support aws china for managed dns

[staebler]

Use a custom endpoint for route53 when the region is a "cn-" region.

A region field has been added to .spec.managedDomains[].aws in HiveConfig. When the managed domain is handled by AWS China, the region field should be set to "cn-northwest-1" so that the route53 requests are sent to AWS China instead of regular AWS.

https://issues.redhat.com/browse/CO-769

[staebler]

cc @dofinn

[dofinn]

cc @dofinn

/lgtm :)

[joelddiaz]

Is it is a hard requirement for this field to be 'cn-northwest-1' when wanting to interact with AWS China? It appears that putting in 'cn-north-1' would also result in using the alternative API endpoint (with the region overridden to use 'cn-northwest-1' for the created AWS client).

[staebler]

That was an open question that I had that I have not gotten an answer for yet. I don't have the capability to really test out whether it must be cn-northwest-1, can be cn-northwest-1, or must be cn-north-1 when the cluster is being installed into cn-north-1. If I understood, @dofinn correctly, he indicated to me that it can be northwest-1

[joelddiaz]

I can confirm that the client requires it to be set to cn-northwest-1. I'm just observing that if you put cn-north-1 in the DNSZone, the client gets created with a region set to cn-northwest-1 b/c the DNSZone region has the magic cn- prefix.

[dofinn]

AWS China tends to have a default region endpoint depending on the service. Unfortunately, its best to figure this out using trial and error at the moment. aws --debug route53 --endpoint-url https://api.route53.cn list-hosted-zones is very helpful.

[staebler]

So, @joelddiaz, I am a bit confused. Are you suggesting that there are changes that need to be made to the code? The way I see the code working now is that the clusterdeployment controller always sets the region in the DNSZone to cn-northwest-1 if the region of the ClusterDeployment is a China region. If I understand your second comment correctly, that is what we want to happen since the region used must be cn-northwest-1 when making route53 requests. If a user creates their own DNSZone, then they can set the region to whatever they like and that will be used to make the route53 requests--for better or worse.

[wanghaoran1988]

We should use "cn-northwest-1", just get confirmation from AWS China SA, this service is hosted in "cn-northwest-1" region, here is some test I did"

Failed when using cn-north-1:
aws route53  list-hosted-zones  --region cn-north-1 --endpoint-url https://route53.amazonaws.com.cn 
aws route53   list-tags-for-resources  --region cn-north-1 --endpoint-url https://route53.amazonaws.com.cn --resource-id <id> --resource-type hostedzone
Succeed with cn-northwest-1:
aws route53  list-hosted-zones  --region cn-northwest-1 --endpoint-url https://route53.amazonaws.com.cn --> succeed
aws route53   list-tags-for-resources  --region cn-northwest-1 --endpoint-url https://route53.amazonaws.com.cn --resource-id <id> --resource-type hostedzone

[joelddiaz]

I'm sorry, I misread where the cn- prefix checking is going on. I see now that the clusterdeployment controller will put in cn-northwest-1 for any clusterDeployment with the cn- region.

[joelddiaz]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dofinn, joelddiaz, staebler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [joelddiaz,staebler]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment