The guac-k8s-sync CronJob has been crash-looping (exit 7) since the 2026-04-11 run.

Root cause: CoreDNS has an `*.iamworkin.lan` template wildcard, and the Kubernetes pod resolv.conf ships with `ndots:5` plus a search list that includes `iamworkin.lan`. Resolving `guacamole.guacamole.svc.cluster.local` (4 dots < 5) goes through search-suffix expansion BEFORE the bare FQDN. The iamworkin.lan suffix makes it `guacamole.guacamole.svc.cluster.local.iamworkin.lan`, which matches the template and answers with Traefik LB VIP 10.0.56.200. That VIP has no pod-network hairpin route, so curl exits with 'No route to host'.

Using the short name `http://guacamole:8080` keeps the query at 0 dots, search expansion runs on the bare name, and the in-namespace `guacamole.svc.cluster.local` suffix hits the Kubernetes CoreDNS plugin directly (ClusterIP 10.43.229.31).

Alt fixes considered but not taken: trim the CoreDNS template regex to exclude `.svc.cluster.local.` prefixes (cross-cutting, higher blast radius); trailing-dot FQDN in the URL (curl/Java HTTP clients handle inconsistently).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
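The resolution order described in the commit message above, as an added example that is not part of the commit or the repository. The search-list entries other than `iamworkin.lan`, the two-source CoreDNS model, and all function names are assumptions made for illustration.

```python
# Constructed model of glibc-style search expansion and the two CoreDNS
# answer sources named in the commit message. Not the project's code.
NDOTS = 5
# Assumed search list for a pod in namespace "guacamole"; the commit only
# states that the list includes iamworkin.lan.
SEARCH = [
    "guacamole.svc.cluster.local",
    "svc.cluster.local",
    "cluster.local",
    "iamworkin.lan",
]
K8S_SERVICES = {"guacamole.guacamole.svc.cluster.local": "10.43.229.31"}
TEMPLATE_ZONE, TEMPLATE_VIP = "iamworkin.lan", "10.0.56.200"


def candidates(name, search=SEARCH, ndots=NDOTS):
    """Return the FQDNs the stub resolver queries, in order."""
    if name.endswith("."):            # trailing dot: absolute, no search list
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:      # enough dots: literal name goes first
        return [name] + expanded
    return expanded + [name]          # too few dots: search list goes first


def coredns_answer(fqdn):
    """kubernetes plugin for cluster.local, wildcard template for the LAN zone."""
    if fqdn.endswith(".cluster.local"):
        return K8S_SERVICES.get(fqdn)     # None models NXDOMAIN
    if fqdn.endswith("." + TEMPLATE_ZONE):
        return TEMPLATE_VIP               # wildcard answers for any label run
    return None


def resolve(name):
    """First candidate that gets an answer wins; returns (fqdn, ip)."""
    for fqdn in candidates(name):
        ip = coredns_answer(fqdn)
        if ip:
            return fqdn, ip
    return None, None


if __name__ == "__main__":
    for host in ("guacamole.guacamole.svc.cluster.local", "guacamole",
                 "guacamole.guacamole.svc.cluster.local."):
        print(f"{host:42} -> {resolve(host)}")
```

In this model the 4-dot FQDN is answered by the wildcard before the literal name is ever queried, while the short name and the trailing-dot form both reach the ClusterIP.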