
[cloudflare] first try success, second try fail #5198

Open

@pasztorl

Description

When coredns wants to update the A on example.com (so no subdomain), on the first try it is successful:

{"level":"info","msg":"config: {APIServerURL: KubeConfig: RequestTimeout:30s DefaultTargets:[] GlooNamespaces:[gloo-system] SkipperRouteGroupVersion:zalando.org/v1 Sources:[service ingress crd] Namespace: AnnotationFilter: LabelFilter:dns.example.com/public in (true) IngressClassNames:[] FQDNTemplate: CombineFQDNAndAnnotation:false IgnoreHostnameAnnotation:false IgnoreIngressTLSSpec:false IgnoreIngressRulesSpec:false GatewayNamespace: GatewayLabelFilter: Compatibility: PublishInternal:false PublishHostIP:false AlwaysPublishNotReadyAddresses:false ConnectorSourceServer:localhost:8080 Provider:cloudflare ProviderCacheTime:0s GoogleProject: GoogleBatchChangeSize:1000 GoogleBatchChangeInterval:1s GoogleZoneVisibility: DomainFilter:[example.com] ExcludeDomains:[] RegexDomainFilter: RegexDomainExclusion: ZoneNameFilter:[] ZoneIDFilter:[] TargetNetFilter:[] ExcludeTargetNets:[] AlibabaCloudConfigFile:/etc/kubernetes/alibaba-cloud.json AlibabaCloudZoneType: AWSZoneType: AWSZoneTagFilter:[] AWSAssumeRole: AWSProfiles:[] AWSAssumeRoleExternalID: AWSBatchChangeSize:1000 AWSBatchChangeSizeBytes:32000 AWSBatchChangeSizeValues:1000 AWSBatchChangeInterval:1s AWSEvaluateTargetHealth:true AWSAPIRetries:3 AWSPreferCNAME:false AWSZoneCacheDuration:0s AWSSDServiceCleanup:false AWSSDCreateTag:map[] AWSZoneMatchParent:false AWSDynamoDBRegion: AWSDynamoDBTable:external-dns AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup: AzureSubscriptionID: AzureUserAssignedIdentityClientID: AzureActiveDirectoryAuthorityHost: AzureZonesCacheDuration:0s CloudflareProxied:false CloudflareDNSRecordsPerPage:100 CloudflareRegionKey: CoreDNSPrefix:/skydns/ AkamaiServiceConsumerDomain: AkamaiClientToken: AkamaiClientSecret: AkamaiAccessToken: AkamaiEdgercPath: AkamaiEdgercSection: OCIConfigFile:/etc/kubernetes/oci.yaml OCICompartmentOCID: OCIAuthInstancePrincipal:false OCIZoneScope:GLOBAL OCIZoneCacheDuration:0s InMemoryZones:[] OVHEndpoint:ovh-eu OVHApiRateLimit:20 
PDNSServer:http://localhost:8081 PDNSServerID:localhost PDNSAPIKey: PDNSSkipTLSVerify:false TLSCA: TLSClientCert: TLSClientCertKey: Policy:upsert-only Registry:txt TXTOwnerID:default TXTPrefix: TXTSuffix: TXTEncryptEnabled:false TXTEncryptAESKey: Interval:1m0s MinEventSyncInterval:5s Once:false DryRun:false UpdateEvents:false LogFormat:json MetricsAddress::7979 LogLevel:debug TXTCacheInterval:0s TXTWildcardReplacement: ExoscaleEndpoint: ExoscaleAPIKey: ExoscaleAPISecret: ExoscaleAPIEnvironment:api ExoscaleAPIZone:ch-gva-2 CRDSourceAPIVersion:externaldns.k8s.io/v1alpha1 CRDSourceKind:DNSEndpoint ServiceTypeFilter:[] CFAPIEndpoint: CFUsername: CFPassword: ResolveServiceLoadBalancerHostname:false RFC2136Host: RFC2136Port:0 RFC2136Zone:[] RFC2136Insecure:false RFC2136GSSTSIG:false RFC2136CreatePTR:false RFC2136KerberosRealm: RFC2136KerberosUsername: RFC2136KerberosPassword: RFC2136TSIGKeyName: RFC2136TSIGSecret: RFC2136TSIGSecretAlg: RFC2136TAXFR:false RFC2136MinTTL:0s RFC2136BatchChangeSize:50 RFC2136UseTLS:false RFC2136SkipTLSVerify:false NS1Endpoint: NS1IgnoreSSL:false NS1MinTTLSeconds:0 TransIPAccountName: TransIPPrivateKeyFile: DigitalOceanAPIPageSize:50 ManagedDNSRecordTypes:[A AAAA CNAME] ExcludeDNSRecordTypes:[] GoDaddyAPIKey: GoDaddySecretKey: GoDaddyTTL:0 GoDaddyOTE:false OCPRouterName: IBMCloudProxied:false IBMCloudConfigFile:/etc/kubernetes/ibmcloud.json TencentCloudConfigFile:/etc/kubernetes/tencent-cloud.json TencentCloudZoneType: PiholeServer: PiholePassword: PiholeTLSInsecureSkipVerify:false PluralCluster: PluralProvider: WebhookProviderURL:http://localhost:8888 WebhookProviderReadTimeout:5s WebhookProviderWriteTimeout:10s WebhookServer:false TraefikDisableLegacy:false TraefikDisableNew:false NAT64Networks:[]}","time":"2025-03-19T15:51:26Z"}
{"level":"info","msg":"Instantiating new Kubernetes client","time":"2025-03-19T15:51:26Z"}
{"level":"debug","msg":"apiServerURL: ","time":"2025-03-19T15:51:26Z"}
{"level":"debug","msg":"kubeConfig: ","time":"2025-03-19T15:51:26Z"}
{"level":"info","msg":"Using inCluster-config based on serviceaccount-token","time":"2025-03-19T15:51:26Z"}
{"level":"info","msg":"Created Kubernetes client https://10.15.28.32:443","time":"2025-03-19T15:51:26Z"}
{"level":"debug","msg":"no zoneIDFilter configured, looking at all zones","time":"2025-03-19T15:51:26Z"}
{"level":"debug","msg":"Endpoints generated from ingress: prod/x-app: [example.com 60 IN A  1.2.3.4 []]","time":"2025-03-19T15:51:28Z"}
{"level":"debug","msg":"Endpoints generated from ingress: prod/rabbitmq-service: [mq.prod.example.com 60 IN A  1.2.3.4 []]","time":"2025-03-19T15:51:28Z"}
{"level":"debug","msg":"no zoneIDFilter configured, looking at all zones","time":"2025-03-19T15:51:28Z"}
{"level":"debug","msg":"Skipping record a-example.com because no hosted zone matching record DNS Name was detected","time":"2025-03-19T15:51:29Z"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:51:29Z","ttl":60,"type":"A","zone":"xxx"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"mq.prod.example.com","time":"2025-03-19T15:51:30Z","ttl":60,"type":"A","zone":"xxx"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:51:31Z","ttl":1,"type":"TXT","zone":"xxx"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"mq.prod.example.com","time":"2025-03-19T15:51:31Z","ttl":1,"type":"TXT","zone":"xxx"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"a-mq.prod.example.com","time":"2025-03-19T15:51:32Z","ttl":1,"type":"TXT","zone":"xxx"}

In the next iteration it failed with forbidden:

{"action":"UPDATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:45:45Z","ttl":60,"type":"A","zone":"xxx"}
{"action":"UPDATE","level":"error","msg":"failed to update record: forbidden (1002)","record":"example.com","time":"2025-03-19T15:45:46Z","ttl":60,"type":"A","zone":"xxx"}
{"action":"UPDATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:45:46Z","ttl":1,"type":"TXT","zone":"xxx"}
{"action":"UPDATE","level":"error","msg":"failed to update record: forbidden (1002)","record":"example.com","time":"2025-03-19T15:45:47Z","ttl":1,"type":"TXT","zone":"xxx"}
{"level":"fatal","msg":"Failed to do run once: failed to submit all changes for the following zones: [xxx]","time":"2025-03-19T15:45:47Z"}

Is there something special if we update the domain address?
Also, why does it want to update the domain, since on the first try it registered the correct records?
Why does it want to create the same A record with TTL=60 (default) and TTL=1?
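A triage helper for logs of the shape posted above, added here as an example; it is not part of external-dns and not the reporter's code. It parses the JSON log lines, groups record changes by zone, record and type (so the A record and the TXT registry record are tallied separately), collects the error line logged against each change, notes records that external-dns skipped for lacking a matching hosted zone, and reports fatal lines. The sample lines are constructed in the shape of the ones in the issue; the zone id is a placeholder.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the issue's log lines (zone id is a placeholder).
SAMPLE_LOG = """\
{"level":"debug","msg":"Skipping record a-example.com because no hosted zone matching record DNS Name was detected","time":"2025-03-19T15:51:29Z"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:51:29Z","ttl":60,"type":"A","zone":"ZONE_ID_PLACEHOLDER"}
{"action":"CREATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:51:31Z","ttl":1,"type":"TXT","zone":"ZONE_ID_PLACEHOLDER"}
{"action":"UPDATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:52:45Z","ttl":60,"type":"A","zone":"ZONE_ID_PLACEHOLDER"}
{"action":"UPDATE","level":"error","msg":"failed to update record: forbidden (1002)","record":"example.com","time":"2025-03-19T15:52:46Z","ttl":60,"type":"A","zone":"ZONE_ID_PLACEHOLDER"}
{"action":"UPDATE","level":"info","msg":"Changing record.","record":"example.com","time":"2025-03-19T15:52:46Z","ttl":1,"type":"TXT","zone":"ZONE_ID_PLACEHOLDER"}
{"action":"UPDATE","level":"error","msg":"failed to update record: forbidden (1002)","record":"example.com","time":"2025-03-19T15:52:47Z","ttl":1,"type":"TXT","zone":"ZONE_ID_PLACEHOLDER"}
this line is not JSON and must be ignored
{"level":"fatal","msg":"Failed to do run once: failed to submit all changes for the following zones: [ZONE_ID_PLACEHOLDER]","time":"2025-03-19T15:52:47Z"}
"""

# Matches the "Skipping record <name> because ..." debug message seen in the first run.
SKIP_RE = re.compile(r"^Skipping record (\S+) because")


def parse_lines(text):
    """Yield one dict per well-formed JSON object line; silently drop anything else."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def summarize(text):
    """Build a report dict:
       changes: {(zone, record, type): {"actions": [(action, ttl), ...],
                                         "errors": [(action, msg), ...]}}
       skipped: records external-dns dropped for lacking a matching hosted zone
       fatal:   messages logged at level fatal
    """
    changes = defaultdict(lambda: {"actions": [], "errors": []})
    skipped, fatal = [], []
    for e in parse_lines(text):
        level, msg = e.get("level"), e.get("msg", "")
        if level == "fatal":
            fatal.append(msg)
            continue
        m = SKIP_RE.match(msg)
        if m:
            skipped.append(m.group(1))
            continue
        if "record" not in e or "action" not in e:
            continue  # config, client and other non-change lines
        bucket = changes[(e.get("zone"), e["record"], e.get("type"))]
        if level == "error":
            bucket["errors"].append((e["action"], msg))
        else:
            bucket["actions"].append((e["action"], e.get("ttl")))
    return {"changes": dict(changes), "skipped": skipped, "fatal": fatal}


def failed_changes(text):
    """Sorted (record, type, action, error) tuples for every change that logged an error."""
    report = summarize(text)
    failed = []
    for (_zone, record, rtype), info in report["changes"].items():
        for action, msg in info["errors"]:
            failed.append((record, rtype, action, msg))
    return sorted(failed)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for key, info in rep["changes"].items():
        print(key, info)
    print("skipped:", rep["skipped"])
    print("failed:", failed_changes(SAMPLE_LOG))
    print("fatal:", rep["fatal"])
```

Feed it `kubectl logs` output from the external-dns pod instead of the sample. Grouping by record type makes it visible that the TTL=60 and TTL=1 lines belong to different records (the A record and its TXT registry entry), and listing the failures per change shows that the forbidden response is returned for UPDATE and not for CREATE, which is worth comparing against the permissions granted to the Cloudflare API token external-dns runs with.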

Labels: kind/bug