search

kubernetes-sigs / external-dns

Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
Apache License 2.0
7.55k stars 2.54k forks source link

Handling multiple Istio virtualservices with wildcard hostname in gateway #4558

Open benbouillet opened 2 months ago

benbouillet commented 2 months ago

What would you like to be added:

We'd like external-dns to be able to manage DNS record for multiple Istio virtualservices behind an Istio gateway with a wildcard hostname configuration. As of now, if the hostname configuration is delegated to the virtualservices (ie. the Gateway is configured with a wildcard hostname, and virtualservices manages multiple paths on one hostname) , external-dns will loop over the virtualservice and endlessly try to update the DNS records

Why is this needed: SRE team here, we'd like to avoid managing the DNS records for each new API/app release, so the gateway is configured this way:

...
spec:
  selector:
    app: gateway-api
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
...

The associated virtualservice are configured this way:

% k get virtualservice -A
NAMESPACE   NAME                        GATEWAYS                    HOSTS                                                                  AGE
apps        service1                    ["gateway-api"]             ["api.ourdomain.com"]                                          80d
apps        service2                    ["gateway-api"]             ["api.ourdomain.com"]                                          80d
apps        service3                    ["gateway-api"]             ["api.ourdomain.com"]                                          80d
...
spec:
  gateways:
  - gateway-api
  hosts:
  - api.ourdomain.com
...
    match:
    - uri:
        prefix: /service1/
    rewrite:
      uri: /
    route:
    - destination:
        host: service1-http
...

As hosts are defined at the virtualservice level (and as "*" at the gateway level), we configured the sources as following in the external-dns helm chart:

  sources:
  - istio-virtualservice
  - ingress

When deploying external-dns, looping on each virtualservice, each virtualservice wants to manage the DNS entry and rewrite the previous one:

time="2024-06-18T09:44:04Z" level=info msg="Del records: api.domain.com. TXT [\"heritage=external-dns,external-dns/owner=external-dns-staging,external-dns/resource=virtualservice/apps/service1\"] 300"
time="2024-06-18T09:44:04Z" level=info msg="Del records: a-api.domain.com. TXT [\"heritage=external-dns,external-dns/owner=external-dns-staging,external-dns/resource=virtualservice/apps/service1\"] 300"
time="2024-06-18T09:44:04Z" level=info msg="Add records: api.domain.com. A [<REDACTED_IP>] 300"
time="2024-06-18T09:44:04Z" level=info msg="Add records: a-api.domain.com. TXT [\"heritage=external-dns,external-dns/owner=external-dns-staging,external-dns/resource=virtualservice/apps/service2\"] 300"
time="2024-06-18T09:44:04Z" level=info msg="Add records: api.domain.com. TXT [\"heritage=external-dns,external-dns/owner=external-dns-staging,external-dns/resource=virtualservice/apps/service2\"] 300"

Note: some details were redacted for IP reasons (eg. service names, FQDNs & IP addresses)

bkonicek commented 1 month ago

I'd love to rollout external-dns at work but I'm running into the same roadblock. Maybe something like an optional flag to configure external-dns to ignore records where the name and target already match could help here?