shared-ip/data/aws_iam_role_policy_masters.private-shared-ip.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy index 8dc9c6c123..2cd75ac47a 100644 --- a/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy +++ b/tests/integration/update_cluster/private-shared-subnet/data/aws_iam_role_policy_masters.private-shared-subnet.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json b/tests/integration/update_cluster/privatecalico/cloudformation.json index cf7459831b..07144ad581 100644 --- a/tests/integration/update_cluster/privatecalico/cloudformation.json +++ b/tests/integration/update_cluster/privatecalico/cloudformation.json @@ -1710,7 +1710,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy index 29b566e01b..dae9dcdd57 100644 --- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy +++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy index 31fac5b213..8fdb5ca775 100644 --- a/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy +++ b/tests/integration/update_cluster/privatecanal/data/aws_iam_role_policy_masters.privatecanal.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatecilium/cloudformation.json b/tests/integration/update_cluster/privatecilium/cloudformation.json index 384c7a67cd..602bc92f63 100644 --- a/tests/integration/update_cluster/privatecilium/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium/cloudformation.json @@ -1696,7 +1696,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index 820d65d3b6..4e6a4c9f2f 100644 --- a/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/privatecilium2/cloudformation.json b/tests/integration/update_cluster/privatecilium2/cloudformation.json index 5855979c0a..c0f2e02095 100644 --- a/tests/integration/update_cluster/privatecilium2/cloudformation.json +++ b/tests/integration/update_cluster/privatecilium2/cloudformation.json @@ -1696,7 +1696,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy index 820d65d3b6..4e6a4c9f2f 100644 --- a/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy +++ b/tests/integration/update_cluster/privatecilium2/data/aws_iam_role_policy_masters.privatecilium.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json index c9f565b432..72ff0632c3 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json +++ b/tests/integration/update_cluster/privateciliumadvanced/cloudformation.json @@ -1739,7 +1739,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ 
diff --git a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy index 0fac10a832..96f56fd8d6 100644 --- a/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy +++ b/tests/integration/update_cluster/privateciliumadvanced/data/aws_iam_role_policy_masters.privateciliumadvanced.example.com_policy @@ -96,7 +96,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy index 75df11b15c..854204f48a 100644 --- a/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy +++ b/tests/integration/update_cluster/privatedns1/data/aws_iam_role_policy_masters.privatedns1.example.com_policy @@ -86,7 +86,8 @@ }, { "Action": [ - "route53:ListHostedZones" + "route53:ListHostedZones", + "route53:ListTagsForResource" ], "Effect": "Allow", "Resource": [ diff --git a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy index c1206b9ef6..022caf2554 100644 --- a/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy +++ b/tests/integration/update_cluster/privatedns2/data/aws_iam_role_policy_masters.privatedns2.example.com_policy 
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
index 764e945687..7cfd3b214b 100644
--- a/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
+++ b/tests/integration/update_cluster/privateflannel/data/aws_iam_role_policy_masters.privateflannel.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
index 432320541c..ee662de9e9 100644
--- a/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
+++ b/tests/integration/update_cluster/privatekopeio/data/aws_iam_role_policy_masters.privatekopeio.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
index 3b78bf99bb..78234e3f3e 100644
--- a/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
+++ b/tests/integration/update_cluster/privateweave/data/aws_iam_role_policy_masters.privateweave.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy
index 6e706aa3a7..cba43e9e06 100644
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_dns-controller.kube-system.sa.minimal.example.com_policy
@@ -22,7 +22,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 836bf55565..460db9eb43 100644
--- a/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/public-jwks-apiserver/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
index 6a17231680..6271e67a47 100644
--- a/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
+++ b/tests/integration/update_cluster/shared_subnet/data/aws_iam_role_policy_masters.sharedsubnet.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
index 72357beb1e..e0a6911a64 100644
--- a/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
+++ b/tests/integration/update_cluster/shared_vpc/data/aws_iam_role_policy_masters.sharedvpc.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
index b260ea9bcd..2b634bdada 100644
--- a/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
+++ b/tests/integration/update_cluster/unmanaged/data/aws_iam_role_policy_masters.unmanaged.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
index 9e61589bdf..45727582a8 100644
--- a/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
+++ b/tests/integration/update_cluster/vfs-said/data/aws_iam_role_policy_masters.minimal.example.com_policy
@@ -86,7 +86,8 @@
 },
 {
 "Action": [
- "route53:ListHostedZones"
+ "route53:ListHostedZones",
+ "route53:ListTagsForResource"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/upup/models/cloudup/resources/addons/external-dns.addons.k8s.io/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/external-dns.addons.k8s.io/k8s-1.12.yaml.template
index e000a4c32a..d0dc46e5dc 100644
--- a/upup/models/cloudup/resources/addons/external-dns.addons.k8s.io/k8s-1.12.yaml.template
+++ b/upup/models/cloudup/resources/addons/external-dns.addons.k8s.io/k8s-1.12.yaml.template
@@ -26,17 +26,25 @@ spec:
 tolerations:
 - key: "node-role.kubernetes.io/master"
 effect: NoSchedule
+ - key: "node.kubernetes.io/not-ready"
+ effect: NoSchedule
 nodeSelector:
 node-role.kubernetes.io/master: ""
 dnsPolicy: Default # Don't use cluster DNS (we are likely running before kube-dns)
 hostNetwork: true
 containers:
 - name: external-dns
- image: k8s.gcr.io/external-dns/external-dns:v0.7.6
+ image: k8s.gcr.io/external-dns/external-dns:v0.9.0
+ imagePullPolicy: Always
 args:
 {{ range $arg := ExternalDnsArgv }}
 - "{{ $arg }}"
 {{ end }}
+ env:
+ - name: KUBERNETES_SERVICE_HOST
+ value: "127.0.0.1"
+ - name: KUBERNETES_SERVICE_PORT
+ value: "443"
 resources:
 requests:
 cpu: 50m
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
index 7737b3a392..7394749e79 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go
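Review bot: `imagePullPolicy: Always` is added next to an image that is referenced only by the mutable tag `v0.9.0`, so every restart of this host-network pod on a master node re-resolves the tag from the registry and runs whatever it then points to. Pinning the reference by digest, `image: k8s.gcr.io/external-dns/external-dns:v0.9.0@sha256:<DIGEST_PLACEHOLDER>`, or leaving the pull policy at its default for a fixed tag, would keep the deployed binary reproducible and let the pod start when the registry is unreachable. The new `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` entries also need a comment stating why the pod talks to `127.0.0.1:443`, for example `# use the local apiserver; the service IP may not be reachable yet`, if that is the reason (the hunk does not say).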
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder/bootstrapchannelbuilder.go @@ -422,6 +422,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann }) } + if !featureflag.EnableExternalDNS.Enabled() { // @check the dns-controller has not been disabled externalDNS := b.Cluster.Spec.ExternalDNS if externalDNS == nil || !externalDNS.Disable { @@ -446,8 +447,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann serviceAccountRoles = append(serviceAccountRoles, &dnscontroller.ServiceAccount{}) } } - - if featureflag.EnableExternalDNS.Enabled() { +}else { { key := "external-dns.addons.k8s.io" diff --git a/upup/pkg/fi/cloudup/dns.go b/upup/pkg/fi/cloudup/dns.go index 961db9a60c..2a4e636783 100644 --- a/upup/pkg/fi/cloudup/dns.go +++ b/upup/pkg/fi/cloudup/dns.go @@ -210,6 +210,9 @@ func precreateDNS(ctx context.Context, cluster *kops.Cluster, cloud fi.Cloud) er changeset.Add(rrs.New(dnsHostname, []string{PlaceholderIP}, PlaceholderTTLDigitialOcean, rrstype.A)) } else { changeset.Add(rrs.New(dnsHostname, []string{PlaceholderIP}, PlaceholderTTL, rrstype.A)) + if featureflag.EnableExternalDNS.Enabled() { + changeset.Add(rrs.New(dnsHostname, []string{fmt.Sprintf("\"heritage=external-dns,external-dns/owner=%s\"", cluster.GetClusterName())}, PlaceholderTTL, rrstype.TXT)) + } } created = append(created, dnsHostname) diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go index 2091548356..00a50bb779 100644 --- a/upup/pkg/fi/cloudup/template_functions.go +++ b/upup/pkg/fi/cloudup/template_functions.go 
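Review bot: The two hunks in buildAddons join the dns-controller and external-dns sections into one if/else, but the result is not gofmt-clean: the joining line reads `}else {` at column 0 and the dns-controller body now inside `if !featureflag.EnableExternalDNS.Enabled() {` keeps its old indentation. Running gofmt and writing the join as `} else {` fixes the layout. With the flag enabled the dns-controller branch is now skipped entirely, including `serviceAccountRoles = append(serviceAccountRoles, &dnscontroller.ServiceAccount{})`; whether the external-dns branch registers an equivalent role is outside the hunk and should be confirmed, since external-dns needs its own Route 53 permissions. buildAddons starts and ends outside both hunks.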
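Review bot: The owner written into the placeholder TXT record in precreateDNS does not match the owner id external-dns is started with: this hunk formats `external-dns/owner=%s` with `cluster.GetClusterName()`, while ExternalDNSArgv in template_functions.go passes `"--txt-owner-id=kops-"+tf.ClusterName()`. Assuming both calls return the same cluster name, the pre-created record carries an owner without the `kops-` prefix, so the TXT registry would presumably treat the placeholder A record as foreign and never update it. The format string should carry the prefix, `"\"heritage=external-dns,external-dns/owner=kops-%s\""`, ideally built by one helper shared with ExternalDNSArgv so the two values cannot drift. precreateDNS continues outside the hunk.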
@@ -583,7 +583,14 @@ func (tf *TemplateFunctions) ExternalDNSArgv() ([]string, error) { return nil, fmt.Errorf("unhandled cloudprovider %q", cluster.Spec.CloudProvider) } + argv = append(argv, "--events") argv = append(argv, "--source=ingress") + argv = append(argv, "--source=pod") + argv = append(argv, "--source=service") + argv = append(argv, "--compatibility=kops-dns-controller") + argv = append(argv, "--registry=txt") + argv = append(argv, "--txt-owner-id=kops-"+tf.ClusterName()) + argv = append(argv, "--zone-id-filter="+tf.Cluster.Spec.DNSZone) return argv, nil }
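Review bot: `--zone-id-filter=` is appended unconditionally from `tf.Cluster.Spec.DNSZone`, and nothing in the hunk checks that the field is set or that it holds a zone ID rather than a zone name. If it is empty the filter likely does not restrict external-dns to one hosted zone, which matters here because the added `--source=pod` and `--source=service` let any workload that can set the relevant annotations request records; if it holds a name the filter may match no zone at all. Guard the argument, e.g. `if zone := tf.Cluster.Spec.DNSZone; zone != "" { argv = append(argv, "--zone-id-filter="+zone) }`, and resolve a name to its ID before passing it. The start of ExternalDNSArgv is outside the hunk.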