Route53 controller can't import readonly HostedZone resource

[mano1233]

Describe the bug
When Using the ReadOnlyResources Feature flag, When trying to create a hosted zone with read-only annotation. The controller sends an error that the hosted zone is not found.

Steps to reproduce

• Setup controller with ReadOnlyResources feature flag enabled.
• Create a hostedZone resource with annotation services.k8s.aws/read-only: "true"
• Controller produces an error the given hosted zone is not found.

Expected outcome
Manage to find the resource and update the status field with the relevant hosted zone id.

HostedZone CR

apiVersion: route53.services.k8s.aws/v1alpha1
kind: HostedZone
metadata:
  name: hostedzone-readonly
  annotations: 
    services.k8s.aws/read-only: "true"
spec:
  name: "euw1.dev.company.outside"

Error logs

{"level":"error","ts":"2025-02-17T11:31:13.038Z","msg":"Reconciler error","controller":"hostedzone","controllerGroup":"route53.services.k8s.aws","controllerKind":"HostedZone","HostedZone":{"name":"hostedzone-readonly","namespace":"ack"},"namespace":"ack","name":"hostedzone-readonly","reconcileID":"10006d19-461f-403b-86ca-0e79f2572470","error":"read-only resource not found","stacktrace":"[sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler](http://sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}
{"level":"error","ts":"2025-02-17T11:31:14.323Z","msg":"Reconciler error","controller":"hostedzone","controllerGroup":"route53.services.k8s.aws","controllerKind":"HostedZone","HostedZone":{"name":"hostedzone-readonly","namespace":"ack"},"namespace":"ack","name":"hostedzone-readonly","reconcileID":"84661bf9-3dd0-47b3-bc23-823c65e0d9d0","error":"read-only resource not found","stacktrace":"[sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler](http://sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}
{"level":"error","ts":"2025-02-17T11:31:16.888Z","msg":"Reconciler error","controller":"hostedzone","controllerGroup":"route53.services.k8s.aws","controllerKind":"HostedZone","HostedZone":{"name":"hostedzone-readonly","namespace":"ack"},"namespace":"ack","name":"hostedzone-readonly","reconcileID":"d6a7a947-7d10-45b2-8e21-28dd859554b9","error":"read-only resource not found","stacktrace":"[sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler](http://sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}
{"level":"error","ts":"2025-02-17T11:31:22.017Z","msg":"Reconciler error","controller":"hostedzone","controllerGroup":"route53.services.k8s.aws","controllerKind":"HostedZone","HostedZone":{"name":"hostedzone-readonly","namespace":"ack"},"namespace":"ack","name":"hostedzone-readonly","reconcileID":"33230c17-f85f-40a2-a178-427a710e6cb1","error":"read-only resource not found","stacktrace":"[sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler](http://sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}
{"level":"error","ts":"2025-02-17T11:31:32.265Z","msg":"Reconciler error","controller":"hostedzone","controllerGroup":"route53.services.k8s.aws","controllerKind":"HostedZone","HostedZone":{"name":"hostedzone-readonly","namespace":"ack"},"namespace":"ack","name":"hostedzone-readonly","reconcileID":"afcbcb44-c630-40d2-b6a5-63015f28ea5a","error":"read-only resource not found","stacktrace":"[sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler](http://sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\[nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2](http://nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2)\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}

Environment

• Kubernetes version 1.31
• Using EKS (yes/no), if so version? yes 1.31
• AWS service targeted (S3, RDS, etc.) route53

[michaelhtm]

Hello @mano1233, the way ReadOnlyResources works is by annotating an already existing resource with read-only. So you would need to create the resource first, and once it's synced, annotate it as readOnly.

[candonov]

Hi @mano1233,

You would have to enable the following values when you install the helm chart:
https://github.com/aws-controllers-k8s/route53-controller/blob/5a1504869470337885b439552cc775d818f46e3c/helm/values.yaml#L160-L168

featureGates:
  ReadOnlyResources: true
  ResourceAdoption: true

Then to import the resource, you need to create the following yaml with empty spec:

apiVersion: route53.services.k8s.aws/v1alpha1
kind: HostedZone
metadata:
  name: hostedzone-readonly
  annotations:
    services.k8s.aws/read-only: "true"
    services.k8s.aws/adoption-policy: "adopt"
    services.k8s.aws/adoption-fields: |
      {
        "id": "YOURZONEID"
      }

That will import the hosted zone, and you should see the name of the hosted zone under spec.

[mano1233]

Hey, Good to know, Is this the same for all controllers?
and if so, what fields should be part of the adoption-fields annotation? could it be resource tags?

[candonov]

This is a feature flag that needs to be enabled for each controller.

At the moment import only supports by id, tag is not supported. Working with the team to review #2297

[michaelhtm]

Hey @mano1233, i don't think all services support adoption/import by tags, the only one i know of is ec2..
About the fields needed to be defined for adoption, we currently don't have documentation on that, but for now the best place to see it is here. Each controller's resource has a function in pkg/resource/<resource_name>/resource.go called PopulateResourceFromAnnotation, and for now that is the best place to see what fields you need. Hope that helps!

[michaelhtm]

Hey @mano1233, i'm marking this issue as stale, please feel free to remove it if the issue is not resolved for you and reply on this thread for any more questions. Thanks!
/lifecycle stale