external-dns
Domain exclusion filter not being considered since >= v0.9.0
What happened:
Since upgrading to versions after or including v0.9.0, external-dns is trying to manage domains that I've explicitly configured for exclusion.
To summarize, my goal is to allow external-dns to manage any domain for which I have a Route53 hosted zone available, except those I list in an exclusion filter. I've been operating external-dns in this manner for a while. My domain filter, therefore, has an empty allow list and a non-empty exclusion list.
It appears that since the refactoring in #2010, there are now IsConfigured() checks being made against our domain filter that weren't in the call path before (via the wrapping in the MatchAllDomainFilters). Any domain filter, like mine, that is only concerned with an exclusion list is considered "not configured". Only domain filters with either a regexp inclusion pattern or an explicit inclusion list are considered "configured".
What you expected to happen:
I'd expect the exclusion list on my domain filter to be enforced even though it is not accompanied by a corresponding inclusion/allow list.
How to reproduce it (as minimally and precisely as possible):
- Create Route53 hosted zones for foo.example.com and bar.example.com.
- Create a Kubernetes Service with annotation external-dns.alpha.kubernetes.io/hostname: my.foo.example.com
- Create a Kubernetes Service with annotation external-dns.alpha.kubernetes.io/hostname: my.bar.example.com
- Start external-dns with an exclusion-only domain filter for bar.example.com:
external-dns --dry-run --once --policy sync --source service --provider aws --registry txt --txt-owner-id=my-cluster --exclude-domains bar.example.com
I'd expect that external-dns would only try to create DNS records for my.foo.example.com.
Anything else we need to know?:
Environment:
- External-DNS version (use external-dns --version): >= v0.9.0
- DNS provider: aws
- Others:
I'm open to suggestions for rephrasing the configuration to achieve my intended setup if this isn't an actual bug.
I'm currently able to work around this by setting multiple empty domain filter entries to trick the domain filter into passing the IsConfigured() check. Yes, surprising, I know.
It's because "" is an overloaded value in the configuration system. In one part of the code, it means "permit everything" and in another part of the code it means "this hasn't been configured yet, ignore".
external-dns --dry-run --once --policy sync --source service --provider aws --registry txt --txt-owner-id=my-cluster --domain-filter '' --domain-filter '' --exclude-domains bar.example.com
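The filter behaviour described above, as a standalone model in Go added to this page (it is not external-dns's own code): a suffix allow/deny filter, a configured check that only looks at the allow list, a match-all wrapper that skips any filter reported as unconfigured, and the two outcomes from the report (exclusion-only filter ignored; two empty --domain-filter entries making it count). Regex filters are omitted, and the rule that a single empty allow entry counts as unset while two or more do not is an assumption chosen to reproduce the workaround, not a statement about the project's source. The hostnames are the ones from the repro steps.

```go
package main

import (
	"fmt"
	"strings"
)

// DomainFilter is a simplified model of an include/exclude suffix filter.
// It is NOT external-dns's own type; it only mirrors the behaviour the
// issue describes (regex filters are left out to keep the model short).
type DomainFilter struct {
	Filters []string // allow list of domain suffixes; empty means "permit everything"
	Exclude []string // deny list of domain suffixes
}

// matchSuffix reports whether domain equals or is a subdomain of any entry
// in filters. emptyval is returned for an empty list or an empty entry,
// which is where "" doubles as "permit everything".
func matchSuffix(filters []string, domain string, emptyval bool) bool {
	if len(filters) == 0 {
		return emptyval
	}
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	for _, f := range filters {
		f = strings.ToLower(strings.TrimSuffix(f, "."))
		if f == "" {
			return emptyval
		}
		if d == f || strings.HasSuffix(d, "."+f) {
			return true
		}
	}
	return false
}

// Match applies the allow list first, then the deny list.
func (df DomainFilter) Match(domain string) bool {
	return matchSuffix(df.Filters, domain, true) && !matchSuffix(df.Exclude, domain, false)
}

// isConfiguredIgnoringExclusions models the check the issue complains about:
// only the allow list counts. Assumption for this model: a single "" entry
// counts as unset, while two "" entries do not, which is what makes the
// --domain-filter '' --domain-filter '' workaround pass the check.
func isConfiguredIgnoringExclusions(df DomainFilter) bool {
	if len(df.Filters) == 1 {
		return df.Filters[0] != ""
	}
	return len(df.Filters) > 0
}

// isConfiguredWithExclusions is the behaviour the reporter expects:
// a filter carrying only a deny list is still a configured filter.
func isConfiguredWithExclusions(df DomainFilter) bool {
	return isConfiguredIgnoringExclusions(df) || len(df.Exclude) > 0
}

// matchAll models a "match all filters" wrapper that skips any filter the
// configured check reports as unset; that skip is why an exclusion-only
// filter silently stops filtering.
func matchAll(filters []DomainFilter, configured func(DomainFilter) bool, domain string) bool {
	for _, f := range filters {
		if !configured(f) {
			continue
		}
		if !f.Match(domain) {
			return false
		}
	}
	return true
}

// Managed returns which of the two hostnames from the repro the filter chain
// would let external-dns manage.
func Managed(filters []DomainFilter, configured func(DomainFilter) bool) []string {
	var out []string
	for _, h := range []string{"my.foo.example.com", "my.bar.example.com"} {
		if matchAll(filters, configured, h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	excludeBar := DomainFilter{Exclude: []string{"bar.example.com"}}
	workaround := DomainFilter{Filters: []string{"", ""}, Exclude: []string{"bar.example.com"}}
	fmt.Println("exclusion-only, allow-list-only check:", Managed([]DomainFilter{excludeBar}, isConfiguredIgnoringExclusions))
	fmt.Println("two empty entries, allow-list-only check:", Managed([]DomainFilter{workaround}, isConfiguredIgnoringExclusions))
	fmt.Println("exclusion-only, check that counts exclusions:", Managed([]DomainFilter{excludeBar}, isConfiguredWithExclusions))
}
```

Running it shows the first case managing both hostnames (the deny list never runs), while the other two manage only my.foo.example.com. The takeaway is that a wrapper which skips "unconfigured" filters must treat a non-empty exclusion list as configuration, otherwise the deny list is dead code whenever no allow list is given.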
We are seeing issues in 0.12.0: ExternalDNS is not looking at the regular expression for domains to include (--regex-domain-filter). Any domain goes. Any update here?
Edit: And in the currently latest 0.12.2.