Background
AWS Route53 has a defined set of rules regarding domain name length limits:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DomainNameFormat.html
In order to mitigate risk of CP users creating domain names with domain labels exceeding the specified limit, we have created an OPA policy to deny the creation of ingress hostnames breaking this rule:
https://github.com/ministryofjustice/cloud-platform-terraform-opa/blob/main/resources/policies/ingress_hostname_length.rego
However, we have continued to see AlertManager firing with error: ErrorsInExternalDNS, with a message such as:
time="2022-12-15T12:55:39Z" level=error msg="InvalidChangeBatch: FATAL problem: DomainLabelTooLong (Domain label is too long) encountered with 'cname-apply-for-a-property-and-financial-affairs-deputyship-orde'\n\tstatus code: 400, request id: a7e55475-fc20-4b97-a10a-dc08f2a2f0d3"
As of external-dns v0.12, TXT DNS records are being prepended with a record type string (cname-), which in the above example means that an otherwise legal label length of 63 characters breaks the Route53 rule, but outside of admission control, so the issue is not caught at apply/build time. This is an open issue with external-dns:
kubernetes-sigs/external-dns#2839
Proposed user journey
Put in place measures to mitigate domain label length issues going undetected outside of kubernetes control, and highlight this restriction in the user guide. Investigate & keep tabs on ongoing issue.
Approach
Reduce OPA character length policy to 57 to account for the cname- prefix
Add documentation for Route53 domain label length restrictions to CP user guide
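The following is an added worked example, not the Cloud Platform OPA policy or external-dns code, that models the two checks involved: the label-length rule admission control enforces on an ingress host, and the length of the TXT registry record name that external-dns v0.12+ derives by prepending `cname-`. It assumes the prefix is prepended to the leftmost label, as in the failing name in the AlertManager message above, and uses a constructed 63-character label in place of the real one.

```python
# Added example (not the Cloud Platform policy or external-dns code).
# Models why a 63-character label passes admission but fails in Route53
# once external-dns prepends "cname-" to the TXT registry record name.

ROUTE53_MAX_LABEL = 63                      # per-label limit Route53 enforces
TXT_PREFIX = "cname-"                       # record-type prefix added by external-dns v0.12+
POLICY_MAX_LABEL = ROUTE53_MAX_LABEL - len(TXT_PREFIX)   # 57, the proposed OPA limit


def labels(hostname: str) -> list[str]:
    """Split a hostname into its DNS labels, ignoring a trailing dot."""
    return hostname.rstrip(".").split(".")


def registry_record_name(hostname: str, prefix: str = TXT_PREFIX) -> str:
    """Name of the TXT registry record external-dns writes for `hostname`.

    Assumption: the prefix goes on the leftmost label, which matches the
    'cname-apply-for-...' name in the AlertManager message.
    """
    parts = labels(hostname)
    parts[0] = prefix + parts[0]
    return ".".join(parts)


def too_long_labels(hostname: str, limit: int = ROUTE53_MAX_LABEL) -> list[str]:
    """Return the labels of `hostname` longer than `limit` (empty when it is fine)."""
    return [lbl for lbl in labels(hostname) if len(lbl) > limit]


def admission_allows(hostname: str, limit: int = POLICY_MAX_LABEL) -> bool:
    """Decision the admission policy would make for an ingress host (True = admit)."""
    return not too_long_labels(hostname, limit)


def route53_accepts_registry_record(hostname: str) -> bool:
    """Would Route53 accept the TXT registry record derived from `hostname`?"""
    return not too_long_labels(registry_record_name(hostname))


# Constructed sample: a label padded to exactly 63 characters, like the one
# that produced DomainLabelTooLong in the log line above.
LONG_LABEL = "apply-for-a-property-and-financial-affairs-deputyship-order".ljust(63, "x")
LONG_HOST = f"{LONG_LABEL}.apps.example.com"      # constructed hostname


def explain(hostname: str) -> dict:
    """Summarise how a host fares under the old limit, the new limit, and Route53."""
    return {
        "admitted_at_63": admission_allows(hostname, ROUTE53_MAX_LABEL),
        "admitted_at_57": admission_allows(hostname, POLICY_MAX_LABEL),
        "registry_record": registry_record_name(hostname),
        "route53_accepts": route53_accepts_registry_record(hostname),
    }


if __name__ == "__main__":
    for host in (LONG_HOST, "short-service.apps.example.com"):
        print(host, explain(host))
```

Running it shows the gap the issue describes: the 63-character host is admitted under a 63-character policy, but its registry record label is 69 characters and Route53 rejects it; under the 57-character policy it is rejected at admission time instead, and any host that passes the 57 limit yields a registry record of at most 63 characters.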
Definition of done
Reference
How to write good user stories