* fix(aws): warn on TXT AccessDenied due to ABAC
ExternalDNS writes TXT ownership records. ABAC missing TXT can cause 403
AccessDenied from Route 53.
* Update AWS ABAC docs to include TXT in record types
* Log entries when AccessDenied occurs and batch contains TXT
* Added unit tests for AccessDenied detection, TXT detection and logging
Refs: #5773
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
* fix(aws): Drop prescriptive IAM warning
* Return the first Route 53 error from `submitChanges` so operators see
the original AWS message
* Remove IAM-guessing branch while keeping split-and-retry submission
* Tidy error test and fall back to `provider.NewSoftErrorf` when no AWS
error was captured
* Add tests for error return on failures upon zone submission
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
* fix(aws): Remove TXT-specific error handling
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
* fix(aws): Remove Route53 final error message
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
* fix(aws): Remove unused import of `error`
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
---------
Signed-off-by: Tobias Harnickell <tobias.harnickell@bedag.ch>
* scoping the AWS IAM policy to explicitly defined AWS Route53 zones
* Apply suggestions from code review
Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
* Update aws.md
* Update docs/tutorials/aws.md
Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
* Update aws.md
breaking up lines to make it pass markdown linting
---------
Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
* feat(aws): add support for geoproximity routing
* remove the invalid test
* make some changes based on review comments
* fix linting errors
* make changes based on review feedback
* add more tests to get better coverage
* update docs
* make the linter happy
* address review feedback
This commit addresses the review feedback by making the following changes:
- use a more object-oriented approach for geoProximity handling
- change log levels to warnings instead of errors
- add more test cases for geoProximity
* fix linting error
* use shorter annotation names
* First pass based on existing PR, what is currently on master and some
extra tests.
* Try to resolve AWS service documentation
* Add documentation on how to opt-out of AAAA record creation
* Address documentation concerns
* Add some IPv6 tests to sources
* Make recommended changes to documentation
The existing docs described how to configure the DynamoDB registry, but
didn't have a tutorial for someone to walk through.
Signed-off-by: Michael Shen <mishen@umich.edu>
Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
**Description**
In the current implementation, DNS providers are called to list all
records on every loop. This is expensive in terms of number of requests
to the provider and may result in being rate limited, as reported in 1293
and 3397.
In our case, we have approximately 20,000 records in our AWS Hosted Zone.
The ListResourceRecordSets API call allows a maximum of 300 items per call.
That requires 67 API calls per external-dns deployment during every sync period.
With this, we introduce an optional generic caching mechanism at the provider
level, that re-uses the latest known list of records for a given time.
This prevents expensive Provider calls to list all records for each
object modification that does not change the actual record (annotations,
statuses, ingress routing, ...).
This introduces 2 trade-offs:
1. Any changes or corruption directly on the provider side will take
longer to detect and to resolve, up to the cache time
2. Any conflicting records in the DNS provider (such as a different
external-dns instance) injected during the cache validity will cause
the first iteration of the next reconcile loop to fail, and hence add a
delay until the next retry
**Checklist**
- [X] Unit tests updated
- [X] End user documentation updated
Change-Id: I0bdcfa994ac1b76acedb05d458a97c080284c5aa
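The caching mechanism described in the PR above, as an added example that is not the project's own code: a TTL-bound wrapper around a provider's "list all records" call, plus a constructed fake provider that charges one API call per 300-record page so the 20,000-record arithmetic from the description can be reproduced. `Endpoint`, `RecordLister`, `CachedLister`, `countingProvider` and `Simulate` are names assumed for this example, not external-dns's types. `Invalidate` is the hook an operator would wire to the failure path in trade-off 2, so that a rejected batch forces a fresh read on the next loop rather than waiting out the cache.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Endpoint is a minimal stand-in for a DNS record (shape assumed for this example).
type Endpoint struct {
	DNSName    string
	RecordType string
	Targets    []string
}

// RecordLister is the single provider call being cached: list every record in the zone.
type RecordLister interface {
	Records(ctx context.Context) ([]Endpoint, error)
}

// CachedLister serves the last successful listing for up to ttl before asking the provider again.
type CachedLister struct {
	inner RecordLister
	ttl   time.Duration
	now   func() time.Time // injectable clock so expiry can be driven deterministically

	mu        sync.Mutex
	cached    []Endpoint
	fetchedAt time.Time
	valid     bool
}

func NewCachedLister(inner RecordLister, ttl time.Duration) *CachedLister {
	return &CachedLister{inner: inner, ttl: ttl, now: time.Now}
}

// Records returns a copy of the cached listing while it is fresh and refetches otherwise.
// A failed refetch is not cached, so the following call retries the provider.
func (c *CachedLister) Records(ctx context.Context) ([]Endpoint, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.valid && c.now().Sub(c.fetchedAt) < c.ttl {
		return cloneEndpoints(c.cached), nil
	}
	eps, err := c.inner.Records(ctx)
	if err != nil {
		return nil, err
	}
	c.cached = cloneEndpoints(eps)
	c.fetchedAt = c.now()
	c.valid = true
	return cloneEndpoints(eps), nil
}

// Invalidate drops the cached listing so the next loop re-reads the real zone, e.g. after
// this instance applied its own changes or the provider rejected a batch (trade-off 2).
func (c *CachedLister) Invalidate() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.valid = false
	c.cached = nil
}

// cloneEndpoints copies the slice so callers cannot mutate the cache in place.
func cloneEndpoints(in []Endpoint) []Endpoint {
	out := make([]Endpoint, len(in))
	for i, e := range in {
		out[i] = Endpoint{DNSName: e.DNSName, RecordType: e.RecordType, Targets: append([]string(nil), e.Targets...)}
	}
	return out
}

// countingProvider is a constructed fake charging one API call per page of pageSize
// records, mirroring the 300-item limit of ListResourceRecordSets quoted above.
type countingProvider struct {
	records  []Endpoint
	pageSize int
	APICalls int
}

func (p *countingProvider) Records(ctx context.Context) ([]Endpoint, error) {
	pages := (len(p.records) + p.pageSize - 1) / p.pageSize
	if pages == 0 {
		pages = 1 // an empty zone still costs one call
	}
	p.APICalls += pages
	return cloneEndpoints(p.records), nil
}

// makeRecords builds n constructed A records for the fake zone.
func makeRecords(n int) []Endpoint {
	eps := make([]Endpoint, n)
	for i := range eps {
		eps[i] = Endpoint{DNSName: fmt.Sprintf("host-%d.example.org", i), RecordType: "A", Targets: []string{"192.0.2.10"}}
	}
	return eps
}

// Simulate runs `loops` reconcile loops spaced loopInterval apart over a zone of n records
// and returns the provider API calls spent with the cache (ttl) and without it.
func Simulate(n, loops int, ttl, loopInterval time.Duration) (withCache, withoutCache int) {
	records := makeRecords(n)
	cachedBackend := &countingProvider{records: records, pageSize: 300}
	rawBackend := &countingProvider{records: records, pageSize: 300}
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := base
	cl := NewCachedLister(cachedBackend, ttl)
	cl.now = func() time.Time { return clock }
	ctx := context.Background()
	for i := 0; i < loops; i++ {
		clock = base.Add(time.Duration(i) * loopInterval)
		if _, err := cl.Records(ctx); err != nil {
			panic(err)
		}
		if _, err := rawBackend.Records(ctx); err != nil {
			panic(err)
		}
	}
	return cachedBackend.APICalls, rawBackend.APICalls
}

func main() {
	with, without := Simulate(20000, 10, 5*time.Minute, time.Minute)
	fmt.Printf("10 loops over 20,000 records: %d API calls with cache, %d without\n", with, without)
}
```

With a one-minute loop and a five-minute cache, ten loops cost 134 paginated calls instead of 670. The cache hands out copies rather than its internal slice, so a caller that filters or sorts the result cannot corrupt what the next loop sees.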
The secret includes key/value pairs, and a secret, when mounted as a
volume, will generate a file for each pair where the name of the
file is the key and the content of the file is the value.
This hopefully makes the doc clear on how to configure credentials.
The Helm section includes templates files that aren't needed as those
values can all be generated from the values.yaml file. It seems that the
current documentation also missed the role arn annotation so it was
added as well.