feat(pdns): support GetDomainFilter interface

[clwluvw]

What does it do ?

Overrides GetDomainFilter() for PDNSProvider to return real domain filters. before it was returning empty as of the BaseProvider struct.

Motivation

From #6232 (comment)

More

• Yes, this PR title follows Conventional Commits
• Yes, I added unit tests
• Yes, I updated end user documentation accordingly

[k8s-ci-robot]

Hi @clwluvw. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[vflaux]

/ok-to-test

[clwluvw]

Should we remove domainFilter from PDNSAPIClient{} as well and pass it from PDNSProvider to PartitionZones()?

[ivankatliarchuk]

Should we remove domainFilter from PDNSAPIClient{} as well and pass it from PDNSProvider to PartitionZones()?

Most likely yes.

I'm not too sure about the state of this PR. Adding this

func (p *PDNSProvider) GetDomainFilter() endpoint.DomainFilterInterface {
	return p.domainFilter
}

What capabilities we are getting? Have you executed a code against a cluster, what is the gain?

[ivankatliarchuk]

Have a look at this PR #6249. It contains contributor guidlines related to provider domainfilters and blueprints

[ivankatliarchuk]

Worth to execute against infrastructure, add unit tests, and review if case is missing add unit test(s) here too https://github.com/kubernetes-sigs/external-dns/blob/master/endpoint/domain_filter_test.go

Provider manages a.com, b.com. User sets --domain-filter=c.com.

With a dynamic GetDomainFilter() the plan sees:

  MatchAllDomainFilters{
      c.com,
      [a.com, .a.com, b.com, .b.com],
  }

Nothing satisfies both - the plan is empty, the controller does nothing. That is the correct and safe outcome.

When GetDomainFilter() returns &endpoint.DomainFilter{}, the plan sees:

  MatchAllDomainFilters{
      c.com,
      <empty>,   // matches everything — silently fell open
  }

The controller proceeds to reconcile c.com against a provider that may not manage it at all. It's not catastrophic — Records() will return nothing for c.com — but it's a silent fail-open that can cause confusion.

[clwluvw]

@ivankatliarchuk - Could take another look? i hope i get it right.

[coveralls]

Pull Request Test Coverage Report for Build 22730895426

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• 45 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.02%) to 79.183%

---

Files with Coverage Reduction	New Missed Lines	%
pdns/pdns.go	45	72.9%

Totals
Change from base Build 22540459008:	0.02%
Covered Lines:	16071
Relevant Lines:	20296

---

💛 - Coveralls

[ivankatliarchuk]

Could you as well share results of smoke test, similar to #5085 (comment)

[clwluvw]

Could you as well share results of smoke test, similar to #5085 (comment)

@ivankatliarchuk - Is there a reason why we don't have e2e tests in the project for such cases?

[ivankatliarchuk]

Resources infra + plus maintainers time we all just volunteers here. We slowly adding end-2-end tests but for coredns #6162. The project owners decided while back to move providers out of tree, due to maintenance complexity of providers reasons.

So at the moment unit test coverage + smoke tests evidences, this is what we rely on. Not ideal, but better then nothing.

[ivankatliarchuk]

Pull Request Test Coverage Report for Build 22730895426

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• 45 unchanged lines in 1 file lost coverage.
• Overall coverage increased (+0.02%) to 79.183%

Files with Coverage Reduction New Missed Lines %
pdns/pdns.go 45 72.9%
Totals
Change from base Build 22540459008: 0.02%
Covered Lines: 16071
Relevant Lines: 20296

💛 - Coveralls

Could you have a look. The code coverage shows new missing lines

[clwluvw]

Could you have a look. The code coverage shows new missing lines

@ivankatliarchuk - Hmm, that is weird. in my coverage report, everything misses are unrelated to the changes here:
coverage.html

[clwluvw]

Could you as well share results of smoke test, similar to #5085 (comment)

Tested with this script and tests are passing: e2e.sh

[INFO] === ExternalDNS logs ===
time="2026-03-05T19:21:42Z" level=debug msg="Records fetched:\n[a-app.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] app.example.local 300 IN A  192.168.1.10 [] a-api.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] api.example.local 300 IN A  192.168.1.20 [] example.local 3600 IN SOA  ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600 [] example.local 3600 IN NS  ns1.example.local []]"
time="2026-03-05T19:21:42Z" level=debug msg="dedupSource: collecting endpoints and removing duplicates"
time="2026-03-05T19:21:42Z" level=debug msg="multiSource: collecting endpoints from 3 child sources and removing duplicates"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/default/kubernetes'"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/external-dns/external-dns'"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller'"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller-admission'"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/kube-system/kube-dns'"
time="2026-03-05T19:21:42Z" level=debug msg="No endpoints could be generated from 'service/powerdns/powerdns'"
time="2026-03-05T19:21:42Z" level=debug msg="ignoring record app.other.local that does not match domain filter"
time="2026-03-05T19:21:42Z" level=debug msg="ignoring record api.other.local that does not match domain filter"
time="2026-03-05T19:21:42Z" level=info msg="All records are already up to date"
time="2026-03-05T19:21:52Z" level=debug msg="Records fetched:\n[a-app.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] app.example.local 300 IN A  192.168.1.10 [] a-api.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] api.example.local 300 IN A  192.168.1.20 [] example.local 3600 IN SOA  ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600 [] example.local 3600 IN NS  ns1.example.local []]"
time="2026-03-05T19:21:52Z" level=debug msg="dedupSource: collecting endpoints and removing duplicates"
time="2026-03-05T19:21:52Z" level=debug msg="multiSource: collecting endpoints from 3 child sources and removing duplicates"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller-admission'"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/kube-system/kube-dns'"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/powerdns/powerdns'"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/default/kubernetes'"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/external-dns/external-dns'"
time="2026-03-05T19:21:52Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller'"
time="2026-03-05T19:21:52Z" level=debug msg="ignoring record app.other.local that does not match domain filter"
time="2026-03-05T19:21:52Z" level=debug msg="ignoring record api.other.local that does not match domain filter"
time="2026-03-05T19:21:52Z" level=info msg="All records are already up to date"
time="2026-03-05T19:22:03Z" level=debug msg="Records fetched:\n[a-app.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] app.example.local 300 IN A  192.168.1.10 [] a-api.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] api.example.local 300 IN A  192.168.1.20 [] example.local 3600 IN SOA  ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600 [] example.local 3600 IN NS  ns1.example.local []]"
time="2026-03-05T19:22:03Z" level=debug msg="dedupSource: collecting endpoints and removing duplicates"
time="2026-03-05T19:22:03Z" level=debug msg="multiSource: collecting endpoints from 3 child sources and removing duplicates"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/powerdns/powerdns'"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/default/kubernetes'"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/external-dns/external-dns'"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller'"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller-admission'"
time="2026-03-05T19:22:03Z" level=debug msg="No endpoints could be generated from 'service/kube-system/kube-dns'"
time="2026-03-05T19:22:03Z" level=debug msg="ignoring record app.other.local that does not match domain filter"
time="2026-03-05T19:22:03Z" level=debug msg="ignoring record api.other.local that does not match domain filter"
time="2026-03-05T19:22:03Z" level=info msg="All records are already up to date"
time="2026-03-05T19:22:13Z" level=debug msg="Records fetched:\n[a-app.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] app.example.local 300 IN A  192.168.1.10 [] a-api.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] api.example.local 300 IN A  192.168.1.20 [] example.local 3600 IN SOA  ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600 [] example.local 3600 IN NS  ns1.example.local []]"
time="2026-03-05T19:22:13Z" level=debug msg="dedupSource: collecting endpoints and removing duplicates"
time="2026-03-05T19:22:13Z" level=debug msg="multiSource: collecting endpoints from 3 child sources and removing duplicates"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/default/kubernetes'"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/external-dns/external-dns'"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller'"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller-admission'"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/kube-system/kube-dns'"
time="2026-03-05T19:22:13Z" level=debug msg="No endpoints could be generated from 'service/powerdns/powerdns'"
time="2026-03-05T19:22:13Z" level=debug msg="ignoring record app.other.local that does not match domain filter"
time="2026-03-05T19:22:13Z" level=debug msg="ignoring record api.other.local that does not match domain filter"
time="2026-03-05T19:22:13Z" level=info msg="All records are already up to date"
time="2026-03-05T19:22:24Z" level=debug msg="Records fetched:\n[a-app.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] app.example.local 300 IN A  192.168.1.10 [] a-api.example.local 300 IN TXT  \"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\" [] api.example.local 300 IN A  192.168.1.20 [] example.local 3600 IN SOA  ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600 [] example.local 3600 IN NS  ns1.example.local []]"
time="2026-03-05T19:22:24Z" level=debug msg="dedupSource: collecting endpoints and removing duplicates"
time="2026-03-05T19:22:24Z" level=debug msg="multiSource: collecting endpoints from 3 child sources and removing duplicates"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/kube-system/kube-dns'"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/powerdns/powerdns'"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/default/kubernetes'"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/external-dns/external-dns'"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller'"
time="2026-03-05T19:22:24Z" level=debug msg="No endpoints could be generated from 'service/ingress-nginx/ingress-nginx-controller-admission'"
time="2026-03-05T19:22:24Z" level=debug msg="ignoring record app.other.local that does not match domain filter"
time="2026-03-05T19:22:24Z" level=debug msg="ignoring record api.other.local that does not match domain filter"
time="2026-03-05T19:22:24Z" level=info msg="All records are already up to date"

[INFO] === Querying PowerDNS API for records ===
Forwarding from 127.0.0.1:8081 -> 8081
Forwarding from [::1]:8081 -> 8081

[INFO] --- Forward zone: example.local (filtered — expect A + TXT records) ---
Handling connection for 8081
{
    "account": "",
    "api_rectify": false,
    "catalog": "",
    "dnssec": false,
    "edited_serial": 2026030502,
    "id": "example.local.",
    "kind": "Native",
    "last_check": 0,
    "master_tsig_key_ids": [],
    "masters": [],
    "name": "example.local.",
    "notified_serial": 0,
    "nsec3narrow": false,
    "nsec3param": "",
    "rrsets": [
        {
            "comments": [],
            "name": "a-app.example.local.",
            "records": [
                {
                    "content": "\"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\"",
                    "disabled": false
                }
            ],
            "ttl": 300,
            "type": "TXT"
        },
        {
            "comments": [],
            "name": "app.example.local.",
            "records": [
                {
                    "content": "192.168.1.10",
                    "disabled": false
                }
            ],
            "ttl": 300,
            "type": "A"
        },
        {
            "comments": [],
            "name": "a-api.example.local.",
            "records": [
                {
                    "content": "\"heritage=external-dns,external-dns/owner=external-dns,external-dns/resource=crd/default/test-domain-a\"",
                    "disabled": false
                }
            ],
            "ttl": 300,
            "type": "TXT"
        },
        {
            "comments": [],
            "name": "api.example.local.",
            "records": [
                {
                    "content": "192.168.1.20",
                    "disabled": false
                }
            ],
            "ttl": 300,
            "type": "A"
        },
        {
            "comments": [],
            "name": "example.local.",
            "records": [
                {
                    "content": "ns1.example.local. hostmaster.example.local. 2026030501 10800 3600 604800 3600",
                    "disabled": false
                }
            ],
            "ttl": 3600,
            "type": "SOA"
        },
        {
            "comments": [],
            "name": "example.local.",
            "records": [
                {
                    "content": "ns1.example.local.",
                    "disabled": false
                }
            ],
            "ttl": 3600,
            "type": "NS"
        }
    ],
    "serial": 2026030501,
    "slave_tsig_key_ids": [],
    "soa_edit": "",
    "soa_edit_api": "DEFAULT",
    "url": "/api/v1/servers/localhost/zones/example.local."
}

[INFO] --- Forward zone: other.local (NOT filtered — expect NO extra records) ---
Handling connection for 8081
{
    "account": "",
    "api_rectify": false,
    "catalog": "",
    "dnssec": false,
    "edited_serial": 2026030501,
    "id": "other.local.",
    "kind": "Native",
    "last_check": 0,
    "master_tsig_key_ids": [],
    "masters": [],
    "name": "other.local.",
    "notified_serial": 0,
    "nsec3narrow": false,
    "nsec3param": "",
    "rrsets": [
        {
            "comments": [],
            "name": "other.local.",
            "records": [
                {
                    "content": "ns1.example.local. hostmaster.example.local. 0 10800 3600 604800 3600",
                    "disabled": false
                }
            ],
            "ttl": 3600,
            "type": "SOA"
        },
        {
            "comments": [],
            "name": "other.local.",
            "records": [
                {
                    "content": "ns1.other.local.",
                    "disabled": false
                }
            ],
            "ttl": 3600,
            "type": "NS"
        }
    ],
    "serial": 0,
    "slave_tsig_key_ids": [],
    "soa_edit": "",
    "soa_edit_api": "DEFAULT",
    "url": "/api/v1/servers/localhost/zones/other.local."
}

[INFO] =============================================
[INFO]  PR #6234 Test Results: GetDomainFilter
[INFO] =============================================

[PASS] app.example.local A record exists in zone example.local
[PASS] api.example.local A record exists in zone example.local
[PASS] app.other.local A record correctly absent from zone other.local
[PASS] api.other.local A record correctly absent from zone other.local

[INFO] =============================================
[INFO]  Results: 4 passed, 0 failed
[INFO] =============================================
[INFO] All tests passed!

[ivankatliarchuk]

How to view your fixtures without downloading them ;-). Sry I do not trust random scripts on internet, and have no sandbox to hand.

I'll try to review over weekend once again.

[clwluvw]

@ivankatliarchuk - Please take a look at https://pastes.io/usrbinenv-52981

[clwluvw]

also accessible via https://gist.github.com/clwluvw/33c72331ea33d53cda8befe81dd93a6d

[ivankatliarchuk]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ivankatliarchuk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ivankatliarchuk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ivankatliarchuk]

I did no know that powerdns could run in kind/minikube. In regards e2e for powerdns it is possible. But most of the provider do require infrastructure and resources. If you want, 100% code coverage, then tutorial similar to #6048 and you could create e2e framework for powerdns, but this will require project owners review.