Hello, I have installed Istio on my EKS cluster, where I'm trying to link it to ExternalDNS and create DNS records on the fly. I'm having this issue:
RRSet of type TXT with DNS name pr-1667.eks.comrade.com. is not permitted because a conflicting RRSet of type CNAME with the same DNS name already exists in zone eks.comrade.com.]\n\tstatus code: 400, request id: 9a4bfe6b-7c84..."
This is my VirtualService:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-waf-entrypoint
  annotations:
    external-dns.alpha.kubernetes.io/target: {{substr 8 22 .Values.comrade.api.appDomain }}
    external-dns.alpha.kubernetes.io/external: 'true'
spec:
  hosts:
    - "{{ .Values.comrade.api.appDomain }}"
  gateways:
    - comrade-istio-gateway
  http:
    - route:
        - destination:
            host: app-waf-entrypoint.{{ .Values.comrade.namespace }}.svc.cluster.local
            port:
              number: {{ .Values.comrade.waf.port }}
This is my ExternalDNS manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: k8s.gcr.io/external-dns/external-dns:v0.7.6
          args:
            - --source=service
            - --source=ingress
            - --source=istio-virtualservice # or both
            - --domain-filter=eks.myapp.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
            - --provider=aws
            - --policy=sync
            - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
            - --registry=txt
            - --txt-owner-id=######
      securityContext:
        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  # If you're using Amazon EKS with IAM Roles for Service Accounts, specify the following annotation.
  # Otherwise, you may safely omit it.
  annotations:
    # Substitute your account ID and IAM service role name below.
    eks.amazonaws.com/role-arn: #########
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "watch"]
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
  - kind: ServiceAccount
    name: external-dns
    namespace: default
Finally, here is my Istio Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: comrade-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "{{ .Values.comrade.api.appDomain }}"
I was using the same service with an Ingress and it was working just fine, so I'm not really sure what is going on. I can't see anything under my hosted zone, like an already created record or anything.
Thanks in advance.
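An added example, not code from the question or from the external-dns project: a small Python model of the Route53 rule named in the error above. Route53 refuses any change that would leave a CNAME sharing its name with a record of another type, and external-dns's TXT registry writes one TXT ownership record per managed record. The model assumes that with no prefix the TXT record takes the same name as the managed record (which is what the quoted error shows) and that a prefix is simply prepended to that name, as external-dns's `--txt-prefix` flag does. The hostname target, owner id and IP address below are constructed sample values.

```python
"""Model of the Route53 CNAME constraint behind the quoted external-dns error.

Route53 rejects a change batch that would leave a CNAME sharing its name with
any other record type.  external-dns's TXT registry stores an ownership TXT
record per managed record; with an empty prefix that TXT record has the same
name as the managed record, so a CNAME target always collides.  All names,
targets and owner ids here are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class RRSet:
    name: str    # fully qualified, normalised with a trailing dot
    rtype: str   # A, AAAA, CNAME, TXT, ...
    value: str   # record data (illustrative only, not validated)


def normalize(name: str) -> str:
    """Lower-case the name and give it exactly one trailing dot, as Route53 reports it."""
    return name.strip().lower().rstrip(".") + "."


def record_type_for_target(target: str) -> str:
    """external-dns creates A/AAAA records for IP targets and CNAME records for hostnames."""
    try:
        return "A" if ipaddress.ip_address(target).version == 4 else "AAAA"
    except ValueError:
        return "CNAME"


def txt_owner_record_name(hostname: str, txt_prefix: str = "") -> str:
    """Name of the TXT ownership record: the prefix is prepended to the hostname.

    Assumption about external-dns's prefix handling; the empty default reproduces
    the same-name collision quoted in the question.
    """
    return normalize(txt_prefix + hostname)


def plan_external_dns_changes(hostname: str, target: str, owner_id: str,
                              txt_prefix: str = "") -> List[RRSet]:
    """The two RRSets external-dns would upsert for one host under the TXT registry."""
    managed = RRSet(normalize(hostname), record_type_for_target(target), target)
    owner = RRSet(txt_owner_record_name(hostname, txt_prefix), "TXT",
                  f'"heritage=external-dns,external-dns/owner={owner_id}"')
    return [managed, owner]


def find_cname_conflicts(existing: Iterable[RRSet],
                         planned: Iterable[RRSet]) -> List[Tuple[str, List[str]]]:
    """Names at which a CNAME would share its name with another record type once the
    planned changes are applied: exactly what Route53 rejects with a 400."""
    types_by_name: Dict[str, Set[str]] = {}
    for rr in [*existing, *planned]:
        types_by_name.setdefault(normalize(rr.name), set()).add(rr.rtype.upper())
    return [(name, sorted(types)) for name, types in sorted(types_by_name.items())
            if "CNAME" in types and len(types) > 1]


if __name__ == "__main__":
    host = "pr-1667.eks.comrade.com"
    target = "waf-entrypoint.example.net"  # constructed hostname target -> CNAME
    for prefix in ("", "externaldns-"):
        plan = plan_external_dns_changes(host, target, "my-cluster", txt_prefix=prefix)
        print(f"--txt-prefix={prefix!r}: conflicts={find_cname_conflicts([], plan)}")
```

Running the block shows the collision with an empty prefix and no collision once the TXT record is moved to a prefixed name; an IP target produces an A record, which Route53 allows to coexist with a TXT record of the same name, so only hostname (CNAME) targets are affected by this rule. The same check can be run against the actual record sets of a zone before applying a change to catch the conflict ahead of the 400.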