feat(cloudflare): Enable DNS record Comment and Tags

[7onn]

Description

This will add two flags to be used on the Cloudflare provider. One for making comment and other tags available for DNS records. That's helpful when you already have a lot of records and you'd like to track what external-dns is provisioning there.

Both comment and tags can be set either

• As a program flag --cloudflare-record-comment=test, --cloudflare-record-tags=kubernetes,external-dns
• Or as Ingress annotations, taking precedence over the program args

annotations:
  external-dns.alpha.kubernetes.io/cloudflare-record-comment: "test"
  external-dns.alpha.kubernetes.io/cloudflare-record-tags: "kubernetes,external-dns,my-app"

Fixes #3934

Checklist

• Unit tests updated
• End user documentation updated

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign raffo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: 7onn / name: tom (bf518c3, ba3a36c, 16d6bf7, b6a2d1a, 193441f, bedfdae, 94f4c69, be42e7f, 35f3202, 299db8d, bd63dc2, 2b4c0ee, 635474f, d077169, def76d6)

[k8s-ci-robot]

Welcome @7onn!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @7onn. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ivankatliarchuk]

/ok-to-test

[7onn]

@ivankatliarchuk can you provide me some direction on how to build this container so I can use the image on my staging environment to test? :)

Couldn't find anything on this repo. At least not searching quickly.

[ivankatliarchuk]

Here is dev guide https://github.com/kubernetes-sigs/external-dns/blob/master/docs/contributing/dev-guide.md

One of the option is not even build, just run go run main.go with required arguments, as long as cluster context is available from terminal

[ivankatliarchuk]

for _, providerSpecific := range ep.ProviderSpecific {
	if providerSpecific.Name == source.CloudflareRecordCommentKey {
		// Your logic here
	}
}

[7onn]

done :) bedfdae

[ivankatliarchuk]

is there is any validation for tags and comments that we could add? Is this functionality available to all subscriptions?

[morremeyer]

Reference is here: https://developers.cloudflare.com/dns/manage-dns-records/reference/record-attributes/#availability

[ivankatliarchuk]

Ok so this only available for paid Tier.

Feels like this needs testing where or not is not breaking Free tier

[morremeyer]

I agree.

Ideally, the limits can be read from the API for the specific zone and then the comment/tag verified against it.
If it doesn't match, I think a warning should be logged, but the record should still be created/updated.

I couldn't find it in the API documentation, so I've asked the Cloudflare support if that is possible.

[7onn]

Very well raised. This would work for my case but not for people on a free Cloudflare account. I'll will look into such validations and try to make them happen dynamically so if Cloudflare changes, the software won't need to be changed. Thanks everyone.

[7onn]

In order to prevent inappropriate tagging, do you think this is a good direction? 16d6bf7

I wonder how we'd apply the same safety filter for Comments as these are actually for everyone except varying on limited length

[morremeyer]

I think that is a very good direction. I left a comment with 16d6bf7#r156796315 about the log level, other than that it looks good.

Cloudflare support confirmed to me there is no way to get the current subscription level, so for comments it's going to be more difficult.

I think the best value for time and complexity we can get here would be to skip and log a warning for anything over 500 characters.

For a Free zone, anything over 100 will then still error, so that specific error (I'd expect there to be a specific code or error message after all I know about the Cloudflare API) can be handled to print a

Comment for %s too long, see https://developers.cloudflare.com/dns/manage-dns-records/reference/record-attributes/#availability for character limits

This would have the benefit of preventing API errors for all paid plans, and if the limits change in the future, there would still be useful information in there since the only hardcoded value is the 500 character absolute maximum.

[7onn]

Decreased the log level here d077169

[morremeyer]

Nice, even better than what I had in mind.

[7onn]

Had to bring it back though! Because if you put the value and it isn't suitable for you tier, it was producing an endless diff :/ Would welcome some suggestions on how to workaround this.

[ivankatliarchuk]

just one tiny thing left

We need some smoke testing, to make sure if tags-comments not set, the external-dns still works ;-)

[ivankatliarchuk]

source_test is not updated, can we cover added logic there?

[7onn]

done bd63dc2

We need some smoke testing

Where is its Dockerfile? I'd like to build this and simply update my deployment's image in staging registry.k8s.io/external-dns/external-dns:v0.15.1 -> devbytom/external-dns:test. Preferably, building similarly to the official way instead of building as I assume it should be.

[ivankatliarchuk]

Have a loot this job https://github.com/kubernetes-sigs/external-dns/actions/runs/14976420658/job/42069819842?pr=5359. try it could be pullable

other approach is how to build image https://github.com/kubernetes-sigs/external-dns/blob/master/docs/contributing/dev-guide.md#building-local-images

how to run without doing build if you have kubectl access to cluster https://github.com/kubernetes-sigs/external-dns/blob/master/docs/contributing/dev-guide.md#execute-code-without-building-binary

[7onn]

Tested in my staging cluster. Found an apparent bug. The records are stuck on a diff state and every minute, the app is updating it again.

The image is devbytom/external-dns:test-tom built on top of this branch's HEAD with

KO_DOCKER_REPO=devbytom/external-dns \
    VERSION=test-tom \
    ko build --tags test-tom --bare --sbom none \
      --image-label org.opencontainers.image.source="https://github.com/kubernetes-sigs/external-dns" \
      --image-label org.opencontainers.image.revision=bd63dc21cbbfa4a1ac37e51a3cffae77a2e81aca \
      --platform=linux/amd64,linux/arm64,linux/arm/v7  --push=true .

The app logs were

time="2025-05-12T16:55:19Z" level=info msg="GitCommitShort=unknown, GoVersion=go1.24.2, Platform=linux/amd64, UserAgent=ExternalDNS/test-tom"
time="2025-05-12T16:55:19Z" level=info msg="Instantiating new Kubernetes client"
time="2025-05-12T16:55:19Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2025-05-12T16:55:19Z" level=info msg="Created Kubernetes client https://172.20.0.1:443"
time="2025-05-12T16:55:23Z" level=info msg="All records are already up to date"
time="2025-05-12T16:56:23Z" level=info msg="All records are already up to date"
time="2025-05-12T16:57:23Z" level=info msg="All records are already up to date"
time="2025-05-12T16:58:28Z" level=info msg="Changing record." action=UPDATE record=app.<redacted>.com ttl=1 type=CNAME zone=<redacted>
time="2025-05-12T16:58:30Z" level=info msg="Changing record." action=UPDATE record=app.<redacted>.com ttl=1 type=TXT zone=<redacted>
time="2025-05-12T16:58:32Z" level=info msg="Changing record." action=UPDATE record=cname-app.<redacted>.com ttl=1 type=TXT zone=<redacted>
time="2025-05-12T16:59:29Z" level=info msg="Changing record." action=UPDATE record=app.<redacted>.com ttl=1 type=CNAME zone=<redacted>
time="2025-05-12T16:59:31Z" level=info msg="Changing record." action=UPDATE record=app.<redacted>.com ttl=1 type=TXT zone=<redacted>
time="2025-05-12T16:59:33Z" level=info msg="Changing record." action=UPDATE record=cname-app.<redacted>.com ttl=1 type=TXT zone=<redacted>
... repeat

The records are correctly updated at least.

[ivankatliarchuk]

Ignore the image. Images from pull requests not pushed to registries. You need to build one youerself. I'm usually just running code against sandbox clusters with fixtures.

[7onn]

Replacing the container image and then updating existing Ingresses in staging via ArgoCD worked for me (or at least felt like the least effort). It was able to reveal this bug 🐛 . I need to understand what is holding the record on a diff state for the app to update it ceaselessly.

[ivankatliarchuk]

A negative result is still a result. So from the code side of things it looks ok, but it does not do it correctly 😊

[ivankatliarchuk]

It sounds like we do modification in the wrong location. You need to modify it in Records() method. What you are looking is to add tags and comments in this function groupByNameAndTypeWithCustomHostnames

[7onn]

This have fixed the loop for good users: 052760b

But if you keep the len(comment) > 500, the diff naturally keeps happening as it compares the full string configured with the trimmed one on Cloudflare.

[7onn]

Interestingly, I just discovered another infinite loop issue. This time, credited to the tag sorting :)

In cloudflare, I have

But In code:

So I have to sort in order to avoid this behavior.

[ivankatliarchuk]

/test go

[k8s-ci-robot]

@ivankatliarchuk: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test pull-external-dns-licensecheck

/test pull-external-dns-unit-test

Use /test all to run all jobs.

In response to this:

/test go

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ivankatliarchuk]

/test all

[ivankatliarchuk]

/retest

[ivankatliarchuk]

/label tide/merge-method-squash

[ivankatliarchuk]

The code works, I just not too sure if the changes are in the right location. If you ok, have a look at proposed changes. Just review them. For whatever reason cloudflare is quite different to other providers in terms of how Records and ApplyChanges are used.

[ivankatliarchuk]

Step 2. This will all get replaced with something like

if e.GetProviderSpecificProperty("cloudflare-is-subscribed") == "true" {
  comment = extract from provider properties
  tags = extract from provider properties 
}

Example how simple is AWS Apply

external-dns/provider/aws/aws.go

Lines 637 to 652 in 5eb0c9f

	// ApplyChanges applies a given set of changes in a given zone.
	func (p *AWSProvider) ApplyChanges(ctx context.Context, changes *plan.Changes) error {
	zones, err := p.zones(ctx)
	if err != nil {
	return provider.NewSoftErrorf("failed to list zones, not applying changes: %w", err)
	}
	updateChanges := p.createUpdateChanges(changes.UpdateNew, changes.UpdateOld)
	combinedChanges := make(Route53Changes, 0, len(changes.Delete)+len(changes.Create)+len(updateChanges))
	combinedChanges = append(combinedChanges, p.newChanges(route53types.ChangeActionCreate, changes.Create)...)
	combinedChanges = append(combinedChanges, p.newChanges(route53types.ChangeActionDelete, changes.Delete)...)
	combinedChanges = append(combinedChanges, updateChanges...)
	return p.submitChanges(ctx, combinedChanges, zones)
	}

[ivankatliarchuk]

Have a look at method apply

func (p *CloudFlareProvider) ApplyChanges(ctx context.Context, changes *plan.Changes)

changes should already contain all the required information

[ivankatliarchuk]

Same. Advice is not correct

[ivankatliarchuk]

Step 3. This no longer required

[ivankatliarchuk]

My advice wass wrong

[7onn]

I ended up testing just to understand more. But indeed, the WithProviderSpecific in groupByNameAndTypeWithCustomHostnames() wasn't turned available in newCloudFlareChange(), so it was impossible to read wether the zone was subscribed. So I brought the function back. But I'm still stuck with endless updates on the tagged resource 🤔 Even after sorting the user tags input to make sure we'll sort alphabetically like Cloudflare does. I'm suspecting of this function that compares endpoints: https://github.com/7onn/external-dns/blob/299db8d0c54fad2a75e04881d53098c0161bbb3a/internal/testutils/endpoint.go#L119

If I sort the annotation myself,

external-dns.alpha.kubernetes.io/cloudflare-record-tags: editor,external-dns
# instead of
external-dns.alpha.kubernetes.io/cloudflare-record-tags: external-dns,editor

I get the desired time="2025-05-13T11:34:19Z" level=info msg="All records are already up to date"

[ivankatliarchuk]

I would say documentation is missing . Rest seems lgtm

https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md

[ivankatliarchuk]

It's a warning

[ivankatliarchuk]

could be single line

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ivankatliarchuk]

With this bug #5359 (comment) wdyt, to split a pull request and add a support for clouflare comment first?

[7onn]

With this bug #5359 (comment) wdyt, to split a pull request and add a support for clouflare comment first?

@ivankatliarchuk I have split it: https://github.com/kubernetes-sigs/external-dns/pull/5411/files

this way we can focus on what the open issue wants; and then I'll focus on my wanted tags on a smaller-scoped PR.

[ivankatliarchuk]

Review as part of this PR #5411 (comment)

[mloiseleur]

I close this PR since the Comments one has been merged and there is an other opened on Tags
Feel free to re-open it or open a new one if I missed something.
/close

[k8s-ci-robot]

@mloiseleur: Closed this PR.

In response to this:

I close this PR since the Comments one has been merged and there is an other opened on Tags
Feel free to re-open it or open a new one if I missed something.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.