fix(zone): ignore cloudflare email routing dkim txt record

rxbn · rxbn · commit 621a7c35aa69 · 2025-03-26T16:05:37.000+01:00
diff --git a/internal/controller/zone_controller.go b/internal/controller/zone_controller.go
@@ -40,6 +40,16 @@ import (
 	"github.com/fluxcd/pkg/runtime/patch"
 )
 
+// ignoredRecords are records that should not be pruned
+// the key is the record type and the value is a list of prefixes
+// TODO: make this configurable in the Zone CR
+var ignoredRecords = map[string][]string{
+	"TXT": {
+		"_acme-challenge",     // Let's Encrypt DNS-01 challenge
+		"cf2024-1._domainkey", // Cloudflare Email Routing DKIM
+	},
+}
+
 // ZoneReconciler reconciles a Zone object
 type ZoneReconciler struct {
 	client.Client
@@ -153,7 +163,7 @@ func (r *ZoneReconciler) handlePrune(ctx context.Context, zone *cloudflareoperat
 	}
 
 	for _, cfDnsRecord := range cfDnsRecords {
-		if cfDnsRecord.Type == "TXT" && strings.HasPrefix(cfDnsRecord.Name, "_acme-challenge") {
+		if _, found := ignoredRecords[cfDnsRecord.Type]; found && hasPrefix(cfDnsRecord.Name, ignoredRecords[cfDnsRecord.Type]) {
 			continue
 		}
 
@@ -172,3 +182,13 @@ func (r *ZoneReconciler) reconcileDelete(zone *cloudflareoperatoriov1.Zone) {
 	metrics.ZoneFailureCounter.DeleteLabelValues(zone.Name, zone.Spec.Name)
 	controllerutil.RemoveFinalizer(zone, cloudflareoperatoriov1.CloudflareOperatorFinalizer)
 }
+
+// hasPrefix checks if the name has any of the prefixes
+func hasPrefix(name string, prefixes []string) bool {
+	for _, prefix := range prefixes {
+		if strings.HasPrefix(name, prefix) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/controller/zone_controller_test.go b/internal/controller/zone_controller_test.go
@@ -86,15 +86,33 @@ func TestZoneReconciler_reconcileZone(t *testing.T) {
 
 		zone.Spec.Prune = true
 
-		_ = r.reconcileZone(context.TODO(), zone)
+		acmeRecord, err := cf.CreateDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zoneID), cloudflare.CreateDNSRecordParams{
+			Name:    "_acme-challenge.abc.containeroo-test.org",
+			Type:    "TXT",
+			Content: "test",
+		})
+		g.Expect(err).ToNot(HaveOccurred())
+		dkimRecord, err := cf.CreateDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zoneID), cloudflare.CreateDNSRecordParams{
+			Name:    "cf2024-1._domainkey.containeroo-test.org",
+			Type:    "TXT",
+			Content: "test",
+		})
+		g.Expect(err).ToNot(HaveOccurred())
 
-		g.Expect(zone.Status.Conditions).To(conditions.MatchConditions([]metav1.Condition{
-			*conditions.TrueCondition(cloudflareoperatoriov1.ConditionTypeReady, cloudflareoperatoriov1.ConditionReasonReady, "Zone is ready"),
-		}))
-		g.Expect(zone.Status.ID).To(Equal(zoneID))
+		_ = r.reconcileZone(context.TODO(), zone)
 
-		_, err := cf.GetDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zone.Status.ID), testRecord.ID)
+		_, err = cf.GetDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zone.Status.ID), testRecord.ID)
 		g.Expect(err.Error()).To(ContainSubstring("Record does not exist"))
+
+		_, err = cf.GetDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zone.Status.ID), acmeRecord.ID)
+		g.Expect(err).ToNot(HaveOccurred())
+		_, err = cf.GetDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zone.Status.ID), dkimRecord.ID)
+		g.Expect(err).ToNot(HaveOccurred())
+
+		err = cf.DeleteDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zoneID), acmeRecord.ID)
+		g.Expect(err).ToNot(HaveOccurred())
+		err = cf.DeleteDNSRecord(context.TODO(), cloudflare.ZoneIdentifier(zoneID), dkimRecord.ID)
+		g.Expect(err).ToNot(HaveOccurred())
 	})
 
 	t.Run("reconcile zone error zone not found", func(t *testing.T) {
