From 316040ff03939e1e7e76a2d49453e63c98c13a80 Mon Sep 17 00:00:00 2001 From: igoramf Date: Mon, 8 Jun 2026 12:27:28 -0300 Subject: [PATCH] fix(decoredirect): log reason when isDNSReady returns false MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously isDNSReady failed silently, making it impossible to diagnose whether the HTTP check, the X-Redirect-By header, or the AAAA lookup was the culprit — as seen when a stuck operator pod required a restart. Co-Authored-By: Claude Sonnet 4.6 --- internal/controller/decoredirect_controller.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/internal/controller/decoredirect_controller.go b/internal/controller/decoredirect_controller.go index 16a4482..38c4c1d 100644 --- a/internal/controller/decoredirect_controller.go +++ b/internal/controller/decoredirect_controller.go @@ -262,20 +262,25 @@ func isCertFailed(cert *cmv1.Certificate) bool { // 2. No AAAA record falls within any BlockedIPv6CIDRs range, which would cause // Let's Encrypt's IPv6 validation to reach the wrong server and fail the challenge. func (r *DecoRedirectReconciler) isDNSReady(ctx context.Context, domain string) bool { + log := logf.FromContext(ctx) + httpClient := &http.Client{ CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }, Timeout: 5 * time.Second, } req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://"+domain+"/", nil) if err != nil { + log.Error(err, "isDNSReady: failed to build HTTP request", "domain", domain) return false } resp, err := httpClient.Do(req) if err != nil { + log.Error(err, "isDNSReady: HTTP check failed", "domain", domain) return false } _ = resp.Body.Close() - if resp.Header.Get("X-Redirect-By") != "deco" { + if h := resp.Header.Get("X-Redirect-By"); h != "deco" { + log.Info("isDNSReady: X-Redirect-By header mismatch", "domain", domain, "got", h) return false } 
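Review bot: The new `log.Info` call in the `X-Redirect-By` branch writes `h` to the operator log, and `h` is set by whatever server `domain` currently resolves to, so a remote party controls its content and length. Bound it before logging, for example `if len(h) > 64 { h = h[:64] }` ahead of the `log.Info` call, so a misbehaving endpoint cannot inflate the log on every readiness check. The log sink's structured encoding presumably neutralises control characters, but the sink configuration is not visible here. isDNSReady's body continues past the end of this hunk.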
@@ -285,6 +290,7 @@ func (r *DecoRedirectReconciler) isDNSReady(ctx context.Context, domain string) addrs, err := net.DefaultResolver.LookupIPAddr(ctx, domain) if err != nil { + log.Error(err, "isDNSReady: DNS lookup failed", "domain", domain) return false } for _, a := range addrs { @@ -294,6 +300,7 @@ func (r *DecoRedirectReconciler) isDNSReady(ctx context.Context, domain string) } for _, blocked := range r.BlockedIPv6CIDRs { if blocked.Contains(ip) { + log.Info("isDNSReady: blocked IPv6 found", "domain", domain, "ip", ip, "cidr", blocked) return false } }
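Review bot: In the hunk at `-285,6`, the `log.Error` on a failed `LookupIPAddr` reports at error level a condition that a readiness probe presumably hits routinely while a domain is still propagating. The same applies to the `log.Error` for `httpClient.Do` in the first hunk. If isDNSReady is polled from the reconcile loop, which is not visible here, these entries will dominate error-level output and make real faults harder to spot. Consider `log.Info("isDNSReady: DNS lookup failed", "domain", domain, "err", err.Error())` for the expected cases, keeping `log.Error` for the `NewRequestWithContext` failure. The function starts and ends outside this hunk.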
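Review bot: In the hunk at `-294,6`, `ip` and `blocked` are passed to `log.Info` as raw values, so their rendering depends on the log sink and on whether their types implement `fmt.Stringer`. Their declarations are outside the hunk, so this cannot be confirmed here. Passing `"ip", ip.String(), "cidr", blocked.String()` would give a stable, greppable entry regardless of sink. The enclosing loops and function begin and end outside this hunk.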