fix(issue-4448): aws route53 inconsistent domain name handling - octal escapes

[ivankatliarchuk]

Description

External DNS doesn't fully decode domain names retrieved from AWS Route 53, potentially leading to issues with mismatched characters due to unhandled octal escape sequences.

aws route53 list-resource-record-sets --hosted-zone-id ASDFASFASFASDF
{
    "ResourceRecordSets": [
        {
            "Name": "wiremock-\\045\\041s\\050\\074nil\\076\\051-internal-eks--internal-eks.example.com.",
            "Type": "CNAME",
            "TTL": 60,
            "ResourceRecords": [
                {
                    "Value": "eks.example.com"
                }
            ]
        },
        {
            "Name": "x-cname-vault.example.com.",
            "Type": "TXT",
            "TTL": 300,
            "ResourceRecords": [
                {
                    "Value": "\"heritage=external-dns,external-dns/owner=extdns,external-dns/resource=crd/vault/vault.example.com\""
                }
            ]
        },
        {
            "Name": "x-cname-wiremock-\\045\\041s\\050\\074nil\\076\\051-internal-eks--internal-eks.example.com.",
            "Type": "TXT",
            "TTL": 300,
            "ResourceRecords": [
                {
                    "Value": "\"heritage=external-dns,external-dns/owner=extdns,external-dns/resource=crd/apps/wiremock.example.com\""
                }
            ]
        },
        {
            "Name": "x-vault.example.com.",
            "Type": "TXT",
            "TTL": 300,
            "ResourceRecords": [
                {
                    "Value": "\"heritage=external-dns,external-dns/owner=extdns,external-dns/resource=crd/vault/vault.example.com\""
                }
            ]
        },
        {
            "Name": "x-wiremock-\\045\\041s\\050\\074nil\\076\\051-internal-eks--internal-eks.example.com.",
            "Type": "TXT",
            "TTL": 300,
            "ResourceRecords": [
                {
                    "Value": "\"heritage=external-dns,external-dns/owner=extdns,external-dns/resource=crd/apps/wiremock.example.com\""
                }
            ]
        }
    ]
}

Record actually created. Rollback does not help. External dns swallow this poison..... crashloopbackoffff....
The only way to recover external-dns is to remove records from Route53 with command aws route53 change-resource-record-sets --hosted-zone-id $HOSTED_ZONE_ID --change-batch file:///delete.json and from kubernetes

The issue arises from how the AWS Route 53 API handles domain names with special characters. According to the AWS Route 53 Developer Guide on Domain Name Format, the API escapes special characters into their ASCII representations using three-digit octal codes.

When the AWS Route 53 API returns domain names containing special characters, these characters are escaped into their octal ASCII format. However, the current implementation in the external-dns codebase does not correctly handle this conversion. As a result, the domain names returned by the API are not properly converted back to their original format, leading to discrepancies and potential issues in the functionality relying on these domain names.

For example, a domain name such as wiremock-%!s(<nil>) with a special character would be returned as wiremock-\\045\\041s\\050\\074nil\\076\\051 by the API. The current code does not decode octals \\050 back to ), thus causing an incorrect representation of the domain name.

To resolve this issue, the code needs to be updated to include a mechanism that correctly decodes these escaped special characters back into their original ASCII format.

Original name is 48 characters long x-wiremock-%!s(<nil>)-internal-eks--internal-eks
when encoded is 64 e.g. wiremock-\\045\\041s\\050\\074nil\\076\051-internal-eks--internal-eks

Fixes #4448

Expected behavior:

• do not crash extearnal dns

Tested on AWS EKS cluster 1.26 and 1.28

Checklist

• Unit tests updated
• Tested from local against real AWS EKS cluster
• End user documentation updated

[k8s-ci-robot]

Hi @ivankatliarchuk. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mloiseleur]

/lgtm

[ivankatliarchuk]

When can we expect this to be released or added to the next release milestone?

[szuecs]

A small comment and please rebase, then I am happy to approve this PR.

[ivankatliarchuk]

Rebased and removed whitespace changes to licence block . Lost ltgm label, do you I need to request of /lgtm again?

[mloiseleur]

/lgtm
I'll let @szuecs do the final approve. Thanks @ivankatliarchuk !

[szuecs]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: szuecs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [szuecs]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[szuecs]

Thank you!