Question: No way to only allow subdomains under a domain using --domain-filter? #474
Comments
Seems like a bug to me. Maybe @ideahitme has some quick idea what's going on? @gustav-b Please also paste your ExternalDNS manifest and the list of your hosted zones.
My external-dns Deployment manifest:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.0-alpha.0
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=dev.example.com.
        - --provider=aws
        - --policy=upsert-only
        - --registry=txt
```

There is one hosted zone at AWS Route53 accessible by external-dns:

Logs from external-dns:
Ok, this case is a bad cornercase of the simple suffix match. Can you also paste the output when you use
Scratch that, in that case it won't find your I remember we discussed something like this. Let's hear if @ideahitme has some good way of solving this.
Thanks, I just saw #446 and it looks like it's the same issue. The solution proposed in that issue seems sane (not that I'm familiar with the code)…
Possible fix: #478
We merged #478 but this is still an issue, see #478 (comment).
This PR #1375 tries to solve this with a dedicated subdomain filter for the AWS provider.
Tested with 0.5.0-alpha.0 (and 0.4.8), using AWS provider.

This is my use case: I want external-dns to only attempt to create records under the domain `dev.example.com`, e.g.:

- `foo.dev.example.com` should be created
- `foo-dev.example.com` should not be created
- `bar.example.com` should not be created

Using the argument `--domain-filter dev.example.com.` will prevent `bar.example.com` from being created, but will still try to create `foo-dev.example.com`. Using `--domain-filter .dev.example.com.`, somewhat surprisingly, won't allow any of the domains above to be created.

In my use case I have an nginx ingress like this:

I don't want external-dns to create `foo-dev.example.com`, it's in a hosted zone it doesn't have permissions in, but I want nginx to register its server name. However I want external-dns to create `foo.dev.example.com`, and I use the workaround above mentioned in #402. (`foo-dev.example.com` is actually a CNAME to `foo.dev.example.com`, because I only have wildcard TLS cert for `*.example.com`, I want `foo-dev.` to be used and not `foo.dev`.)

My issue is that when external-dns fails to create `foo-dev.example.com` it will also fail to create `foo.dev.example.com`. I've tried the new `--zone-id-filter` with the zone ID for `dev.example.com`, but it makes no difference, external-dns still tries to create `foo-dev.example.com`.
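
Added example, not part of the original issue and not ExternalDNS's own code: a plain string-suffix test next to a label-boundary test, run over the hostnames and filter values quoted in this thread. The function names are hypothetical, and treating the bare zone name `dev.example.com.` as one of the inputs is an assumption made here to show how a leading-dot filter behaves under a suffix test.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lowercases a DNS name and strips surrounding dots, so that
// "dev.example.com." and ".dev.example.com." name the same domain.
func normalize(name string) string {
	return strings.ToLower(strings.Trim(strings.TrimSpace(name), "."))
}

// suffixMatch is a plain string-suffix test. It ignores DNS label
// boundaries, so "foo-dev.example.com." passes for "dev.example.com.".
func suffixMatch(filter, name string) bool {
	return strings.HasSuffix(name, filter)
}

// subdomainMatch (hypothetical helper) accepts name only when it is a
// strict subdomain of domain: the suffix must start on a label boundary.
// The bare domain itself is rejected; allow it if apex records are wanted.
func subdomainMatch(domain, name string) bool {
	d, n := normalize(domain), normalize(name)
	if d == "" || n == d {
		return false
	}
	return strings.HasSuffix(n, "."+d)
}

func main() {
	// Hostnames and filters as quoted in the issue; the last entry is the
	// bare zone name, added here as a constructed input.
	names := []string{"foo.dev.example.com.", "foo-dev.example.com.",
		"bar.example.com.", "dev.example.com."}
	for _, f := range []string{"dev.example.com.", ".dev.example.com."} {
		for _, n := range names {
			fmt.Printf("filter=%-18s name=%-21s suffix=%-5v subdomain=%v\n",
				f, n, suffixMatch(f, n), subdomainMatch(f, n))
		}
	}
}
```

With a suffix test, the leading-dot filter rejects the bare zone name as well as `foo-dev.example.com.`, while the label-boundary test gives the same answer for both filter spellings.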