Investigate External-DNS Route53 record label length violation issue #4294
Assignees
Comments
|
Updated OPA domain label length value in policy: Documented in user guide: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background
AWS Route53 has a defined set of rules regarding domain name length limits:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html
In order to mitigate risk of CP users creating domain names with domain labels exceeding the specified limit, we have created an OPA policy to deny the creation of ingress hostnames breaking this rule:
https://github.com/ministryofjustice/cloud-platform-terraform-opa/blob/main/resources/policies/ingress_hostname_length.rego
However, we have continued to see AlertManager firing with error: ErrorsInExternalDNS, with message such as:
time="2022-12-15T12:55:39Z" level=error msg="InvalidChangeBatch: FATAL problem: DomainLabelTooLong (Domain label is too long) encountered with 'cname-apply-for-a-property-and-financial-affairs-deputyship-orde'\n\tstatus code: 400, request id: a7e55475-fc20-4b97-a10a-dc08f2a2f0d3"As of external-dns v0.12, TXT DNS records are being prepended with a record type string
(cname-), which in the above example means that an otherwise legal label length of 63 characters breaks Route53 rule, but outside of admission control so the issue is not caught at apply/build time.This is an open issue with external-dns
kubernetes-sigs/external-dns#2839
Proposed user journey
Put in place measures to mitigate domain label length issues going undetected outside of kubernetes control, and highlight this restriction in the user guide. Investigate & keep tabs on ongoing issue.
Approach
Reduce OPA character length policy to 57 to account for the
cname-prefixAdd documentation for Route53 domain label length restrictions to CP user guide
Definition of done
Reference
How to write good user stories
The text was updated successfully, but these errors were encountered: