
Question: No way to only allow subdomains under a domain using --domain-filter? #474

Closed
gustav-b opened this issue Feb 22, 2018 · 8 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@gustav-b

gustav-b commented Feb 22, 2018

Tested with 0.5.0-alpha.0 (and 0.4.8), using AWS provider.

This is my use case: I want external-dns to only attempt to create records under the domain dev.example.com, e.g.:

  • foo.dev.example.com should be created
  • foo-dev.example.com should not be created
  • bar.example.com should not be created

Using the argument --domain-filter dev.example.com. will prevent bar.example.com from being created, but will still try to create foo-dev.example.com. Using --domain-filter .dev.example.com., somewhat surprisingly, won't allow any of the domains above to be created.

In my use case I have an nginx ingress like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo
spec:
  rules:
  - host: foo.dev.example.com # I want this record to be created
  - host: foo-dev.example.com # I don't want this to be created
    http:
      paths:
      - path: /
        backend:
          serviceName: foo
          servicePort: http

I don't want external-dns to create foo-dev.example.com, it's in a hosted zone it doesn't have permissions in, but I want nginx to register its server name. However, I want external-dns to create foo.dev.example.com, and I use the workaround mentioned above in #402. (foo-dev.example.com is actually a CNAME to foo.dev.example.com, because I only have a wildcard TLS cert for *.example.com, so I want foo-dev. to be used and not foo.dev.)

My issue is that when external-dns fails to create foo-dev.example.com it will also fail to create foo.dev.example.com. I've tried the new --zone-id-filter with the zone ID for dev.example.com, but it makes no difference, external-dns still tries to create foo-dev.example.com.

@linki linki added kind/support Categorizes issue or PR as a support question. kind/bug Categorizes issue or PR as related to a bug. labels Feb 22, 2018
@linki
Member

linki commented Feb 22, 2018

Seems like a bug to me. Maybe @ideahitme has some quick idea what's going on?

@gustav-b Please also paste your ExternalDNS manifest and the list of your hosted zones.

@linki linki removed the kind/support Categorizes issue or PR as a support question. label Feb 22, 2018
@gustav-b
Author

My external-dns Deployment manifest:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.0-alpha.0
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=dev.example.com.
        - --provider=aws
        - --policy=upsert-only
        - --registry=txt

There is one hosted zone at AWS Route53 accessible by external-dns: dev.example.com.

Logs from external-dns:

time="2018-02-22T15:25:39Z" level=info msg="Desired change: CREATE foo.dev.example.com A"
time="2018-02-22T15:25:39Z" level=info msg="Desired change: CREATE foo-dev.example.com A"
time="2018-02-22T15:25:39Z" level=info msg="Desired change: CREATE foo.dev.example.com TXT"
time="2018-02-22T15:25:39Z" level=info msg="Desired change: CREATE foo-dev.example.com TXT"
time="2018-02-22T15:25:39Z" level=error msg="InvalidChangeBatch: RRSet with DNS name foo-dev.example.com. is not permitted in zone dev.example.com.\n\tstatus code: 400, request id: a318215e-17e4-11e8-8ea9-0fff67e7b286"

@linki
Member

linki commented Feb 22, 2018

Ok, this case is a bad corner case of the simple suffix match. Can you also paste the output when you use --domain-filter=.dev.example.com.. Please also include the lines that say something like Considering zone ....

@linki
Member

linki commented Feb 22, 2018

Scratch that, in that case it won't find your dev.example.com hosted zone in the first place because it doesn't match the preceding dot, great.

I remember we discussed something like this. Let's hear if @ideahitme has some good way of solving this.
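The two failure modes described in this thread, reproduced as an added Go example (this is not external-dns code): a plain suffix comparison lets foo-dev.example.com through a filter of dev.example.com., while a filter of .dev.example.com. no longer matches the dev.example.com. zone itself. The names naiveMatch and labelMatch are constructed for this illustration, and labelMatch is one possible label-boundary comparison, not the change the project merged.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveMatch reproduces the plain suffix comparison the issue complains about
// (a constructed stand-in, not the external-dns implementation): any name that
// merely ends in the filter string passes, so "foo-dev.example.com." slips
// through a filter of "dev.example.com.".
func naiveMatch(filter, name string) bool {
	return strings.HasSuffix(name, filter)
}

// labelMatch compares on DNS label boundaries: a name passes only if it is the
// filter domain itself or ends in "." followed by the filter domain. Leading and
// trailing dots are trimmed and case is folded, so "dev.example.com.",
// ".dev.example.com." and "DEV.example.com" all denote the same zone and the
// zone apex still matches (the second failure mode described in the thread).
func labelMatch(filter, name string) bool {
	f := strings.Trim(strings.ToLower(filter), ".")
	n := strings.Trim(strings.ToLower(name), ".")
	return n == f || strings.HasSuffix(n, "."+f)
}

func main() {
	// Names taken from the issue; the zone apex is included because the
	// provider has to match the hosted zone itself before it can match records.
	names := []string{
		"dev.example.com.",
		"foo.dev.example.com.",
		"foo-dev.example.com.",
		"bar.example.com.",
	}
	for _, filter := range []string{"dev.example.com.", ".dev.example.com."} {
		fmt.Printf("filter %q\n", filter)
		for _, n := range names {
			fmt.Printf("  %-24s naive=%-5t label=%t\n", n, naiveMatch(filter, n), labelMatch(filter, n))
		}
	}
}
```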

@gustav-b
Author

Thanks, I just saw #446 and it looks like it's the same issue. The solution proposed in that issue seems sane (not that I'm familiar with the code)…

@linki
Member

linki commented Feb 26, 2018

Possible fix: #478

@linki
Member

linki commented Mar 14, 2018

We merged #478 but this is still an issue, see #478 (comment).

@spohner
Contributor

spohner commented Jan 16, 2020

This PR #1375 tries to solve this with a dedicated subdomain filter for the AWS provider.
