handle apex domain through gandi ALIAS

[tommy31]

Description

This PR allow gandi provider to redirect apex domain to an FQDN.

From my understanding, CNAME record only can be used for subdomains and external-dns force CNAME if record value is an FQDN. To fill this gap some DNS provider introduce a new record type ALIAS. ALIAS record is a type of DNS record that points your domain name to a hostname instead of an IP address. The ALIAS record is similar to a CNAME record, which is used to point subdomains to a hostname. This allow us to register a record an apex domain @ with a FQDN.

So back on this PR, the fix convert an CNAME to an ALIAS, if the record.RrsetName == "@" and record.RrsetType == "CNAME". And env var (GANDI_PREFER_ALIAS) has been added to keep old things working as expected.

What Are ALIAS Records?

This fix has been tested in our preproduction environment and work as expected.

Checklist

• Unit tests updated
• End user documentation updated

[k8s-ci-robot]

Hi @tommy31. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mloiseleur]

Hello @tommy31,

Thanks for this PR. Alias seems tested.
This PR also introduces TXTPrefix & TXTSuffix support, shouldn't this be tested also ?

[tommy31]

Hey @mloiseleur, thank for reaching me.

TXTPrefix and TXTSuffix are only used in inferZone function, to infer requested zone by removing prefix and suffix from TXT record name. Usage should be trivial.

// inferZone determines the zone based on the RrsetName
func inferZone(RrsetName string, TXTPrefix string, TXTSuffix string) string {
	cleanRrsetName := strings.Replace(RrsetName, TXTPrefix, "", 1)
	cleanRrsetName = strings.Replace(cleanRrsetName, TXTSuffix, "", 1)
	cleanRrsetName = strings.Replace(cleanRrsetName, "cname-", "", 1)

	return cleanRrsetName
} 

To better answer your question, of course we should add more tests, but my understanding of gandi_test.go... is near 0.

Maybe you could help as gandi provider miss mainteners.

[johngmyers]

You might want to take a look at how the AWS provider handles aliases, with providerSpecificAlias and the external-dns.alpha.kubernetes.io/alias annotation.

[johngmyers]

Why are we taking configuration from environment variables? Shouldn't we be using the flags mechanism that everything else uses?

[gfaugere]

The "PREFER_ALIAS" config was added to be "retro-compatible" with previous behaviour - which is to fail and raise an error. If it's alright we'd like to get rid of this config altogether and use the "CNAME is an ALIAS in gandi" feature by default
(I'll be working on this PR with @tommy31 - thanks for your review!)

[gfaugere]

Updated in 2892142 - the fixed behaviour is now the default, and we stopped using an extra environment variable for this

[johngmyers]

Why does the setting of preferAlias affect whether an existing DomainRecord is an alias?

[gfaugere]

Since we removed the "prefer alias" mechanism, I think this is no longer an issue?

[johngmyers]

Shouldn't this set a provider-specific property to indicate the underlying record is an alias?

[gfaugere]

This is already manipulating a provider-specific object - Gandi's livedns.DomainRecord

Do you think this should be set before in the endpoint.ProviderSpecificProperty prop and reused later?

[johngmyers]

This just screams layering violation to me. Why is the provider mucking about with things that are in the purview of the TXT registry? Why is this only removing a prefix of cname-?

[gfaugere]

There probably is a better way to do it but not sure how - the issue is that gandi's API requires us explicitly declare which "zone" the records we are manipulating are in.
When working on a CNAME on an apex domain, TXTRegistry creates the old and new txt records, with and without the type prefix. When we receive the endpoint with value cname-example.com 0 IN TXT \"heritage=external-dns,external-dns/owner=default\" [], we have no way to reliability find the zone without this kind of tomfoolery, do we?

[gfaugere]

I have tried to improve this with 83a1fcd - I still feel like we have no better way to compute a "zone" from an Endpoint

We can spin this change in a new PR if you think it is necessary?

[johngmyers]

If the zone is example.com and the change.Record.RrsetName is example.com.example.com, then this code will incorrectly replace recordName with @.

[gfaugere]

To reduce noise on this PR, I have fixed this in #3893

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: gfaugere / name: Gaëtan Faugère (ff45612)

[gfaugere]

This has been updated with new tests following #3893 !

[mloiseleur]

/ok-to-test

[mloiseleur]

I understand from this PR that MX record type is not supported.
=> If that's the case, I guess you need to improve documentation about this.

For TXT registry, we are trying to fix it. See #3757 and #3774.
Wdyt about adding the zone at the end of the record when it's not here ?

[gfaugere]

Regarding MX records, I think the current doc (https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/mx-record.md) is clear enough about the providers that support this record type?

[gfaugere]

Thanks for your work on the TXT registry side! It is the only confusing thing about external-dns for me

I have added test cases (in 48e9d6d), I think we are handling them correctly?

[gfaugere]

Wdyt about adding the zone at the end of the record when it's not here ?

During which actions? Not sure what you mean here

[mloiseleur]

Wdyt about adding the zone at the end of the record when it's not here ?

During which actions? Not sure what you mean here

I agree with @johngmyers that we should try our best to avoid dependency between Txt Registry logic and provider logic.

Following this, adding Gandi constraints you described:

gandi's API requires us explicitly declare which "zone" the records we are manipulating are in.

The idea would be instead of adding the zone (L174)

				name := r.RrsetName + "." + zone

and removing it a few lines after if/when it comes from TXT registry.

Something like

  if ! strings.HasSuffix(r.RrsetName, zone) {
     r.RrsetName := r.RrsetName + "." + zone
  }

Without any need to check wheither it's coming from TXT Registry or not.

It seems quite a naive idea, so I'm unsure and I feel I missed something.

[gfaugere]

You're right, this is hair-pulling for no benefits - I'll update this today to drop the prefix/suffix part

Should we mark this as holding for #3774? I feel like it is cleaner to wait for it to drop

[mloiseleur]

/hold for #3774

[mloiseleur]

/lgtm

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[mloiseleur]

/remove-lifecycle stale

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Reopen this PR with /reopen
• Mark this PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tommy31]

Can we reopen this PR ? As we still wait for #3774

[mloiseleur]

/reopen

[k8s-ci-robot]

@mloiseleur: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from mloiseleur. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment