kubernetes-sigs · alen-z · Apr 22, 2025 · Apr 22, 2025 · May 18, 2025 · May 18, 2025
diff --git a/controller/execute.go b/controller/execute.go
@@ -126,7 +126,7 @@ func Execute() {
 	targetFilter := endpoint.NewTargetNetFilterWithExclusions(cfg.TargetNetFilter, cfg.ExcludeTargetNets)
 
 	// Combine multiple sources into a single, deduplicated source.
-	endpointsSource := source.NewDedupSource(source.NewMultiSource(sources, sourceCfg.DefaultTargets))
+	endpointsSource := source.NewDedupSource(source.NewMultiSource(sources, sourceCfg.DefaultTargets, cfg.ForceDefaultTargets))
 	endpointsSource = source.NewNAT64Source(endpointsSource, cfg.NAT64Networks)
 	endpointsSource = source.NewTargetFilterSource(endpointsSource, targetFilter)
 

diff --git a/docs/flags.md b/docs/flags.md
@@ -49,6 +49,7 @@
 | `--service-type-filter=SERVICE-TYPE-FILTER` | The service types to take care about (default: all, expected: ClusterIP, NodePort, LoadBalancer or ExternalName) |
 | `--source=source` | The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, f5-transportserver, traefik-proxy) |
 | `--target-net-filter=TARGET-NET-FILTER` | Limit possible targets by a net filter; specify multiple times for multiple possible nets (optional) |
+| `--[no-]force-default-targets` | Force the application of --default-targets, overriding any targets provided by the source (DEPRECATED: This reverts to legacy behavior, default is false) |
 | `--[no-]traefik-disable-legacy` | Disable listeners on Resources under the traefik.containo.us API Group |
 | `--[no-]traefik-disable-new` | Disable listeners on Resources under the traefik.io API Group |
 | `--provider=provider` | The DNS provider where the DNS records will be created (required, options: akamai, alibabacloud, aws, aws-sd, azure, azure-dns, azure-private-dns, civo, cloudflare, coredns, digitalocean, dnsimple, exoscale, gandi, godaddy, google, ibmcloud, inmemory, linode, ns1, oci, ovh, pdns, pihole, plural, rfc2136, scaleway, skydns, tencentcloud, transip, ultradns, webhook) |

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
@@ -215,6 +215,7 @@ type Config struct {
 	TraefikDisableNew                             bool
 	NAT64Networks                                 []string
 	ExcludeUnschedulable                          bool
+	ForceDefaultTargets                           bool
 }
 
 var defaultConfig = &Config{
@@ -381,6 +382,7 @@ var defaultConfig = &Config{
 	WebhookProviderWriteTimeout:  10 * time.Second,
 	WebhookServer:                false,
 	ZoneIDFilter:                 []string{},
+	ForceDefaultTargets:          false,
 }
 
 // NewConfig returns new Config object
@@ -489,6 +491,7 @@ func App(cfg *Config) *kingpin.Application {
 	app.Flag("service-type-filter", "The service types to take care about (default: all, expected: ClusterIP, NodePort, LoadBalancer or ExternalName)").StringsVar(&cfg.ServiceTypeFilter)
 	app.Flag("source", "The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, f5-transportserver, traefik-proxy)").Required().PlaceHolder("source").EnumsVar(&cfg.Sources, "service", "ingress", "node", "pod", "gateway-httproute", "gateway-grpcroute", "gateway-tlsroute", "gateway-tcproute", "gateway-udproute", "istio-gateway", "istio-virtualservice", "cloudfoundry", "contour-httpproxy", "gloo-proxy", "fake", "connector", "crd", "empty", "skipper-routegroup", "openshift-route", "ambassador-host", "kong-tcpingress", "f5-virtualserver", "f5-transportserver", "traefik-proxy")
 	app.Flag("target-net-filter", "Limit possible targets by a net filter; specify multiple times for multiple possible nets (optional)").StringsVar(&cfg.TargetNetFilter)
+	app.Flag("force-default-targets", "Force the application of --default-targets, overriding any targets provided by the source (DEPRECATED: This reverts to legacy behavior, default is false)").Default(strconv.FormatBool(defaultConfig.ForceDefaultTargets)).BoolVar(&cfg.ForceDefaultTargets)
 	app.Flag("traefik-disable-legacy", "Disable listeners on Resources under the traefik.containo.us API Group").Default(strconv.FormatBool(defaultConfig.TraefikDisableLegacy)).BoolVar(&cfg.TraefikDisableLegacy)
 	app.Flag("traefik-disable-new", "Disable listeners on Resources under the traefik.io API Group").Default(strconv.FormatBool(defaultConfig.TraefikDisableNew)).BoolVar(&cfg.TraefikDisableNew)
 

diff --git a/source/crd.go b/source/crd.go
@@ -180,14 +180,12 @@ func (cs *crdSource) Endpoints(ctx context.Context) ([]*endpoint.Endpoint, error
 	}
 
 	for _, dnsEndpoint := range result.Items {
-		// Make sure that all endpoints have targets for A or CNAME type
-		crdEndpoints := []*endpoint.Endpoint{}
+		crdEndpoints := []*endpoint.Endpoint{} // Temporary list for endpoints from this specific CRD
 		for _, ep := range dnsEndpoint.Spec.Endpoints {
-			if (ep.RecordType == "CNAME" || ep.RecordType == "A" || ep.RecordType == "AAAA") && len(ep.Targets) < 1 {
-				log.Warnf("Endpoint %s with DNSName %s has an empty list of targets", dnsEndpoint.Name, ep.DNSName)
-				continue
-			}
+			// Note: Target validation (like empty target check for A/CNAME) is removed here
+			// to allow default-targets logic to function correctly.
 
+			// Validate target format (e.g., trailing dots)
 			illegalTarget := false
 			for _, target := range ep.Targets {
 				if ep.RecordType != "NAPTR" && strings.HasSuffix(target, ".") {
@@ -200,18 +198,23 @@ func (cs *crdSource) Endpoints(ctx context.Context) ([]*endpoint.Endpoint, error
 				}
 			}
 			if illegalTarget {
-				log.Warnf("Endpoint %s with DNSName %s has an illegal target. The subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com')", dnsEndpoint.Name, ep.DNSName)
-				continue
+				log.Warnf("Endpoint %s/%s with DNSName %s has an illegal target format.", dnsEndpoint.Namespace, dnsEndpoint.Name, ep.DNSName)
+				continue // Skip this specific endpoint
 			}
 
+			// Ensure labels are initialized
 			if ep.Labels == nil {
 				ep.Labels = endpoint.NewLabels()
 			}
 
+			// Add the valid endpoint to a temporary list for this CRD
 			crdEndpoints = append(crdEndpoints, ep)
 		}
 
+		// Add resource label to all valid endpoints from this CRD
 		cs.setResourceLabel(&dnsEndpoint, crdEndpoints)
+
+		// Add the processed endpoints for this CRD to the main list
 		endpoints = append(endpoints, crdEndpoints...)
 
 		if dnsEndpoint.Status.ObservedGeneration == dnsEndpoint.Generation {

diff --git a/source/crd_test.go b/source/crd_test.go
@@ -216,7 +216,7 @@ func testCRDSourceEndpoints(t *testing.T) {
 			expectError:     false,
 		},
 		{
-			title:                "invalid crd with no targets",
+			title:                "valid crd with no targets (relies on default-targets)",
 			registeredAPIVersion: "test.k8s.io/v1alpha1",
 			apiVersion:           "test.k8s.io/v1alpha1",
 			registeredKind:       "DNSEndpoint",
@@ -225,13 +225,13 @@ func testCRDSourceEndpoints(t *testing.T) {
 			registeredNamespace:  "foo",
 			endpoints: []*endpoint.Endpoint{
 				{
-					DNSName:    "abc.example.org",
-					Targets:    endpoint.Targets{},
+					DNSName:    "no-targets.example.org",
+					Targets:    endpoint.Targets{}, // Empty targets, should rely on default-targets later
 					RecordType: endpoint.RecordTypeA,
 					RecordTTL:  180,
 				},
 			},
-			expectEndpoints: false,
+			expectEndpoints: true, // Expect the endpoint to be processed, default targets applied later
 			expectError:     false,
 		},
 		{

diff --git a/source/multisource.go b/source/multisource.go
@@ -18,34 +18,54 @@
 
 import (
 	"context"
+	"strings"
 
+	log "github.com/sirupsen/logrus"
 	"sigs.k8s.io/external-dns/endpoint"
 )
 
 // multiSource is a Source that merges the endpoints of its nested Sources.
 type multiSource struct {
-	children       []Source
-	defaultTargets []string
+	children            []Source
+	defaultTargets      []string
+	forceDefaultTargets bool
 }
 
 // Endpoints collects endpoints of all nested Sources and returns them in a single slice.
 func (ms *multiSource) Endpoints(ctx context.Context) ([]*endpoint.Endpoint, error) {
 	result := []*endpoint.Endpoint{}
+	hasDefaultTargets := len(ms.defaultTargets) > 0
 
 	for _, s := range ms.children {
 		endpoints, err := s.Endpoints(ctx)
 		if err != nil {
 			return nil, err
 		}
-		if len(ms.defaultTargets) > 0 {
+
+		if hasDefaultTargets {
 			for i := range endpoints {
-				eps := endpointsForHostname(endpoints[i].DNSName, ms.defaultTargets, endpoints[i].RecordTTL, endpoints[i].ProviderSpecific, endpoints[i].SetIdentifier, "")
-				for _, ep := range eps {
-					ep.Labels = endpoints[i].Labels
+				hasSourceTargets := len(endpoints[i].Targets) > 0
+
+				if !ms.forceDefaultTargets && hasSourceTargets {
+					// New behavior (default): Source targets exist, use them and ignore defaults.
+					// Log a warning every time this happens if defaults are configured.
+					log.Warnf("Source provided targets for %q (%s), ignoring default targets [%s] due to new behavior. Use --force-default-targets to revert to old behavior.", endpoints[i].DNSName, endpoints[i].RecordType, strings.Join(ms.defaultTargets, ", "))
+					result = append(result, endpoints[i])
+					continue
+				} else if ms.forceDefaultTargets || !hasSourceTargets {
+					// Old behavior (forced via flag) OR New behavior (source targets are empty): Apply default targets.
+					eps := endpointsForHostname(endpoints[i].DNSName, ms.defaultTargets, endpoints[i].RecordTTL, endpoints[i].ProviderSpecific, endpoints[i].SetIdentifier, "")
+					for _, ep := range eps {
+						ep.Labels = endpoints[i].Labels
+					}
+					result = append(result, eps...)
+				} else {
+					// This case should logically not be reached given the conditions above, but handles completeness.
+					result = append(result, endpoints[i])
 				}
-				result = append(result, eps...)
 			}
 		} else {
+			// No default targets configured, just append source endpoints.
 			result = append(result, endpoints...)
 		}
 	}
@@ -60,6 +80,6 @@
 }
 
 // NewMultiSource creates a new multiSource.
-func NewMultiSource(children []Source, defaultTargets []string) Source {
-	return &multiSource{children: children, defaultTargets: defaultTargets}
+func NewMultiSource(children []Source, defaultTargets []string, forceDefaultTargets bool) Source {
+	return &multiSource{children: children, defaultTargets: defaultTargets, forceDefaultTargets: forceDefaultTargets}
 }
diff --git a/source/multisource_test.go b/source/multisource_test.go
@@ -89,7 +89,7 @@ func testMultiSourceEndpoints(t *testing.T) {
 			}
 
 			// Create our object under test and get the endpoints.
-			source := NewMultiSource(sources, nil)
+			source := NewMultiSource(sources, nil, false)
 
 			// Get endpoints from the source.
 			endpoints, err := source.Endpoints(context.Background())
@@ -116,7 +116,7 @@ func testMultiSourceEndpointsWithError(t *testing.T) {
 	src.On("Endpoints").Return(nil, errSomeError)
 
 	// Create our object under test and get the endpoints.
-	source := NewMultiSource([]Source{src}, nil)
+	source := NewMultiSource([]Source{src}, nil, false)
 
 	// Get endpoints from our source.
 	_, err := source.Endpoints(context.Background())
@@ -127,44 +127,144 @@ func testMultiSourceEndpointsWithError(t *testing.T) {
 }
 
 func testMultiSourceEndpointsDefaultTargets(t *testing.T) {
-	// Create the expected default targets
-	defaultTargetsA := []string{"127.0.0.1", "127.0.0.2"}
-	defaultTargetsAAAA := []string{"2001:db8::1"}
-	defaultTargetsCName := []string{"foo.example.org"}
-	defaultTargets := append(defaultTargetsA, defaultTargetsCName...)
-	defaultTargets = append(defaultTargets, defaultTargetsAAAA...)
-	labels := endpoint.Labels{"foo": "bar"}
-
-	// Create the expected endpoints
-	expectedEndpoints := []*endpoint.Endpoint{
-		{DNSName: "foo", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
-		{DNSName: "bar", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
-		{DNSName: "foo", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
-		{DNSName: "bar", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
-		{DNSName: "foo", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
-		{DNSName: "bar", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
-	}
-
-	// Create the source endpoints with different targets
-	sourceEndpoints := []*endpoint.Endpoint{
-		{DNSName: "foo", Targets: endpoint.Targets{"8.8.8.8"}, Labels: labels},
-		{DNSName: "bar", Targets: endpoint.Targets{"8.8.4.4"}, Labels: labels},
-	}
+	t.Run("Defaults applied when source targets are empty", func(t *testing.T) {
+		defaultTargetsA := []string{"127.0.0.1", "127.0.0.2"}
+		defaultTargetsAAAA := []string{"2001:db8::1"}
+		defaultTargetsCName := []string{"foo.example.org"}
+		defaultTargets := append(defaultTargetsA, defaultTargetsCName...)
+		defaultTargets = append(defaultTargets, defaultTargetsAAAA...)
+		labels := endpoint.Labels{"foo": "bar"}
+
+		// Endpoints FROM SOURCE has NO targets
+		sourceEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: endpoint.Targets{}, Labels: labels},
+			{DNSName: "bar", Targets: endpoint.Targets{}, Labels: labels},
+		}
+
+		// Expected endpoints SHOULD HAVE the default targets applied
+		expectedEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
+			{DNSName: "foo", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
+			{DNSName: "foo", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
+		}
+
+		src := new(testutils.MockSource)
+		src.On("Endpoints").Return(sourceEndpoints, nil)
+
+		// Test with forceDefaultTargets=false (default behavior)
+		source := NewMultiSource([]Source{src}, defaultTargets, false)
+
+		endpoints, err := source.Endpoints(context.Background())
+		require.NoError(t, err)
+
+		validateEndpoints(t, endpoints, expectedEndpoints)
+
+		src.AssertExpectations(t)
+	})
+
+	t.Run("Defaults NOT applied when source targets exist", func(t *testing.T) {
+		defaultTargets := []string{"127.0.0.1"} // Default target
+		labels := endpoint.Labels{"foo": "bar"}
+
+		// Endpoints FROM SOURCE HAS targets
+		sourceEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: endpoint.Targets{"8.8.8.8"}, Labels: labels},
+			{DNSName: "bar", Targets: endpoint.Targets{"8.8.4.4"}, Labels: labels},
+		}
+
+		// Expected endpoints SHOULD MATCH the source endpoints (defaults ignored)
+		expectedEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: endpoint.Targets{"8.8.8.8"}, Labels: labels},
+			{DNSName: "bar", Targets: endpoint.Targets{"8.8.4.4"}, Labels: labels},
+		}
+
+		src := new(testutils.MockSource)
+		src.On("Endpoints").Return(sourceEndpoints, nil)
+
+		// Test with forceDefaultTargets=false (default behavior)
+		source := NewMultiSource([]Source{src}, defaultTargets, false)
+
+		endpoints, err := source.Endpoints(context.Background())
+		require.NoError(t, err)
+
+		validateEndpoints(t, endpoints, expectedEndpoints)
+
+		src.AssertExpectations(t)
+	})
+
+	t.Run("Defaults forced when source targets exist and flag is set", func(t *testing.T) {
+		defaultTargetsA := []string{"127.0.0.1", "127.0.0.2"}
+		defaultTargetsAAAA := []string{"2001:db8::1"}
+		defaultTargetsCName := []string{"foo.example.org"}
+		defaultTargets := append(defaultTargetsA, defaultTargetsCName...)
+		defaultTargets = append(defaultTargets, defaultTargetsAAAA...)
+		labels := endpoint.Labels{"foo": "bar"}
+
+		// Endpoints FROM SOURCE HAS targets
+		sourceEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: endpoint.Targets{"8.8.8.8"}, Labels: labels},
+			{DNSName: "bar", Targets: endpoint.Targets{"8.8.4.4"}, Labels: labels},
+		}
+
+		// Expected endpoints SHOULD HAVE the default targets applied (old behavior)
+		expectedEndpoints := []*endpoint.Endpoint{
+			{DNSName: "foo", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
+			{DNSName: "foo", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
+			{DNSName: "foo", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
+			{DNSName: "bar", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
+		}
+
+		src := new(testutils.MockSource)
+		src.On("Endpoints").Return(sourceEndpoints, nil)
+
+		// Test with forceDefaultTargets=true (legacy behavior)
+		source := NewMultiSource([]Source{src}, defaultTargets, true)
+
+		endpoints, err := source.Endpoints(context.Background())
+		require.NoError(t, err)
+
+		validateEndpoints(t, endpoints, expectedEndpoints)
+
+		src.AssertExpectations(t)
+	})
+
+	t.Run("Defaults applied when source targets are empty and flag is set", func(t *testing.T) {
+		defaultTargetsA := []string{"127.0.0.1", "127.0.0.2"}
+		defaultTargetsAAAA := []string{"2001:db8::1"}
+		defaultTargetsCName := []string{"foo.example.org"}
+		defaultTargets := append(defaultTargetsA, defaultTargetsAAAA...)
+		defaultTargets = append(defaultTargets, defaultTargetsCName...)
+
+		labels := endpoint.Labels{"foo": "bar"}
+
+		// Endpoints FROM SOURCE has NO targets
+		sourceEndpoints := []*endpoint.Endpoint{
+			{DNSName: "empty-target-test", Targets: endpoint.Targets{}, Labels: labels},
+		}
 
-	// Create a mocked source returning source targets
-	src := new(testutils.MockSource)
-	src.On("Endpoints").Return(sourceEndpoints, nil)
+		// Expected endpoints SHOULD HAVE the default targets applied
+		expectedEndpoints := []*endpoint.Endpoint{
+			{DNSName: "empty-target-test", Targets: defaultTargetsA, RecordType: "A", Labels: labels},
+			{DNSName: "empty-target-test", Targets: defaultTargetsAAAA, RecordType: "AAAA", Labels: labels},
+			{DNSName: "empty-target-test", Targets: defaultTargetsCName, RecordType: "CNAME", Labels: labels},
+		}
 
-	// Create our object under test with non-empty defaultTargets and get the endpoints.
-	source := NewMultiSource([]Source{src}, defaultTargets)
+		src := new(testutils.MockSource)
+		src.On("Endpoints").Return(sourceEndpoints, nil)
 
-	// Get endpoints from our source.
-	endpoints, err := source.Endpoints(context.Background())
-	require.NoError(t, err)
+		// Test with forceDefaultTargets=true
+		source := NewMultiSource([]Source{src}, defaultTargets, true)
 
-	// Validate returned endpoints against desired endpoints.
-	validateEndpoints(t, endpoints, expectedEndpoints)
+		endpoints, err := source.Endpoints(context.Background())
+		require.NoError(t, err)
+
+		validateEndpoints(t, endpoints, expectedEndpoints)
 
-	// Validate that the nested sources were called.
-	src.AssertExpectations(t)
+		src.AssertExpectations(t)
+	})
 }