cloudflare-tunnel-ingress-controller
The wrong Cloudflare zone is being updated
I have a bunch of domains within my Cloudflare account. Some of the domains are subsets of other domains. Unfortunately, this is causing issues with the ingress controller. For example:
I'm looking to run the tunnels on myexampledomain.com, but it's updating the records on exampledomain.com.
Any idea what's causing this? I was able to restrict which zones were exposed to the API token, but I figured I should probably report the bug here as well.
This controller would use the exactly matched hostname introduced in the ingress objects; maybe double-check the ingress objects?
In addition, if you could provide more detailed information, like the ingress object in YAML, the logs of this controller, and how the DNS records look in Cloudflare, it would be very helpful for addressing this issue.
Yeah. I re-added the zone to the API token and here are the logs from the controller:
2024/05/08 16:56:22 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname test.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"argocd-server-http-ingress","namespace":"argocd"} "namespace"="argocd" "name"="argocd-server-http-ingress" "reconcileID"="3e01300e-fbff-4d16-bd08-0efe9555c5da"
2024/05/08 16:56:23 main/ingress-controller: "caller"={"file":"ingress-controller.go","line":67} "level"=0 "msg"="update cloudflare tunnel config" "triggered-by"={"name":"test-ingress","namespace":"default"}
2024/05/08 16:56:24 main/tunnel-client: "caller"={"file":"tunnel-client.go","line":129} "level"=0 "msg"="create DNS record" "type"="CNAME" "hostname"="argocd-grpc.myexample.com" "content"="4d270321-28b0-4686-b1bc-7ecd07c2a1c0.cfargotunnel.com"
2024/05/08 16:56:24 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname argocd-grpc.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"test-ingress","namespace":"default"} "namespace"="default" "name"="test-ingress" "reconcileID"="db5c6880-0d85-46eb-82d2-ae2a7df0b6a1"
2024/05/08 16:56:24 main/ingress-controller: "caller"={"file":"ingress-controller.go","line":67} "level"=0 "msg"="update cloudflare tunnel config" "triggered-by"={"name":"argocd-server-grpc-ingress","namespace":"argocd"}
2024/05/08 16:56:25 main/tunnel-client: "caller"={"file":"tunnel-client.go","line":129} "level"=0 "msg"="create DNS record" "type"="CNAME" "hostname"="argocd-grpc.myexample.com" "content"="4d270321-28b0-4686-b1bc-7ecd07c2a1c0.cfargotunnel.com"
2024/05/08 16:56:26 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname argocd-grpc.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"argocd-server-grpc-ingress","namespace":"argocd"} "namespace"="argocd" "name"="argocd-server-grpc-ingress" "reconcileID"="f0165a8c-28a9-40bc-a437-4b0bdbfbdf49"
Here's the ingress manifest:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-http-ingress
  namespace: argocd
  annotations:
    cloudflare-tunnel-ingress-controller.strrl.dev/backend-protocol: "http"
    cloudflare-tunnel-ingress-controller.strrl.dev/proxy-ssl-verify: "off"
spec:
  ingressClassName: cloudflare-tunnel
  rules:
    - host: argocd.myexample.com
      http:
        paths:
          - backend:
              service:
                name: argocd-server
                port:
                  name: http
            path: /
            pathType: Prefix
I did change the domains to example.com and myexample.com for security reasons. If you need the original logs I can share them privately. The original domains are very similar to myexample.com and example.com, where the longer domain is just the shorter domain with a string prepended to it.
Sorry for the late response. I think it is a bug, because this controller only matches the suffix of the domain.
This suffix-matching policy was introduced for matching subdomains like "site1.example.com" and "site2.example.com", and it would also match "site1.myexample.com" and "site2.myexample.com" by mistake.
reference:
https://github.com/STRRL/cloudflare-tunnel-ingress-controller/blob/master/pkg/cloudflare-controller/tunnel-client.go#L182-L189
I would try to fix it soon.
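As an added illustration of the suffix-matching bug discussed in this thread (example code written here, not the controller's own implementation; the zone list is a constructed sample in the order the logs show): the first function reproduces a plain suffix match, which picks example.com for test.myexample.com, while the second only matches on a label boundary and prefers the longest matching zone.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: zone names in the order the log line lists them.
var zones = []string{"example.com", "myexample.com"}

// buggyZoneFor reproduces suffix-only matching: "test.myexample.com"
// ends with "example.com", so the first zone in the list wins.
func buggyZoneFor(hostname string, zones []string) (string, bool) {
	for _, z := range zones {
		if strings.HasSuffix(hostname, z) {
			return z, true
		}
	}
	return "", false
}

// zoneFor requires the zone to sit on a label boundary (hostname equals the
// zone, or ends with "."+zone) and keeps the longest match, so the more
// specific "myexample.com" beats "example.com" for "test.myexample.com".
func zoneFor(hostname string, zones []string) (string, bool) {
	h := strings.TrimSuffix(strings.ToLower(hostname), ".")
	best := ""
	for _, z := range zones {
		z = strings.TrimSuffix(strings.ToLower(z), ".")
		if (h == z || strings.HasSuffix(h, "."+z)) && len(z) > len(best) {
			best = z
		}
	}
	return best, best != ""
}

func main() {
	for _, host := range []string{"test.myexample.com", "site1.example.com", "foo.notexample.com"} {
		b, _ := buggyZoneFor(host, zones)
		c, ok := zoneFor(host, zones)
		fmt.Printf("%-20s suffix-only=%-14s boundary=%-14s found=%v\n", host, b, c, ok)
	}
}
```

The third hostname shows the second failure mode of suffix matching: foo.notexample.com is not in any managed zone, yet suffix matching still routes it to example.com.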