Merge pull request #3433 from jwenz723/master

Add AWS VPC endpoint canonical hosted zone IDs
2025-08-06 01:26:59 +02:00 · 2023-03-08 12:50:09 -08:00 · 2023-03-08 12:50:09 -08:00 · 38e786203c
commit 38e786203c
parent f4acab18a8 31f06153f6
3 changed files with 48 additions and 55 deletions
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@ -557,6 +557,10 @@ Annotations which are specific to AWS.

 `external-dns.alpha.kubernetes.io/alias` if set to `true` on an ingress, it will create an ALIAS record when the target is an ALIAS as well. To make the target an alias, the ingress needs to be configured correctly as described in [the docs](./nginx-ingress.md#with-a-separate-tcp-load-balancer). In particular, the argument `--publish-service=default/nginx-ingress-controller` has to be set on the `nginx-ingress-controller` container. If one uses the `nginx-ingress` Helm chart, this flag can be set with the `controller.publishService.enabled` configuration option.

+### target-hosted-zone
+
+`external-dns.alpha.kubernetes.io/aws-target-hosted-zone` can optionally be set to the ID of a Route53 hosted zone. This will force external-dns to use the specified hosted zone when creating an ALIAS target.
+
 ## Verify ExternalDNS works (Service example)

 Create the following sample application to test that ExternalDNS works.
@ -833,6 +837,14 @@ You can configure Route53 to associate DNS records with healthchecks for automat

 Note: ExternalDNS does not support creating healthchecks, and assumes that `<health-check-id>` already exists.

+## Canonical Hosted Zones
+
+When creating ALIAS type records in Route53 it is required that external-dns be aware of the canonical hosted zone in which
+the specified hostname is created. External-dns is able to automatically identify the canonical hosted zone for many
+hostnames based upon known hostname suffixes which are defined in [aws.go](../../provider/aws/aws.go). If a hostname
+does not have a known suffix then the suffix can be added into `aws.go` or the [target-hosted-zone annotation](#target-hosted-zone)
+can be used to manually define the ID of the canonical hosted zone.
+
 ## Govcloud caveats

 Due to the special nature with how Route53 runs in Govcloud, there are a few tweaks in the deployment settings.
--- a/provider/aws/aws.go
+++ b/provider/aws/aws.go
@ -127,6 +127,36 @@ var canonicalHostedZones = map[string]string{
 	"awsglobalaccelerator.com": "Z2BJ6XQ5FK7U4H",
 	// Cloudfront
 	"cloudfront.net": "Z2FDTNDATAQYW2",
+	// VPC Endpoint (PrivateLink)
+	"eu-west-2.vpce.amazonaws.com":      "Z7K1066E3PUKB",
+	"us-east-2.vpce.amazonaws.com":      "ZC8PG0KIFKBRI",
+	"af-south-1.vpce.amazonaws.com":     "Z09302161J80N9A7UTP7U",
+	"ap-east-1.vpce.amazonaws.com":      "Z2LIHJ7PKBEMWN",
+	"ap-northeast-1.vpce.amazonaws.com": "Z2E726K9Y6RL4W",
+	"ap-northeast-2.vpce.amazonaws.com": "Z27UANNT0PRK1T",
+	"ap-northeast-3.vpce.amazonaws.com": "Z376B5OMM2JZL2",
+	"ap-south-1.vpce.amazonaws.com":     "Z2KVTB3ZLFM7JR",
+	"ap-south-2.vpce.amazonaws.com":     "Z0952991RWSF5AHIQDIY",
+	"ap-southeast-1.vpce.amazonaws.com": "Z18LLCSTV4NVNL",
+	"ap-southeast-2.vpce.amazonaws.com": "ZDK2GCRPAFKGO",
+	"ap-southeast-3.vpce.amazonaws.com": "Z03881013RZ9BYYZO8N5W",
+	"ap-southeast-4.vpce.amazonaws.com": "Z07508191CO1RNBX3X3AU",
+	"ca-central-1.vpce.amazonaws.com":   "ZRCXCF510Y6P9",
+	"eu-central-1.vpce.amazonaws.com":   "Z273ZU8SZ5RJPC",
+	"eu-central-2.vpce.amazonaws.com":   "Z045369019J4FUQ4S272E",
+	"eu-north-1.vpce.amazonaws.com":     "Z3OWWK6JFDEDGC",
+	"eu-south-1.vpce.amazonaws.com":     "Z2A5FDNRLY7KZG",
+	"eu-south-2.vpce.amazonaws.com":     "Z014396544HENR57XQCJ",
+	"eu-west-1.vpce.amazonaws.com":      "Z38GZ743OKFT7T",
+	"eu-west-3.vpce.amazonaws.com":      "Z1DWHTMFP0WECP",
+	"me-central-1.vpce.amazonaws.com":   "Z07122992YCEUCB9A9570",
+	"me-south-1.vpce.amazonaws.com":     "Z3B95P3VBGEQGY",
+	"sa-east-1.vpce.amazonaws.com":      "Z2LXUWEVLCVZIB",
+	"us-east-1.vpce.amazonaws.com":      "Z7HUB22UULQXV",
+	"us-gov-east-1.vpce.amazonaws.com":  "Z2MU5TEIGO9WXB",
+	"us-gov-west-1.vpce.amazonaws.com":  "Z12529ZODG2B6H",
+	"us-west-1.vpce.amazonaws.com":      "Z12I86A8N7VCZO",
+	"us-west-2.vpce.amazonaws.com":      "Z1YSA3EXCYUU9Z",
 }

 // Route53API is the subset of the AWS Route53 API that we actually use.  Add methods as required. Signatures must match exactly.
--- a/provider/aws/aws_test.go
+++ b/provider/aws/aws_test.go
@ -1183,62 +1183,13 @@ func TestAWSisAWSAlias(t *testing.T) {
 }

 func TestAWSCanonicalHostedZone(t *testing.T) {
-	for _, tc := range []struct {
-		hostname string
-		expected string
-	}{
-		// Application Load Balancers and Classic Load Balancers
-		{"foo.us-east-2.elb.amazonaws.com", "Z3AADJGX6KTTL2"},
-		{"foo.us-east-1.elb.amazonaws.com", "Z35SXDOTRQ7X7K"},
-		{"foo.us-west-1.elb.amazonaws.com", "Z368ELLRRE2KJ0"},
-		{"foo.us-west-2.elb.amazonaws.com", "Z1H1FL5HABSF5"},
-		{"foo.ca-central-1.elb.amazonaws.com", "ZQSVJUPU6J1EY"},
-		{"foo.ap-east-1.elb.amazonaws.com", "Z3DQVH9N71FHZ0"},
-		{"foo.ap-south-1.elb.amazonaws.com", "ZP97RAFLXTNZK"},
-		{"foo.ap-northeast-2.elb.amazonaws.com", "ZWKZPGTI48KDX"},
-		{"foo.ap-northeast-3.elb.amazonaws.com", "Z5LXEXXYW11ES"},
-		{"foo.ap-southeast-1.elb.amazonaws.com", "Z1LMS91P8CMLE5"},
-		{"foo.ap-southeast-2.elb.amazonaws.com", "Z1GM3OXH4ZPM65"},
-		{"foo.ap-southeast-3.elb.amazonaws.com", "Z08888821HLRG5A9ZRTER"},
-		{"foo.ap-northeast-1.elb.amazonaws.com", "Z14GRHDCWA56QT"},
-		{"foo.eu-central-1.elb.amazonaws.com", "Z215JYRZR1TBD5"},
-		{"foo.eu-west-1.elb.amazonaws.com", "Z32O12XQLNTSW2"},
-		{"foo.eu-west-2.elb.amazonaws.com", "ZHURV8PSTC4K8"},
-		{"foo.eu-west-3.elb.amazonaws.com", "Z3Q77PNBQS71R4"},
-		{"foo.eu-south-1.elb.amazonaws.com", "Z3ULH7SSC9OV64"},
-		{"foo.sa-east-1.elb.amazonaws.com", "Z2P70J7HTTTPLU"},
-		{"foo.cn-north-1.elb.amazonaws.com.cn", "Z1GDH35T77C1KE"},
-		{"foo.cn-northwest-1.elb.amazonaws.com.cn", "ZM7IZAIOVVDZF"},
-		{"foo.af-south-1.elb.amazonaws.com", "Z268VQBMOI5EKX"},
-		// Network Load Balancers
-		{"foo.elb.us-east-2.amazonaws.com", "ZLMOA37VPKANP"},
-		{"foo.elb.us-east-1.amazonaws.com", "Z26RNL4JYFTOTI"},
-		{"foo.elb.us-west-1.amazonaws.com", "Z24FKFUX50B4VW"},
-		{"foo.elb.us-west-2.amazonaws.com", "Z18D5FSROUN65G"},
-		{"foo.elb.ca-central-1.amazonaws.com", "Z2EPGBW3API2WT"},
-		{"foo.elb.ap-east-1.amazonaws.com", "Z12Y7K3UBGUAD1"},
-		{"foo.elb.ap-south-1.amazonaws.com", "ZVDDRBQ08TROA"},
-		{"foo.elb.ap-northeast-3.amazonaws.com", "Z1GWIQ4HH19I5X"},
-		{"foo.elb.ap-northeast-2.amazonaws.com", "ZIBE1TIR4HY56"},
-		{"foo.elb.ap-southeast-1.amazonaws.com", "ZKVM4W9LS7TM"},
-		{"foo.elb.ap-southeast-2.amazonaws.com", "ZCT6FZBF4DROD"},
-		{"foo.elb.ap-southeast-3.amazonaws.com", "Z01971771FYVNCOVWJU1G"},
-		{"foo.elb.ap-northeast-1.amazonaws.com", "Z31USIVHYNEOWT"},
-		{"foo.elb.eu-central-1.amazonaws.com", "Z3F0SRJ5LGBH90"},
-		{"foo.elb.eu-west-1.amazonaws.com", "Z2IFOLAFXWLO4F"},
-		{"foo.elb.eu-west-2.amazonaws.com", "ZD4D7Y8KGAS4G"},
-		{"foo.elb.eu-west-3.amazonaws.com", "Z1CMS0P5QUZ6D5"},
-		{"foo.elb.eu-south-1.amazonaws.com", "Z23146JA1KNAFP"},
-		{"foo.elb.sa-east-1.amazonaws.com", "ZTK26PT1VY4CU"},
-		{"foo.elb.cn-north-1.amazonaws.com.cn", "Z3QFB96KMJ7ED6"},
-		{"foo.elb.cn-northwest-1.amazonaws.com.cn", "ZQEIKTCZ8352D"},
-		{"foo.elb.af-south-1.amazonaws.com", "Z203XCE67M25HM"},
-		// No Load Balancer
-		{"foo.example.org", ""},
-	} {
-		zone := canonicalHostedZone(tc.hostname)
-		assert.Equal(t, tc.expected, zone)
+	for suffix, id := range canonicalHostedZones {
+		zone := canonicalHostedZone(fmt.Sprintf("foo.%s", suffix))
+		assert.Equal(t, id, zone)
 	}
+
+	zone := canonicalHostedZone("foo.example.org")
+	assert.Equal(t, "", zone, "no canonical zone should be returned for a non-aws hostname")
 }

 func TestAWSSuitableZones(t *testing.T) {