kashalls / external-dns-unifi-webhook

External-DNS Webhook to manage UniFi DNS Records
Apache License 2.0

UniFi will not handle wildcard cname's #58

Closed kashalls closed 1 month ago

kashalls commented 1 month ago

Bug Description

The webhook will return 400 when trying to create a CNAME record with a wildcard key. Ex: *.coder.ok8.sh

UniFi returns the following output when attempting to create the record:

{"record_type":"CNAME","value":"external.ok8.sh","key":"*.codeap2l.ok8.sh","enabled":true}
{
    "code": "api.err.StaticDnsRecordInvalidParameters",
    "details": {
        "invalid_fields": [
            "key"
        ]
    },
    "errorCode": 400,
    "message": "Invalid hostname"
}

This should function with the External-DNS Cloudflare Provider (with warnings).

ExternalDNS Configuration

This issue relies on the configuration of external-dns outside of the helm values.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: coder
  namespace: coder
spec:
  ingressClassName: external
  rules:
  - host: coder.ok8.sh
    http:
      paths:
      - backend:
          service:
            name: coder
            port:
              name: http
        path: /
        pathType: Prefix
  - host: '*.coder.ok8.sh'
    http:
      paths:
      - backend:
          service:
            name: coder
            port:
              name: http
        path: /
        pathType: Prefix
status:
  loadBalancer:
    ingress:
    - ip: 10.69.0.149

When External DNS encounters this issue, it doesn't understand what the 400 is doing per the docs

Not sure what we should do, but it seems like our options are:

  1. Notice the issue, attempt to warn in logs.
  2. Reject it with a 500?
  3. Automatically change it from a CNAME record to an A record?

ExternalDNS Logs

time="2024-09-12T19:42:08Z" level=debug msg="Endpoints generated from ingress: coder/coder: [coder.ok8.sh 0 IN CNAME  external.ok8.sh [] *.coder.ok8.sh 0 IN CNAME  external.ok8.sh []]"
time="2024-09-12T19:42:08Z" level=debug msg="No endpoints could be generated from service coder/coder"
time="2024-09-12T19:42:08Z" level=debug msg="Failed to apply changes with code 500"
time="2024-09-12T19:42:08Z" level=error msg="Failed to do run once: soft error\nfailed to apply changes with code 500"

Webhook Logs

{"level":"debug","ts":1726478457.1915169,"caller":"unifi/client.go:97","msg":"Client Preforming Request","req_method":"POST","req_path":"https://10.1.0.2/proxy/network/v2/api/site/default/static-dns/"}
{"level":"debug","ts":1726478457.1915534,"caller":"log/log.go:53","msg":"Requesting https://10.1.0.2/proxy/network/v2/api/site/default/static-dns/ cookies: 1"}
{"level":"debug","ts":1726478457.2286205,"caller":"unifi/client.go:115","msg":"Client Returning Request","req_method":"POST","req_path":"https://10.1.0.2/proxy/network/v2/api/site/default/static-dns/","res_code":400}

UniFiOS Version

v4.0.18

UniFi Network Version

v8.5.1

ExternalDNS Version

0.15.0

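The options listed above (warn in the logs, reject with a clearer error, or rewrite the record) all need the same two pieces: a pre-flight check that recognises a wildcard CNAME key before the request is sent, and a decoder that turns UniFi's 400 body into a message naming the invalid field instead of the bare "Failed to apply changes with code 500" that External DNS logs. The following is an added example written for this thread; it is not code from the external-dns-unifi-webhook project. The struct shapes are copied from the request and response bodies shown in the report; the names `staticDNSRecord`, `unifiError`, `validateRecord`, `decodeUniFiError` and `ErrWildcardCNAME` are assumptions, and the sample inputs are constructed from the bodies quoted above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// staticDNSRecord mirrors the body the webhook POSTs to
// /proxy/network/v2/api/site/default/static-dns/ (field names from the report).
type staticDNSRecord struct {
	RecordType string `json:"record_type"`
	Value      string `json:"value"`
	Key        string `json:"key"`
	Enabled    bool   `json:"enabled"`
}

// unifiError mirrors the 400 response body UniFi returned in the report.
type unifiError struct {
	Code    string `json:"code"`
	Details struct {
		InvalidFields []string `json:"invalid_fields"`
	} `json:"details"`
	ErrorCode int    `json:"errorCode"`
	Message   string `json:"message"`
}

// ErrWildcardCNAME is a sentinel so callers can test for this case with errors.Is.
var ErrWildcardCNAME = errors.New("unifi: wildcard (*.) CNAME records are not supported")

// validateRecord is a hypothetical pre-flight check (option 1 in the report):
// it rejects wildcard CNAME keys locally, before any request reaches UniFi.
// Only CNAME is checked; the thread does not establish how UniFi treats wildcard A records.
func validateRecord(r staticDNSRecord) error {
	if strings.EqualFold(r.RecordType, "CNAME") && strings.HasPrefix(r.Key, "*.") {
		return fmt.Errorf("%w: key %q", ErrWildcardCNAME, r.Key)
	}
	return nil
}

// decodeUniFiError turns a non-2xx UniFi response into an error that names the
// rejected fields, so the webhook log says more than "res_code":400.
func decodeUniFiError(status int, body []byte) error {
	var ue unifiError
	if err := json.Unmarshal(body, &ue); err != nil {
		return fmt.Errorf("unifi: status %d, unparseable body: %w", status, err)
	}
	return fmt.Errorf("unifi: status %d %s (%s): invalid fields %v",
		status, ue.Message, ue.Code, ue.Details.InvalidFields)
}

func main() {
	// Constructed from the request body quoted in the report.
	rec := staticDNSRecord{RecordType: "CNAME", Value: "external.ok8.sh", Key: "*.coder.ok8.sh", Enabled: true}
	if err := validateRecord(rec); err != nil {
		fmt.Println("pre-flight:", err)
	}
	// Constructed from the response body quoted in the report.
	body := []byte(`{"code":"api.err.StaticDnsRecordInvalidParameters","details":{"invalid_fields":["key"]},"errorCode":400,"message":"Invalid hostname"}`)
	fmt.Println("decoded:", decodeUniFiError(400, body))
}
```

Running the pre-flight check first means the webhook can log the reason once, at the record that caused it, rather than letting External DNS surface an opaque 500; the decoder is still useful for any other field UniFi rejects.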

kashalls commented 1 month ago

🛎️ @onedr0p @buroa

onedr0p commented 1 month ago
  1. Are you trying something new here or,
  2. Did this work prior to the 0.15.0 changes, or
  3. Did you try creating a wildcard cname record with the API only to test?

Sounds like it could be a limitation of unifi not supporting wildcard DNS?

kashalls commented 1 month ago
  1. Are you trying something new here or,
  2. Did this work prior to the 0.15.0 changes, or
  3. Did you try creating a wildcard cname record with the API only to test?

Sounds like it could be a limitation of unifi not supporting wildcard DNS?

I tried doing it through the API, yes. The response above is what it resulted in. I am pretty sure it is not supported unless it is the primary reason why the cname option is grayed out on the panel.

onedr0p commented 1 month ago

If that's the case, maybe it's worth putting in the README that wildcard DNS isn't supported?

kashalls commented 1 month ago

If that's the case, maybe it's worth putting in the README that wildcard DNS isn't supported?

And just let it error out itself?

In our home cluster setups, we need to set the annotation to make the record a cname. If we remove it, it changes it to an A record for the internal ingresses but also breaks external ingresses because it tries to point the wildcard to our tunnel as an A record (which points an external address to an internal ip range). Very interesting issue here.

onedr0p commented 1 month ago

And just let it error out itself?

Sounds good to me, the error that already happens is good enough to start debugging what's wrong. Plus this issue exists for the next person that comes along the problem.

buroa commented 1 month ago

If that's the case, maybe it's worth putting in the README that wildcard DNS isn't supported?

And just let it error out itself?

In our home cluster setups, we need to set the annotation to make the record a cname. If we remove it, it changes it to an A record for the internal ingresses but also breaks external ingresses because it tries to point the wildcard to our tunnel as an A record (which points an external address to an internal ip range). Very interesting issue here.

The real issue is upstream Unifi does not support wildcard addresses, therefore, just say that in the README.

kashalls commented 1 month ago

So adding a line to the pre-existing warning like this?

[!WARNING] This software is experimental and NOT FIT FOR PRODUCTION USE!

UniFi does not support Wildcard (*.) CNAME records at this time.

onedr0p commented 1 month ago

Maybe create a limitations section in the README somewhere and put it there.

kashalls commented 1 month ago

Was completed in https://github.com/kashalls/external-dns-unifi-webhook/commit/2ea4b68293a3394ed8eeb09bccaf09bd7ca69fda