feat(source): add Nomad service

docs/flags.md

@@ -17,6 +17,10 @@
 | `--cf-password=""` | The password to log into the cloud foundry API |
 | `--gloo-namespace=gloo-system` | The Gloo Proxy namespace; specify multiple times for multiple namespaces. (default: gloo-system) |
 | `--skipper-routegroup-groupversion="zalando.org/v1"` | The resource version for skipper routegroup |
+| `--nomad-address=""` | Nomad endpoint address, if empty it defaults to NOMAD_ADDR or http://127.0.0.1:4646 |
+| `--nomad-region=""` | Nomad region to use. If not provided, the default agent region is used |
+| `--nomad-token=NOMAD-TOKEN` | Nomad per-request ACL token |
+| `--nomad-wait-time=0s` | WaitTime limits how long a Watch will block. If not provided, the agent default values will be used |
 | `--[no-]always-publish-not-ready-addresses` | Always publish also not ready addresses for headless services (optional) |
 | `--annotation-filter=""` | Filter resources queried for endpoints by annotation, using label selector semantics |
 | `--[no-]combine-fqdn-annotation` | Combine FQDN template and Annotations instead of overwriting |

docs/sources/nomad-source.md

@@ -0,0 +1,197 @@
+# Nomad Service Source
+
+This tutorial explains how to configure ExternalDNS to use Nomad services as a source.
+
+The Nomad service source reads metadata from services registered with the Nomad agent and uses it to determine DNS configuration.
+
+By using `--source=nomad-service`, ExternalDNS can discover DNS endpoints from applications registered in a [HashiCorp Nomad](https://www.nomadproject.io/) cluster.
+This allows DNS records to be dynamically created and updated based on the state of Nomad services, similar to how ExternalDNS works with Kubernetes resources.
+
+## CLI Flags
+
+This source respects these external-dns CLI flags:
+
+```bash
+--namespace=""                     # Limit resources queried for endpoints to a specific namespace (default: all namespaces)
+--fqdn-template=""                 # A templated string that's used to generate DNS names from sources that don't define a hostname themselves
+--[no-]combine-fqdn-annotation     # Combine FQDN template and Annotations instead of overwriting
+--[no-]ignore-hostname-annotation  # Ignore hostname annotation when generating DNS names, valid only when --fqdn-template is set
+```
+
+The following flags are available for customizing Nomad integration (all optional):
+
+```bash
+--nomad-address=""         # Nomad API address. Defaults to $NOMAD_ADDR or http://127.0.0.1:4646
+--nomad-region=""          # Nomad region. Defaults to agent's configured region
+--nomad-token=NOMAD-TOKEN  # Nomad ACL token for authentication
+--nomad-wait-time=0s       # API blocking timeout (Watch WaitTime)
+```
+
+Also, Nomad agent connection and authentication options can be configured via environment variables (e.g., `NOMAD_ADDR`, `NOMAD_REGION`, `NOMAD_TOKEN`, etc.)
+
+### Example: Run ExternalDNS with Nomad source
+
+You can run ExternalDNS with the Nomad service source and any supported DNS provider:
+
+```bash
+external-dns \
+  --source=nomad-service \
+  --provider=inmemory \
+  --nomad-address=http://127.0.0.1:4646
+```
+
+## Nomad Service Tags
+
+The `nomad-service` source uses Nomad [service tags](https://developer.hashicorp.com/nomad/docs/job-specification/service#tags) to define configuration that is typically specified using Kubernetes annotations in other sources.
+
+Unlike Kubernetes annotations, which are a key-value map, Nomad tags are represented as a flat array of strings. To work around this difference, the implementation expects tags to follow a `key=value` format under the `external-dns.` prefix.
+
+For example:
+
+```hcl
+tags = [
+  "external-dns.hostname=example.nomad.internal.",
+  "external-dns.ttl=300",
+  "external-dns.controller=dns-controller",
+  "external-dns.set-identifier=my-id"
+]
+```
+
+These tags are interpreted by ExternalDNS in the same way it would interpret Kubernetes annotations:
+
+```yaml
+annotations:
+  external-dns.alpha.kubernetes.io/hostname: "example.nomad.internal."
+  external-dns.alpha.kubernetes.io/ttl: "300"
+  external-dns.alpha.kubernetes.io/controller: "dns-controller"
+  external-dns.alpha.kubernetes.io/set-identifier: "my-id"
+```
+
+To reduce verbosity and improve clarity, the Nomad tag keys are shortened versions of their corresponding Kubernetes annotations. This source supports next ExternalDNS annotation equivalents set via service tags:
+
+| Nomad Tag | Kubernetes Annotation Equivalent |
+|-----------|----------------------------------|
+| external-dns.hostname | external-dns.alpha.kubernetes.io/hostname |
+| external-dns.target | external-dns.alpha.kubernetes.io/target |
+| external-dns.ttl | external-dns.alpha.kubernetes.io/ttl |
+| external-dns.controller | external-dns.alpha.kubernetes.io/controller |
+| external-dns.set-identifier | external-dns.alpha.kubernetes.io/set-identifier |
+
+Additionally, provider-specific configuration is also supported via tags. For example:
+
+```hcl
+tags = [
+  "external-dns.hostname=app.example.org.",
+  "external-dns.aws-weight=100",
+  "external-dns.cloudflare-proxied=true"
+]
+```
+
+### Example service block in a Nomad job
+
+```hcl
+service {
+  name = "whoami-demo"
+  port = "http"
+  provider = "nomad"
+  tags = [
+    "external-dns.hostname=whoami.example.org.",
+    "external-dns.target=${attr.unique.network.ip-address}",
+  ]
+}
+```
+
+This configuration will result in an A record for whoami.example.org. pointing to the IP of the service port.
+
+## Example Nomad Job
+
+Here's a complete job spec to demonstrate usage:
+
+```hcl
+job "whoami" {
+  group "demo" {
+    network {
+      mode = "host"
+
+      port "http" {
+        static = 80
+      }
+    }
+
+    service {
+      name = "whoami-demo"
+      port = "http"
+      provider = "nomad"
+      tags = [
+        "external-dns.alpha.kubernetes.io/hostname=whoami.example.org.",
+        "external-dns.alpha.kubernetes.io/ttl=60"
+      ]
+    }
+
+    task "server" {
+      driver = "docker"
+
+      config {
+        image = "traefik/whoami"
+        ports = ["http"]
+      }
+
+      env {
+        WHOAMI_PORT_NUMBER = "${NOMAD_PORT_http}"
+      }
+    }
+  }
+}
+```
+
+The ExternalDNS itself can be deployed to a Nomad cluster as a regular job:
+
+```hcl
+job "external-dns" {
+  group "external-dns" {
+    network {
+      mode = "bridge"
+
+      port "http" {
+        to = 7979
+      }
+    }
+
+    task "controller" {
+      driver = "docker"
+
+      config {
+        image = "registry.k8s.io/external-dns/external-dns:latest"
+        ports = ["http"]
+
+        args = [
+          "--source=nomad-service",
+          "--nomad-address=http://${attr.unique.network.ip-address}:4646",
+        ]
+      }
+
+      resources {
+        cpu    = 50
+        memory = 32
+      }
+
+      service {
+        provider = "nomad"
+        port = "http"
+
+        check {
+          type = "http"
+          path = "/healthz"
+          interval = "10s"
+          timeout = "3s"
+        }
+      }
+    }
+  }
+}
+```
+
+## Notes
+
+* This source does not require Kubernetes; it works directly with the Nomad HTTP API.
+* Integration with DNS providers (e.g., AWS Route 53, Cloudflare, etc.) is handled the same as with other ExternalDNS sources.

go.mod

@@ -40,6 +40,7 @@ require (
 	github.com/goccy/go-yaml v1.17.1
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
+	github.com/hashicorp/nomad/api v0.0.0-20250321175057-34ae5d5ae66b
 	github.com/linki/instrumented_http v0.3.0
 	github.com/linode/linodego v1.49.0
 	github.com/maxatome/go-testdeep v1.14.0
@@ -137,10 +138,13 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect

go.sum

@@ -273,6 +273,8 @@ github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5Xh
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
@@ -549,6 +551,8 @@ github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/z
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
@@ -560,6 +564,8 @@ github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslC
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE=
 github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/cronexpr v1.1.2 h1:wG/ZYIKT+RT3QkOdgYc+xsKWVRgnxJ1OJtjjy84fJ9A=
+github.com/hashicorp/cronexpr v1.1.2/go.mod h1:P4wA0KBl9C5q2hABiMO7cp6jcIg96CDh1Efb3g1PWA4=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
@@ -578,6 +584,8 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -594,6 +602,8 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/nomad/api v0.0.0-20250321175057-34ae5d5ae66b h1:R7hwhe8P7Fg3NVZiYwdBl+w/QglPbSxRDeWdiWnVyG8=
+github.com/hashicorp/nomad/api v0.0.0-20250321175057-34ae5d5ae66b/go.mod h1:svtxn6QnrQ69P23VvIWMR34tg3vmwLz4UdUzm1dSCgE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
@@ -758,6 +768,8 @@ github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
+github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
@@ -952,6 +964,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/shoenig/test v1.7.1 h1:UJcjSAI3aUKx52kfcfhblgyhZceouhvvs3OYdWgn+PY=
+github.com/shoenig/test v1.7.1/go.mod h1:UxJ6u/x2v/TNs/LoLxBNJRV9DiwBBKYxXSyczsBHFoI=
 github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8=
 github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=

pkg/apis/externaldns/types.go

@@ -214,6 +214,10 @@ type Config struct {
 	TraefikDisableNew                             bool
 	NAT64Networks                                 []string
 	ExcludeUnschedulable                          bool
+	NomadAddress                                  string
+	NomadRegion                                   string
+	NomadToken                                    string `secure:"yes"`
+	NomadWaitTime                                 time.Duration
 }
 
 var defaultConfig = &Config{
@@ -306,6 +310,10 @@ var defaultConfig = &Config{
 	MinEventSyncInterval:         5 * time.Second,
 	Namespace:                    "",
 	NAT64Networks:                []string{},
+	NomadAddress:                 "",
+	NomadRegion:                  "",
+	NomadToken:                   "",
+	NomadWaitTime:                0,
 	NS1Endpoint:                  "",
 	NS1IgnoreSSL:                 false,
 	OCIConfigFile:                "/etc/kubernetes/oci.yaml",
@@ -453,6 +461,13 @@ func App(cfg *Config) *kingpin.Application {
 	// Flags related to Skipper RouteGroup
 	app.Flag("skipper-routegroup-groupversion", "The resource version for skipper routegroup").Default(defaultConfig.SkipperRouteGroupVersion).StringVar(&cfg.SkipperRouteGroupVersion)
 
+	// Flags related to Nomad
+	app.Flag("nomad-address", "Nomad endpoint address, if empty it defaults to NOMAD_ADDR or http://127.0.0.1:4646").Default(defaultConfig.NomadAddress).StringVar(&cfg.NomadAddress)
+	app.Flag("nomad-region", "Nomad region to use. If not provided, the default agent region is used").Default(defaultConfig.NomadRegion).StringVar(&cfg.NomadRegion)
+	// app.Flag("nomad-namespace", "Nomad namespace to use. If not provided the default namespace is used").Default(defaultConfig.NomadNamespace).StringVar(&cfg.NomadNamespace)
+	app.Flag("nomad-token", "Nomad per-request ACL token").StringVar(&cfg.NomadToken)
+	app.Flag("nomad-wait-time", "WaitTime limits how long a Watch will block. If not provided, the agent default values will be used").Default(defaultConfig.NomadWaitTime.String()).DurationVar(&cfg.NomadWaitTime)
+
 	// Flags related to processing source
 	app.Flag("always-publish-not-ready-addresses", "Always publish also not ready addresses for headless services (optional)").BoolVar(&cfg.AlwaysPublishNotReadyAddresses)
 	app.Flag("annotation-filter", "Filter resources queried for endpoints by annotation, using label selector semantics").Default(defaultConfig.AnnotationFilter).StringVar(&cfg.AnnotationFilter)