feat: resolve load balancer hostname to A/AAAA records

Author: Apoorva64

docs/annotations/annotations.md

@@ -299,6 +299,52 @@ spec:
 
 > ExternalDNS will create an internal DNS record for `my-pod.internal.example.com` targeting the Pod `Status.PodIP`.
 
+## external-dns.alpha.kubernetes.io/resolve-target
+
+Controls whether load balancer hostname targets when they are CNAME records. When the annotation is set to `"true"` the CNAME records are resolved to their underlying
+A/AAAA records at sync time, ExternalDNS performs a DNS lookup for each hostname target and emits the
+resulting IP addresses as A and/or AAAA endpoints. If resolution fails (e.g. the hostname is
+temporarily unresolvable), that target is silently skipped.
+
+This is useful when a DNS provider does not support CNAME flattening
+or ALIAS records and a flat IP address record is required.
+
+### Use Cases for `external-dns.alpha.kubernetes.io/resolve-target` annotation
+
+#### Opt in to resolution for a single Source
+
+Resolve load balancer hostnames to IPs for one Ingress:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: test-ingress
+  namespace: default
+  annotations:
+    external-dns.alpha.kubernetes.io/resolve-target: "true"
+spec:
+  rules:
+    - host: svc.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: my-service
+                port:
+                  number: 80
+status:
+  loadBalancer:
+    ingress:
+      - hostname: example.com
+```
+
+> ExternalDNS will resolve the Ingress load balancer hostname and publish A/AAAA records instead of a CNAME.
+Let's take an example, "example.com" CNAME resolves to A record "104.20.23.154" and AAAA record "2606:4700:10::ac42:93f3".
+ExternalDNS will create an A record for "svc.example.com" with target "104.20.23.154" and an AAAA record for "svc.example.com" with target "2606:4700:10::ac42:93f3".
+
 ## external-dns.alpha.kubernetes.io/target
 
 Specifies a comma-separated list of values to override the resource's DNS record targets (RDATA).
@@ -420,9 +466,9 @@ spec:
 ## Gateway API Annotation Placement
 
 When using Gateway API sources (`gateway-httproute`, `gateway-grpcroute`, `gateway-tlsroute`, etc.), annotations
-are read from different resources: **Gateway resource** reads only `target` annotation, while **Route resources**
-(HTTPRoute, GRPCRoute, TLSRoute, etc.) read all other annotations (`hostname`, `ttl`, `controller`, and
-provider-specific annotations like `cloudflare-*`, `aws-*`, `scw-*`).
+are read from different resources: **Gateway resource** reads only the `target` annotation, while **Route resources**
+(HTTPRoute, GRPCRoute, TLSRoute, etc.) read all other annotations (`hostname`, `ttl`, `controller`,
+`resolve-target`, and provider-specific annotations like `cloudflare-*`, `aws-*`, `scw-*`).
 
 **ListenerSet resources** also support the `target` annotation. When a Route references a ListenerSet
 as its parent, the ListenerSet's target annotation takes precedence over the parent Gateway's target annotation.

docs/contributing/source-wrappers.md

@@ -29,6 +29,7 @@ Wrappers solve these key challenges:
 |:--------------------:|:----------------------------------------|:----------------------------------------------------|
 |    `MultiSource`     | Combine multiple sources.               | Aggregate `Ingress`, `Service`, etc.                |
 |    `DedupSource`     | Remove duplicate DNS records.           | Avoid duplicate records from sources.               |
+|   `ResolveTarget`    | Resolve CNAME targets to A/AAAA values. | Source hostnames into IP records.                   |
 | `TargetFilterSource` | Include/exclude targets based on CIDRs. | Exclude internal IPs.                               |
 |    `NAT64Source`     | Add NAT64-prefixed AAAA records.        | Support IPv6 with NAT64.                            |
 |   `PostProcessor`    | Add records post-processing.            | Configure TTL, filter provider-specific properties. |
@@ -57,6 +58,12 @@ Converts IPv4 targets to IPv6 using NAT64 prefixes.
 --nat64-prefix=64:ff9b::/96
 ```
 
+### 2.2 `ResolveTarget`
+
+Resolves `CNAME` targets to concrete IP targets when the endpoint has the `resolve-target` provider-specific property set to `true`. If all target resolutions fail, the endpoint is skipped.
+
+📌 **Use case**: A Service or Gateway exposes a load balancer hostname (for example, `xxx.elb.amazonaws.com`), but the desired DNS output should be `A`/`AAAA` records rather than a `CNAME`.
+
 ### 3.1 `PostProcessor`
 
 Applies post-processing to all endpoints after they are collected from sources.
@@ -116,6 +123,7 @@ Wrappers are often composed like this:
 ```go
 source := NewMultiSource(actualSources, defaultTargets)
 source = NewDedupSource(source)
+source = NewResolveTarget(source)
 source = NewNAT64Source(source, cfg.NAT64Networks)
 source = NewTargetFilterSource(source, targetFilter)
 source = NewPostProcessor(source, WithTTL(minTTL), WithPostProcessorPreferAlias(preferAlias))

endpoint/endpoint.go

@@ -313,6 +313,26 @@ func (e *Endpoint) WithSetIdentifier(setIdentifier string) *Endpoint {
 	return e
 }
 
+// WithTargets returns a shallow copy of the endpoint with only Targets and RecordType replaced.
+// The RecordType is derived from the first target using SuitableType.
+// All other fields remain intact (shared with the original endpoint).
+func (e *Endpoint) WithTargets(targets Targets) *Endpoint {
+	recordType := e.RecordType
+	if len(targets) > 0 {
+		recordType = SuitableType(targets[0])
+	}
+	return &Endpoint{
+		DNSName:          e.DNSName,
+		Targets:          targets,
+		RecordType:       recordType,
+		SetIdentifier:    e.SetIdentifier,
+		RecordTTL:        e.RecordTTL,
+		Labels:           e.Labels,
+		ProviderSpecific: e.ProviderSpecific,
+		refObject:        e.refObject,
+	}
+}
+
 // WithProviderSpecific attaches a key/value pair to the Endpoint and returns the Endpoint.
 // This can be used to pass additional data through the stages of ExternalDNS's Endpoint processing.
 // The assumption is that most of the time this will be provider specific metadata that doesn't

endpoint/endpoint_test.go

@@ -201,6 +201,43 @@ func TestEndpoint_WithLabel(t *testing.T) {
 	})
 }
 
+func TestEndpoint_WithTargets(t *testing.T) {
+	t.Run("non-empty targets derives record type from first target and preserves other fields", func(t *testing.T) {
+		labels := Labels{"owner": "team-a"}
+		providerSpecific := ProviderSpecific{{Name: "foo", Value: "bar"}}
+		ref := &events.ObjectReference{Kind: "Service", Name: "svc-1", Namespace: "default"}
+
+		ep := &Endpoint{
+			DNSName:          "example.com",
+			Targets:          Targets{"old.example.net"},
+			RecordType:       RecordTypeCNAME,
+			SetIdentifier:    "set-1",
+			RecordTTL:        TTL(300),
+			Labels:           labels,
+			ProviderSpecific: providerSpecific,
+			refObject:        ref,
+		}
+
+		newTargets := Targets{"1.2.3.4", "example.net"}
+		got := ep.WithTargets(newTargets)
+
+		require.NotNil(t, got)
+		assert.NotSame(t, ep, got)
+		assert.Equal(t, "example.com", got.DNSName)
+		assert.Equal(t, newTargets, got.Targets)
+		assert.Equal(t, RecordTypeA, got.RecordType)
+		assert.Equal(t, "set-1", got.SetIdentifier)
+		assert.Equal(t, TTL(300), got.RecordTTL)
+		assert.Equal(t, labels, got.Labels)
+		assert.Equal(t, providerSpecific, got.ProviderSpecific)
+		assert.Equal(t, ref, got.refObject)
+
+		// Original endpoint remains unchanged.
+		assert.Equal(t, Targets{"old.example.net"}, ep.Targets)
+		assert.Equal(t, RecordTypeCNAME, ep.RecordType)
+	})
+}
+
 func TestSame_ParseErrorLogged(t *testing.T) {
 	hook := logtest.LogsUnderTestWithLogLevel(log.DebugLevel, t)
 

source/annotations/annotations.go

@@ -70,6 +70,9 @@ var (
 	InternalHostnameKey = AnnotationKeyPrefix + "internal-hostname"
 	// The annotation used for defining the desired hostname source for gateways
 	GatewayHostnameSourceKey = AnnotationKeyPrefix + "gateway-hostname-source"
+	// ResolveTargetKey is the per-resource annotation that controls whether
+	// the resolveTarget Wrapper should resolve the LoadBalancer hostname to IP addresses
+	ResolveTargetKey = AnnotationKeyPrefix + "resolve-target"
 )
 
 // SetAnnotationPrefix sets a custom annotation prefix and rebuilds all annotation keys.
@@ -109,4 +112,5 @@ func SetAnnotationPrefix(prefix string) {
 	IngressHostnameSourceKey = AnnotationKeyPrefix + "ingress-hostname-source"
 	InternalHostnameKey = AnnotationKeyPrefix + "internal-hostname"
 	GatewayHostnameSourceKey = AnnotationKeyPrefix + "gateway-hostname-source"
+	ResolveTargetKey = AnnotationKeyPrefix + "resolve-target"
 }

source/annotations/annotations_test.go

@@ -51,6 +51,7 @@ func TestSetAnnotationPrefix(t *testing.T) {
 	assert.Equal(t, "custom.io/endpoints-type", EndpointsTypeKey)
 	assert.Equal(t, "custom.io/ingress", Ingress)
 	assert.Equal(t, "custom.io/ingress-hostname-source", IngressHostnameSourceKey)
+	assert.Equal(t, "custom.io/resolve-target", ResolveTargetKey)
 
 	// ControllerValue should remain constant
 	assert.Equal(t, "dns-controller", ControllerValue)

source/annotations/provider_specific.go

@@ -100,5 +100,11 @@ func ProviderSpecificAnnotations(annotations map[string]string) (endpoint.Provid
 			}
 		}
 	}
+	if v, ok := annotations[ResolveTargetKey]; ok {
+		providerSpecificAnnotations = append(providerSpecificAnnotations, endpoint.ProviderSpecificProperty{
+			Name:  "resolve-target",
+			Value: v,
+		})
+	}
 	return providerSpecificAnnotations, setIdentifier
 }

source/annotations/provider_specific_test.go

@@ -121,6 +121,22 @@ func TestProviderSpecificAnnotations(t *testing.T) {
 			},
 			setIdentifier: "",
 		},
+		{
+			name: "resolve-target annotation",
+			annotations: map[string]string{
+				ResolveTargetKey: "true",
+			},
+			expected: endpoint.ProviderSpecific{
+				{Name: "resolve-target", Value: "true"},
+			},
+			setIdentifier: "",
+		},
+		{
+			name:          "resolve-target annotation absent",
+			annotations:   map[string]string{},
+			expected:      endpoint.ProviderSpecific{},
+			setIdentifier: "",
+		},
 	}
 
 	for _, tt := range tests {

source/wrappers/build.go

@@ -25,7 +25,8 @@ import (
 // Build creates all named sources using cfg's ClientGenerator and wraps them
 // with the standard pipeline (dedup, optional NAT64, optional target filter,
 // post-processor). Inject a custom ClientGenerator via source.WithClientGenerator.
-func Build(ctx context.Context, cfg *source.Config) (source.Source, error) {
+// Additional Options can be passed to customize the wrapper behavior (e.g., custom lookupIP).
+func Build(ctx context.Context, cfg *source.Config, extraOpts ...Option) (source.Source, error) {
 	sources, err := source.ByNames(ctx, cfg, cfg.ClientGenerator())
 	if err != nil {
 		return nil, err
@@ -42,5 +43,9 @@ func Build(ctx context.Context, cfg *source.Config) (source.Source, error) {
 		WithPTRSupported(cfg.PTRSupported),
 		WithCreatePTR(cfg.CreatePTR),
 	)
+	// Apply any extra options passed by the caller.
+	for _, opt := range extraOpts {
+		opt(opts)
+	}
 	return wrapSources(sources, opts)
 }

source/wrappers/build_test.go

@@ -104,3 +104,11 @@ func TestBuildWrappedSource(t *testing.T) {
 		})
 	}
 }
+
+func TestBuildAppliesExtraOptions(t *testing.T) {
+	cfg := stubConfig(t, &externaldns.Config{Sources: []string{types.Fake}})
+
+	_, err := Build(t.Context(), cfg, WithNAT64Networks([]string{"not-a-cidr"}))
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to create NAT64 source wrapper")
+}