feat(annotations): Support multiple annotation prefixes

[vflaux]

What does it do ?

This PR adds support for multiple annotation prefixes, with transparent normalization to a single internal prefix.

Key changes:

• Replaces single --annotation-prefix handling with multi-value support (repeatable flag).
• Introduces annotation prefix list in config (primary prefix + additional accepted prefixes).
• Adds normalization logic so annotations using extra prefixes (including legacy alpha) are resolved to the primary prefix before source processing.
• Keeps conflict handling deterministic: if both primary and extra-prefixed keys exist, the primary-prefixed value wins.
• Wires normalization through informer transforms so supported sources consume consistent annotation keys.
• Updates validation to enforce that all configured prefixes are non-empty and end with /.
• Updates flag documentation.

Motivation

This PR improves backward compatibility and migration ergonomics to the new GA annotation prefix introduced in #6424 by allowing external-dns to accept multiple prefixes while processing them consistently as one canonical prefix.

More

• Yes, this PR title follows Conventional Commits
• Yes, I added unit tests
• Yes, I updated end user documentation accordingly

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mloiseleur for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coveralls]

Coverage Report for CI Build 26315605530

Coverage increased (+0.09%) to 80.707%

Details

• Coverage increased (+0.09%) from the base build.
• Patch coverage: No coverable lines changed in this PR.
• 346 coverage regressions across 10 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

346 previously-covered lines in 10 files lost coverage.

File	Lines Losing Coverage	Coverage
traefik_proxy.go	107	68.02%
gateway.go	69	86.86%
kong_tcpingress.go	55	49.54%
execute.go	21	74.5%
ambassador_host.go	18	84.25%
openshift_route.go	17	83.59%
contour_httpproxy.go	16	84.44%
f5_transportserver.go	16	79.79%
f5_virtualserver.go	16	80.81%
informers/transformers.go	11	88.42%

---

Coverage Stats

Relevant Lines:	21500
Covered Lines:	17352
Line Coverage:	80.71%
Coverage Strength:	1446.33 hits per line

---

💛 - Coveralls

[vflaux]

Tests

Flags

--source=ingress
--provider=aws

Manifests

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-conflict
  namespace: test
  annotations:
    external-dns.alpha.kubernetes.io/target: "1.1.1.1"
    external-dns.kubernetes.io/target: "1.1.1.2"
spec:
  rules:
  - host: test-conflict.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-alpha
  namespace: test
  annotations:
    external-dns.alpha.kubernetes.io/target: "1.1.1.1"
spec:
  rules:
  - host: test-alpha.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80

Results

$ aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/xxx --query 'ResourceRecordSets[?Name==`test-conflict.example.com.`]'
[
    {
        "Name": "test-conflict.example.com.",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [
            {
                "Value": "1.1.1.2"
            }
        ]
    }
]
$ aws route53 list-resource-record-sets --hosted-zone-id /hostedzone/xxx --query 'ResourceRecordSets[?Name==`test-alpha.example.com.`]'
[
    {
        "Name": "test-conflict.example.com.",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [
            {
                "Value": "1.1.1.1"
            }
        ]
    }
]

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ivankatliarchuk]

Dual-prefix lookup creates undefined behavior. When a resource has BOTH external-dns.alpha.kubernetes.io/hostname: a.example.com AND external-dns.kubernetes.io/hostname: b.example.com (which is possible mid-migration), which value wins? The "first wins" fallback is arbitrary and silent. We now have one more failure mode.

We now have to maintain dual-prefix semantics, test every annotation in two modes, and reason about it in every bug report - indefinitely. Flags added for "temporary migration" in infrastructure tools routinely survive for years. The migration window you're designing for becomes permanent operational complexity.

Annotation migration is one off operation. It should not be part of a controller