Inconsistent behavior between Azure DNS and Azure Private DNS

[khuedoan]

What happened:

Thank you for the project! We use ExternalDNS to manage DNS for our Kubernetes clusters with Azure Private DNS. Here's our setup and example use case (with sensitive values replaced by placeholders):

• Azure Private DNS zone: a single internal.example.com zone
• Kubernetes clusters: cluster-1, cluster-2
• Applications: service-a (deployed to cluster-1) and service-b (deployed to cluster-2)

The applications deployed to each cluster will have the following hosts in their Ingress object (following the $APP.$CLUSTER.internal.example.com convention):

• service-a.cluster-1.internal.example.com
• service-b.cluster-2.internal.example.com

Each cluster has a separate ExternalDNS controller.

Because each cluster is managed by a different team, we want to avoid accidental misconfiguration by specifying --domain-filter to limit the scope of ExternalDNS on each cluster to only Ingress hostnames with the $CLUSTER.internal.example.com suffix.

But when we add --domain-filter=$CLUSTER.internal.example.com, we get the following error:

Ignoring changes to 'service-a.cluster-1.internal.example.com' because a suitable Azure Private DNS zone was not found

(It does work without the --domain-filter flag)

After reading the code we noticed that --domain-filter actually filters the zone name, not the domain name in Ingress object, and the Azure DNS provider (--privider=azure) has an optional --zone-name-filter flag that changes the behaviour of --domain-filter to filter Ingress domains instead (implemented in #1060), but there's no implementation for that flag in the Azure Private DNS provider (--provider=azure-private-dns)

What you expected to happen:

Initially, I expected the --domain-filter flag to filter the hostnames in Ingress spec.rules.*.host, but seems like I misunderstood and it's a design decision.

If I understand correctly, the --zone-name-filter flag was added to Azure DNS to alter the behavior of --domain-filter to make it backward compatible and avoid breaking changes.

If that's the case, I expect Azure Private DNS to have the same consistent behaviour as Azure (public) DNS. I created a PR (#4346) to port the same feature to Azure Private DNS.

How to reproduce it (as minimally and precisely as possible):

Here's the relevant ExternalDNS configuration:

Cluster 1:

--registry=txt
--txt-owner-id=cluster-1
--domain-filter=cluster-1.internal.example.com
--provider=azure-private-dns

Cluster 2:

--registry=txt
--txt-owner-id=cluster-2
--domain-filter=cluster-2.internal.example.com
--provider=azure-private-dns

Anything else we need to know?:

Environment:

• External-DNS version (use external-dns --version): v0.14.1
• DNS provider: Azure Private DNS (not Azure DNS)
• Others: we use AKS

[mloiseleur]

I understand this frustration of different behavior between both Azure providers.
Nonetheless, this current behavior of changing one parameter behavior when a second one is set is bad UserXP.

After reading the code, we noticed that --domain-filter actually filters the zone name, not the domain name in Ingress object

A parameter named domain-filter should filter domain name, not zone name.
So if I follow you correctly, this is that behavior that should be changed and fixed, for both Azure providers.

@Raffo @szuecs Wdyt ?

[khuedoan]

I totally agree with that, if we decide to do so I'm happy to submit a new PR

[szuecs]

@khuedoan For migration purposes, I would say if we want to change the flag behavior, we need to have multiple steps:

1. provide the current (--domain-filter) style by adding --zone-filter
2. add a minor release to notify the other will change and everyone should migrate before the next minor release
3. next minor release will break the --domain-filter behavior.

I think the faster way to enable you would be to review and merge your PR.

[khuedoan]

Sounds good to me 👍