STRRL / cloudflare-tunnel-ingress-controller

🚀 Expose the website directly into the internet! The Kubernetes Ingress Controller based on Cloudflare Tunnel.
MIT License

The wrong Cloudflare zone is being updated #74

Closed CCoffie closed 2 weeks ago

CCoffie commented 5 months ago

I have a bunch of domains within my Cloudflare account. Some of the domains are subsets of other domains. Unfortunately, this is causing issues with the ingress controller. For example:

I'm looking to run the tunnels on myexampledomain.com but it's updating the records on exampledomain.com.

Any idea what's causing this? I was able to restrict which zones were exposed to the API token, but I figured I should probably report the bug here as well.

STRRL commented 5 months ago

This controller would use the exactly matched hostname introduced in the ingress objects; maybe double-check the ingress objects?

In addition, if you could provide more detailed information, like the ingress object in YAML, the logs of this controller, and how the DNS records look in Cloudflare, it would be very helpful for addressing this issue.

CCoffie commented 4 months ago

Yeah. I re-added the zone to the API token and here are the logs from the controller:

```
2024/05/08 16:56:22 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname test.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"argocd-server-http-ingress","namespace":"argocd"} "namespace"="argocd" "name"="argocd-server-http-ingress" "reconcileID"="3e01300e-fbff-4d16-bd08-0efe9555c5da"
2024/05/08 16:56:23 main/ingress-controller: "caller"={"file":"ingress-controller.go","line":67} "level"=0 "msg"="update cloudflare tunnel config" "triggered-by"={"name":"test-ingress","namespace":"default"}
2024/05/08 16:56:24 main/tunnel-client: "caller"={"file":"tunnel-client.go","line":129} "level"=0 "msg"="create DNS record" "type"="CNAME" "hostname"="argocd-grpc.myexample.com" "content"="4d270321-28b0-4686-b1bc-7ecd07c2a1c0.cfargotunnel.com"
2024/05/08 16:56:24 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname argocd-grpc.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"test-ingress","namespace":"default"} "namespace"="default" "name"="test-ingress" "reconcileID"="db5c6880-0d85-46eb-82d2-ae2a7df0b6a1"
2024/05/08 16:56:24 main/ingress-controller: "caller"={"file":"ingress-controller.go","line":67} "level"=0 "msg"="update cloudflare tunnel config" "triggered-by"={"name":"argocd-server-grpc-ingress","namespace":"argocd"}
2024/05/08 16:56:25 main/tunnel-client: "caller"={"file":"tunnel-client.go","line":129} "level"=0 "msg"="create DNS record" "type"="CNAME" "hostname"="argocd-grpc.myexample.com" "content"="4d270321-28b0-4686-b1bc-7ecd07c2a1c0.cfargotunnel.com"
2024/05/08 16:56:26 controller-runtime: "caller"={"file":"controller.go","line":324} "msg"="Reconciler error" "error"="put exposures: update DNS CNAME record: update DNS CNAME record for zone [example.com myexample.com]: create DNS record for zone example.com, hostname argocd-grpc.myexample.com: An A, AAAA, or CNAME record with that host already exists. For more details, refer to <https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/>. (81053)" "controller"="ingress" "controllerGroup"="networking.k8s.io" "controllerKind"="Ingress" "Ingress"={"name":"argocd-server-grpc-ingress","namespace":"argocd"} "namespace"="argocd" "name"="argocd-server-grpc-ingress" "reconcileID"="f0165a8c-28a9-40bc-a437-4b0bdbfbdf49"
```

Here's the ingress manifest:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-http-ingress
  namespace: argocd
  annotations:
    cloudflare-tunnel-ingress-controller.strrl.dev/backend-protocol: "http"
    cloudflare-tunnel-ingress-controller.strrl.dev/proxy-ssl-verify: "off"
spec:
  ingressClassName: cloudflare-tunnel
  rules:
  - host: argocd.myexample.com
    http:
      paths:
      - backend:
          service:
            name: argocd-server
            port:
              name: http
        path: /
        pathType: Prefix
```

I did change the domains to example.com and myexample.com for security reasons. If you need the original logs I can share them privately. The original domains are very similar to myexample.com and example.com, where the longer domain is just the shorter domain with a string prepended to it.

STRRL commented 2 weeks ago

Sorry for the late response. I think it is a bug, because this controller only matches the suffix of the domain.

This suffix-matching policy was introduced for matching subdomains like "site1.example.com" and "site2.example.com", and it would also match "site1.myexample.com" and "site2.myexample.com" by mistake.

reference:

https://github.com/STRRL/cloudflare-tunnel-ingress-controller/blob/master/pkg/cloudflare-controller/tunnel-client.go#L182-L189

I would try to fix it soon.
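To make the failure mode concrete, here is an added Go example (not the controller's own code) contrasting a bare string-suffix zone match with a match that respects DNS label boundaries. The zone list and hostnames are constructed from the values in this thread; `naiveZoneMatch` reproduces the mix-up (a hostname under myexample.com is claimed by example.com because the string ends with "example.com"), and `zoneMatch` requires the zone to be the whole name or to follow a "." and prefers the longest matching zone, so nested zones such as "sub.example.com" inside "example.com" resolve to the more specific one. The longest-match rule and the normalisation of case and trailing dots are my assumptions about the desired behaviour, not something the project has committed to.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveZoneMatch is a constructed illustration of the bug described in this
// issue: a plain suffix test treats "test.myexample.com" as belonging to
// "example.com" because the string happens to end with it. The first zone in
// the list that matches wins, so zone order decides which zone gets written.
func naiveZoneMatch(hostname string, zones []string) (string, bool) {
	for _, z := range zones {
		if strings.HasSuffix(hostname, z) {
			return z, true
		}
	}
	return "", false
}

// normalize lower-cases a DNS name and drops a trailing root dot so that
// "MyExample.com." and "myexample.com" compare equal (assumed policy).
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// zoneMatch only accepts a zone if the hostname equals it or ends with "."+zone,
// i.e. the match sits on a label boundary. When several zones qualify (nested
// zones), the longest one is the most specific and is returned.
func zoneMatch(hostname string, zones []string) (string, bool) {
	h := normalize(hostname)
	best := ""
	for _, z := range zones {
		zn := normalize(z)
		if zn == "" {
			continue
		}
		if h != zn && !strings.HasSuffix(h, "."+zn) {
			continue
		}
		if len(zn) > len(best) {
			best = zn
		}
	}
	return best, best != ""
}

func main() {
	// Constructed zone list in the same order the controller logged it.
	zones := []string{"example.com", "myexample.com"}
	for _, host := range []string{"test.myexample.com", "argocd.example.com", "test.other.com"} {
		nz, _ := naiveZoneMatch(host, zones)
		z, ok := zoneMatch(host, zones)
		fmt.Printf("%-22s naive=%-14q boundary=%q ok=%v\n", host, nz, z, ok)
	}
}
```

A quick way to confirm a controller has this class of bug is to register two zones where one is a string suffix of the other and watch which zone receives the CNAME; scoping the API token to only the intended zones, as the reporter did, limits the blast radius but does not fix the selection logic.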