gateway-httproute endpoint generated but Azure Private DNS record is never created #6467

@Frans-Calvi

What happened?

ExternalDNS discovers Gateway API HTTPRoutes and generates endpoints correctly, but never creates missing records in Azure Private DNS.

A test HTTPRoute was created with:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: external-dns-test
  namespace: odidob2b-calvi-apps-acc
spec:
  parentRefs:
    - name: gateway
      namespace: istio-gateway
  hostnames:
    - external-dns-test.calvi-internal.com
  rules:
    - backendRefs:
        - name: portal-4
          port: 80

The route is accepted by the Gateway controller:

Accepted=True

ExternalDNS generates the endpoint:

Endpoints generated from HTTPRoute odidob2b-calvi-apps-acc/external-dns-test:
[external-dns-test.calvi-internal.com 0 IN A 10.117.0.46 []]

However, ExternalDNS immediately reports:

All records are already up to date

No A record is created in Azure Private DNS.

Verification:

az network private-dns record-set a show `
  --resource-group calvi-platform-euw-rg `
  --zone-name calvi-internal.com `
  --name external-dns-test

returns:

NotFound

No CREATE, UPDATE, DELETE, plan or desired-change log messages are produced.

What you expected to happen?

ExternalDNS should create:

external-dns-test.calvi-internal.com -> 10.117.0.46

in Azure Private DNS.

How to reproduce it (as minimally and precisely as possible)?

  1. Deploy ExternalDNS v0.21.0.

  2. Configure:

    --source=gateway-httproute
    --provider=azure-private-dns
    --policy=sync
    --registry=noop
    --gateway-namespace=istio-gateway
    --domain-filter=calvi-internal.com
    
  3. Create an HTTPRoute with hostname:

    external-dns-test.calvi-internal.com
    
  4. Wait for ExternalDNS reconciliation.

  5. Observe:

    Endpoints generated from HTTPRoute ...
    All records are already up to date
    
  6. Verify that the Azure Private DNS record does not exist.

Anything else we need to know?

The following have been verified:

  • HTTPRoute is Accepted=True.

  • Gateway is programmed and healthy.

  • ExternalDNS can list HTTPRoutes.

  • ExternalDNS can list Gateways.

  • Azure Private DNS records are successfully read.

  • Domain filter matches.

  • Azure zone, subscription and resource group are correct.

  • No annotation-filter configured.

  • No label-filter configured.

  • Behaviour is identical for newly created hostnames.

  • Searching logs for:

    plan
    desired
    create
    update
    delete
    

    returns no planner/write operations.

RBAC checks:

kubectl auth can-i list httproutes.gateway.networking.k8s.io -A \
--as=system:serviceaccount:external-dns:calvi-external-dns

yes
kubectl auth can-i list gateways.gateway.networking.k8s.io -A \
--as=system:serviceaccount:external-dns:calvi-external-dns

yes

Environment

ExternalDNS version:

v0.21.0

Provider:

azure-private-dns

Arguments:

--log-level=debug
--log-format=text
--interval=1m
--events
--source=gateway-httproute
--policy=sync
--registry=noop
--gateway-namespace=istio-gateway
--domain-filter=calvi-internal.com
--provider=azure-private-dns
--azure-resource-group=calvi-platform-euw-rg
--azure-subscription-id=<redacted>
--managed-record-types=A,CNAME

Platform:

AKS
Azure Workload Identity
Azure Private DNS
Gateway API HTTPRoute source
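
An added example, not part of the original issue and not ExternalDNS code: a Python check that compares the endpoints ExternalDNS logged with the A record sets actually present in the zone, and flags the state reported above, where a record is missing while the log says everything is up to date. It assumes the debug-log endpoint format quoted in the issue and the JSON shape of `az network private-dns record-set a list -o json`; the function names and the zone listing are constructed for illustration.

```python
import json
import re

# Debug-log endpoint format shown in the issue: [<fqdn> <ttl> IN A <target> []]
ENDPOINT_RE = re.compile(r"\[?([^\s\[\]]+)\s+\d+\s+IN\s+A\s+([^\s\[\]]+)\s+\[\]")
UP_TO_DATE = "All records are already up to date"

# Log lines quoted from the issue.
SAMPLE_LOG = """\
Endpoints generated from HTTPRoute odidob2b-calvi-apps-acc/external-dns-test:
[external-dns-test.calvi-internal.com 0 IN A 10.117.0.46 []]
All records are already up to date
"""
# Constructed zone listing: one unrelated record, the test record absent.
SAMPLE_AZ = json.dumps([{
    "name": "existing-app",
    "fqdn": "existing-app.calvi-internal.com.",
    "aRecords": [{"ipv4Address": "10.117.0.10"}],
}])

def desired_from_log(log_text):
    """Return {fqdn: set(ips)} for every A endpoint the source generated."""
    desired = {}
    for name, targets in ENDPOINT_RE.findall(log_text):
        # Assumption: multiple targets are joined with ';' in the log line.
        desired.setdefault(name.rstrip(".").lower(), set()).update(targets.split(";"))
    return desired

def actual_from_az(az_json):
    """Return {fqdn: set(ips)} from the az record-set listing."""
    actual = {}
    for rs in json.loads(az_json):
        ips = {r["ipv4Address"] for r in rs.get("aRecords") or []}
        actual[rs["fqdn"].rstrip(".").lower()] = ips
    return actual

def find_drift(log_text, az_json):
    """Report generated endpoints that the zone does not reflect."""
    desired, actual = desired_from_log(log_text), actual_from_az(az_json)
    missing = sorted(n for n in desired if n not in actual)
    mismatched = sorted(n for n in desired if n in actual and desired[n] != actual[n])
    # "silent" is the symptom in this issue: drift exists, yet no change was planned.
    silent = bool(missing or mismatched) and UP_TO_DATE in log_text
    return {"missing": missing, "mismatched": mismatched, "silent": silent}

if __name__ == "__main__":
    print(find_drift(SAMPLE_LOG, SAMPLE_AZ))
```
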

Labels: kind/bug