Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Route53 txt-prefix does not create registry heritage records #1416

Closed
masterkain opened this issue Feb 11, 2020 · 14 comments
Closed

Route53 txt-prefix does not create registry heritage records #1416

masterkain opened this issue Feb 11, 2020 · 14 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. provider/aws

Comments

@masterkain
Copy link

masterkain commented Feb 11, 2020
edited

I had to make a root CNAME (ALIAS) co exists with a TXT record for external domain verification.

Given the TXT record was already taken by external-dns I tried to reach for the --txt-prefix flag.

What happened:

I deploy external dns with Helm, so I changed txtPrefix: k8s, deployed and verified that indeed the external dns image starts up with this new parameter.

I went on, deleted the current CNAME and TXT and waited for external dns to sync again.

external dns created the CNAME correctly, however there's no TXT record as I expected.

In all the existing entries I have this as TXT content:

"heritage=external-dns,external-dns/owner=my-kubernetes,external-dns/resource=ingress/prod/my-prod-blog-wordpress"

but those are not being created anymore.

With --txt-prefix

I wiped existing records before this test, there were no related records leftover in console.

│ time="2020-02-11T09:50:45Z" level=info msg="Instantiating new Kubernetes client"
│ time="2020-02-11T09:50:45Z" level=info msg="Using inCluster-config based on serviceaccount-token"
│ time="2020-02-11T09:50:45Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
│ time="2020-02-11T09:50:47Z" level=info msg="All records are already up to date, there are no changes for the matching hosted zones"
│ time="2020-02-11T09:51:47Z" level=info msg="Desired change: CREATE my.com A [Id: /hostedzone/Z1KM8PR0TJR5XX]"
│ time="2020-02-11T09:51:47Z" level=info msg="1 record(s) in zone my.com. [Id: /hostedzone/Z1KM8PR0TJR5XX] were successfully updated"

Without --txt-prefix

Wiped the record again (only CNAME from previous creation) and this time without specifying a --txt-prefix the registry record TXT gets created.

│ time="2020-02-11T10:00:46Z" level=info msg="Instantiating new Kubernetes client"
│ time="2020-02-11T10:00:46Z" level=info msg="Using inCluster-config based on serviceaccount-token"
│ time="2020-02-11T10:00:46Z" level=info msg="Created Kubernetes client https://10.100.0.1:443"
│ time="2020-02-11T10:00:48Z" level=info msg="All records are already up to date, there are no changes for the matching hosted zones"
│ time="2020-02-11T10:01:49Z" level=info msg="Desired change: CREATE my.com A [Id: /hostedzone/Z1KM8PR0TJR5XX]"
│ time="2020-02-11T10:01:49Z" level=info msg="Desired change: CREATE my.com TXT [Id: /hostedzone/Z1KM8PR0TJR5XX]"
│ time="2020-02-11T10:01:49Z" level=info msg="2 record(s) in zone my.com. [Id: /hostedzone/Z1KM8PR0TJR5XX] were successfully updated"

spec:
  releaseName: external-dns
  chart:
    repository: https://charts.bitnami.com/bitnami
    name: external-dns
    version: 2.16.1
  values:
    policy: upsert-only
    replicas: 1
    sources: [ingress]
    provider: aws
    aws:
      zoneType: public
      region: eu-west-1
      credentials:
        accessKey: xxx
        secretKey: xxx
    txtOwnerId: my-kubernetes
    # txtPrefix: k8s
@vutny
Copy link

vutny commented Apr 13, 2020
edited

I cannot reproduce this issue. Using --txt-prefix=prefix- parameter with ExternalDNS 0.6.0.

time="2020-04-13T16:36:50Z" level=info msg="Desired change: CREATE test.example.com CNAME [Id: /hostedzone/ZXXXXXXXXXXXXX]"
time="2020-04-13T16:36:50Z" level=info msg="Desired change: CREATE prefix-test.example.com TXT [Id: /hostedzone/ZXXXXXXXXXXXXX]"
time="2020-04-13T16:36:51Z" level=info msg="2 record(s) in zone example.com. [Id: /hostedzone/ZXXXXXXXXXXXXX] were successfully updated"

Got both CNAME and prefixed TXT record in Route53.

@jgreat
Copy link

jgreat commented Jun 17, 2020

I'm seeing the same behavior.

Bitnami helm chart: external-dns-3.2.1 app version 0.7.2

values.yaml

provider: aws
policy: sync
txtOwnerId: production-u1-a
txtPrefix: externaldns
domainFilters:
  - .com
aws:
  zoneType: public
  evaluateTargetHealth: "true"
sources:
  - ingress

Logs

time="2020-06-17T19:57:20Z" level=info msg="config: {Master: KubeConfig: RequestTimeout:30s IstioIngressGatewayServices:[] ContourLoadBalancerService:heptio-contour/contour SkipperRouteGroupVersion:zalando.org/v1 Sources:[ingress] Namespace: AnnotationFilter: FQDNTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false Compatibility: PublishInternal:false PublishHostIP:false AlwaysPublishNotReadyAddresses:false ConnectorSourceServer:localhost:8080 Provider:aws GoogleProject: GoogleBatchChangeSize:1000 GoogleBatchChangeInterval:1s DomainFilter:[.com] ExcludeDomains:[] ZoneIDFilter:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType:public AWSZoneTagFilter:[] AWSAssumeRole: AWSBatchChangeSize:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AWSPreferCNAME:false AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: AzureSubscriptionID: AzureUserAssignedIdentityClientID: CloudflareProxied:false CloudflareZonesPerPage:50 CoreDNSPrefix:/skydns/ RcodezeroTXTEncrypt:false AkamaiServiceConsumerDomain: AkamaiClientToken: AkamaiClientSecret: AkamaiAccessToken: InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true InfobloxView: InfobloxMaxResults:0 DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 OCIConfigFile:/etc/kubernetes/oci.yaml InMemoryZones:[] OVHEndpoint:ovh-eu PDNSServer:http://localhost:8081 PDNSAPIKey: PDNSTLSEnabled:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:sync Registry:txt TXTOwnerID:production-u1-a TXTPrefix:externaldns TXTSuffix: Interval:1m0s Once:false DryRun:false UpdateEvents:false LogFormat:text MetricsAddress::7979 LogLevel:info TXTCacheInterval:0s ExoscaleEndpoint:https://api.exoscale.ch/dns ExoscaleAPIKey: ExoscaleAPISecret: CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] CFAPIEndpoint: CFUsername: CFPassword: RFC2136Host: RFC2136Port:0 RFC2136Zone: RFC2136Insecure:false RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false RFC2136MinTTL:0s NS1Endpoint: NS1IgnoreSSL:false TransIPAccountName: TransIPPrivateKeyFile:}"
time="2020-06-17T19:57:20Z" level=info msg="Instantiating new Kubernetes client"
time="2020-06-17T19:57:20Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2020-06-17T19:57:20Z" level=info msg="Created Kubernetes client https://10.43.0.1:443"
time="2020-06-17T19:59:30Z" level=info msg="Desired change: CREATE .com A [Id: /hostedzone/ZX]"
time="2020-06-17T19:59:30Z" level=info msg="1 record(s) in zone .com. [Id: /hostedzone/ZX] were successfully updated"

@lossanarch
Copy link

Also seeing this on 0.7.3 using raw yaml install

relevant container config:

       - name: external-dns
          image: "asia.gcr.io/k8s-artifacts-prod/external-dns/external-dns:v0.7.3"
          args:
            - --log-level=info
            - --log-format=text
            - --policy=upsert-only
            - --provider=$(PROVIDER)
            - --txt-owner-id=$(TXT_OWNER_ID)
            - --txt-prefix=external-dns-
            - --registry=txt
            - --interval=1m
            - --source=service
            - --source=ingress
            - --aws-batch-change-size=1000

logs:

external-dns-7dccf489ff-h4tvp external-dns time="2020-08-11T06:24:27Z" level=info msg="Desired change: CREATE <redacted>.com.au A [Id: /hostedzone/<redacted>]"
external-dns-7dccf489ff-h4tvp external-dns time="2020-08-11T06:24:27Z" level=info msg="1 record(s) in zone <redacted>.com.au. [Id: /hostedzone/<redacted>] were successfully updated"

(note the lack of logs for creating the TXT record)

@lossanarch
Copy link

Ahh actually i believe this is more useful:

external-dns-6d95f8c8b5-mcph5 external-dns time="2020-08-11T06:37:47Z" level=debug msg="Adding <redacted>.com.au. to zone <redacted>.com.au. [Id: /hostedzone/<zoneid>]"
external-dns-6d95f8c8b5-mcph5 external-dns time="2020-08-11T06:37:47Z" level=debug msg="Skipping record {\n  Action: \"CREATE\",\n  ResourceRecordSet: {\n    Name: \"external-dns-<redacted>.com.au\",\n    ResourceRecords: [{\n        Value: \"\\\"heritage=external-dns,external-dns/owner=<ownerString>,external-dns/resource=ingress/<namespace>/<ingress>\\\"\"\n      }],\n    TTL: 300,\n    Type: \"TXT\"\n  }\n} because no hosted zone matching record DNS Name was detected"

Apologies for all the redaction, if you take all the domains as being the same it should make sense.

So it would appear that once the prefix is added it doesn't match the record it's signalling heritage for anymore. I'll try to take a look at the code tonight and figure out where this is happening.

@lossanarch
Copy link

Ok, I believe I've found the issue: without a trailing . in the txt-prefix value, attempts to attach the prefix to a root domain will fail.
So in my case, I'm using --txt-prefix=external-dns- and the resulting txt record for example.com is external-dns-example.com, which throws this error:

DEBU[0046] Skipping record {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "external-dns-example.com",
    ResourceRecords: [{
        Value: "\"heritage=external-dns,external-dns/owner=foobar\""
      }],
    TTL: 300,
    Type: "TXT"
  }
} because no hosted zone matching record DNS Name was detected

Which is perfectly reasonable, because I have no zone external-dns-example.com in my aws account.

I believe this will also be the issue for the previous two posts as well - both prefixes lack the trailing dot and at least the first is against a root domain. It looks to me like the domain has been stripped from the second example but my guess is it would also be a root.
I think a safe assumption would be that @masterkain 's example would result in k8smy.com.

This also explains why @vutny 's test could not reproduce the issue as it was not against example.com but test.example.com.

Changing to --txt-prefix=external-dns. produced the following:

DEBU[0047] Adding example.com.au. to zone example.com.au. [Id: /hostedzone/<zoneid>]
DEBU[0047] Adding external-dns.example.com.au. to zone example.com.au. [Id: /hostedzone/<zoneid>]
INFO[0047] Desired change: CREATE external-dns.example.com.au TXT [Id: /hostedzone/<zoneid>]
INFO[0047] Desired change: CREATE example.com.au A [Id: /hostedzone/<zoneid>]

So in summary, I think it's functioning as intended and either a documentation update is needed to note the trailing dot requirement or perhaps some validation of the flag value (or both).
It doesn't really make sense to accept a prefix without the trailing dot, as without it any root domain registry record would always fail.

@seanmalloy
Copy link
Member

/kind documentation
/kind bug

@k8s-ci-robot k8s-ci-robot added kind/documentation Categorizes issue or PR as related to documentation. kind/bug Categorizes issue or PR as related to a bug. labels Aug 17, 2020
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 15, 2020
@seanmalloy
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 18, 2020
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 16, 2021
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 15, 2021
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@nefelim4ag
Copy link
Contributor

/reopen
Same with root domain on GoDaddy, but with TXT Postfix

@k8s-ci-robot
Copy link
Contributor

@nefelim4ag: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen
Same with root domain on GoDaddy, but with TXT Postfix

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@nefelim4ag nefelim4ag mentioned this issue Nov 2, 2021
Closed
@rofreytag rofreytag mentioned this issue Jan 27, 2023
Closed
@lukaso lukaso mentioned this issue Feb 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/documentation Categorizes issue or PR as related to documentation. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. provider/aws
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@masterkain @seanmalloy @njuettner @nefelim4ag @jgreat @lossanarch @vutny @k8s-ci-robot @fejta-bot