Bug 1877693

Summary:	dnsrecords specify recordTTL as 30 but the value is null in AWS Route 53
Product:	OpenShift Container Platform	Reporter:	Hongan Li <hongli>
Component:	Networking	Assignee:	Candace Holman <cholman>
Networking sub component:	router	QA Contact:	Hongan Li <hongli>
Status:	CLOSED ERRATA	Docs Contact:
Severity:	medium
Priority:	medium	CC:	aos-bugs, mfisher, mmasters
Version:	4.6	Keywords:	Reopened
Target Milestone:	---
Target Release:	4.7.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-02-24 15:17:43 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Hongan Li 2020-09-10 08:15:40 UTC

Description of problem:
When checking https://bugzilla.redhat.com/show_bug.cgi?id=1869387#c4 and found that the DNSRecords shows incorrect Type and TTL for non-gov AWS cluster. e.g.

$ aws route53 list-resource-record-sets --hosted-zone-id $zone_id --query 'ResourceRecordSets[?contains(Name,`apps`)==`true`]' 
[
    {
        "Name": "\\052.apps.hongli-46bv.qe.devcluster.openshift.com.",
        "Type": "A",
        "AliasTarget": {
            "HostedZoneId": "ZLMOA37VPKANP",
            "DNSName": "a6bf1bd31181a4d64b3e8bd31d375aff-e3c151ab4f44d630.elb.us-east-2.amazonaws.com.",
            "EvaluateTargetHealth": false
        }
    }
]

$ oc -n openshift-ingress-operator get dnsrecords/default-wildcard -oyaml
spec:
  dnsName: '*.apps.hongli-46bv.qe.devcluster.openshift.com.'
  recordTTL: 30
  recordType: CNAME
  targets:
  - a6bf1bd31181a4d64b3e8bd31d375aff-e3c151ab4f44d630.elb.us-east-2.amazonaws.com



Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-09-08-123737

How reproducible:
100%

Steps to Reproduce:
1. spin up a cluster on AWS (non-gov)
2. check the DNSRecords
   $ oc -n openshift-ingress-operator get dnsrecords/default-wildcard -oyaml
3. check the records that created by dns controller on AWS console (or by aws cli) 

Actual results:
The DNSRecords says Type is CNAME and TTL is 30, but actually the Type is A and TTL is null on AWS Route 53. 

Expected results:
1. The Type in DNSRecords should be "A".
2. Should set the TTL of apps records to 30 in AWS Route 53.

Additional info:

Comment 1 Andrew McDermott 2020-09-10 11:55:15 UTC

I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 2 mfisher 2020-09-15 16:15:28 UTC

Target set to 4.7 while investigation is either ongoing or pending.  Will be considered for earlier release versions when diagnosed and resolved.

Comment 3 Daneyon Hansen 2020-09-15 16:35:59 UTC

Hongan,

This is expected behavior. Ingress Operator will always create a CNAME record type and the provider implementation will convert the type if needed. We decided on this approach since Alias records are specific to AWS.

Comment 4 Hongan Li 2020-09-17 07:23:19 UTC

Hi Daneyon,
There are two issues listed in this BZ (since both in `dnsrecords.spec`, but if that confused then I can file new one)

First issue is about the CNAME, I agree with you that Alias is specific to AWS and provider implementation indeed create A (or CNAME for GovCloud) type.

And another issue is the TTL, seems it is not configured on AWS side. I'm updating the title to make it clearer.

Comment 5 Daneyon Hansen 2020-10-01 16:23:46 UTC

I’m adding UpcomingSprint because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 6 Daneyon Hansen 2020-10-23 15:52:09 UTC

I’m adding UpcomingSprint because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 7 Daneyon Hansen 2020-11-12 16:52:39 UTC

I’m adding UpcomingSprint because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 8 Candace Holman 2020-11-16 20:03:10 UTC

Hi Hongan,

Thanks for noticing that the TTL did not show up on the AWS side.  However, in this case, the TTL actually should not appear, as TTL is not allowed for a Route 53 AliasTarget type. In summary, for non-gov-cloud Route 53, a CNAME record with TTL becomes an A record with no TTL. We have updated the comments in the code to reflect this special case.

Best Regards,
Candace

Comment 10 Hongan Li 2020-11-26 03:12:39 UTC

Tested with 4.7.0-0.nightly-2020-11-25-114114 and passed.

# oc explain dnsrecords.spec.recordTTL
KIND:     DNSRecord
VERSION:  ingress.operator.openshift.io/v1

FIELD:    recordTTL <integer>

DESCRIPTION:
     recordTTL is the record TTL in seconds. If zero, the default is 30.
     RecordTTL will not be used in AWS regions Alias targets, but will be used
     in CNAME targets, per AWS API contract.

Comment 13 errata-xmlrpc 2021-02-24 15:17:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633