CloudFlare provider continuously recreates apex records

[BrianHicks]

What happened: I have external-dns configured to source from ingresses. This works wonderfully, and all the records get created. However, it updates records for the domain apexes on every run, saying that no hosted zone matches.

What you expected to happen: I expected that external-dns would not change any records that already exist and are in the correct state without filtering out apex-level A records.

How to reproduce it (as minimally and precisely as possible):

The minimum I can find is adding an annotation pointing to a bare domain, then running external-dns in the following configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  selector:
    matchLabels:
      app: external-dns
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      containers:
      - args:
        - --source=ingress
        - --provider=cloudflare
        - --cloudflare-proxied
        - --cloudflare-dns-records-per-page=5000
        - --log-level=trace
        env:
        - name: CF_API_TOKEN
          valueFrom:
            secretKeyRef:
              key: apiToken
              name: cloudflare-api-key-ae738f46
        image: registry.k8s.io/external-dns/external-dns:v0.14.2
        name: external-dns
      serviceAccount: external-dns

Each update cycle looks like this (changing my domain to be example.com, for clarity):

time="2024-09-03T18:51:11Z" level=debug msg="no zoneIDFilter configured, looking at all zones"                                                                                                                     time="2024-09-03T18:51:11Z" level=debug msg="Skipping record example.com because no hosted zone matching record DNS Name was detected"
time="2024-09-03T18:51:11Z" level=info msg="Changing record." action=UPDATE record=example.com ttl=1 type=A zone=a424b0c212d2d7999b56932ce53a77fb
time="2024-09-03T18:51:12Z" level=info msg="Changing record." action=UPDATE record=example.com ttl=1 type=A zone=a424b0c212d2d7999b56932ce53a77fb
time="2024-09-03T18:51:12Z" level=info msg="Changing record." action=UPDATE record=example.com ttl=1 type=A zone=a424b0c212d2d7999b56932ce53a77fb
time="2024-09-03T18:51:12Z" level=info msg="Changing record." action=UPDATE record=example.com ttl=1 type=TXT zone=a424b0c212d2d7999b56932ce53a77fb

(Worth noting that I do expect to have three IPs for each name; that's fine.)

Anything else we need to know?: Nope, I don't think so!

Environment:

• External-DNS version (use external-dns --version): 0.14.2
• DNS provider: CloudFlare

[darren-recentive]

I've been around this repository long enough and this crops up time-to-time :)
If you're utilizing ingress-nginx there's a known bug, this might help #3799 (comment)

If you don't already, I'd set a Deployment strategy to avoid duplicate Pods or switch to ReplicaSet.

[BrianHicks]

Ah, no, I’m using Traefik. Good to know, though!

[BrianHicks]

oh, that second part of your comment didn't come in the email. Where would you recommend setting that configuration?

[darren-recentive]

oh, that second part of your comment didn't come in the email. Where would you recommend setting that configuration?

Set the Deployment strategy to Recreate to avoid duplicate Pods, see this repositories' helm chart configuration for example.

[BrianHicks]

oh, I see. It's already set to that. This doesn't seem to be a Kubernetes object thing, but the behavior of external-dns within the pod.

[darren-recentive]

oh, I see. It's already set to that. This doesn't seem to be a Kubernetes object thing, but the behavior of external-dns within the pod.

That's 1 less thing to worry about.
Now I had presumed you were utilizing ingress-nginx, but you're utilizing traefik - is it this Helm chart perhaps https://github.com/traefik/traefik-helm-chart?

Some findings that may be helpful:

• Traefik documentation regarding configuring IngressEndpoint with publishedService
• Relevant external-dns GH issue that recommends setting --txt-cache-interval
• Another relevant external-dns GH Issue discussion seems to have identified a potential root cause relating to format and reconciliation of TXT records, this PR tries to fix this New txt registry format #3774

relevant in that both Issue Authors are using traefik for their Ingress Controllers and are seeing similar symptoms of recreated A records.

I'm not utilizing traefik or enternal-dns for managing A records, so I can't reproduce, hope this helps though! :)