separate public and private domains, allow to choose for stacks #698
+21
−2
Alternative for #696 so we can compare what the difference is.
It introduces two more flags and should be fully backwards compatible. The first new flag, --cluster-internal-domain, works similarly to --cluster-domain but tells stackset-controller that it's an internal domain (e.g. ingress.cluster.local). By default external and internal domains are both processed (like today) so there's no change when moving a domain from --cluster-domain to --cluster-internal-domain.
However, the second flag, --ignore-public-domains-on-stacks, can be used to tell stackset-controller to not use public domains for stack hosts. So, once the domains have been split into two separate groups, this flag can be used to change the behaviour.
Below is the intended usage. The first example is the setup on current clusters, the second one will be the setup on legacy clusters and the third one will be the setup for EKS clusters (only difference is the value of the flag).
Imagine a stackset specifying the following ingress section:
Running stackset-controller with the following configuration will result in the following:
--cluster-domain teapot.zalan.do --cluster-domain ingress.cluster.local (current setting)
That's the current result and backwards compatible.
Then, split cluster domains into a public and private group. There's no change and therefore backwards compatible.
--cluster-domain teapot.zalan.do --cluster-internal-domain ingress.cluster.local (future setting for legacy clusters)
Finally, switch the flip on EKS clusters to skip public domains on Stacks.
--cluster-domain teapot.zalan.do --cluster-internal-domain ingress.cluster.local --ignore-public-domains-on-stacks (future setting for EKS clusters)
The idea is to run with the public/private split and without --ignore-public-domains-on-stacks (false) on legacy clusters. On EKS clusters we would run it with --ignore-public-domains-on-stacks.
If the Stackset doesn't make use of the ingress.cluster.local domain in its definition, then the results above are the same but with the internal domain (i.e. just the teapot.zalan.do DNS names and no DNS name at all for the stack on EKS).