cannot create cname for ingress #323

Closed
yuriipolishchuk opened this issue Aug 23, 2017 · 3 comments

@yuriipolishchuk

Hi!
I've got an issue with adding CNAMEs in Route53 for traefik ingresses.

I have public and private zones with the same name. But I use only private.

A-type and TXT records were correctly created for the traefik service. After that I'm trying to add another deployment with ingress. But I've got DNS errors:

RRSet of type TXT with DNS name dashboard.dev.foo.bar. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone foo.bar.

I've already seen this answer https://stackoverflow.com/a/20230670/3253369

After 3 minutes it just stops complaining in the log. The CNAME is in place, but there's no TXT.

There's an AccessDenied message in the log. But it's related to the public zone.

Could you kindly help me figure out what I am doing wrong, or is this maybe a bug?

Here's the new deployment with ingress I'm trying to create:

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: traefik
    external-dns.alpha.kubernetes.io/target: traefik.dev.foo.bar
spec:
  rules:
  - host: nginx.dev.foo.bar
    http:
      paths:
        - path: /
          backend:
            serviceName: nginx
            servicePort: 80

Here's a log from the external-dns pod:

time="2017-08-23T16:26:54Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "traefik.dev.foo.bar"
      }],
    TTL: 300,
    Type: "CNAME"
  }

} ..."
time="2017-08-23T16:26:54Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "\"heritage=external-dns,external-dns/owner=default\""
      }],
    TTL: 300,
    Type: "TXT"
  }
} ..."
time="2017-08-23T16:26:54Z" level=error msg="InvalidChangeBatch: RRSet of type TXT with DNS name nginx.dev.foo.bar. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone foo.bar.
        status code: 400, request id: e069c027-881f-11e7-8739-0362084424eb"
time="2017-08-23T16:27:55Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "traefik.dev.foo.bar"
      }],
    TTL: 300,
    Type: "CNAME"
  }
} ..."
time="2017-08-23T16:27:55Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "\"heritage=external-dns,external-dns/owner=default\""
      }],
    TTL: 300,
    Type: "TXT"
  }
} ..."
time="2017-08-23T16:27:55Z" level=error msg="InvalidChangeBatch: RRSet of type TXT with DNS name nginx.dev.foo.bar. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone foo.bar.
        status code: 400, request id: 04abfa01-8820-11e7-932f-f9785c79e8a2"
time="2017-08-23T16:28:56Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "traefik.dev.foo.bar"
      }],
    TTL: 300,
    Type: "CNAME"
  }
} ..."
time="2017-08-23T16:28:56Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "\"heritage=external-dns,external-dns/owner=default\""
      }],
    TTL: 300,
    Type: "TXT"
  }
} ..."
time="2017-08-23T16:28:56Z" level=error msg="InvalidChangeBatch: RRSet of type TXT with DNS name nginx.dev.foo.bar. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone foo.bar.
        status code: 400, request id: 28ede62f-8820-11e7-b382-736bdf9e594e"
time="2017-08-23T16:29:57Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "traefik.dev.foo.bar"
      }],
    TTL: 300,
    Type: "CNAME"
  }
} ..."
time="2017-08-23T16:29:57Z" level=info msg="Record in zone foo.bar. were successfully updated"
time="2017-08-23T16:29:57Z" level=info msg="Changing records: CREATE {
  Action: "CREATE",
  ResourceRecordSet: {
    Name: "nginx.dev.foo.bar",
    ResourceRecords: [{
        Value: "\"heritage=external-dns,external-dns/owner=default\""
      }],
    TTL: 300,
    Type: "TXT"
  }
} ..."
time="2017-08-23T16:29:57Z" level=error msg="AccessDenied: User: arn:aws:sts::319065933276:assumed-role/nodes.k8s.dev.foo.bar/i-006f2305b35e62016 is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::hostedzone/Z13V16L8B76L3A
        status code: 403, request id: 4d5709a7-8820-11e7-a6df-974f94ff4217"
time="2017-08-23T16:30:58Z" level=info msg="All records are already up to date"
time="2017-08-23T16:31:58Z" level=info msg="All records are already up to date"
...

Any help is much appreciated!
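The `InvalidChangeBatch` error in the log above follows from the DNS rule that a CNAME cannot share a name with any other record type. As an added example (not code from this issue or from external-dns; the `Record` type and `CNAMEConflicts` function are hypothetical names), this is a pre-flight check that finds such collisions in a planned change set before it is sent to the zone:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is a minimal stand-in for a resource record set (assumed type).
type Record struct {
	Name string
	Type string
}

// canonical lower-cases a DNS name and strips the trailing dot, so that
// "nginx.dev.foo.bar" and "NGINX.dev.foo.bar." compare equal.
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// CNAMEConflicts returns, sorted, every name at which a CNAME would share a
// node with another record type once planned is applied on top of existing.
func CNAMEConflicts(existing, planned []Record) []string {
	types := map[string]map[string]bool{}
	for _, r := range append(append([]Record{}, existing...), planned...) {
		n := canonical(r.Name)
		if types[n] == nil {
			types[n] = map[string]bool{}
		}
		types[n][strings.ToUpper(r.Type)] = true
	}
	var out []string
	for n, t := range types {
		if t["CNAME"] && len(t) > 1 {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed input mirroring the records named in the log above.
	existing := []Record{{"traefik.dev.foo.bar.", "A"}, {"traefik.dev.foo.bar.", "TXT"}}
	planned := []Record{{"nginx.dev.foo.bar", "CNAME"}, {"nginx.dev.foo.bar", "TXT"}}
	fmt.Println(CNAMEConflicts(existing, planned)) // [nginx.dev.foo.bar]
}
```

The A plus TXT pair for the traefik service passes the check, which matches the behaviour reported for services; only the ingress name, where a CNAME and the ownership TXT land on the same node, is flagged.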

@jrnt30
Contributor

jrnt30 commented Aug 23, 2017

I think this is essentially a duplicate of a few other AWS zone issues #230

There are a few suggestions and #322 is an open PR to address this (I haven't tested this out yet myself).

@yuriipolishchuk
Author

@jrnt30 I've already seen those issues and resolved that by adding a rule route53:ListResourceRecordSets to the IAM policy. After that external-dns can create DNS records for services properly (both A and TXT). But for ingresses it creates a CNAME pointing to the A of the already deployed traefik service, but fails to create a TXT record.

@yuriipolishchuk
Author

Closing as duplicate of #262

lou-lan pushed a commit to lou-lan/external-dns that referenced this issue May 11, 2022
…-sigs#323)

* Add link to GitHub template repo to developer guide

* Add additional language to make it clear that this is not a krew project