External DNS throwing error when creating DNS record from istio virtual service

11/4/2021

Hello, I have installed Istio on my EKS cluster, where I'm trying to link it to ExternalDNS and create DNS records on the fly. I'm having this issue:

RRSet of type TXT with DNS name pr-1667.eks.comrade.com. is not permitted because a conflicting RRSet of type CNAME with the same DNS name already exists in zone eks.comrade.com.]\n\tstatus code: 400, request id: 9a4bfe6b-7c84..."

This is my virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-waf-entrypoint
  annotations:
    external-dns.alpha.kubernetes.io/target: {{substr 8 22 .Values.comrade.api.appDomain }}
    external-dns.alpha.kubernetes.io/external: 'true'
spec:
  hosts:
    - "{{ .Values.comrade.api.appDomain }}"
  gateways:
    - comrade-istio-gateway
  http:
    - route:
        - destination:
            host: app-waf-entrypoint.{{ .Values.comrade.namespace }}.svc.cluster.local
            port:
                number: {{ .Values.comrade.waf.port }}

This is my ExternalDNS manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: k8s.gcr.io/external-dns/external-dns:v0.7.6
        args:
        - --source=service
        - --source=ingress
        - --source=istio-virtualservice # or both
        - --domain-filter=eks.myapp.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=aws
        - --policy=sync
        - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
        - --registry=txt
        - --txt-owner-id=######
      securityContext:
        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  # If you're using Amazon EKS with IAM Roles for Service Accounts, specify the following annotation.
  # Otherwise, you may safely omit it.
  annotations:
    # Substitute your account ID and IAM service role name below.
    eks.amazonaws.com/role-arn: #########
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services","endpoints","pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list","watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["virtualservices"]
  verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default

Finally, here is my Istio gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: comrade-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
        - "{{ .Values.comrade.api.appDomain }}"

I was using the same service with an Ingress and it was working just fine, so I'm not really sure what is going on. I can't see anything under my hosted zone, like an already created record or anything.

Thanks in advance.

-- Anas Hassari
amazon-eks
external-dns
istio
kubernetes
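The error text states the Route53 rule at work: a TXT record cannot be placed at a name that already holds a CNAME, and with `--registry=txt` and no prefix ExternalDNS writes its ownership TXT record at the same name as the record it manages. As an added example (not code from the question or from the ExternalDNS project), here are the posted args next to a variant that moves the ownership record to a prefixed name with `--txt-prefix`; it assumes the CNAME comes from the hostname set in the target annotation, and `extdns-` is an arbitrary prefix chosen for illustration.

```yaml
# Added example, not from the question. Only the ExternalDNS container
# args are shown; the rest of the Deployment stays as posted.
#
# As posted: the ownership TXT record for pr-1667.eks.comrade.com is
# written at the very same name as the CNAME that ExternalDNS creates
# for the virtual service host, which Route53 rejects.
args:
  - --source=istio-virtualservice
  - --domain-filter=eks.comrade.com
  - --provider=aws
  - --policy=sync
  - --aws-zone-type=public
  - --registry=txt
  - --txt-owner-id=OWNER_ID_PLACEHOLDER   # placeholder, use your own owner id
---
# With a prefix: the ownership record becomes
# extdns-pr-1667.eks.comrade.com (TXT), a different name from the
# CNAME, so the two record sets no longer collide.
args:
  - --source=istio-virtualservice
  - --domain-filter=eks.comrade.com
  - --provider=aws
  - --policy=sync
  - --aws-zone-type=public
  - --registry=txt
  - --txt-owner-id=OWNER_ID_PLACEHOLDER   # placeholder, use your own owner id
  - --txt-prefix=extdns-                  # assumed prefix; any fixed string works
```

Adding or changing the prefix on a running deployment means any ownership TXT records written under the old name are no longer recognised, so check the hosted zone for leftovers before relying on `--policy=sync` to reconcile it.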

0 Answers