ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

external-dns: bump to 0.19.0, helm chart 9.1.0

Browse Source
This commit is contained in:
ace
2026-01-03 22:33:32 +03:00
parent 8beedbb3bd
commit 8a2cd4f590
52 changed files with 2497 additions and 1612 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
external-dns/.helmignore
View File

@@ -19,3 +19,7 @@
.project
.idea/
*.tmproj
# img folder
img/
# Changelog
CHANGELOG.md

8
external-dns/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 2.0.1
digest: sha256:46553c7194313fd9ce2e1e86422eef4dab3defb450e20c692f865924eacb8fb1
generated: "2022-08-23T21:17:43.285411696Z"
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.31.4
digest: sha256:fc442e77200e1914dd46fe26490dcf62f44caa51db673c2f8e67d5319cd4c163
generated: "2025-08-13T14:51:56.613207941Z"

21
external-dns/Chart.yaml
View File

@@ -1,27 +1,30 @@
annotations:
category: DeveloperTools
images: |
- name: external-dns
image: registry.k8s.io/external-dns/external-dns
licenses: Apache-2.0
tanzuCategory: clusterUtility
apiVersion: v2
appVersion: 0.7.6
appVersion: 0.19.0
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
repository: oci://registry-1.docker.io/bitnamicharts
tags:
- bitnami-common
version: 2.x.x
description: ExternalDNS is a Kubernetes addon that configures public DNS servers
with information about exposed Kubernetes services to make them discoverable.
home: https://github.com/bitnami/charts/tree/master/bitnami/external-dns
icon: https://bitnami.com/assets/stacks/external-dns/img/external-dns-stack-220x234.png
home: https://bitnami.com
icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/external-dns/img/external-dns-stack-220x234.png
keywords:
- external-dns
- network
- dns
maintainers:
- name: Bitnami
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: external-dns
sources:
- https://github.com/kubernetes-sigs/external-dns
- https://github.com/bitnami/containers/tree/main/bitnami/external-dns
- https://github.com/kubernetes-sigs/external-dns
version: 6.8.1
- https://github.com/bitnami/charts/tree/main/bitnami/external-dns
version: 9.1.0

798
external-dns/README.md
View File

@@ -1,366 +1,144 @@
<!--- app-name: ExternalDNS -->
# ExternalDNS packaged by Bitnami
# Bitnami package for ExternalDNS
ExternalDNS is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.
[Overview of ExternalDNS](https://github.com/kubernetes-incubator/external-dns)
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
## TL;DR
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/external-dns
helm install my-release oci://registry-1.docker.io/bitnamicharts/external-dns
```
Looking to use ExternalDNS in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## ⚠️ Important Notice: Upcoming changes to the Bitnami Catalog
Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new [Bitnami Secure Images initiative](https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications). As part of this transition:
- Granting community users access for the first time to security-optimized versions of popular container images.
- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes
- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support.
These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the [Bitnami Secure Images announcement](https://github.com/bitnami/containers/issues/83267).
## Introduction
This chart bootstraps a [ExternalDNS](https://github.com/bitnami/containers/tree/main/bitnami/external-dns) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- Kubernetes 1.23+
- Helm 3.8.0+
## Installing the Chart
To install the chart with the release name `my-release`:
```bash
$ helm install my-release bitnami/external-dns
```console
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
The command deploys ExternalDNS on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Parameters
### Global parameters
| Name | Description | Value |
| ------------------------- | ----------------------------------------------- | ----- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
### Common parameters
| Name | Description | Value |
| ----------------------- | -------------------------------------------------------------------------------------------- | --------------- |
| `nameOverride` | String to partially override external-dns.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override external-dns.fullname template | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `[]` |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
| `watchReleaseNamespace` | Watch only namepsace used for the release | `false` |
### external-dns parameters
| Name | Description | Value |
| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| `image.registry` | ExternalDNS image registry | `docker.io` |
| `image.repository` | ExternalDNS image repository | `bitnami/external-dns` |
| `image.tag` | ExternalDNS Image tag (immutable tags are recommended) | `0.12.2-debian-11-r5` |
| `image.digest` | ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | ExternalDNS image pull policy | `IfNotPresent` |
| `image.pullSecrets` | ExternalDNS image pull secrets | `[]` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `updateStrategy` | update strategy type | `{}` |
| `command` | Override kiam default command | `[]` |
| `args` | Override kiam default args | `[]` |
| `sources` | K8s resources type to be observed for new DNS entries by ExternalDNS | `[]` |
| `provider` | DNS provider where the DNS records will be created. | `aws` |
| `initContainers` | Attach additional init containers to the pod (evaluated as a template) | `[]` |
| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` |
| `namespace` | Limit sources of endpoints to a specific namespace (default: all namespaces) | `""` |
| `fqdnTemplates` | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves | `[]` |
| `containerPorts.http` | HTTP Container port | `7979` |
| `combineFQDNAnnotation` | Combine FQDN template and annotations instead of overwriting | `false` |
| `ignoreHostnameAnnotation` | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set | `false` |
| `publishInternalServices` | Allow external-dns to publish DNS records for ClusterIP services | `false` |
| `publishHostIP` | Allow external-dns to publish host-ip for headless services | `false` |
| `serviceTypeFilter` | The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) | `[]` |
| `alibabacloud.accessKeyId` | When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.accessKeySecret` | When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.regionId` | When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.vpcId` | Alibaba Cloud VPC Id | `""` |
| `alibabacloud.secretName` | Use an existing secret with key "alibaba-cloud.json" defined. | `""` |
| `alibabacloud.zoneType` | Zone Filter. Available values are: public, private, or no value for both | `""` |
| `aws.credentials.secretKey` | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) | `""` |
| `aws.credentials.accessKey` | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) | `""` |
| `aws.credentials.mountPath` | When using the AWS provider, determine `mountPath` for `credentials` secret | `/.aws` |
| `aws.credentials.secretName` | Use an existing secret with key "credentials" defined. | `""` |
| `aws.region` | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) | `us-east-1` |
| `aws.zoneType` | When using the AWS provider, filter for zones of this type (optional, options: public, private) | `""` |
| `aws.assumeRoleArn` | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon | `""` |
| `aws.roleArn` | Specify role ARN to the external-dns daemon | `""` |
| `aws.apiRetries` | Maximum number of retries for AWS API calls before giving up | `3` |
| `aws.batchChangeSize` | When using the AWS provider, set the maximum number of changes that will be applied in each batch | `1000` |
| `aws.zonesCacheDuration` | If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL | `0` |
| `aws.zoneTags` | When using the AWS provider, filter for zones with these tags | `[]` |
| `aws.preferCNAME` | When using the AWS provider, replaces Alias records with CNAME (options: true, false) | `""` |
| `aws.evaluateTargetHealth` | When using the AWS provider, sets the evaluate target health flag (options: true, false) | `""` |
| `azure.secretName` | When using the Azure provider, set the secret containing the `azure.json` file | `""` |
| `azure.cloud` | When using the Azure provider, set the Azure Cloud | `""` |
| `azure.resourceGroup` | When using the Azure provider, set the Azure Resource Group | `""` |
| `azure.tenantId` | When using the Azure provider, set the Azure Tenant ID | `""` |
| `azure.subscriptionId` | When using the Azure provider, set the Azure Subscription ID | `""` |
| `azure.aadClientId` | When using the Azure provider, set the Azure AAD Client ID | `""` |
| `azure.aadClientSecret` | When using the Azure provider, set the Azure AAD Client Secret | `""` |
| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI | `false` |
| `azure.userAssignedIdentityID` | When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) | `""` |
| `cloudflare.apiToken` | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) | `""` |
| `cloudflare.apiKey` | When using the Cloudflare provider, `CF_API_KEY` to set (optional) | `""` |
| `cloudflare.secretName` | When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. | `""` |
| `cloudflare.email` | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY | `""` |
| `cloudflare.proxied` | When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) | `true` |
| `coredns.etcdEndpoints` | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) | `http://etcd-extdns:2379` |
| `coredns.etcdTLS.enabled` | When using the CoreDNS provider, enable secure communication with etcd | `false` |
| `coredns.etcdTLS.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `coredns.etcdTLS.secretName` | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys | `etcd-client-certs` |
| `coredns.etcdTLS.mountPath` | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to | `/etc/coredns/tls/etcd` |
| `coredns.etcdTLS.caFilename` | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` | `ca.crt` |
| `coredns.etcdTLS.certFilename` | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` | `cert.pem` |
| `coredns.etcdTLS.keyFilename` | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `key.pem` |
| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` |
| `designate.password` | When using the Designate provider, specify the OpenStack authentication password. (optional) | `""` |
| `designate.authUrl` | When using the Designate provider, specify the OpenStack authentication Url. (optional) | `""` |
| `designate.regionName` | When using the Designate provider, specify the OpenStack region name. (optional) | `""` |
| `designate.userDomainName` | When using the Designate provider, specify the OpenStack user domain name. (optional) | `""` |
| `designate.projectName` | When using the Designate provider, specify the OpenStack project name. (optional) | `""` |
| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` |
| `designate.customCAHostPath` | When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled` | `""` |
| `designate.customCA.enabled` | When using the Designate provider, enable a custom CA (optional) | `false` |
| `designate.customCA.content` | When using the Designate provider, set the content of the custom CA | `""` |
| `designate.customCA.mountPath` | When using the Designate provider, set the mountPath in which to mount the custom CA configuration | `/config/designate` |
| `designate.customCA.filename` | When using the Designate provider, set the custom CA configuration filename | `designate-ca.pem` |
| `digitalocean.apiToken` | When using the DigitalOcean provider, `DO_TOKEN` to set (optional) | `""` |
| `digitalocean.secretName` | Use an existing secret with key "digitalocean_api_token" defined. | `""` |
| `google.project` | When using the Google provider, specify the Google project (required when provider=google) | `""` |
| `google.serviceAccountSecret` | When using the Google provider, specify the existing secret which contains credentials.json (optional) | `""` |
| `google.serviceAccountSecretKey` | When using the Google provider with an existing secret, specify the key name (optional) | `credentials.json` |
| `google.serviceAccountKey` | When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) | `""` |
| `google.zoneVisibility` | When using the Google provider, fiter for zones of a specific visibility (private or public) | `""` |
| `hetzner.token` | When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.) | `""` |
| `hetzner.secretName` | When using the Hetzner provider, specify the existing secret which contains your token. Disables the usage of `hetzner.token` (optional) | `""` |
| `hetzner.secretKey` | When using the Hetzner provider with an existing secret, specify the key name (optional) | `hetzner_token` |
| `infoblox.wapiUsername` | When using the Infoblox provider, specify the Infoblox WAPI username | `admin` |
| `infoblox.wapiPassword` | When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox) | `""` |
| `infoblox.gridHost` | When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox) | `""` |
| `infoblox.view` | Infoblox view | `""` |
| `infoblox.secretName` | Existing secret name, when in place wapiUsername and wapiPassword are not required | `""` |
| `infoblox.domainFilter` | When using the Infoblox provider, specify the domain (optional) | `""` |
| `infoblox.noSslVerify` | When using the Infoblox provider, disable SSL verification (optional) | `false` |
| `infoblox.wapiPort` | When using the Infoblox provider, specify the Infoblox WAPI port (optional) | `""` |
| `infoblox.wapiVersion` | When using the Infoblox provider, specify the Infoblox WAPI version (optional) | `""` |
| `infoblox.wapiConnectionPoolSize` | When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional) | `""` |
| `infoblox.wapiHttpTimeout` | When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional) | `""` |
| `infoblox.maxResults` | When using the Infoblox provider, specify the Infoblox Max Results (optional) | `""` |
| `linode.apiToken` | When using the Linode provider, `LINODE_TOKEN` to set (optional) | `""` |
| `linode.secretName` | Use an existing secret with key "linode_api_token" defined. | `""` |
| `ns1.minTTL` | When using the ns1 provider, specify minimal TTL, as an integer, for records | `10` |
| `ns1.apiKey` | When using the ns1 provider, specify the API key to use | `""` |
| `ns1.secretName` | Use an existing secret with key "ns1-api-key" defined. | `""` |
| `oci.region` | When using the OCI provider, specify the region, where your zone is located in. | `""` |
| `oci.tenancyOCID` | When using the OCI provider, specify your Tenancy OCID | `""` |
| `oci.userOCID` | When using the OCI provider, specify your User OCID | `""` |
| `oci.compartmentOCID` | When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. | `""` |
| `oci.privateKey` | When using the OCI provider, paste in your RSA private key file for the Oracle API | `""` |
| `oci.privateKeyFingerprint` | When using the OCI provider, put in the fingerprint of your privateKey | `""` |
| `oci.privateKeyPassphrase` | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) | `""` |
| `oci.secretName` | When using the OCI provider, it's the name of the secret containing `oci.yaml` file. | `""` |
| `ovh.consumerKey` | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.applicationKey` | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.applicationSecret` | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.secretName` | When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. | `""` |
| `scaleway.scwAccessKey` | When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) | `""` |
| `scaleway.scwSecretKey` | When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) | `""` |
| `scaleway.scwDefaultOrganizationId` | When using the Scaleway provider, specify the existing organization id. (required when provider=scaleway) | `""` |
| `rfc2136.host` | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) | `""` |
| `rfc2136.port` | When using the rfc2136 provider, specify the RFC2136 port (optional) | `53` |
| `rfc2136.zone` | When using the rfc2136 provider, specify the zone (required when provider=rfc2136) | `""` |
| `rfc2136.tsigSecret` | When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) | `""` |
| `rfc2136.secretName` | When using the rfc2136 provider, specify the existing secret which contains your tsig secret. Disables the usage of `rfc2136.tsigSecret` (optional) | `""` |
| `rfc2136.tsigSecretAlg` | When using the rfc2136 provider, specify the tsig secret to enable security (optional) | `hmac-sha256` |
| `rfc2136.tsigKeyname` | When using the rfc2136 provider, specify the tsig keyname to enable security (optional) | `externaldns-key` |
| `rfc2136.tsigAxfr` | When using the rfc2136 provider, enable AFXR to enable security (optional) | `true` |
| `rfc2136.minTTL` | When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration | `0s` |
| `rfc2136.rfc3645Enabled` | When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG | `false` |
| `rfc2136.kerberosConfig` | When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) | `""` |
| `rfc2136.kerberosUsername` | When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) | `""` |
| `rfc2136.kerberosPassword` | When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) | `""` |
| `rfc2136.kerberosRealm` | When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) | `""` |
| `pdns.apiUrl` | When using the PowerDNS provider, specify the API URL of the server. | `""` |
| `pdns.apiPort` | When using the PowerDNS provider, specify the API port of the server. | `8081` |
| `pdns.apiKey` | When using the PowerDNS provider, specify the API key of the server. | `""` |
| `pdns.secretName` | When using the PowerDNS provider, specify as secret name containing the API Key | `""` |
| `transip.account` | When using the TransIP provider, specify the account name. | `""` |
| `transip.apiKey` | When using the TransIP provider, specify the API key to use. | `""` |
| `vinyldns.host` | When using the VinylDNS provider, specify the VinylDNS API host. | `""` |
| `vinyldns.accessKey` | When using the VinylDNS provider, specify the Access Key to use. | `""` |
| `vinyldns.secretKey` | When using the VinylDNS provider, specify the Secret key to use. | `""` |
| `domainFilters` | Limit possible target zones by domain suffixes (optional) | `[]` |
| `excludeDomains` | Exclude subdomains (optional) | `[]` |
| `regexDomainFilter` | Limit possible target zones by regex domain suffixes (optional) | `""` |
| `regexDomainExclusion` | Exclude subdomains by using regex pattern (optional) | `""` |
| `zoneNameFilters` | Filter target zones by zone domain (optional) | `[]` |
| `zoneIdFilters` | Limit possible target zones by zone id (optional) | `[]` |
| `annotationFilter` | Filter sources managed by external-dns via annotation using label selector (optional) | `""` |
| `labelFilter` | Select sources managed by external-dns using label selector (optional) | `""` |
| `dryRun` | When enabled, prints DNS record changes rather than actually performing them (optional) | `false` |
| `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) | `false` |
| `interval` | Interval update period to use | `1m` |
| `logLevel` | Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) | `info` |
| `logFormat` | Which format to output logs in (options: text, json) | `text` |
| `policy` | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) | `upsert-only` |
| `registry` | Registry method to use (options: txt, aws-sd, noop) | `txt` |
| `txtPrefix` | When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional)<CNAME record> (Mutual exclusive with txt-suffix) | `""` |
| `txtSuffix` | When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional)<CNAME record>.suffix (Mutual exclusive with txt-prefix) | `""` |
| `txtOwnerId` | A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) | `""` |
| `forceTxtOwnerId` | (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) | `false` |
| `extraArgs` | Extra arguments to be passed to external-dns | `{}` |
| `extraEnvVars` | An array to add extra env vars | `[]` |
| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` |
| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` |
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
| `schedulerName` | Alternative scheduler | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `replicaCount` | Desired number of ExternalDNS replicas | `1` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `podAnnotations` | Additional annotations to apply to the pod. | `{}` |
| `podLabels` | Additional labels to be added to pods | `{}` |
| `priorityClassName` | priorityClassName | `""` |
| `secretAnnotations` | Additional annotations to apply to the secret | `{}` |
| `crd.create` | Install and use the integrated DNSEndpoint CRD | `false` |
| `crd.apiversion` | Sets the API version for the CRD to watch | `""` |
| `crd.kind` | Sets the kind for the CRD to watch | `""` |
| `service.enabled` | Whether to create Service resource or not | `true` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.http` | ExternalDNS client port | `7979` |
| `service.nodePorts.http` | Port to bind to for NodePort service type (client port) | `""` |
| `service.clusterIP` | IP address to assign to service | `""` |
| `service.externalIPs` | Service external IP addresses | `[]` |
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Annotations to add to service | `{}` |
| `service.labels` | Provide any additional labels which may be required. | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` |
| `serviceAccount.name` | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set | `""` |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` |
| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` |
| `rbac.create` | Whether to create & use RBAC resources or not | `true` |
| `rbac.clusterRole` | Whether to create Cluster Role. When set to false creates a Role in `namespace` | `true` |
| `rbac.apiVersion` | Version of the RBAC API | `v1` |
| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| `containerSecurityContext` | Security context for the container | `{}` |
| `podSecurityContext.enabled` | Enable pod security context | `true` |
| `podSecurityContext.fsGroup` | Group ID for the container | `1001` |
| `podSecurityContext.runAsUser` | User ID for the container | `1001` |
| `resources.limits` | The resources limits for the container | `{}` |
| `resources.requests` | The requested resources for the container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `extraVolumes` | A list of volumes to be added to the pod | `[]` |
| `extraVolumeMounts` | A list of volume mounts to be added to the pod | `[]` |
| `podDisruptionBudget` | Configure PodDisruptionBudget | `{}` |
| `metrics.enabled` | Enable prometheus to access external-dns metrics endpoint | `false` |
| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor object | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.selector` | Additional labels for ServiceMonitor object | `{}` |
| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` |
| `metrics.serviceMonitor.relabelings` | Prometheus relabeling rules | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.labels` | Used to pass Labels that are required by the installed Prometheus Operator | `{}` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set provider=aws bitnami/external-dns
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
$ helm install my-release -f values.yaml bitnami/external-dns
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Prometheus metrics
This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will expose external-dns native Prometheus endpoint in the service. It will have the necessary annotations to be automatically scraped by Prometheus.
#### Prometheus requirements
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster.
#### Integration with Prometheus Operator
The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error:
```text
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
```
Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator.
### Backup and restore
To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html).
### Setting Pod's affinity
This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
### Using IRSA
If you are deploying to AWS EKS and you want to leverage [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). You will need to override `fsGroup` and `runAsUser` with `65534`(nfsnobody) and `0` respectively. Otherwise service account token will not be properly mounted.
You can use the following arguments:
```
```console
--set podSecurityContext.fsGroup=65534 --set podSecurityContext.runAsUser=0
```
### Webhook Providers
Webhook providers allow integrating ExternalDNS with DNS providers through an HTTP interface. This approach decouples ExternalDNS and the Providers code which can be running in separate processes.
With the Bitnami ExternalDNS chart, you can deploy Webhook Providers and configure ExternalDNS easely using `sidecars` and `extraArgs` values:
```yaml
provider: webhook
extraArgs:
webhook-provider-url: http://localhost:8080
txt-prefix: reg-
sidecars:
- name: my-webhook
image: <external-dns-webhook-image>
ports:
- containerPort: 8080
name: http
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe:
tcpSocket:
port: http
initialDelaySeconds: 10
timeoutSeconds: 5
env:
- name: <WEBHOOK-CONFIG-ENV-VAR>
value: TEST
...
```
More information about these new providers can be found in the [ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns/tree/master#new-providers)
## Tutorials
Find information about the requirements for each DNS provider on the link below:
@@ -374,20 +152,378 @@ For instance, to install ExternalDNS on AWS, you need to:
- Install ExternalDNS chart using the command below:
> Note: replace the placeholder HOSTED_ZONE_IDENTIFIER and HOSTED_ZONE_NAME, with your hosted zoned identifier and name, respectively.
```bash
$ helm install my-release \
```console
helm install my-release \
--set provider=aws \
--set aws.zoneType=public \
--set txtOwnerId=HOSTED_ZONE_IDENTIFIER \
--set domainFilters[0]=HOSTED_ZONE_NAME \
bitnami/external-dns
oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
## Parameters
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.security.allowInsecureImages` | Allows skipping image verification | `false` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
| Name | Description | Value |
| ------------------- | -------------------------------------------------------------------------------------------- | --------------- |
| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` |
| `fullnameOverride` | String to fully override common.names.fullname template | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `[]` |
| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` |
### external-dns parameters
| Name | Description | Value |
| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `image.registry` | ExternalDNS image registry | `REGISTRY_NAME` |
| `image.repository` | ExternalDNS image repository | `REPOSITORY_NAME/external-dns` |
| `image.digest` | ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | ExternalDNS image pull policy | `IfNotPresent` |
| `image.pullSecrets` | ExternalDNS image pull secrets | `[]` |
| `revisionHistoryLimit` | sets number of replicaset to keep in k8s | `10` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `updateStrategy` | update strategy type | `{}` |
| `command` | Override kiam default command | `[]` |
| `args` | Override kiam default args | `[]` |
| `sources` | K8s resources type to be observed for new DNS entries by ExternalDNS | `[]` |
| `provider` | DNS provider where the DNS records will be created. | `aws` |
| `initContainers` | Attach additional init containers to the pod (evaluated as a template) | `[]` |
| `dnsPolicy` | Specifies the DNS policy for the external-dns deployment | `""` |
| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` |
| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` |
| `namespace` | Limit sources of endpoints to a specific namespace (default: all namespaces) | `""` |
| `watchReleaseNamespace` | Watch only namespace used for the release | `false` |
| `fqdnTemplates` | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves | `[]` |
| `containerPorts.http` | HTTP Container port | `7979` |
| `combineFQDNAnnotation` | Combine FQDN template and annotations instead of overwriting | `false` |
| `ignoreHostnameAnnotation` | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set | `false` |
| `publishInternalServices` | Allow external-dns to publish DNS records for ClusterIP services | `false` |
| `publishHostIP` | Allow external-dns to publish host-ip for headless services | `false` |
| `serviceTypeFilter` | The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) | `[]` |
| `validation.enabled` | Enable chart validation | `true` |
| `akamai.host` | Hostname to use for EdgeGrid auth | `""` |
| `akamai.accessToken` | Access Token to use for EdgeGrid auth | `""` |
| `akamai.clientToken` | Client Token to use for EdgeGrid auth | `""` |
| `akamai.clientSecret` | When using the Akamai provider, `AKAMAI_CLIENT_SECRET` to set (optional) | `""` |
| `akamai.secretName` | Use an existing secret with key "akamai_api_seret" defined. | `""` |
| `alibabacloud.accessKeyId` | When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.accessKeySecret` | When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.regionId` | When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) | `""` |
| `alibabacloud.vpcId` | Alibaba Cloud VPC Id | `""` |
| `alibabacloud.secretName` | Use an existing secret with key "alibaba-cloud.json" defined. | `""` |
| `alibabacloud.zoneType` | Zone Filter. Available values are: public, private, or no value for both | `""` |
| `aws.credentials.secretKey` | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) | `""` |
| `aws.credentials.accessKey` | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) | `""` |
| `aws.credentials.mountPath` | When using the AWS provider, determine `mountPath` for `credentials` secret | `/.aws` |
| `aws.credentials.secretName` | Use an existing secret with key "credentials" defined. | `""` |
| `aws.credentials.accessKeyIDSecretRef.name` | Define the name of the secret that stores aws_access_key_id. | `""` |
| `aws.credentials.accessKeyIDSecretRef.key` | Define the key of the secret that stores aws_access_key_id. | `""` |
| `aws.credentials.secretAccessKeySecretRef.name` | Define the name of the secret that stores aws_secret_access_key | `""` |
| `aws.credentials.secretAccessKeySecretRef.key` | Define the key of the secret that stores aws_secret_access_key | `""` |
| `aws.region` | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) | `us-east-1` |
| `aws.zoneType` | When using the AWS provider, filter for zones of this type (optional, options: public, private) | `""` |
| `aws.assumeRoleArn` | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon | `""` |
| `aws.roleArn` | Specify role ARN to the external-dns daemon | `""` |
| `aws.apiRetries` | Maximum number of retries for AWS API calls before giving up | `3` |
| `aws.batchChangeSize` | When using the AWS provider, set the maximum number of changes that will be applied in each batch | `1000` |
| `aws.zonesCacheDuration` | If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL | `0` |
| `aws.zoneTags` | When using the AWS provider, filter for zones with these tags | `[]` |
| `aws.preferCNAME` | When using the AWS provider, replaces Alias records with CNAME (options: true, false) | `""` |
| `aws.evaluateTargetHealth` | When using the AWS provider, sets the evaluate target health flag (options: true, false) | `""` |
| `aws.dynamodbTable` | When using the AWS provider, sets the DynamoDB table name to use for dynamodb registry | `""` |
| `aws.dynamodbRegion` | When using the AWS provider, sets the DynamoDB table region to use for dynamodb registry | `""` |
| `aws.zoneMatchParent` | When using the AWS provider, lets a domain filter match subdomains within the same zone by using their parent domain | `false` |
| `azure.secretName` | When using the Azure provider, set the secret containing the `azure.json` file | `""` |
| `azure.cloud` | When using the Azure provider, set the Azure Cloud | `""` |
| `azure.resourceGroup` | When using the Azure provider, set the Azure Resource Group | `""` |
| `azure.tenantId` | When using the Azure provider, set the Azure Tenant ID | `""` |
| `azure.subscriptionId` | When using the Azure provider, set the Azure Subscription ID | `""` |
| `azure.aadClientId` | When using the Azure provider, set the Azure AAD Client ID | `""` |
| `azure.aadClientSecret` | When using the Azure provider, set the Azure AAD Client Secret | `""` |
| `azure.useWorkloadIdentityExtension` | When using the Azure provider, set if you use Workload Identity extension. | `false` |
| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI | `false` |
| `azure.userAssignedIdentityID` | When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) | `""` |
| `civo.apiToken` | When using the Civo provider, `CIVO_TOKEN` to set (optional) | `""` |
| `civo.secretName` | Use an existing secret with key "apiToken" defined. | `""` |
| `cloudflare.apiToken` | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) | `""` |
| `cloudflare.apiKey` | When using the Cloudflare provider, `CF_API_KEY` to set (optional) | `""` |
| `cloudflare.secretName` | When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. | `""` |
| `cloudflare.email` | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY | `""` |
| `cloudflare.proxied` | When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) | `true` |
| `cloudflare.dnsRecordsPerPage` | Number of DNS records to fetch per page. (optional) | `100` |
| `cloudflare.regionalServices` | Enable configuration of Cloudflare Regional Services. (optional) | `false` |
| `cloudflare.regionKey` | Set default region, when Cloudflare Regional Services are enabled. (optional) | `""` |
| `coredns.etcdEndpoints` | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) | `http://etcd-extdns:2379` |
| `coredns.etcdTLS.enabled` | When using the CoreDNS provider, enable secure communication with etcd | `false` |
| `coredns.etcdTLS.autoGenerated` | Generate automatically self-signed TLS certificates | `false` |
| `coredns.etcdTLS.secretName` | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys | `etcd-client-certs` |
| `coredns.etcdTLS.mountPath` | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to | `/etc/coredns/tls/etcd` |
| `coredns.etcdTLS.caFilename` | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` | `ca.crt` |
| `coredns.etcdTLS.certFilename` | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` | `cert.pem` |
| `coredns.etcdTLS.keyFilename` | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `key.pem` |
| `exoscale.apiKey` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APIKEY` to set (optional) | `""` |
| `exoscale.apiToken` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APISECRET` to set (optional) | `""` |
| `exoscale.secretName` | Use an existing secret with keys "exoscale_api_key" and "exoscale_api_token" defined. | `""` |
| `digitalocean.apiToken` | When using the DigitalOcean provider, `DO_TOKEN` to set (optional) | `""` |
| `digitalocean.secretName` | Use an existing secret with key "digitalocean_api_token" defined. | `""` |
| `google.project` | When using the Google provider, specify the Google project (required when provider=google) | `""` |
| `google.batchChangeSize` | When using the google provider, set the maximum number of changes that will be applied in each batch | `1000` |
| `google.serviceAccountSecret` | When using the Google provider, specify the existing secret which contains credentials.json (optional) | `""` |
| `google.serviceAccountSecretKey` | When using the Google provider with an existing secret, specify the key name (optional) | `credentials.json` |
| `google.serviceAccountKey` | When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) | `""` |
| `google.zoneVisibility` | When using the Google provider, fiter for zones of a specific visibility (private or public) | `""` |
| `linode.apiToken` | When using the Linode provider, `LINODE_TOKEN` to set (optional) | `""` |
| `linode.secretName` | Use an existing secret with key "linode_api_token" defined. | `""` |
| `ns1.minTTL` | When using the ns1 provider, specify minimal TTL, as an integer, for records | `10` |
| `ns1.apiKey` | When using the ns1 provider, specify the API key to use | `""` |
| `ns1.secretName` | Use an existing secret with key "ns1-api-key" defined. | `""` |
| `pihole.server` | When using the Pi-hole provider, specify The address of the Pi-hole web server | `""` |
| `pihole.tlsSkipVerify` | When using the Pi-hole provider, specify wheter to skip verification of any TLS certificates served by the Pi-hole web server | `""` |
| `pihole.password` | When using the Pi-hole provider, specify a password to use | `""` |
| `pihole.secretName` | Use an existing secret with key "pihole_password" defined. | `""` |
| `traefik.disableNew` | Disable listeners on Resources under traefik.io | `false` |
| `traefik.disableLegacy` | Disable listeners on Resources under traefik.containo.us | `false` |
| `oci.region` | When using the OCI provider, specify the region, where your zone is located in. | `""` |
| `oci.tenancyOCID` | When using the OCI provider, specify your Tenancy OCID | `""` |
| `oci.userOCID` | When using the OCI provider, specify your User OCID | `""` |
| `oci.compartmentOCID` | When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. | `""` |
| `oci.privateKey` | When using the OCI provider, paste in your RSA private key file for the Oracle API | `""` |
| `oci.privateKeyFingerprint` | When using the OCI provider, put in the fingerprint of your privateKey | `""` |
| `oci.privateKeyPassphrase` | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) | `""` |
| `oci.secretName` | When using the OCI provider, it's the name of the secret containing `oci.yaml` file. | `""` |
| `oci.useInstancePrincipal` | When using the OCI provider, enable IAM Instance Principal | `false` |
| `oci.useWorkloadIdentity` | When using the OCI provider, enable IAM Workload Identity | `false` |
| `ovh.consumerKey` | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.applicationKey` | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.applicationSecret` | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` |
| `ovh.secretName` | When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. | `""` |
| `scaleway.scwAccessKey` | When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) | `""` |
| `scaleway.scwSecretKey` | When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) | `""` |
| `scaleway.secretName` | Use an existing secret with keys "scaleway_access_key" and "scaleway_secret_key" defined (optional). | `""` |
| `rfc2136.host` | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) | `""` |
| `rfc2136.port` | When using the rfc2136 provider, specify the RFC2136 port (optional) | `53` |
| `rfc2136.zone` | DEPRECATED: use rfc2136.zones instead. | `""` |
| `rfc2136.zones` | When using the rfc2136 provider, specify the zones (required when provider=rfc2136 and `rfc2136.zone` is not provided.) | `[]` |
| `rfc2136.tsigSecret` | When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) | `""` |
| `rfc2136.secretName` | When using the rfc2136 provider, specify the existing secret which contains your tsig secret in the key "rfc2136_tsig_secret". Disables the usage of `rfc2136.tsigSecret` (optional) | `""` |
| `rfc2136.tsigSecretAlg` | When using the rfc2136 provider, specify the tsig secret to enable security (optional) | `hmac-sha256` |
| `rfc2136.tsigKeyname` | When using the rfc2136 provider, specify the tsig keyname to enable security (optional) | `rfc2136_tsig_secret` |
| `rfc2136.tsigAxfr` | When using the rfc2136 provider, enable AFXR to enable security (optional) | `true` |
| `rfc2136.minTTL` | When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more <https://golang.org/pkg/time/#ParseDuration> | `0s` |
| `rfc2136.rfc3645Enabled` | When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG | `false` |
| `rfc2136.kerberosConfig` | When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) | `""` |
| `rfc2136.kerberosUsername` | When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) | `""` |
| `rfc2136.kerberosPassword` | When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) | `""` |
| `rfc2136.kerberosRealm` | When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) | `""` |
| `pdns.apiUrl` | When using the PowerDNS provider, specify the API URL of the server. | `""` |
| `pdns.apiPort` | When using the PowerDNS provider, specify the API port of the server. | `8081` |
| `pdns.apiKey` | When using the PowerDNS provider, specify the API key of the server. | `""` |
| `pdns.secretName` | When using the PowerDNS provider, specify as secret name containing the API Key | `""` |
| `transip.account` | When using the TransIP provider, specify the account name. | `""` |
| `transip.apiKey` | When using the TransIP provider, specify the API key to use. | `""` |
| `domainFilters` | Limit possible target zones by domain suffixes (optional) | `[]` |
| `excludeDomains` | Exclude subdomains (optional) | `[]` |
| `regexDomainFilter` | Limit possible target zones by regex domain suffixes (optional) | `""` |
| `regexDomainExclusion` | Exclude subdomains by using regex pattern (optional) | `""` |
| `zoneNameFilters` | Filter target zones by zone domain (optional) | `[]` |
| `zoneIdFilters` | Limit possible target zones by zone id (optional) | `[]` |
| `annotationFilter` | Filter sources managed by external-dns via annotation using label selector (optional) | `""` |
| `labelFilter` | Select sources managed by external-dns using label selector (optional) | `""` |
| `ingressClassFilters` | Filter sources managed by external-dns via IngressClass (optional) | `[]` |
| `managedRecordTypesFilters` | Filter record types managed by external-dns (optional) | `[]` |
| `dryRun` | When enabled, prints DNS record changes rather than actually performing them (optional) | `false` |
| `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) | `false` |
| `interval` | Interval update period to use | `1m` |
| `logLevel` | Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) | `info` |
| `logFormat` | Which format to output logs in (options: text, json) | `text` |
| `policy` | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) | `upsert-only` |
| `registry` | Registry method to use (options: txt, aws-sd, dynamodb, noop) | `txt` |
| `txtPrefix` | When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional)<CNAME record> (Mutual exclusive with txt-suffix) | `""` |
| `txtSuffix` | When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional)<CNAME record>.suffix (Mutual exclusive with txt-prefix) | `""` |
| `txtNewFormatOnly` | When using the TXT registry, use only the new format for ownership records (optional) | `false` |
| `txtOwnerId` | A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) | `""` |
| `forceTxtOwnerId` | (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) | `false` |
| `txtEncrypt.enabled` | Enable TXT record encryption | `false` |
| `txtEncrypt.aesKey` | 32-byte AES-256-GCM encryption key. | `""` |
| `txtEncrypt.secretName` | Use an existing secret with key "txt_aes_encryption_key" defined. | `""` |
| `extraArgs` | Extra arguments to be passed to external-dns | `{}` |
| `extraEnvVars` | An array to add extra env vars | `[]` |
| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` |
| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` |
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
| `schedulerName` | Alternative scheduler | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `podAnnotations` | Additional annotations to apply to the pod. | `{}` |
| `podLabels` | Additional labels to be added to pods | `{}` |
| `priorityClassName` | priorityClassName | `""` |
| `secretAnnotations` | Additional annotations to apply to the secret | `{}` |
| `crd.create` | Install and use the integrated DNSEndpoint CRD | `false` |
| `crd.apiversion` | Sets the API version for the CRD to watch | `""` |
| `crd.kind` | Sets the kind for the CRD to watch | `""` |
| `service.enabled` | Whether to create Service resource or not | `true` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.http` | ExternalDNS client port | `7979` |
| `service.nodePorts.http` | Port to bind to for NodePort service type (client port) | `""` |
| `service.clusterIP` | IP address to assign to service | `""` |
| `service.externalIPs` | Service external IP addresses | `[]` |
| `service.externalName` | Service external name | `""` |
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` |
| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` |
| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` |
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Annotations to add to service | `{}` |
| `service.labels` | Provide any additional labels which may be required. | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` |
| `serviceAccount.name` | ServiceAccount to use. A name is generated using the common.names.fullname template if it is not set | `""` |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` |
| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` |
| `rbac.create` | Whether to create & use RBAC resources or not | `true` |
| `rbac.clusterRole` | Whether to create Cluster Role. When set to false creates a Role in `namespace` | `true` |
| `rbac.apiVersion` | Version of the RBAC API | `v1` |
| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| `containerSecurityContext.enabled` | Enabled Apache Server containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set ExternalDNS containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set ExternalDNS containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set ExternalDNS container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container readonlyRootFilesystem | `true` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `podSecurityContext.enabled` | Enable pod security context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Group ID for the container | `1001` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `extraVolumes` | A list of volumes to be added to the pod | `[]` |
| `extraVolumeMounts` | A list of volume mounts to be added to the pod | `[]` |
| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` |
| `metrics.enabled` | Enable prometheus to access external-dns metrics endpoint | `false` |
| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | `{}` |
| `metrics.serviceMonitor.enabled` | Create ServiceMonitor object | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.selector` | Additional labels for ServiceMonitor object | `{}` |
| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` |
| `metrics.serviceMonitor.relabelings` | Prometheus relabeling rules | `[]` |
| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
| `metrics.serviceMonitor.labels` | Used to pass Labels that are required by the installed Prometheus Operator | `{}` |
| `metrics.serviceMonitor.targetLabels` | Labels from the Kubernetes service to be transferred to the created metrics | `[]` |
| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
| `metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` |
| `metrics.googlePodMonitor.enabled` | Create Google Managed Prometheus PodMonitoring object | `false` |
| `metrics.googlePodMonitor.namespace` | Namespace in which PodMonitoring created | `""` |
| `metrics.googlePodMonitor.interval` | Interval at which metrics should be scraped by Google Managed Prometheus | `60s` |
| `metrics.googlePodMonitor.endpoint` | The endpoint for Google Managed Prometheus scraping the metrics | `/metrics` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install my-release \
--set provider=aws oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/external-dns/values.yaml)
## Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 9.0.0
Unsupported in-tree providers have been removed: OpenStack Designate, Hetzner, Infoblox, VinylDNS
### To 8.7.0
This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850).
### To 7.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 6.0.0
Some of the chart values were changed to adapt to the latest Bitnami standards. More specifically:
@@ -408,28 +544,28 @@ helm upgrade my-release -f my-values.yaml
### To 4.3.0
This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated thechart dependencies before executing any upgrade.
This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated thechart dependencies before executing any upgrade.
### To 4.0.0
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
#### What changes were introduced in this major version?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
#### Considerations when upgrading to this version
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
#### Useful links
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
- <https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html>
- <https://helm.sh/docs/topics/v2_v3_migration/>
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
### To 3.0.0
@@ -445,10 +581,12 @@ Backwards compatibility is not guaranteed unless you modify the labels used on t
Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is `my-release`:
```console
$ kubectl delete deployment my-release-external-dns
$ helm upgrade my-release bitnami/external-dns
kubectl delete deployment my-release-external-dns
helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns
```
> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
Other mayor changes included in this major version are:
- Default image changes from `registry.opensource.zalan.do/teapot/external-dns` to `bitnami/external-dns`.
@@ -461,13 +599,13 @@ Other mayor changes included in this major version are:
## License
Copyright &copy; 2022 Bitnami
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,

4
external-dns/charts/common/.helmignore
View File

@@ -20,3 +20,7 @@
.idea/
*.tmproj
.vscode/
# img folder
img/
# Changelog
CHANGELOG.md

14
external-dns/charts/common/Chart.yaml
View File

@@ -1,11 +1,12 @@
annotations:
category: Infrastructure
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.0.1
appVersion: 2.31.4
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://github.com/bitnami/charts/tree/master/bitnami/common
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
home: https://bitnami.com
icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
@@ -13,11 +14,10 @@ keywords:
- function
- bitnami
maintainers:
- name: Bitnami
- name: Broadcom, Inc. All Rights Reserved.
url: https://github.com/bitnami/charts
name: common
sources:
- https://github.com/bitnami/charts
- https://www.bitnami.com/
- https://github.com/bitnami/charts/tree/main/bitnami/common
type: library
version: 2.0.1
version: 2.31.4

209
external-dns/charts/common/README.md
View File

@@ -1,18 +1,18 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
## TL;DR
```yaml
dependencies:
- name: common
version: 1.x.x
repository: https://charts.bitnami.com/bitnami
version: 2.x.x
repository: oci://registry-1.docker.io/bitnamicharts
```
```bash
$ helm dependency update
```console
helm dependency update
```
```yaml
@@ -24,16 +24,27 @@ data:
myvalue: "Hello World"
```
Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog.
## ⚠️ Important Notice: Upcoming changes to the Bitnami Catalog
Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new [Bitnami Secure Images initiative](https://news.broadcom.com/app-dev/broadcom-introduces-bitnami-secure-images-for-production-ready-containerized-applications). As part of this transition:
- Granting community users access for the first time to security-optimized versions of popular container images.
- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes
- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support.
These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the [Bitnami Secure Images announcement](https://github.com/bitnami/containers/issues/83267).
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
## Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- Kubernetes 1.23+
- Helm 3.8.0+
## Parameters
@@ -41,118 +52,144 @@ The following table lists the helpers available in the library which are scoped
### Affinities
| Helper identifier | Description | Expected Input |
|-------------------------------|------------------------------------------------------|------------------------------------------------|
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| Helper identifier | Description | Expected Input |
| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ |
| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` |
| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` |
| `common.affinities.pods` | Return a podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` |
### Capabilities
| Helper identifier | Description | Expected Input |
|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------|
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
| Helper identifier | Description | Expected Input |
| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- |
| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context |
| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` |
| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. | `.` Chart context |
| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context |
| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context |
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context |
| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context |
| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context |
| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context |
| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context |
| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context |
| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. | `.` Chart context |
| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context |
| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context |
| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context |
| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. | `.` Chart context |
| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context |
### Compatibility
| Helper identifier | Description | Expected Input |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context |
| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` |
### Errors
| Helper identifier | Description | Expected Input |
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` |
| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` |
### Images
| Helper identifier | Description | Expected Input |
|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` |
| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` |
| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. |
### Ingress
| Helper identifier | Description | Expected Input |
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences |
| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context |
| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context |
| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` |
### Labels
| Helper identifier | Description | Expected Input |
|-----------------------------|-----------------------------------------------------------------------------|-------------------|
| --------------------------- | --------------------------------------------------------------------------- | ----------------- |
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context |
### Names
| Helper identifier | Description | Expected Input |
|-----------------------------------|-----------------------------------------------------------------------|-------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
| Helper identifier | Description | Expected Input |
| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context |
| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` |
### Resources
| Helper identifier | Description | Expected Input |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. | `dict "type" "nano"` |
### Secrets
| Helper identifier | Description | Expected Input |
|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
| Helper identifier | Description | Expected Input |
| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. |
| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` |
| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. | `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` |
### Storage
| Helper identifier | Description | Expected Input |
|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------|
| Helper identifier | Description | Expected Input |
| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
### TplValues
| Helper identifier | Description | Expected Input |
|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
| Helper identifier | Description | Expected Input |
| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` |
| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` |
### Utils
| Helper identifier | Description | Expected Input |
|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
| Helper identifier | Description | Expected Input |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` |
| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` |
| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` |
| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` |
| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` |
### Validations
| Helper identifier | Description | Expected Input |
|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. |
| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. |
| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. |
| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. |
| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB&reg; are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. |
| Helper identifier | Description | Expected Input |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) |
| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) |
| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. |
### Warnings
| Helper identifier | Description | Expected Input |
|------------------------------|----------------------------------|------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| Helper identifier | Description | Expected Input |
| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- |
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` |
## Special input schemas
@@ -176,7 +213,7 @@ tag:
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
description: Specify a imagePullPolicy.'
pullSecrets:
type: array
@@ -299,7 +336,7 @@ keyMapping:
If we force those values to be empty we will see some alerts
```console
$ helm install test mychart --set path.to.value00="",path.to.value01=""
helm install test mychart --set path.to.value00="",path.to.value01=""
'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value:
export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d)
@@ -315,33 +352,33 @@ $ helm install test mychart --set path.to.value00="",path.to.value01=""
[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
**What changes were introduced in this major version?**
#### What changes were introduced in this major version?
- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field.
- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information.
- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts
**Considerations when upgrading to this version**
#### Considerations when upgrading to this version
- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues
- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore
- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3
**Useful links**
#### Useful links
- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/
- https://helm.sh/docs/topics/v2_v3_migration/
- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/
- <https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-resolve-helm2-helm3-post-migration-issues-index.html>
- <https://helm.sh/docs/topics/v2_v3_migration/>
- <https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/>
## License
Copyright &copy; 2022 Bitnami
Copyright &copy; 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,

83
external-dns/charts/common/templates/_affinities.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
@@ -45,48 +50,110 @@ Return a nodeAffinity definition
{{- end -}}
{{- end -}}
{{/*
Return a topologyKey definition
{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
*/}}
{{- define "common.affinities.topologyKey" -}}
{{ .topologyKey | default "kubernetes.io/hostname" -}}
{{- end -}}
{{/*
Return a soft podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
*/}}
{{- define "common.affinities.pods.soft" -}}
{{- $component := default "" .component -}}
{{- $customLabels := default (dict) .customLabels -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
{{- $extraNamespaces := default (list) .extraNamespaces -}}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }}
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ include "common.names.namespace" .context | quote }}
topologyKey: kubernetes.io/hostname
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: 1
{{- range $extraPodAffinityTerms }}
- podAffinityTerm:
labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
weight: {{ .weight | default 1 -}}
{{- end -}}
{{- end -}}
{{/*
Return a hard podAffinity/podAntiAffinity definition
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}}
{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}}
*/}}
{{- define "common.affinities.pods.hard" -}}
{{- $component := default "" .component -}}
{{- $customLabels := default (dict) .customLabels -}}
{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
{{- $extraNamespaces := default (list) .extraNamespaces -}}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }}
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := $extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if $extraNamespaces }}
namespaces:
- {{ include "common.names.namespace" .context | quote }}
topologyKey: kubernetes.io/hostname
- {{ .context.Release.Namespace }}
{{- with $extraNamespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- range $extraPodAffinityTerms }}
- labelSelector:
matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
{{- if not (empty $component) }}
{{ printf "app.kubernetes.io/component: %s" $component }}
{{- end }}
{{- range $key, $value := .extraMatchLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .namespaces }}
namespaces:
- {{ $.context.Release.Namespace }}
{{- with .namespaces }}
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
{{- end }}
{{- end }}
topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
{{- end -}}
{{- end -}}
{{/*

146
external-dns/charts/common/templates/_capabilities.tpl
View File

@@ -1,17 +1,28 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "common.capabilities.kubeVersion" -}}
{{- if .Values.global }}
{{- if .Values.global.kubeVersion }}
{{- .Values.global.kubeVersion -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- end -}}
{{- else }}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
{{- end -}}
{{/*
Return true if the apiVersion is supported
Usage:
{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }}
*/}}
{{- define "common.capabilities.apiVersions.has" -}}
{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}}
{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}}
{{- true -}}
{{- else if has .version $providedAPIVersions -}}
{{- true -}}
{{- end -}}
{{- end -}}
@@ -19,126 +30,139 @@ Return the target Kubernetes version
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "common.capabilities.policy.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "policy/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "common.capabilities.networkPolicy.apiVersion" -}}
{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for job.
*/}}
{{- define "common.capabilities.job.apiVersion" -}}
{{- print "batch/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for cronjob.
*/}}
{{- define "common.capabilities.cronjob.apiVersion" -}}
{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "batch/v1beta1" -}}
{{- else -}}
{{- print "batch/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for daemonset.
*/}}
{{- define "common.capabilities.daemonset.apiVersion" -}}
{{- print "apps/v1" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "common.capabilities.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.apiVersion -}}
{{- .Values.ingress.apiVersion -}}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end }}
{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for RBAC resources.
*/}}
{{- define "common.capabilities.rbac.apiVersion" -}}
{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "rbac.authorization.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "rbac.authorization.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for CRDs.
*/}}
{{- define "common.capabilities.crd.apiVersion" -}}
{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiextensions.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiextensions.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for APIService.
*/}}
{{- define "common.capabilities.apiService.apiVersion" -}}
{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "apiregistration.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiregistration.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Horizontal Pod Autoscaler.
*/}}
{{- define "common.capabilities.hpa.apiVersion" -}}
{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
{{- if .beta2 -}}
{{- print "autoscaling/v2beta2" -}}
{{- else -}}
{{- print "autoscaling/v2beta1" -}}
{{- end -}}
{{- else -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for Vertical Pod Autoscaler.
*/}}
{{- define "common.capabilities.vpa.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "autoscaling/v1beta2" -}}
{{- else -}}
{{- print "autoscaling/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if PodSecurityPolicy is supported
*/}}
{{- define "common.capabilities.psp.supported" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if AdmissionConfiguration is supported
*/}}
{{- define "common.capabilities.admissionConfiguration.supported" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- true -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for AdmissionConfiguration.
*/}}
{{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "apiserver.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "apiserver.config.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for PodSecurityConfiguration.
*/}}
{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
{{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "pod-security.admission.config.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*

46
external-dns/charts/common/templates/_compatibility.tpl Normal file
View File

@@ -0,0 +1,46 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "common.compatibility.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "common.compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- if (((.context.Values.global).compatibility).openshift) -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}}
{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

71
external-dns/charts/common/templates/_errors.tpl
View File

@@ -1,6 +1,11 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Through error when upgrading using empty passwords values that must not be empty.
Throw error when upgrading using empty passwords values that must not be empty.
Usage:
{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}}
@@ -21,3 +26,67 @@ Required password params:
{{- printf $errorString $validationErrors | fail -}}
{{- end -}}
{{- end -}}
{{/*
Throw error when original container images are replaced.
The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
a warning message will be shown instead.
Usage:
{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
*/}}
{{- define "common.errors.insecureImages" -}}
{{- $relocatedImages := list -}}
{{- $replacedImages := list -}}
{{- $bitnamiLegacyImages := list -}}
{{- $retaggedImages := list -}}
{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
{{- $originalImages := .context.Chart.Annotations.images -}}
{{- range .images -}}
{{- $registryName := default .registry $globalRegistry -}}
{{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
{{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
{{- if not (contains $fullImageNameNoTag $originalImages) -}}
{{- if not (contains $registryName $originalImages) -}}
{{- $relocatedImages = append $relocatedImages $fullImageName -}}
{{- else if not (contains .repository $originalImages) -}}
{{- $replacedImages = append $replacedImages $fullImageName -}}
{{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
{{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
{{- $retaggedImages = append $retaggedImages $fullImageName -}}
{{- end -}}
{{- end -}}
{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
{{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
{{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
{{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
{{- range (concat $relocatedImages $replacedImages) -}}
{{- $errorString = print $errorString "\n - " . -}}
{{- end -}}
{{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
{{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
{{- print $errorString -}}
{{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
{{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
{{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
{{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
{{- print $errorString | fail -}}
{{- else if gt (len $replacedImages) 0 -}}
{{- $errorString = print "\n\n WARNING: " $errorString -}}
{{- print $errorString -}}
{{- end -}}
{{- else if gt (len $retaggedImages) 0 -}}
{{- $warnString := "\n\n WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
{{- $warnString = print $warnString "\n\nRetagged images:" -}}
{{- range $retaggedImages -}}
{{- $warnString = print $warnString "\n - " . -}}
{{- end -}}
{{- print $warnString -}}
{{- end -}}
{{- end -}}

77
external-dns/charts/common/templates/_images.tpl
View File

@@ -1,23 +1,34 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
Return the proper image name.
If image tag and digest are not defined, termination fallbacks to chart appVersion.
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $separator := ":" -}}
{{- $termination := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- if not .imageRoot.tag }}
{{- if .chart }}
{{- $termination = .chart.AppVersion | toString -}}
{{- end -}}
{{- end -}}
{{- if .imageRoot.digest }}
{{- $separator = "@" -}}
{{- $termination = .imageRoot.digest | toString -}}
{{- end -}}
{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
{{- if $registryName }}
{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
{{- else -}}
{{- printf "%s%s%s" $repositoryName $separator $termination -}}
{{- end -}}
{{- end -}}
{{/*
@@ -27,21 +38,27 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
{{- define "common.images.pullSecrets" -}}
{{- $pullSecrets := list }}
{{- if .global }}
{{- range .global.imagePullSecrets -}}
{{- range ((.global).imagePullSecrets) -}}
{{- if kindIs "map" . -}}
{{- $pullSecrets = append $pullSecrets .name -}}
{{- else -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end }}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- if kindIs "map" . -}}
{{- $pullSecrets = append $pullSecrets .name -}}
{{- else -}}
{{- $pullSecrets = append $pullSecrets . -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
{{- if (not (empty $pullSecrets)) -}}
imagePullSecrets:
{{- range $pullSecrets }}
{{- range $pullSecrets | uniq }}
- name: {{ . }}
{{- end }}
{{- end }}
@@ -55,22 +72,44 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa
{{- $pullSecrets := list }}
{{- $context := .context }}
{{- if $context.Values.global }}
{{- range $context.Values.global.imagePullSecrets -}}
{{- range (($context.Values.global).imagePullSecrets) -}}
{{- if kindIs "map" . -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
{{- else -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- range .images -}}
{{- range .pullSecrets -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- if kindIs "map" . -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
{{- else -}}
{{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if (not (empty $pullSecrets)) }}
{{- if (not (empty $pullSecrets)) -}}
imagePullSecrets:
{{- range $pullSecrets }}
{{- range $pullSecrets | uniq }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
*/}}
{{- define "common.images.version" -}}
{{- $imageTag := .imageRoot.tag | toString -}}
{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
{{- $version := semver $imageTag -}}
{{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
{{- else -}}
{{- print .chart.AppVersion -}}
{{- end -}}
{{- end -}}

39
external-dns/charts/common/templates/_ingress.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
@@ -12,11 +17,6 @@ Params:
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.ingress.backend" -}}
{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
name: {{ .serviceName }}
port:
@@ -26,33 +26,6 @@ service:
number: {{ .servicePort | int }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Print "true" if the API pathType field is supported
Usage:
{{ include "common.ingress.supportsPathType" . }}
*/}}
{{- define "common.ingress.supportsPathType" -}}
{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Returns true if the ingressClassname field is supported
Usage:
{{ include "common.ingress.supportsIngressClassname" . }}
*/}}
{{- define "common.ingress.supportsIngressClassname" -}}
{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}}
{{- print "false" -}}
{{- else -}}
{{- print "true" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if cert-manager required annotations for TLS signed
@@ -62,7 +35,7 @@ Usage:
{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }}
*/}}
{{- define "common.ingress.certManagerRequest" -}}
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }}
{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }}
{{- true -}}
{{- end -}}
{{- end -}}

30
external-dns/charts/common/templates/_labels.tpl
View File

@@ -1,18 +1,46 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}}
*/}}
{{- define "common.labels.standard" -}}
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}}
{{- with .context.Chart.AppVersion -}}
{{- $_ := set $default "app.kubernetes.io/version" . -}}
{{- end -}}
{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }}
{{- else -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Chart.AppVersion }}
app.kubernetes.io/version: {{ . | quote }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector
{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}}
We don't want to loop over custom labels appending them to the selector
since it's very likely that it will break deployments, services, etc.
However, it's important to overwrite the standard labels if the user
overwrote them on metadata.labels fields.
*/}}
{{- define "common.labels.matchLabels" -}}
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
{{- else -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}

18
external-dns/charts/common/templates/_names.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
@@ -23,10 +28,11 @@ If release name contains chart name it will be used as a full name.
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- $releaseName := regexReplaceAll "(-?[^a-z\\d\\-])+-?" (lower .Release.Name) "-" -}}
{{- if contains $name $releaseName -}}
{{- $releaseName | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
@@ -55,11 +61,7 @@ Usage:
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
*/}}
{{- define "common.names.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*

50
external-dns/charts/common/templates/_resources.tpl Normal file
View File

@@ -0,0 +1,50 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return a resource request/limit object based on a given preset.
These presets are for basic testing and not meant to be used in production
{{ include "common.resources.preset" (dict "type" "nano") -}}
*/}}
{{- define "common.resources.preset" -}}
{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}}
{{- $presets := dict
"nano" (dict
"requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi")
)
"micro" (dict
"requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
)
"small" (dict
"requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi")
)
"medium" (dict
"requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi")
)
"large" (dict
"requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi")
)
"xlarge" (dict
"requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi")
)
"2xlarge" (dict
"requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi")
"limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi")
)
}}
{{- if hasKey $presets .type -}}
{{- index $presets .type | toYaml -}}
{{- else -}}
{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
{{- end -}}
{{- end -}}

112
external-dns/charts/common/templates/_secrets.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
@@ -8,7 +13,7 @@ Usage:
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
@@ -41,7 +46,7 @@ Usage:
Params:
- existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
+info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
+info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
@@ -62,7 +67,7 @@ Params:
Generate secret password or retrieve one if already created.
Usage:
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
@@ -72,13 +77,18 @@ Params:
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
- failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
- skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
- honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret
The order in which this function returns a secret password:
1. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
2. Password provided via the values.yaml
1. Password provided via the values.yaml if honorProvidedValues = true
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
3. Randomly generated secret password
2. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
3. Password provided via the values.yaml if honorProvidedValues = false
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
4. Randomly generated secret password
(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
*/}}
@@ -90,36 +100,78 @@ The order in which this function returns a secret password:
{{- $passwordLength := default 10 .length }}
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
{{- if $secretData }}
{{- if hasKey $secretData .key }}
{{- $password = index $secretData .key }}
{{- else }}
{{- $password = index $secretData .key | b64dec }}
{{- else if not (eq .failOnNew false) }}
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
{{- end -}}
{{- else if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString | b64enc | quote }}
{{- else }}
{{- end }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}
{{- if and $providedPasswordValue .honorProvidedValues }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- end }}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- if .strong }}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
{{- if not $password }}
{{- if $providedPasswordValue }}
{{- $password = tpl ($providedPasswordValue | toString) .context }}
{{- else }}
{{- $password = randAlphaNum $passwordLength | b64enc | quote }}
{{- end }}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}
{{- if not (eq .failOnNew false) }}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- end }}
{{- if .strong }}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
{{- else }}
{{- $password = randAlphaNum $passwordLength }}
{{- end }}
{{- end -}}
{{- end -}}
{{- if not .skipB64enc }}
{{- $password = $password | b64enc }}
{{- end -}}
{{- if .skipQuote -}}
{{- printf "%s" $password -}}
{{- else -}}
{{- printf "%s" $password | quote -}}
{{- end -}}
{{- end -}}
{{/*
Reuses the value from an existing secret, otherwise sets its value to a default value.
Usage:
{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
Params:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.lookup" -}}
{{- $value := "" -}}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
{{- else if .defaultValue -}}
{{- $value = .defaultValue | toString | b64enc -}}
{{- end -}}
{{- if $value -}}
{{- printf "%s" $value -}}
{{- end -}}
{{- end -}}
{{/*
@@ -133,7 +185,7 @@ Params:
- context - Context - Required - Parent context.
*/}}
{{- define "common.secrets.exists" -}}
{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }}
{{- if $secret }}
{{- true -}}
{{- end -}}

18
external-dns/charts/common/templates/_storage.tpl
View File

@@ -1,23 +1,21 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- else -}}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

53
external-dns/charts/common/templates/_tplvalues.tpl
View File

@@ -1,13 +1,52 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Renders a value that contains template perhaps with scope if the scope is present.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }}
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
{{- if contains "{{" (toJson .value) }}
{{- if .scope }}
{{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
{{- else }}
{{- tpl $value .context }}
{{- end }}
{{- else }}
{{- $value }}
{{- end }}
{{- end -}}
{{/*
Merge a list of values that contains template after rendering them.
Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge
Usage:
{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
*/}}
{{- define "common.tplvalues.merge" -}}
{{- $dst := dict -}}
{{- range .values -}}
{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}}
{{- end -}}
{{ $dst | toYaml }}
{{- end -}}
{{/*
Merge a list of values that contains template after rendering them.
Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite
Usage:
{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }}
*/}}
{{- define "common.tplvalues.merge-overwrite" -}}
{{- $dst := dict -}}
{{- range .values -}}
{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}}
{{- end -}}
{{ $dst | toYaml }}
{{- end -}}

17
external-dns/charts/common/templates/_utils.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Print instructions to get a secret value.
@@ -6,7 +11,7 @@ Usage:
*/}}
{{- define "common.utils.secret.getvalue" -}}
{{- $varname := include "common.utils.fieldToEnvVar" . -}}
export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d)
{{- end -}}
{{/*
@@ -60,3 +65,13 @@ Usage:
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}
{{/*
Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376).
Usage:
{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }}
*/}}
{{- define "common.utils.checksumTemplate" -}}
{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}}
{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }}
{{- end -}}

99
external-dns/charts/common/templates/_warnings.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
@@ -8,7 +13,97 @@ Usage:
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html
{{- end }}
{{- end -}}
{{/*
Warning about replaced images from the original.
Usage:
{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
*/}}
{{- define "common.warnings.modifiedImages" -}}
{{- $affectedImages := list -}}
{{- $printMessage := false -}}
{{- $originalImages := .context.Chart.Annotations.images -}}
{{- range .images -}}
{{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}}
{{- if not (contains $fullImageName $originalImages) }}
{{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- end -}}
{{- if $printMessage }}
⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.
Substituted images detected:
{{- range $affectedImages }}
- {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Warning about not setting the resource object in all deployments.
Usage:
{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
Example:
{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
The list in the example assumes that the following values exist:
- csiProvider.provider.resources
- server.resources
- volumePermissions.resources
- resources
*/}}
{{- define "common.warnings.resources" -}}
{{- $values := .context.Values -}}
{{- $printMessage := false -}}
{{ $affectedSections := list -}}
{{- range .sections -}}
{{- if eq . "" -}}
{{/* Case where the resources section is at the root (one main deployment in the chart) */}}
{{- if not (index $values "resources") -}}
{{- $affectedSections = append $affectedSections "resources" -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else -}}
{{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
{{- $keys := split "." . -}}
{{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
{{- $section := $values -}}
{{- range $keys -}}
{{- $section = index $section . -}}
{{- end -}}
{{- if not (index $section "resources") -}}
{{/* If the section has enabled=false or replicaCount=0, do not include it */}}
{{- if and (hasKey $section "enabled") -}}
{{- if index $section "enabled" -}}
{{/* enabled=true */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else if and (hasKey $section "replicaCount") -}}
{{/* We need a casting to int because number 0 is not treated as an int by default */}}
{{- if (gt (index $section "replicaCount" | int) 0) -}}
{{/* replicaCount > 0 */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- else -}}
{{/* Default case, add it to the affected sections */}}
{{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
{{- $printMessage = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $printMessage }}
WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
{{- range $affectedSections }}
- {{ . }}
{{- end }}
+info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
{{- end -}}
{{- end -}}

27
external-dns/charts/common/templates/validations/_cassandra.tpl
View File

@@ -1,30 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Cassandra required passwords are not empty.
Usage:
{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret"
- subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- define "common.validations.values.cassandra.passwords" -}}
{{- $existingSecret := include "common.cassandra.values.existingSecret" . -}}
{{- $enabled := include "common.cassandra.values.enabled" . -}}
{{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}}
{{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Auxiliary function to get the right value for existingSecret.

5
external-dns/charts/common/templates/validations/_mariadb.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MariaDB required passwords are not empty.

47
external-dns/charts/common/templates/validations/_mongodb.tpl
View File

@@ -1,50 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MongoDB&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MongoDB&reg; values are stored, e.g: "mongodb-passwords-secret"
- subchart - Boolean - Optional. Whether MongoDB&reg; is used as subchart or not. Default: false
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- define "common.validations.values.mongodb.passwords" -}}
{{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mongodb.values.enabled" . -}}
{{- $authPrefix := include "common.mongodb.values.key.auth" . -}}
{{- $architecture := include "common.mongodb.values.architecture" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyDatabase := printf "%s.database" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}}
{{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}}
{{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }}
{{- if and $valueUsername $valueDatabase -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replicaset") -}}
{{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Auxiliary function to get the right value for existingSecret.

42
external-dns/charts/common/templates/validations/_mysql.tpl
View File

@@ -1,45 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate MySQL required passwords are not empty.
Usage:
{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret"
- subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- define "common.validations.values.mysql.passwords" -}}
{{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}}
{{- $enabled := include "common.mysql.values.enabled" . -}}
{{- $architecture := include "common.mysql.values.architecture" . -}}
{{- $authPrefix := include "common.mysql.values.key.auth" . -}}
{{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}}
{{- $valueKeyUsername := printf "%s.username" $authPrefix -}}
{{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
{{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}}
{{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }}
{{- if not (empty $valueUsername) -}}
{{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
{{- end -}}
{{- if (eq $architecture "replication") -}}
{{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Auxiliary function to get the right value for existingSecret.

30
external-dns/charts/common/templates/validations/_postgresql.tpl
View File

@@ -1,33 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Validate PostgreSQL required passwords are not empty.
Usage:
{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret"
- subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- define "common.validations.values.postgresql.passwords" -}}
{{- $existingSecret := include "common.postgresql.values.existingSecret" . -}}
{{- $enabled := include "common.postgresql.values.enabled" . -}}
{{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}}
{{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}}
{{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}}
{{- if (eq $enabledReplication "true") -}}
{{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/* vim: set filetype=mustache: */}}
{{/*
Auxiliary function to decide whether evaluate global values.

38
external-dns/charts/common/templates/validations/_redis.tpl
View File

@@ -1,38 +1,10 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate Redis&reg; required passwords are not empty.
Usage:
{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }}
Params:
- secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret"
- subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false
*/}}
{{- define "common.validations.values.redis.passwords" -}}
{{- $enabled := include "common.redis.values.enabled" . -}}
{{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}}
{{- $standarizedVersion := include "common.redis.values.standarized.version" . }}
{{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }}
{{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }}
{{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }}
{{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }}
{{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
{{- $requiredPasswords := list -}}
{{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}}
{{- if eq $useAuth "true" -}}
{{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}}
{{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}}
{{- end -}}
{{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Auxiliary function to get the right value for enabled redis.

5
external-dns/charts/common/templates/validations/_validations.tpl
View File

@@ -1,3 +1,8 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Validate values must not be empty.

3
external-dns/charts/common/values.yaml
View File

@@ -1,3 +1,6 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
## bitnami/common
## It is required by CI/CD tools and processes.
## @skip exampleValue

9
external-dns/templates/NOTES.txt
View File

@@ -2,11 +2,18 @@ CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
Subscribe to Bitnami Secure Images to receive continued support and security updates.
More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267
** Please be patient while the chart is being deployed **
To verify that external-dns has started, run:
kubectl --namespace={{ .Release.Namespace }} get pods -l "app.kubernetes.io/name={{ template "external-dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
kubectl --namespace={{ include "common.names.namespace" . }} get pods -l "app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ include "common.names.namespace" . }}"
{{ include "external-dns.validateValues" . }}
{{ include "external-dns.checkRollingTags" . }}
{{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image) "context" $) }}

370
external-dns/templates/_helpers.tpl
View File

@@ -1,140 +1,47 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "external-dns.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "external-dns.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "external-dns.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Helm required labels */}}
{{- define "external-dns.labels" -}}
app.kubernetes.io/name: {{ template "external-dns.name" . }}
helm.sh/chart: {{ template "external-dns.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels }}
{{- end }}
{{- end -}}
{{/* matchLabels */}}
{{- define "external-dns.matchLabels" -}}
app.kubernetes.io/name: {{ template "external-dns.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/* podAnnotations */}}
{{- define "external-dns.podAnnotations" -}}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations }}
{{- end }}
{{- if .Values.metrics.podAnnotations }}
{{ toYaml .Values.metrics.podAnnotations }}
{{- end }}
{{- end -}}
{{/*
Return the proper External DNS image name
*/}}
{{- define "external-dns.image" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "external-dns.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "external-dns.createSecret" -}}
{{- if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret (not .Values.alibabacloud.secretName) }}
{{- if and (eq .Values.provider "akamai") .Values.akamai.clientSecret (not .Values.akamai.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "aws") .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey (not .Values.aws.credentials.secretName) }}
{{- else if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret (not .Values.alibabacloud.secretName) }}
{{- true -}}
{{- else if and (or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns")) (or (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.aadClientId .Values.azure.aadClientSecret (not .Values.azure.useManagedIdentityExtension)) (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.useManagedIdentityExtension)) (not .Values.azure.secretName) -}}
{{- else if and (eq .Values.provider "aws") .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey (not .Values.aws.credentials.secretName) (not (include "external-dns.aws-credentials-secret-ref-defined" . )) }}
{{- true -}}
{{- else if and (or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns")) (or (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.aadClientId .Values.azure.aadClientSecret (not .Values.azure.useManagedIdentityExtension)) (and .Values.azure.resourceGroup .Values.azure.subscriptionId .Values.azure.useWorkloadIdentityExtension (not .Values.azure.useManagedIdentityExtension)) (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.useManagedIdentityExtension)) (not .Values.azure.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "cloudflare") (or .Values.cloudflare.apiToken .Values.cloudflare.apiKey) (not .Values.cloudflare.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "designate") (or .Values.designate.username .Values.designate.password) -}}
{{- true -}}
{{- else if and (eq .Values.provider "digitalocean") .Values.digitalocean.apiToken (not .Values.digitalocean.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "exoscale") .Values.exoscale.apiKey (not .Values.exoscale.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "google") .Values.google.serviceAccountKey (not .Values.google.serviceAccountSecret) -}}
{{- true -}}
{{- else if and (eq .Values.provider "hetzner") .Values.hetzner.token (not .Values.hetzner.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "infoblox") (and .Values.infoblox.wapiUsername .Values.infoblox.wapiPassword) (not .Values.infoblox.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "linode") .Values.linode.apiToken (not .Values.linode.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "oci") .Values.oci.privateKeyFingerprint (not .Values.oci.secretName) -}}
{{- else if and (eq .Values.provider "oci") (or .Values.oci.privateKeyFingerprint .Values.oci.useWorkloadIdentity) (not .Values.oci.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "rfc2136") (or .Values.rfc2136.tsigSecret (and .Values.rfc2136.kerberosUsername .Values.rfc2136.kerberosPassword)) (not .Values.rfc2136.secretName) -}}
{{- true -}}
@@ -144,13 +51,16 @@ Return true if a secret object should be created
{{- true -}}
{{- else if and (eq .Values.provider "ovh") .Values.ovh.consumerKey (not .Values.ovh.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "scaleway") .Values.scaleway.scwAccessKey -}}
{{- true -}}
{{- else if and (eq .Values.provider "vinyldns") (or .Values.vinyldns.secretKey .Values.vinyldns.accessKey) -}}
{{- else if and (eq .Values.provider "scaleway") .Values.scaleway.scwAccessKey (not .Values.scaleway.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "ns1") .Values.ns1.apiKey (not .Values.ns1.secretName) -}}
{{- true -}}
{{- else -}}
{{- else if and (eq .Values.provider "civo") .Values.civo.apiToken (not .Values.civo.secretName) -}}
{{- true -}}
{{- else if and (eq .Values.provider "pihole") .Values.pihole.password (not .Values.pihole.secretName) -}}
{{- true -}}
{{- else if and .Values.txtEncrypt.enabled (not .Values.txtEncrypt.secretName) -}}
{{- true -}}
{{- end -}}
{{- end -}}
@@ -158,9 +68,7 @@ Return true if a secret object should be created
Return true if a configmap object should be created
*/}}
{{- define "external-dns.createConfigMap" -}}
{{- if and (eq .Values.provider "designate") .Values.designate.customCA.enabled }}
{{- true -}}
{{- else if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }}
{{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }}
{{- true -}}
{{- else -}}
{{- end -}}
@@ -170,7 +78,9 @@ Return true if a configmap object should be created
Return the name of the Secret used to store the passwords
*/}}
{{- define "external-dns.secretName" -}}
{{- if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.secretName }}
{{- if and (eq .Values.provider "akamai") .Values.akamai.secretName }}
{{- .Values.akamai.secretName }}
{{- else if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.secretName }}
{{- .Values.alibabacloud.secretName }}
{{- else if and (eq .Values.provider "aws") .Values.aws.credentials.secretName }}
{{- .Values.aws.credentials.secretName }}
@@ -180,10 +90,10 @@ Return the name of the Secret used to store the passwords
{{- .Values.cloudflare.secretName }}
{{- else if and (eq .Values.provider "digitalocean") .Values.digitalocean.secretName }}
{{- .Values.digitalocean.secretName }}
{{- else if and (eq .Values.provider "exoscale") .Values.exoscale.secretName }}
{{- .Values.exoscale.secretName }}
{{- else if and (eq .Values.provider "google") .Values.google.serviceAccountSecret }}
{{- .Values.google.serviceAccountSecret }}
{{- else if and (eq .Values.provider "hetzner") .Values.hetzner.secretName }}
{{- .Values.hetzner.secretName }}
{{- else if and (eq .Values.provider "linode") .Values.linode.secretName }}
{{- .Values.linode.secretName }}
{{- else if and (eq .Values.provider "oci") .Values.oci.secretName }}
@@ -192,14 +102,18 @@ Return the name of the Secret used to store the passwords
{{- .Values.ovh.secretName }}
{{- else if and (eq .Values.provider "pdns") .Values.pdns.secretName }}
{{- .Values.pdns.secretName }}
{{- else if and (eq .Values.provider "infoblox") .Values.infoblox.secretName }}
{{- .Values.infoblox.secretName }}
{{- else if and (eq .Values.provider "rfc2136") .Values.rfc2136.secretName }}
{{- .Values.rfc2136.secretName }}
{{- else if and (eq .Values.provider "ns1") .Values.ns1.secretName }}
{{- .Values.ns1.secretName }}
{{- else if and (eq .Values.provider "civo") .Values.civo.secretName }}
{{- .Values.civo.secretName }}
{{- else if and (eq .Values.provider "pihole") .Values.pihole.secretName }}
{{- .Values.pihole.secretName }}
{{- else if and (eq .Values.provider "scaleway") .Values.scaleway.secretName }}
{{- .Values.scaleway.secretName }}
{{- else -}}
{{- template "external-dns.fullname" . }}
{{- template "common.names.fullname" . }}
{{- end -}}
{{- end -}}
@@ -231,31 +145,49 @@ aws_secret_access_key = {{ .Values.aws.credentials.secretKey }}
region = {{ .Values.aws.region }}
{{ end }}
{{- define "external-dns.aws-credentials-secret-ref-defined" -}}
{{- if and .Values.aws.credentials.accessKeyIDSecretRef.name .Values.aws.credentials.accessKeyIDSecretRef.key .Values.aws.credentials.secretAccessKeySecretRef.name .Values.aws.credentials.secretAccessKeySecretRef.key -}}
{{- true -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{- define "external-dns.azure-credentials" -}}
{
{{- if .Values.azure.cloud }}
"cloud": "{{ .Values.azure.cloud }}",
{{- end }}
{{- if .Values.azure.tenantId }}
"tenantId": "{{ .Values.azure.tenantId }}",
{{- end }}
{{- if .Values.azure.subscriptionId }}
"subscriptionId": "{{ .Values.azure.subscriptionId }}",
{{- end }}
"resourceGroup": "{{ .Values.azure.resourceGroup }}",
{{- if not .Values.azure.useManagedIdentityExtension }}
"aadClientId": "{{ .Values.azure.aadClientId }}",
"aadClientSecret": "{{ .Values.azure.aadClientSecret }}"
{{- end }}
{{- if and .Values.azure.useManagedIdentityExtension .Values.azure.userAssignedIdentityID }}
"useManagedIdentityExtension": true,
"userAssignedIdentityID": "{{ .Values.azure.userAssignedIdentityID }}"
{{- else if and .Values.azure.useManagedIdentityExtension (not .Values.azure.userAssignedIdentityID) }}
"useManagedIdentityExtension": true
{{- end }}
}
{{ end }}
{{- $credentials := dict -}}
{{- if .Values.azure.cloud -}}
{{- $_ := set $credentials "cloud" .Values.azure.cloud -}}
{{- end -}}
{{- if .Values.azure.tenantId -}}
{{- $_ := set $credentials "tenantId" .Values.azure.tenantId -}}
{{- end -}}
{{- if .Values.azure.subscriptionId -}}
{{- $_ := set $credentials "subscriptionId" .Values.azure.subscriptionId -}}
{{- end -}}
{{- $_ := set $credentials "resourceGroup" .Values.azure.resourceGroup -}}
{{- if not (or .Values.azure.useManagedIdentityExtension .Values.azure.useWorkloadIdentityExtension) -}}
{{- $_ := set $credentials "aadClientId" .Values.azure.aadClientId -}}
{{- $_ := set $credentials "aadClientSecret" .Values.azure.aadClientSecret -}}
{{- end -}}
{{- if .Values.azure.useWorkloadIdentityExtension -}}
{{- $_ := set $credentials "useWorkloadIdentityExtension" true -}}
{{- end -}}
{{- if and .Values.azure.useManagedIdentityExtension .Values.azure.userAssignedIdentityID -}}
{{- $_ := set $credentials "useManagedIdentityExtension" true -}}
{{- $_ := set $credentials "userAssignedIdentityID" .Values.azure.userAssignedIdentityID -}}
{{- else if and .Values.azure.useManagedIdentityExtension (not .Values.azure.userAssignedIdentityID) -}}
{{- $_ := set $credentials "useManagedIdentityExtension" true -}}
{{- end -}}
{{- $credentials | toJson -}}
{{- end -}}
{{- define "external-dns.oci-credentials" -}}
{{- if .Values.oci.useWorkloadIdentity }}
auth:
region: {{ .Values.oci.region }}
useWorkloadIdentity: true
compartment: {{ .Values.oci.compartmentOCID }}
{{- else }}
auth:
region: {{ .Values.oci.region }}
tenancy: {{ .Values.oci.tenancyOCID }}
@@ -267,18 +199,21 @@ auth:
passphrase: {{ .Values.oci.privateKeyPassphrase }}
{{- end }}
compartment: {{ .Values.oci.compartmentOCID }}
{{ end }}
{{- end }}
{{- end }}
{{/*
Compile all warnings into a single message, and call fail.
Compile all warnings into a single message, and call fail if the validation is enabled
*/}}
{{- define "external-dns.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "external-dns.validateValues.provider" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.sources" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.akamai.host" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.akamai.accessToken" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.akamai.clientToken" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.akamai.clientSecret" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.aws" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.infoblox.gridHost" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.infoblox.wapiPassword" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.pdns.apiUrl" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.pdns.apiKey" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.azure.resourceGroupWithoutTenantId" .) -}}
@@ -309,14 +244,15 @@ Compile all warnings into a single message, and call fail.
{{- $messages := append $messages (include "external-dns.validateValues.rfc2136.kerberosConfig" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwAccessKey" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwSecretKey" .) -}}
{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwDefaultOrganizationId" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if .Values.validation.enabled -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
@@ -342,6 +278,54 @@ external-dns: sources
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the Akamai host when provider is "akamai"
*/}}
{{- define "external-dns.validateValues.akamai.host" -}}
{{- if and (eq .Values.provider "akamai") (not .Values.akamai.host) -}}
external-dns: akamai.host
You must provide the Akamai host when provider="akamai".
Please set the host parameter (--set akamai.host="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the Akamai access token when provider is "akamai"
*/}}
{{- define "external-dns.validateValues.akamai.accessToken" -}}
{{- if and (eq .Values.provider "akamai") (not .Values.akamai.accessToken) -}}
external-dns: akamai.accessToken
You must provide the Akamai access token when provider="akamai".
Please set the accessToken parameter (--set akamai.accessToken="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the Akamai client token when provider is "akamai"
*/}}
{{- define "external-dns.validateValues.akamai.clientToken" -}}
{{- if and (eq .Values.provider "akamai") (not .Values.akamai.clientToken) -}}
external-dns: akamai.clientToken
You must provide the Akamai client token when provider="akamai".
Please set the clientToken parameter (--set akamai.clientToken="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the Akamai client secret when provider is "akamai"
*/}}
{{- define "external-dns.validateValues.akamai.clientSecret" -}}
{{- if and (eq .Values.provider "akamai") (not .Values.akamai.clientSecret) (not .Values.akamai.secretName) -}}
external-dns: akamai.clientSecret
You must provide the Akamai client secret when provider="akamai".
Please set the clientSecret parameter (--set akamai.clientSecret="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- The AWS Role to assume must follow ARN format when provider is "aws"
@@ -357,31 +341,6 @@ external-dns: aws.assumeRoleArn
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the Grid Manager host when provider is "infoblox"
*/}}
{{- define "external-dns.validateValues.infoblox.gridHost" -}}
{{- if and (eq .Values.provider "infoblox") (not .Values.infoblox.gridHost) -}}
external-dns: infoblox.gridHost
You must provide the Grid Manager host when provider="infoblox".
Please set the gridHost parameter (--set infoblox.gridHost="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide a WAPI password when provider is "infoblox"
*/}}
{{- define "external-dns.validateValues.infoblox.wapiPassword" -}}
{{- if and (eq .Values.provider "infoblox") (not .Values.infoblox.wapiPassword) (not .Values.infoblox.secretName) -}}
external-dns: infoblox.wapiPassword
You must provide a WAPI password when provider="infoblox".
Please set the wapiPassword parameter (--set infoblox.wapiPassword="xxxx")
or you can provide an existing secret name via infoblox.secretName
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the PowerDNS API URL when provider is "pdns"
@@ -408,10 +367,7 @@ external-dns: pdns.apiKey
{{/* Check if there are rolling tags in the images */}}
{{- define "external-dns.checkRollingTags" -}}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- end -}}
{{/*
@@ -503,7 +459,7 @@ Validate values of Azure DNS:
- must provide the Azure AAD Client ID when provider is "azure", secretName is not set and MSI is disabled and aadClientSecret is set
*/}}
{{- define "external-dns.validateValues.azure.aadClientId" -}}
{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useManagedIdentityExtension) .Values.azure.aadClientSecret -}}
{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useWorkloadIdentityExtension) (not .Values.azure.useManagedIdentityExtension) .Values.azure.aadClientSecret -}}
external-dns: azure.aadClientId
You must provide the Azure AAD Client ID when provider="azure" and aadClientSecret is set and useManagedIdentityExtension is not set.
Please set the aadClientId parameter (--set azure.aadClientId="xxxx")
@@ -600,7 +556,7 @@ Validate values of Azure Private DNS:
- must provide the Azure AAD Client ID when provider is "azure-private-dns", secret name is not set and MSI is disabled
*/}}
{{- define "external-dns.validateValues.azurePrivateDns.aadClientId" -}}
{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}}
{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.useWorkloadIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}}
external-dns: azure.useManagedIdentityExtension
You must provide the Azure AAD Client ID when provider="azure-private-dns" and useManagedIdentityExtension is not set.
Please set the aadClientSecret parameter (--set azure.aadClientId="xxxx")
@@ -612,7 +568,7 @@ Validate values of Azure Private DNS:
- must provide the Azure AAD Client Secret when provider is "azure-private-dns", secretName is not set and MSI is disabled
*/}}
{{- define "external-dns.validateValues.azurePrivateDns.aadClientSecret" -}}
{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientSecret) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}}
{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientSecret) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.useWorkloadIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}}
external-dns: azure.useManagedIdentityExtension
You must provide the Azure AAD Client Secret when provider="azure-private-dns" and useManagedIdentityExtension is not set.
Please set the aadClientSecret parameter (--set azure.aadClientSecret="xxxx")
@@ -631,19 +587,6 @@ external-dns: transip.account
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide an API token when provider is "hetzner"
*/}}
{{- define "external-dns.validateValues.hetzner" -}}
{{- if and (eq .Values.provider "hetzner") (or (not .Values.hetzner.token) (not .Values.hetzner.secretName)) -}}
external-dns: hetzner.token
You must provide the a Hetzner API Token when provider="hetzner".
Please set the token parameter (--set hetzner.token="xxxx")
or specify a secret that contains an API token. (--set hetzner.secretName="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of TransIP DNS:
- must provide the API key when provider is "transip"
@@ -746,7 +689,7 @@ Validate values of External DNS:
- must provide the Scaleway access key when provider is "scaleway"
*/}}
{{- define "external-dns.validateValues.scaleway.scwAccessKey" -}}
{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwAccessKey) -}}
{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwAccessKey) (not .Values.scaleway.secretName) -}}
external-dns: scaleway.scwAccessKey
You must provide the Scaleway access key when provider="scaleway".
Please set the scwAccessKey parameter (--set scaleway.scwAccessKey="xxxx")
@@ -758,44 +701,32 @@ Validate values of External DNS:
- must provide the scaleway secret key when provider is "scaleway"
*/}}
{{- define "external-dns.validateValues.scaleway.scwSecretKey" -}}
{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwSecretKey) -}}
{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwSecretKey) (not .Values.scaleway.secretName) -}}
external-dns: scaleway.scwSecretKey
You must provide the scaleway secret key when provider="scaleway".
Please set the scwSecretKey parameter (--set scaleway.scwSecretKey="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of External DNS:
- must provide the scaleway organization id when provider is "scaleway"
*/}}
{{- define "external-dns.validateValues.scaleway.scwDefaultOrganizationId" -}}
{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwDefaultOrganizationId) -}}
external-dns: scaleway.scwDefaultOrganizationId
You must provide the scaleway organization id key when provider="scaleway".
Please set the scwDefaultOrganizationId parameter (--set scaleway.scwDefaultOrganizationId="xxxx")
{{- end -}}
{{- end -}}
{{/*
Return the ExternalDNS service account name
*/}}
{{- define "external-dns.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "external-dns.fullname" .) .Values.serviceAccount.name }}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the ExternalDNS namespace to be used
Return the namespace to be monitored by ExternalDNS
*/}}
{{- define "external-dns.namespace" -}}
{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) -}}
{{ default .Release.Namespace .Values.namespace }}
{{ default (include "common.names.namespace" .) .Values.namespace }}
{{- else if .Values.watchReleaseNamespace -}}
{{ .Release.namespace }}
{{ include "common.names.namespace" . }}
{{- else -}}
{{ .Values.namespace }}
{{- end -}}
@@ -806,10 +737,10 @@ Return the secret containing external-dns TLS certificates
*/}}
{{- define "external-dns.tlsSecretName" -}}
{{- if .Values.coredns.etcdTLS.autoGenerated -}}
{{- printf "%s-crt" (include "external-dns.fullname" .) -}}
{{- printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $secretName := .Values.coredns.etcdTLS.secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- printf "%s" (tpl $secretName $) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
@@ -854,3 +785,14 @@ Return true if a TLS secret object should be created
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Returns the name of the default secret if the AES key is set via `.Values.txtEncrypt.aesKey` and the name of the custom secret when `.Values.txtEncrypt.secretName` is used.
*/}}
{{- define "external-dns.txtEncryptKeySecretName" -}}
{{- if and .Values.txtEncrypt.enabled .Values.txtEncrypt.secretName }}
{{- printf "%s" .Values.txtEncrypt.secretName -}}
{{- else if and .Values.txtEncrypt.enabled (not .Values.txtEncrypt.secretName) -}}
{{ template "common.names.fullname" . }}
{{- end -}}
{{- end -}}

56
external-dns/templates/clusterrole.yaml
View File

@@ -1,13 +1,14 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.rbac.create .Values.rbac.clusterRole }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRole
metadata:
name: {{ template "common.names.fullname.namespace" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -18,7 +19,15 @@ rules:
- services
- pods
- nodes
- endpoints
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
@@ -92,6 +101,41 @@ rules:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gateways
- httproutes
- tlsroutes
- tcproutes
- udproutes
- grpcroutes
verbs:
- get
- list
- watch
- apiGroups:
- cis.f5.com
resources:
- virtualservers
- transportservers
verbs:
- get
- watch
- list
{{- if has "traefik-proxy" .Values.sources }}
- apiGroups:
- traefik.containo.us
- traefik.io
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
verbs:
- get
- watch
- list
{{- end }}
{{- if or .Values.crd.create .Values.crd.apiversion }}
- apiGroups:
{{- if .Values.crd.create }}

13
external-dns/templates/clusterrolebinding.yaml
View File

@@ -1,13 +1,14 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.rbac.create .Values.rbac.clusterRole }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: ClusterRoleBinding
metadata:
name: {{ template "common.names.fullname.namespace" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
@@ -18,5 +19,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "external-dns.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}

18
external-dns/templates/configmap.yaml
View File

@@ -1,21 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "external-dns.createConfigMap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "external-dns.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- if .Values.designate.customCA.enabled }}
{{ .Values.designate.customCA.filename }}: |
{{ .Values.designate.customCA.content | indent 4 }}
{{- end }}
{{- if .Values.rfc2136.rfc3645Enabled }}
krb5.conf: |
{{ .Values.rfc2136.kerberosConfig | indent 4 }}

94
external-dns/templates/crd.yaml
View File

@@ -1,94 +0,0 @@
{{- if .Values.crd.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
api-approved.kubernetes.io: "https://github.com/kubernetes-sigs/external-dns/pull/2007"
creationTimestamp: null
name: dnsendpoints.externaldns.k8s.io
spec:
group: externaldns.k8s.io
names:
kind: DNSEndpoint
listKind: DNSEndpointList
plural: dnsendpoints
singular: dnsendpoint
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: DNSEndpointSpec defines the desired state of DNSEndpoint
properties:
endpoints:
items:
description: Endpoint is a high-level way of a connection between a service and an IP
properties:
dnsName:
description: The hostname of the DNS record
type: string
labels:
additionalProperties:
type: string
description: Labels stores labels defined for the Endpoint
type: object
providerSpecific:
description: ProviderSpecific stores provider specific config
items:
description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers
properties:
name:
type: string
value:
type: string
type: object
type: array
recordTTL:
description: TTL for the record
format: int64
type: integer
recordType:
description: RecordType type of record, e.g. CNAME, A, SRV, TXT etc
type: string
setIdentifier:
description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple')
type: string
targets:
description: The targets the DNS record points to
items:
type: string
type: array
type: object
type: array
type: object
status:
description: DNSEndpointStatus defines the observed state of DNSEndpoint
properties:
observedGeneration:
description: The generation observed by the external-dns controller.
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
{{- end }}

102
external-dns/templates/crds/crd.yaml Normal file
View File

@@ -0,0 +1,102 @@
# Source: https://raw.githubusercontent.com/kubernetes-sigs/external-dns/refs/tags/v{version}/config/crd/standard/dnsendpoints.externaldns.k8s.io.yaml
# Version: 0.18.0
# Conditional: .Values.crd.create
{{- if .Values.crd.create }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/external-dns/pull/2007
controller-gen.kubebuilder.io/version: v0.17.2
name: dnsendpoints.externaldns.k8s.io
spec:
group: externaldns.k8s.io
names:
kind: DNSEndpoint
listKind: DNSEndpointList
plural: dnsendpoints
singular: dnsendpoint
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
DNSEndpoint is a contract that a user-specified CRD must implement to be used as a source for external-dns.
The user-specified CRD should also have the status sub-resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: DNSEndpointSpec defines the desired state of DNSEndpoint
properties:
endpoints:
items:
description: Endpoint is a high-level way of a connection between a service and an IP
properties:
dnsName:
description: The hostname of the DNS record
type: string
labels:
additionalProperties:
type: string
description: Labels stores labels defined for the Endpoint
type: object
providerSpecific:
description: ProviderSpecific stores provider specific config
items:
description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers
properties:
name:
type: string
value:
type: string
type: object
type: array
recordTTL:
description: TTL for the record
format: int64
type: integer
recordType:
description: RecordType type of record, e.g. CNAME, A, AAAA, SRV, TXT etc
type: string
setIdentifier:
description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple')
type: string
targets:
description: The targets the DNS record points to
items:
type: string
type: array
type: object
type: array
type: object
status:
description: DNSEndpointStatus defines the observed state of DNSEndpoint
properties:
observedGeneration:
description: The generation observed by the external-dns controller.
format: int64
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}

406
external-dns/templates/deployment.yaml
View File

@@ -1,51 +1,59 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "external-dns.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
replicas: {{ coalesce .Values.replicas .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
replicas: 1
{{- if .Values.updateStrategy }}
strategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }}
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
template:
metadata:
labels: {{ include "external-dns.labels" . | nindent 8 }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
{{- if or .Values.podAnnotations (and .Values.metrics.enabled .Values.metrics.podAnnotations) (include "external-dns.createSecret" .) }}
annotations:
{{- if or .Values.podAnnotations .Values.metrics.enabled }}
{{- include "external-dns.podAnnotations" . | trim | nindent 8 }}
{{- if or .Values.podAnnotations (and .Values.metrics.enabled .Values.metrics.podAnnotations) }}
{{- $podAnnotations := include "common.tplvalues.merge" (dict "values" (list .Values.podAnnotations .Values.metrics.podAnnotations) "context" .) }}
{{- include "common.tplvalues.render" (dict "value" $podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- if (include "external-dns.createSecret" .) }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
{{- if and (eq .Values.provider "designate") .Values.designate.customCA.enabled }}
{{- if (include "external-dns.createConfigMap" .) }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- end }}
spec:
{{- include "external-dns.imagePullSecrets" . | nindent 6 }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }}
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName | quote }}
{{- end }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
@@ -62,12 +70,18 @@ spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.initContainers }}
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: external-dns
image: {{ include "external-dns.image" . | quote }}
image: {{ template "external-dns.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
@@ -112,16 +126,16 @@ spec:
- --service-type-filter={{ . }}
{{- end }}
{{- range .Values.domainFilters }}
- --domain-filter={{ . }}
- --domain-filter={{- include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}
{{- range .Values.excludeDomains }}
- --exclude-domains={{ . }}
- --exclude-domains={{- include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}
{{- if .Values.regexDomainFilter }}
- --regex-domain-filter={{ .Values.regexDomainFilter }}
- --regex-domain-filter={{- include "common.tplvalues.render" (dict "value" .Values.regexDomainFilter "context" $) }}
{{- end }}
{{- if .Values.regexDomainExclusion }}
- --regex-domain-exclusion={{ .Values.regexDomainExclusion }}
- --regex-domain-exclusion={{- include "common.tplvalues.render" (dict "value" .Values.regexDomainExclusion "context" $) }}
{{- end }}
{{- range .Values.zoneNameFilters }}
- --zone-name-filter={{ . }}
@@ -145,16 +159,22 @@ spec:
{{- if .Values.txtSuffix }}
- --txt-suffix={{ .Values.txtSuffix }}
{{- end }}
{{- if .Values.txtNewFormatOnly }}
- --txt-new-format-only
{{- end }}
{{- end }}
{{- if .Values.annotationFilter }}
- --annotation-filter={{ .Values.annotationFilter }}
{{- end }}
{{- if .Values.ingressClass }}
- --ingress-class={{ .Values.ingressClass }}
{{- end }}
{{- if .Values.labelFilter }}
- --label-filter={{ .Values.labelFilter }}
{{- end }}
{{- range .Values.ingressClassFilters }}
- --ingress-class={{ . }}
{{- end }}
{{- range .Values.managedRecordTypesFilters }}
- --managed-record-types={{ . }}
{{- end }}
{{- if .Values.crd.apiversion }}
- --crd-source-apiversion={{ .Values.crd.apiversion }}
{{- end }}
@@ -197,9 +217,18 @@ spec:
{{- if .Values.aws.preferCNAME }}
- --aws-prefer-cname
{{- end }}
{{- if .Values.aws.dynamodbTable }}
- --dynamodb-table={{ .Values.aws.dynamodbTable }}
{{- end }}
{{- if .Values.aws.dynamodbRegion }}
- --dynamodb-region={{ .Values.aws.dynamodbRegion }}
{{- end }}
{{- if and (kindIs "bool" .Values.aws.evaluateTargetHealth) (not .Values.aws.evaluateTargetHealth) }}
- --no-aws-evaluate-target-health
{{- end }}
{{- if .Values.aws.zoneMatchParent }}
- --aws-zone-match-parent
{{- end }}
{{- if or (and (eq .Values.provider "azure") (not .Values.azure.secretName)) (eq .Values.provider "azure-private-dns") }}
# Azure Arguments
{{- if .Values.azure.resourceGroup }}
@@ -216,12 +245,24 @@ spec:
{{- if .Values.cloudflare.proxied }}
- --cloudflare-proxied
{{- end }}
{{- if .Values.cloudflare.dnsRecordsPerPage }}
- --cloudflare-dns-records-per-page={{ .Values.cloudflare.dnsRecordsPerPage }}
{{- end }}
{{- if .Values.cloudflare.regionalServices }}
- --cloudflare-regional-services
{{- end }}
{{- if .Values.cloudflare.regionKey }}
- --cloudflare-region-key={{ .Values.cloudflare.regionKey }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "google" }}
# Google Arguments
{{- if .Values.google.project }}
- --google-project={{ .Values.google.project }}
{{- end }}
{{- if .Values.google.batchChangeSize }}
- --google-batch-change-size={{ .Values.google.batchChangeSize }}
{{- end }}
{{- if .Values.google.zoneVisibility }}
- --google-zone-visibility={{ .Values.google.zoneVisibility }}
{{- end }}
@@ -232,6 +273,9 @@ spec:
- --infoblox-view={{ .Values.infoblox.view }}
{{- if .Values.infoblox.domainFilter }}
- --domain-filter={{ .Values.infoblox.domainFilter }}
{{- end }}
{{- if .Values.infoblox.nameRegex }}
- --infoblox-name-regex={{ .Values.infoblox.nameRegex }}
{{- end }}
{{- if .Values.infoblox.wapiPort }}
- --infoblox-wapi-port={{ .Values.infoblox.wapiPort }}
@@ -243,20 +287,44 @@ spec:
- --no-infoblox-ssl-verify
{{- else }}
- --infoblox-ssl-verify
{{- end }}
{{- if .Values.infoblox.createPtr }}
- --infoblox-create-ptr
{{- end }}
{{- if .Values.infoblox.maxResults }}
- --infoblox-max-results={{ .Values.infoblox.maxResults }}
{{- end }}
{{- end }}
{{- if and (eq .Values.provider "oci") .Values.oci.useInstancePrincipal }}
# OCI Arguments
- --oci-auth-instance-principal
{{- if .Values.oci.compartmentOCID }}
- --oci-compartment-ocid={{ .Values.oci.compartmentOCID }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "ns1" }}
# ns1 arguments
- --ns1-min-ttl={{ .Values.ns1.minTTL }}
{{- end }}
{{- if eq .Values.provider "pihole" }}
{{- if .Values.pihole.server }}
- --pihole-server={{ .Values.pihole.server }}
{{- end }}
{{- if .Values.pihole.tlsSkipVerify }}
- --pihole-tls-skip-verify
{{- end }}
{{- end }}
{{- if eq .Values.provider "rfc2136" }}
# RFC 2136 arguments
- --rfc2136-host={{ required "rfc2136.host must be supplied for provider 'rfc2136'" .Values.rfc2136.host }}
- --rfc2136-port={{ .Values.rfc2136.port }}
- --rfc2136-zone={{ required "rfc2136.zone must be supplied for provider 'rfc2136'" .Values.rfc2136.zone }}
{{- $rfc2136Zones := prepend .Values.rfc2136.zones .Values.rfc2136.zone | uniq | compact }}
{{- if empty $rfc2136Zones }}
{{ fail "rfc2136.zone or rfc2136.zones must be supplied for provider 'rfc2136'" }}
{{- end }}
{{- range $rfc2136Zones }}
- --rfc2136-zone={{ . }}
{{- end }}
- --rfc2136-min-ttl={{ .Values.rfc2136.minTTL }}
{{- if .Values.rfc2136.tsigAxfr }}
- --rfc2136-tsig-axfr
@@ -283,16 +351,55 @@ spec:
- --transip-account={{ .Values.transip.account }}
- --transip-keyfile=/transip/transip-api-key
{{- end }}
{{- range $key, $value := .Values.extraArgs }}
# Extra arguments
{{- if $value }}
{{- if .Values.traefik.disableLegacy }}
- --traefik-disable-legacy
{{- end }}
{{- if .Values.traefik.disableNew }}
- --traefik-disable-new
{{- end }}
{{- if .Values.txtEncrypt.enabled }}
# TXT registry encryption
- --txt-encrypt-enabled
- --txt-encrypt-aes-key=$(TXT_AES_ENCRYPTION_KEY)
{{- end }}
{{- if .Values.extraArgs }}
{{- range $key, $value := .Values.extraArgs }}
# Extra arguments
{{- if kindIs "slice" $value }}
{{- range $val := $value }}
- --{{ $key }}={{ $val }}
{{- end }}
{{- else if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
env:
{{- if eq .Values.provider "akamai" }}
# Akamai environment variables
{{- if .Values.akamai.host }}
- name: EXTERNAL_DNS_AKAMAI_SERVICECONSUMERDOMAIN
value: {{ .Values.akamai.host }}
{{- end }}
{{- if .Values.akamai.accessToken }}
- name: EXTERNAL_DNS_AKAMAI_ACCESS_TOKEN
value: {{ .Values.akamai.accessToken }}
{{- end }}
{{- if .Values.akamai.clientToken }}
- name: EXTERNAL_DNS_AKAMAI_CLIENT_TOKEN
value: {{ .Values.akamai.clientToken }}
{{- end }}
{{- if or (.Values.akamai.clientSecret) (.Values.akamai.secretName) }}
- name: EXTERNAL_DNS_AKAMAI_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: akamai_client_secret
{{- end }}
{{- end }}
{{- if or (eq .Values.provider "aws") (eq .Values.provider "aws-sd") }}
# AWS environment variables
{{- if .Values.aws.region }}
@@ -303,10 +410,29 @@ spec:
- name: AWS_CONFIG_FILE
value: {{ .Values.aws.credentials.mountPath }}/config
{{- end }}
{{- if and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey }}
{{- if and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey (not (include "external-dns.aws-credentials-secret-ref-defined" . ))}}
- name: AWS_SHARED_CREDENTIALS_FILE
value: {{ .Values.aws.credentials.mountPath }}/credentials
{{- end }}
{{- if (include "external-dns.aws-credentials-secret-ref-defined" . ) }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ .Values.aws.credentials.accessKeyIDSecretRef.name}}
key: {{ .Values.aws.credentials.accessKeyIDSecretRef.key }}
- name: AWS_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ .Values.aws.credentials.secretAccessKeySecretRef.name}}
key: {{ .Values.aws.credentials.secretAccessKeySecretRef.key }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "civo" }}
- name: CIVO_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: apiToken
{{- end }}
{{- if eq .Values.provider "cloudflare" }}
# Cloudflare environment variables
@@ -338,46 +464,6 @@ spec:
value: {{ .Values.coredns.etcdTLS.mountPath }}/{{ include "external-dns.tlsCACert" . }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "designate" }}
# Designate environment variables
{{- if .Values.designate.customCA.enabled }}
- name: OPENSTACK_CA_FILE
value: {{ .Values.designate.customCA.mountPath }}/{{ .Values.designate.customCA.filename }}
{{- else if .Values.designate.customCAHostPath }}
- name: OPENSTACK_CA_FILE
value: {{ .Values.designate.customCAHostPath }}
{{- end }}
{{- if .Values.designate.username }}
- name: OS_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: designate_username
{{- end }}
{{- if .Values.designate.password }}
- name: OS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: designate_password
{{- end }}
{{- if .Values.designate.authUrl }}
- name: OS_AUTH_URL
value: {{ .Values.designate.authUrl }}
{{- end }}
{{- if .Values.designate.regionName }}
- name: OS_REGION_NAME
value: {{ .Values.designate.regionName }}
{{- end }}
{{- if .Values.designate.userDomainName }}
- name: OS_USER_DOMAIN_NAME
value: {{ .Values.designate.userDomainName }}
{{- end }}
{{- if .Values.designate.projectName }}
- name: OS_PROJECT_NAME
value: {{ .Values.designate.projectName }}
{{- end }}
{{- end }}
{{- if and (eq .Values.provider "digitalocean") (or .Values.digitalocean.apiToken .Values.digitalocean.secretName) }}
# DigitalOcean environment variables
- name: DO_TOKEN
@@ -386,6 +472,23 @@ spec:
name: {{ template "external-dns.secretName" . }}
key: digitalocean_api_token
{{- end }}
{{- if (eq .Values.provider "exoscale") }}
# Exoscale environment variables
{{- if (or .Values.exoscale.apiKey .Values.exoscale.secretName) }}
- name: EXTERNAL_DNS_EXOSCALE_APIKEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: exoscale_api_key
{{- end }}
{{- if (or .Values.exoscale.apiToken .Values.exoscale.secretName) }}
- name: EXTERNAL_DNS_EXOSCALE_APISECRET
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: exoscale_api_token
{{- end }}
{{- end }}
{{- if eq .Values.provider "google" }}
# Google environment variables
{{- if or .Values.google.serviceAccountSecret .Values.google.serviceAccountKey }}
@@ -393,22 +496,6 @@ spec:
value: /etc/secrets/service-account/credentials.json
{{- end }}
{{- end }}
{{- if eq .Values.provider "hetzner" }}
# Hetzner environment variables
{{- if .Values.hetzner.secretName }}
- name: HETZNER_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.hetzner.secretName }}
key: {{ .Values.hetzner.secretKey }}
{{- else }}
- name: HETZNER_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: hetzner_token
{{- end }}
{{- end }}
{{- if eq .Values.provider "linode" }}
# Linode environment variables
{{- if or (.Values.linode.apiToken) (.Values.linode.secretName) }}
@@ -445,51 +532,22 @@ spec:
{{- end }}
{{- if eq .Values.provider "scaleway" }}
# Scaleway environment variables
{{- if .Values.scaleway.scwAccessKey }}
{{- if or (.Values.scaleway.scwAccessKey) (.Values.scaleway.secretName) }}
- name: SCW_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: scw_access_key
{{- end }}
{{- if .Values.scaleway.scwSecretKey }}
{{- if or (.Values.scaleway.scwSecretKey) (.Values.scaleway.secretName) }}
- name: SCW_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: scw_secret_key
{{- end }}
{{- if .Values.scaleway.scwDefaultOrganizationId }}
- name: SCW_DEFAULT_ORGANIZATION_ID
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: scw_default_organization_id
{{- end }}
{{- end }}
{{- if eq .Values.provider "infoblox" }}
# Infloblox environment variables
{{- if .Values.infoblox.wapiConnectionPoolSize }}
- name: EXTERNAL_DNS_INFOBLOX_HTTP_POOL_CONNECTIONS
value: "{{ .Values.infoblox.wapiConnectionPoolSize }}"
{{- end }}
{{- if .Values.infoblox.wapiHttpTimeout }}
- name: EXTERNAL_DNS_INFOBLOX_HTTP_REQUEST_TIMEOUT
value: "{{ .Values.infoblox.wapiHttpTimeout }}"
{{- end }}
{{- if or (and .Values.infoblox.wapiUsername .Values.infoblox.wapiPassword) (.Values.infoblox.secretName) }}
- name: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: infoblox_wapi_username
- name: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: infoblox_wapi_password
{{- end }}
{{- end }}
{{- if eq .Values.provider "rfc2136" }}
{{- if .Values.rfc2136.tsigSecret | or (and .Values.rfc2136.kerberosUsername .Values.rfc2136.kerberosPassword) | or .Values.rfc2136.secretName }}
# RFC 2136 environment variables
{{- if .Values.rfc2136.rfc3645Enabled }}
@@ -511,6 +569,7 @@ spec:
key: rfc2136_tsig_secret
{{- end }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "pdns" }}
# PowerDNS environment variables
- name: PDNS_API_KEY
@@ -518,31 +577,17 @@ spec:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: pdns_api_key
{{- end }}
{{- if eq .Values.provider "vinyldns" }}
# VinylDNS environment variables
{{- if .Values.vinyldns.host }}
- name: VINYLDNS_HOST
value: {{ .Values.vinyldns.host }}
{{- end }}
{{- if .Values.vinyldns.accessKey }}
- name: VINYLDNS_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: vinyldns-access-key
{{- end }}
{{- if .Values.vinyldns.secretKey }}
- name: VINYLDNS_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: vinyldns-secret-key
{{- end }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.pihole.secretName }}
- name: EXTERNAL_DNS_PIHOLE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "external-dns.secretName" . }}
key: pihole_password
{{- end }}
{{- if eq .Values.provider "ns1" }}
# NS1 environment variables
{{- if or (.Values.ns1.apiKey) (.Values.ns1.secretName) }}
@@ -553,6 +598,13 @@ spec:
key: ns1-api-key
{{- end }}
{{- end }}
{{- if and .Values.txtEncrypt.enabled }}
- name: TXT_AES_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: {{ template "external-dns.txtEncryptKeySecretName" . }}
key: txt_aes_encryption_key
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
@@ -565,20 +617,21 @@ spec:
ports:
- name: http
containerPort: {{ .Values.containerPorts.http }}
{{- if .Values.livenessProbe.enabled }}
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /healthz
tcpSocket:
port: http
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- else if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /healthz
@@ -588,10 +641,10 @@ spec:
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- else if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.startupProbe.enabled }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe:
httpGet:
path: /healthz
@@ -601,26 +654,29 @@ spec:
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- else if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }}
# Alibaba Cloud mountPath(s)
- name: alibabacloud-config-file
mountPath: /etc/kubernetes/
readOnly: true
{{- end }}
{{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) }}
{{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) (not (include "external-dns.aws-credentials-secret-ref-defined" . )) }}
# AWS mountPath(s)
- name: aws-credentials
mountPath: {{ .Values.aws.credentials.mountPath }}
@@ -647,24 +703,10 @@ spec:
- name: google-service-account
mountPath: /etc/secrets/service-account/
{{- end }}
{{- if eq .Values.provider "oci" }}
{{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }}
- name: oci-config-file
mountPath: /etc/kubernetes/
{{- end }}
{{- if eq .Values.provider "designate" }}
# Designate mountPath(s)
{{- if and (.Values.designate.customCAHostPath) (.Values.designate.customCA.enabled) }}
{{- fail "designate.customCAHostPath cannot be specified with designate.customCA.enabled set to true" }}
{{- else if .Values.designate.customCA.enabled }}
- name: designate-custom-ca
mountPath: {{ .Values.designate.customCA.mountPath }}
readOnly: true
{{- else if .Values.designate.customCAHostPath }}
- name: designate-custom-ca-hostpath
mountPath: {{ .Values.designate.customCAHostPath }}
readOnly: true
{{- end }}
{{- end }}
{{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }}
- name: krb5config
mountPath: /etc/krb5.conf
@@ -684,13 +726,15 @@ spec:
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }}
# Alibaba Cloud volume(s)
- name: alibabacloud-config-file
secret:
secretName: {{ template "external-dns.secretName" . }}
{{- end }}
{{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) }}
{{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) (not (include "external-dns.aws-credentials-secret-ref-defined" . )) }}
# AWS volume(s)
- name: aws-credentials
secret:
@@ -702,16 +746,19 @@ spec:
{{- if or .Values.azure.secretName (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId) }}
secret:
secretName: {{ template "external-dns.secretName" . }}
{{- else if .Values.azure.useWorkloadIdentityExtension }}
secret:
secretName: {{ template "common.names.fullname" . }}
{{- else if .Values.azure.useManagedIdentityExtension }}
secret:
secretName: {{ template "external-dns.fullname" . }}
secretName: {{ template "common.names.fullname" . }}
{{- else }}
hostPath:
path: /etc/kubernetes/azure.json
type: File
{{- end }}
{{- end }}
{{- if (eq .Values.provider "oci")}}
{{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }}
- name: oci-config-file
secret:
secretName: {{ template "external-dns.secretName" . }}
@@ -734,26 +781,11 @@ spec:
path: credentials.json
{{- end }}
{{- end }}
{{- if eq .Values.provider "designate" }}
# Designate volume(s)
{{- if .Values.designate.customCA.enabled }}
- name: designate-custom-ca
configMap:
name: {{ template "external-dns.fullname" . }}
items:
- key: {{ .Values.designate.customCA.filename }}
path: {{ .Values.designate.customCA.filename }}
{{- else if .Values.designate.customCAHostPath }}
- name: designate-custom-ca-hostpath
hostPath:
path: {{ .Values.designate.customCAHostPath }}
{{- end }}
{{- end }}
{{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }}
# Kerberos config volume
- name: krb5config
configMap:
name: {{ template "external-dns.fullname" . }}
name: {{ template "common.names.fullname" . }}
items:
- key: "krb5.conf"
path: "krb5.conf"
@@ -762,7 +794,7 @@ spec:
# TransIP volume(s)
- name: transip-api-key
secret:
secretName: {{ template "external-dns.fullname" . }}
secretName: {{ template "common.names.fullname" . }}
{{- end }}
{{- if .Values.extraVolumes }}
# Extra volume(s)

5
external-dns/templates/extra-list.yaml
View File

@@ -1,3 +1,8 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}

69
external-dns/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,69 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
- port: {{ $port }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.http }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}

26
external-dns/templates/pdb.yaml
View File

@@ -1,18 +1,26 @@
{{- if .Values.podDisruptionBudget -}}
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "external-dns.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }}
{{- include "common.tplvalues.render" (dict "value" .Values.podDisruptionBudget "context" $) | nindent 2 }}
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end -}}

25
external-dns/templates/podmonitor.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.googlePodMonitor.enabled }}
apiVersion: monitoring.googleapis.com/v1
kind: PodMonitoring
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.googlePodMonitor.namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
spec:
endpoints:
- port: http
{{- with .Values.metrics.googlePodMonitor.endpoint }}
path: {{ . }}
{{- end }}
{{- with .Values.metrics.googlePodMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end }}

16
external-dns/templates/psp-clusterrole.yaml
View File

@@ -1,14 +1,14 @@
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.rbac.pspEnabled }}
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "common.capabilities.psp.supported" .) .Values.rbac.pspEnabled }}
kind: ClusterRole
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}

20
external-dns/templates/psp-clusterrolebinding.yaml
View File

@@ -1,23 +1,23 @@
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.rbac.pspEnabled }}
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "common.capabilities.psp.supported" .) .Values.rbac.pspEnabled }}
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: ClusterRoleBinding
metadata:
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" | trunc 63 | trimSuffix "-" }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }}
name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" | trunc 63 | trimSuffix "-" }}
subjects:
- kind: ServiceAccount
name: {{ template "external-dns.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}

15
external-dns/templates/psp.yaml
View File

@@ -1,14 +1,15 @@
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.rbac.pspEnabled }}
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (include "common.capabilities.psp.supported" .) .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "common.names.fullname.namespace" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}

12
external-dns/templates/role.yaml
View File

@@ -1,13 +1,15 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: Role
metadata:
name: {{ template "external-dns.fullname" . }}
name: {{ template "common.names.fullname" . }}
namespace: {{ template "external-dns.namespace" . }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}

16
external-dns/templates/rolebindings.yaml
View File

@@ -1,22 +1,24 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
kind: RoleBinding
metadata:
name: {{ template "external-dns.fullname" . }}
name: {{ template "common.names.fullname" . }}
namespace: {{ template "external-dns.namespace" . }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "external-dns.fullname" . }}
name: {{ template "common.names.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "external-dns.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}

59
external-dns/templates/secret.yaml
View File

@@ -1,22 +1,24 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "external-dns.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "external-dns.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.secretAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.secretAnnotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.secretAnnotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if eq .Values.provider "akamai" }}
akamai_client_secret: {{ .Values.akamai.clientSecret | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "alibabacloud" }}
alibaba-cloud.json: {{ include "external-dns.alibabacloud-credentials" . | b64enc | quote }}
{{- end }}
@@ -32,8 +34,8 @@ data:
{{- if eq .Values.provider "google" }}
credentials.json: {{ .Values.google.serviceAccountKey | b64enc | quote }}
{{- end }}
{{- if and (eq .Values.provider "hetzner") (not .Values.hetzner.secretName) }}
hetzner_token: {{ .Values.hetzner.token | b64enc | quote }}
{{- if eq .Values.provider "civo" }}
apiToken: {{ .Values.civo.apiToken | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "cloudflare" }}
{{- if .Values.cloudflare.apiToken }}
@@ -42,25 +44,17 @@ data:
cloudflare_api_key: {{ required "cloudflare.apiKey is required if cloudflare.apiToken is not provided" .Values.cloudflare.apiKey | b64enc | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "designate" }}
{{- if .Values.designate.username }}
designate_username: {{ .Values.designate.username | b64enc | quote }}
{{- end }}
{{- if .Values.designate.password }}
designate_password: {{ .Values.designate.password | b64enc | quote }}
{{- end }}
{{- end }}
{{- if eq .Values.provider "digitalocean" }}
digitalocean_api_token: {{ .Values.digitalocean.apiToken | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "infoblox" }}
infoblox_wapi_username: {{ .Values.infoblox.wapiUsername | b64enc | quote }}
infoblox_wapi_password: {{ .Values.infoblox.wapiPassword | b64enc | quote }}
{{- if eq .Values.provider "exoscale" }}
exoscale_api_key: {{ .Values.exoscale.apiKey | b64enc | quote }}
exoscale_api_token: {{ .Values.exoscale.apiToken | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "linode" }}
linode_api_token: {{ .Values.linode.apiToken | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "oci" }}
{{- if and (eq .Values.provider "oci") (not .Values.useInstancePrincipal) }}
oci.yaml: {{ include "external-dns.oci-credentials" . | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "pdns" }}
@@ -82,13 +76,14 @@ data:
{{- if eq .Values.provider "scaleway" }}
scw_access_key: {{ .Values.scaleway.scwAccessKey | b64enc | quote }}
scw_secret_key: {{ .Values.scaleway.scwSecretKey | b64enc | quote }}
scw_default_organization_id: {{ .Values.scaleway.scwDefaultOrganizationId | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "vinyldns" }}
vinyldns-access-key: {{ .Values.vinyldns.accessKey | b64enc | quote }}
vinyldns-secret-key: {{ .Values.vinyldns.secretKey | b64enc | quote }}
{{- end }}
{{- if eq .Values.provider "ns1" }}
ns1-api-key: {{ .Values.ns1.apiKey | b64enc | quote }}
{{- end }}
{{- if .Values.pihole.password }}
pihole_password: {{ .Values.pihole.password | b64enc | quote }}
{{- end }}
{{- if .Values.txtEncrypt.enabled }}
txt_aes_encryption_key: {{ .Values.txtEncrypt.aesKey | default (randAlphaNum 32 | replace "+" "-" | replace "/" "_") | b64enc | quote }}
{{- end }}
{{- end }}

24
external-dns/templates/service.yaml
View File

@@ -1,16 +1,16 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "external-dns.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.service.labels -}}
{{ toYaml .Values.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.service.annotations }}
annotations: {{ toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
@@ -25,6 +25,9 @@ spec:
{{- if .Values.service.externalIPs }}
externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }}
{{- end }}
{{- if and (eq .Values.service.type "ExternalName") .Values.service.externalName }}
externalName: {{ .Values.service.externalName }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
@@ -48,5 +51,6 @@ spec:
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{ include "external-dns.matchLabels" . | nindent 4 }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
{{- end }}

27
external-dns/templates/serviceaccount.yaml
View File

@@ -1,22 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "external-dns.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.labels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.labels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

51
external-dns/templates/servicemonitor.yaml
View File

@@ -1,47 +1,52 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "external-dns.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
labels: {{ include "external-dns.labels" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.labels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ template "common.names.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if or .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: http
path: /metrics
{{- with .Values.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{ toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.podTargetLabels }}
podTargetLabels: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.podTargetLabels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.targetLabels }}
targetLabels: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.targetLabels "context" $) | nindent 4 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "common.names.namespace" . | quote }}
selector:
matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
{{- $svcLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.selector .Values.commonLabels ) "context" . ) }}
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $svcLabels "context" $ ) | nindent 6 }}
{{- end }}

27
external-dns/templates/tls-secret.yaml
View File

@@ -1,26 +1,29 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "external-dns.createTlsSecret" .) }}
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- $ca := genCA "external-dns-ca" 365 }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $fullname := include "external-dns.fullname" . }}
{{- $serviceName := include "external-dns.fullname" . }}
{{- $fullname := include "common.names.fullname" . }}
{{- $serviceName := include "common.names.fullname" . }}
{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname }}
{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "external-dns.fullname" . }}-crt
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
ca.crt: {{ $ca.Cert | b64enc | quote }}
tls.crt: {{ $crt.Cert | b64enc | quote }}
tls.key: {{ $crt.Key | b64enc | quote }}
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}

535
external-dns/values.yaml
View File

@@ -1,3 +1,6 @@
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
@@ -14,20 +17,35 @@ global:
## - myRegistryKeySecretName
##
imagePullSecrets: []
## Security parameters
##
security:
## @param global.security.allowInsecureImages Allows skipping image verification
allowInsecureImages: false
## Compatibility adaptations for Kubernetes platforms
##
compatibility:
## Compatibility adaptations for Openshift
##
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: auto
## @section Common parameters
##
## @param nameOverride String to partially override external-dns.fullname template (will maintain the release name)
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override external-dns.fullname template
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
@@ -41,30 +59,26 @@ extraDeploy: []
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param watchReleaseNamespace Watch only namepsace used for the release
##
watchReleaseNamespace: false
## @section external-dns parameters
##
## Bitnami external-dns image version
## ref: https://hub.docker.com/r/bitnami/external-dns/tags/
## @param image.registry ExternalDNS image registry
## @param image.repository ExternalDNS image repository
## @param image.tag ExternalDNS Image tag (immutable tags are recommended)
## @param image.registry [default: REGISTRY_NAME] ExternalDNS image registry
## @param image.repository [default: REPOSITORY_NAME/external-dns] ExternalDNS image repository
## @skip image.tag ExternalDNS Image tag (immutable tags are recommended)
## @param image.digest ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy ExternalDNS image pull policy
## @param image.pullSecrets ExternalDNS image pull secrets
##
image:
registry: gitea.geekhome.org
repository: ghp/external-dns
tag: v0.7.6-663-gf76382a5
registry: registry.k8s.io
repository: external-dns/external-dns
tag: v0.19.0
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
@@ -75,24 +89,26 @@ image:
## - myRegistryKeySecretName
##
pullSecrets: []
## @param revisionHistoryLimit sets number of replicaset to keep in k8s
##
revisionHistoryLimit: 10
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param updateStrategy update strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#update-strategies
##
updateStrategy: {}
## @param command Override kiam default command
##
command: []
## @param args Override kiam default args
##
args: []
## @param sources [array] K8s resources type to be observed for new DNS entries by ExternalDNS
##
sources:
@@ -102,12 +118,34 @@ sources:
# - contour-httpproxy
## @param provider DNS provider where the DNS records will be created.
## Available providers are:
## - alibabacloud, aws, azure, azure-private-dns, cloudflare, coredns, designate, digitalocean, google, hetzner, infoblox, linode, rfc2136, transip, oci
## - akamai, alibabacloud, aws, azure, azure-private-dns, civo, cloudflare, coredns, digitalocean, exoscale, google, linode, ns1, oci, ovh, pdns, pihole, rfc2136, scaleway, transip
##
provider: aws
## @param initContainers Attach additional init containers to the pod (evaluated as a template)
##
initContainers: []
## DNS-Pod services
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## @param dnsPolicy Specifies the DNS policy for the external-dns deployment
## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies.
## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""
## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None`
## The dnsConfig field is optional and it can work with any dnsPolicy settings.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
## E.g.
## dnsConfig:
## nameservers:
## - 192.0.2.1 # this is an example
## searches:
## - ns1.svc.cluster-domain.example
## - my.dns.search.suffix
## options:
## - name: ndots
## value: "2"
## - name: edns0
dnsConfig: {}
## @param sidecars Attach additional containers to the pod (evaluated as a template)
##
sidecars: []
@@ -116,6 +154,9 @@ sidecars: []
## @param namespace Limit sources of endpoints to a specific namespace (default: all namespaces)
##
namespace: ""
## @param watchReleaseNamespace Watch only namespace used for the release
##
watchReleaseNamespace: false
## @param fqdnTemplates Templated strings that are used to generate DNS names from sources that don't define a hostname themselves
##
fqdnTemplates: []
@@ -138,6 +179,31 @@ publishHostIP: false
## @param serviceTypeFilter The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName)
##
serviceTypeFilter: []
## Chart Validation
##
validation:
## @param validation.enabled Enable chart validation
##
enabled: true
## Akamai configuration to be set via arguments/env. variables
##
akamai:
## @param akamai.host Hostname to use for EdgeGrid auth
##
host: ""
## @param akamai.accessToken Access Token to use for EdgeGrid auth
##
accessToken: ""
## @param akamai.clientToken Client Token to use for EdgeGrid auth
##
clientToken: ""
## @param akamai.clientSecret When using the Akamai provider, `AKAMAI_CLIENT_SECRET` to set (optional)
##
clientSecret: ""
## @param akamai.secretName Use an existing secret with key "akamai_api_seret" defined.
## This ignores akamai.clientSecret
##
secretName: ""
## Alibaba cloud configuration to be set via arguments/env. variables
## These will be added to /etc/kubernetes/alibaba-cloud.json via secret
##
@@ -179,6 +245,21 @@ aws:
## This ignores aws.credentials.secretKey, and aws.credentials.accessKey
##
secretName: ""
## AWS access key id stored in key-value secret.
## If aws.credentials.accessKeyIDSecretRef and aws.credentials.secretAccessKeySecretRef defined aws.credentials.secretKey, aws.credentials.accessKey and aws.credentials.secretName are ignored
## @param aws.credentials.accessKeyIDSecretRef.name Define the name of the secret that stores aws_access_key_id.
## @param aws.credentials.accessKeyIDSecretRef.key Define the key of the secret that stores aws_access_key_id.
##
accessKeyIDSecretRef:
name: ""
key: ""
## AWS secret access key stored in key-value secret
## @param aws.credentials.secretAccessKeySecretRef.name Define the name of the secret that stores aws_secret_access_key
## @param aws.credentials.secretAccessKeySecretRef.key Define the key of the secret that stores aws_secret_access_key
##
secretAccessKeySecretRef:
name: ""
key: ""
## @param aws.region When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional)
##
region: "us-east-1"
@@ -210,6 +291,17 @@ aws:
## @param aws.evaluateTargetHealth When using the AWS provider, sets the evaluate target health flag (options: true, false)
##
evaluateTargetHealth: ""
## @param aws.dynamodbTable When using the AWS provider, sets the DynamoDB table name to use for dynamodb registry
## ref: https://github.com/kubernetes-sigs/external-dns/blob/0483ffde22e60436f16be154b9fe1a388a1400d0/docs/registry/dynamodb.md
##
dynamodbTable: ""
## @param aws.dynamodbRegion When using the AWS provider, sets the DynamoDB table region to use for dynamodb registry
## ref: https://github.com/kubernetes-sigs/external-dns/blob/0483ffde22e60436f16be154b9fe1a388a1400d0/docs/registry/dynamodb.md
##
dynamodbRegion: ""
## @param aws.zoneMatchParent When using the AWS provider, lets a domain filter match subdomains within the same zone by using their parent domain
##
zoneMatchParent: false
## Azure configuration to be set via arguments/env. variables
##
azure:
@@ -235,12 +327,25 @@ azure:
## @param azure.aadClientSecret When using the Azure provider, set the Azure AAD Client Secret
##
aadClientSecret: ""
## @param azure.useWorkloadIdentityExtension When using the Azure provider, set if you use Workload Identity extension.
##
useWorkloadIdentityExtension: false
## @param azure.useManagedIdentityExtension When using the Azure provider, set if you use Azure MSI
##
useManagedIdentityExtension: false
## @param azure.userAssignedIdentityID When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used)
##
userAssignedIdentityID: ""
## Civo configuration to be set via arguments/env. variables
##
civo:
## @param civo.apiToken When using the Civo provider, `CIVO_TOKEN` to set (optional)
##
apiToken: ""
## @param civo.secretName Use an existing secret with key "apiToken" defined.
## This ignores civo.apiToken
##
secretName: ""
## Cloudflare configuration to be set via arguments/env. variables
##
cloudflare:
@@ -260,6 +365,17 @@ cloudflare:
## @param cloudflare.proxied When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional)
##
proxied: true
## @param cloudflare.dnsRecordsPerPage Number of DNS records to fetch per page. (optional)
## When using the Cloudflare provider, specify how many DNS records listed per page, max possible 5,000 (default: 100)
##
dnsRecordsPerPage: 100
## @param cloudflare.regionalServices Enable configuration of Cloudflare Regional Services. (optional)
##
regionalServices: false
## @param cloudflare.regionKey Set default region, when Cloudflare Regional Services are enabled. (optional)
## Using the "external-dns.alpha.kubernetes.io/cloudflare-region-key" annotation on your ingress, you can specify the region for that record.
##
regionKey: ""
## CoreDNS configuration to be set via arguments/env variables
##
coredns:
@@ -281,7 +397,7 @@ coredns:
## @param coredns.etcdTLS.secretName When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys
## ref: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md
## ref (secret creation):
## https://github.com/bitnami/charts/tree/master/bitnami/etcd#configure-certificates-for-client-communication
## https://github.com/bitnami/charts/tree/main/bitnami/etcd#configure-certificates-for-client-communication
##
secretName: "etcd-client-certs"
## @param coredns.etcdTLS.mountPath When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to
@@ -298,47 +414,21 @@ coredns:
## Will be used by external-dns to authenticate against etcd
##
keyFilename: "key.pem"
## OpenStack Designate provider configuration to be set via arguments/env. variables
## Exoscale configuration to be set via arguments/env. variables
##
designate:
## Set Openstack environment variables (optional). Username and password will be saved in a kubernetes secret
## The alternative to this is to export the necessary Openstack environment variables in the extraEnv argument
## @param designate.username When using the Designate provider, specify the OpenStack authentication username. (optional)
## @param designate.password When using the Designate provider, specify the OpenStack authentication password. (optional)
## @param designate.authUrl When using the Designate provider, specify the OpenStack authentication Url. (optional)
## @param designate.regionName When using the Designate provider, specify the OpenStack region name. (optional)
## @param designate.userDomainName When using the Designate provider, specify the OpenStack user domain name. (optional)
## @param designate.projectName When using the Designate provider, specify the OpenStack project name. (optional)
## @param designate.username When using the Designate provider, specify the OpenStack authentication username. (optional)
## e.g:
## username: "someuser"
## password: "p@55w0rd"
## authUrl: "https://mykeystone.example.net:5000/v3/"
## regionName: "dev"
## userDomainName: "development"
## projectName: "myteamname"
exoscale:
## @param exoscale.apiKey When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APIKEY` to set (optional)
##
username: ""
password: ""
authUrl: ""
regionName: ""
userDomainName: ""
projectName: ""
## @param designate.customCAHostPath When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled`
## This conflicts setting the above customCA to true and chart rendering will fail if you set customCA to true and specify customCAHostPath
apiKey: ""
## @param exoscale.apiToken When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APISECRET` to set (optional)
##
customCAHostPath: ""
## Use a custom CA (optional)
## @param designate.customCA.enabled When using the Designate provider, enable a custom CA (optional)
## @param designate.customCA.content When using the Designate provider, set the content of the custom CA
## @param designate.customCA.mountPath When using the Designate provider, set the mountPath in which to mount the custom CA configuration
## @param designate.customCA.filename When using the Designate provider, set the custom CA configuration filename
apiToken: ""
## @param exoscale.secretName Use an existing secret with keys "exoscale_api_key" and "exoscale_api_token" defined.
## This ignores exoscale.apiKey and exoscale.apiToken
##
customCA:
enabled: false
content: ""
mountPath: "/config/designate"
filename: "designate-ca.pem"
secretName: ""
## Google configuration to be set via arguments/env. variables
##
## DigitalOcean configuration to be set via arguments/env. variables
##
digitalocean:
@@ -355,6 +445,9 @@ google:
## @param google.project When using the Google provider, specify the Google project (required when provider=google)
##
project: ""
## @param google.batchChangeSize When using the google provider, set the maximum number of changes that will be applied in each batch
##
batchChangeSize: 1000
## @param google.serviceAccountSecret When using the Google provider, specify the existing secret which contains credentials.json (optional)
##
serviceAccountSecret: ""
@@ -367,61 +460,6 @@ google:
## @param google.zoneVisibility When using the Google provider, fiter for zones of a specific visibility (private or public)
##
zoneVisibility: ""
## Hetzner configuration to be set via arguments/env. variables
##
hetzner:
## @param hetzner.token When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.)
## Mutually exclusive with `hetzner.secretName`.
##
token: ""
## @param hetzner.secretName When using the Hetzner provider, specify the existing secret which contains your token. Disables the usage of `hetzner.token` (optional)
##
secretName: ""
## @param hetzner.secretKey When using the Hetzner provider with an existing secret, specify the key name (optional)
##
secretKey: "hetzner_token"
## Infoblox configuration to be set via arguments/env. variables
##
infoblox:
## @param infoblox.wapiUsername When using the Infoblox provider, specify the Infoblox WAPI username
##
wapiUsername: "admin"
## @param infoblox.wapiPassword When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox)
##
wapiPassword: ""
## @param infoblox.gridHost When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox)
##
gridHost: ""
## @param infoblox.view Infoblox view
##
view: ""
## Optional keys
##
## @param infoblox.secretName Existing secret name, when in place wapiUsername and wapiPassword are not required
##
secretName: ""
##
## @param infoblox.domainFilter When using the Infoblox provider, specify the domain (optional)
##
domainFilter: ""
## @param infoblox.noSslVerify When using the Infoblox provider, disable SSL verification (optional)
##
noSslVerify: false
## @param infoblox.wapiPort When using the Infoblox provider, specify the Infoblox WAPI port (optional)
##
wapiPort: ""
## @param infoblox.wapiVersion When using the Infoblox provider, specify the Infoblox WAPI version (optional)
##
wapiVersion: ""
## @param infoblox.wapiConnectionPoolSize When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional)
##
wapiConnectionPoolSize: ""
## @param infoblox.wapiHttpTimeout When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional)
##
wapiHttpTimeout: ""
## @param infoblox.maxResults When using the Infoblox provider, specify the Infoblox Max Results (optional)
##
maxResults: ""
## Linode configuration to be set via arguments/env. variables
##
linode:
@@ -432,7 +470,6 @@ linode:
## This ignores linode.apiToken
##
secretName: ""
## NS1 configuration to be set via arguments/env. variables
##
ns1:
@@ -446,7 +483,30 @@ ns1:
## This ignores ns1.apiToken
##
secretName: ""
## Pi-hole configuration to be set via arguments/env. variables
##
pihole:
## @param pihole.server When using the Pi-hole provider, specify The address of the Pi-hole web server
##
server: ""
## @param pihole.tlsSkipVerify When using the Pi-hole provider, specify wheter to skip verification of any TLS certificates served by the Pi-hole web server
##
tlsSkipVerify: ""
## @param pihole.password When using the Pi-hole provider, specify a password to use
##
password: ""
## @param pihole.secretName Use an existing secret with key "pihole_password" defined.
##
secretName: ""
## Compatibility adaptations for Traefik
##
traefik:
## @param traefik.disableNew Disable listeners on Resources under traefik.io
##
disableNew: false
## @param traefik.disableLegacy Disable listeners on Resources under traefik.containo.us
##
disableLegacy: false
## oci configuration to be set via arguments/env. variables
##
oci:
@@ -477,6 +537,12 @@ oci:
## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#deploy-externaldns
##
secretName: ""
## @param oci.useInstancePrincipal When using the OCI provider, enable IAM Instance Principal
## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal
useInstancePrincipal: false
## @param oci.useWorkloadIdentity When using the OCI provider, enable IAM Workload Identity
## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal
useWorkloadIdentity: false
## OVH configuration to be set via arguments/env. variables
##
ovh:
@@ -506,9 +572,10 @@ scaleway:
## @param scaleway.scwSecretKey When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway)
##
scwSecretKey: ""
## @param scaleway.scwDefaultOrganizationId When using the Scaleway provider, specify the existing organization id. (required when provider=scaleway)
## @param scaleway.secretName Use an existing secret with keys "scaleway_access_key" and "scaleway_secret_key" defined (optional).
## This ignores scaleway.scwAccessKey and scaleway.scwSecretKey
##
scwDefaultOrganizationId: ""
secretName: ""
## RFC 2136 configuration to be set via arguments/env. variables
##
rfc2136:
@@ -518,13 +585,17 @@ rfc2136:
## @param rfc2136.port When using the rfc2136 provider, specify the RFC2136 port (optional)
##
port: 53
## @param rfc2136.zone When using the rfc2136 provider, specify the zone (required when provider=rfc2136)
## @param rfc2136.zone DEPRECATED: use rfc2136.zones instead.
## Currently, the contents of rfc2136.zone and rfc2136.zones will be merged and deduplicated, in a future release this value will be removed in favor of `rfc2136.zones`.
##
zone: ""
## @param rfc2136.zones When using the rfc2136 provider, specify the zones (required when provider=rfc2136 and `rfc2136.zone` is not provided.)
##
zones: []
## @param rfc2136.tsigSecret When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional)
##
tsigSecret: ""
## @param rfc2136.secretName When using the rfc2136 provider, specify the existing secret which contains your tsig secret. Disables the usage of `rfc2136.tsigSecret` (optional)
## @param rfc2136.secretName When using the rfc2136 provider, specify the existing secret which contains your tsig secret in the key "rfc2136_tsig_secret". Disables the usage of `rfc2136.tsigSecret` (optional)
##
secretName: ""
## @param rfc2136.tsigSecretAlg When using the rfc2136 provider, specify the tsig secret to enable security (optional)
@@ -532,11 +603,11 @@ rfc2136:
tsigSecretAlg: hmac-sha256
## @param rfc2136.tsigKeyname When using the rfc2136 provider, specify the tsig keyname to enable security (optional)
##
tsigKeyname: externaldns-key
tsigKeyname: rfc2136_tsig_secret
## @param rfc2136.tsigAxfr When using the rfc2136 provider, enable AFXR to enable security (optional)
##
tsigAxfr: true
## @param rfc2136.minTTL When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
## @param rfc2136.minTTL When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more <https://golang.org/pkg/time/#ParseDuration>
##
minTTL: "0s"
## @param rfc2136.rfc3645Enabled When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG
@@ -554,7 +625,6 @@ rfc2136:
## @param rfc2136.kerberosRealm When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true)
##
kerberosRealm: ""
## PowerDNS configuration to be set via arguments/env. variables
##
pdns:
@@ -579,18 +649,6 @@ transip:
## @param transip.apiKey When using the TransIP provider, specify the API key to use.
##
apiKey: ""
## VinylDNS configuration to be set via arguments/env. variables
##
vinyldns:
## @param vinyldns.host When using the VinylDNS provider, specify the VinylDNS API host.
##
host: ""
## @param vinyldns.accessKey When using the VinylDNS provider, specify the Access Key to use.
##
accessKey: ""
## @param vinyldns.secretKey When using the VinylDNS provider, specify the Secret key to use.
##
secretKey: ""
## @param domainFilters Limit possible target zones by domain suffixes (optional)
##
domainFilters: []
@@ -614,12 +672,15 @@ zoneIdFilters: []
## @param annotationFilter Filter sources managed by external-dns via annotation using label selector (optional)
##
annotationFilter: ""
## @param ingressClass Filter sources managed by external-dns via annotation using label selector (optional)
##
ingressClass: ""
## @param labelFilter Select sources managed by external-dns using label selector (optional)
##
labelFilter: ""
## @param ingressClassFilters Filter sources managed by external-dns via IngressClass (optional)
##
ingressClassFilters: []
## @param managedRecordTypesFilters Filter record types managed by external-dns (optional)
##
managedRecordTypesFilters: []
## @param dryRun When enabled, prints DNS record changes rather than actually performing them (optional)
##
dryRun: false
@@ -638,8 +699,8 @@ logFormat: text
## @param policy Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only )
##
policy: upsert-only
## @param registry Registry method to use (options: txt, aws-sd, noop)
## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/proposal/registry.md
## @param registry Registry method to use (options: txt, aws-sd, dynamodb, noop)
## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/registry.md
##
registry: "txt"
## @param txtPrefix When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional)<CNAME record> (Mutual exclusive with txt-suffix)
@@ -648,6 +709,10 @@ txtPrefix: ""
## @param txtSuffix When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional)<CNAME record>.suffix (Mutual exclusive with txt-prefix)
##
txtSuffix: ""
## @param txtNewFormatOnly When using the TXT registry, use only the new format for ownership records (optional)
## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#record-format-options
##
txtNewFormatOnly: false
## @param txtOwnerId A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional)
## But other registry types might be added in the future.
##
@@ -668,9 +733,29 @@ txtOwnerId: ""
## value passed as txtOwnerId when forceTxtOwnerId=true
##
forceTxtOwnerId: false
## TXT registry record encryption
## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#encryption
##
txtEncrypt:
## @param txtEncrypt.enabled Enable TXT record encryption
##
enabled: false
## @param txtEncrypt.aesKey 32-byte AES-256-GCM encryption key.
## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#generating-the-txt-encryption-key
## Note: If txtEncrypt.enabled is enabled and txtEncrypt.aesKey is not set, a default key will be generated.
##
aesKey: ""
## @param txtEncrypt.secretName Use an existing secret with key "txt_aes_encryption_key" defined.
## This ignores txtEncrypt.aesKey
##
secretName: ""
## @param extraArgs Extra arguments to be passed to external-dns
##
extraArgs: {}
##extraArgs:
## rfc2136-zone:
## - extra-zone1.com
## - extra-zone2.com
## @param extraEnvVars An array to add extra env vars
##
extraEnvVars: []
@@ -692,9 +777,6 @@ schedulerName: ""
## The value is evaluated as a template
##
topologySpreadConstraints: []
## @param replicaCount Desired number of ExternalDNS replicas
##
replicaCount: 1
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
@@ -729,7 +811,7 @@ nodeAffinityPreset:
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
@@ -784,6 +866,9 @@ service:
## @param service.externalIPs Service external IP addresses
##
externalIPs: []
## @param service.externalName Service external name
##
externalName: ""
## @param service.loadBalancerIP IP address to assign to load balancer (if supported)
##
loadBalancerIP: ""
@@ -819,6 +904,64 @@ service:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: true
## @param networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
allowExternalEgress: true
## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
##
kubeAPIServerPorts: [443, 6443, 8443]
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## ServiceAccount parameters
## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
@@ -826,7 +969,7 @@ serviceAccount:
## @param serviceAccount.create Determine whether a Service Account should be created or it should reuse a exiting one.
##
create: true
## @param serviceAccount.name ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set
## @param serviceAccount.name ServiceAccount to use. A name is generated using the common.names.fullname template if it is not set
##
name: ""
## @param serviceAccount.annotations Additional Service Account annotations
@@ -834,7 +977,7 @@ serviceAccount:
annotations: {}
## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account.
##
automountServiceAccountToken: true
automountServiceAccountToken: false
## @param serviceAccount.labels [object] Additional labels to be included on the service account
##
labels: {}
@@ -854,46 +997,70 @@ rbac:
## @param rbac.pspEnabled Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
##
pspEnabled: false
## @param containerSecurityContext Security context for the container
## @param containerSecurityContext.enabled Enabled Apache Server containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set ExternalDNS containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set ExternalDNS containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set ExternalDNS container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set primary container's Security Context privileged
## @param containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.readOnlyRootFilesystem Set container readonlyRootFilesystem
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## Example:
## securityContext:
## containerSecurityContext:
## allowPrivilegeEscalation: false
## readOnlyRootFilesystem: true
## capabilities:
## drop: ["ALL"]
##
containerSecurityContext: {}
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @param podSecurityContext.enabled Enable pod security context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Group ID for the container
## @param podSecurityContext.runAsUser User ID for the container
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
runAsUser: 1001
## Container resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resources.limits The resources limits for the container
## @param resources.requests The requested resources for the container
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
## Example:
## limits:
## cpu: 50m
## memory: 50Mi
##
limits: {}
## Examples:
## requests:
## cpu: 10m
## memory: 50Mi
##
requests: {}
resourcesPreset: "nano"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
@@ -957,11 +1124,14 @@ extraVolumes: []
## @param extraVolumeMounts A list of volume mounts to be added to the pod
##
extraVolumeMounts: []
## @param podDisruptionBudget Configure PodDisruptionBudget
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
## @param pdb.create Enable/disable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
podDisruptionBudget: {}
pdb:
create: true
minAvailable: ""
maxUnavailable: ""
## Prometheus Exporter / Metrics
##
metrics:
@@ -989,7 +1159,7 @@ metrics:
##
scrapeTimeout: ""
## @param metrics.serviceMonitor.selector Additional labels for ServiceMonitor object
## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration
## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
## e.g:
## selector:
## prometheus: my-prometheus
@@ -1005,11 +1175,32 @@ metrics:
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
##
honorLabels: false
## DEPRECATED metrics.serviceMonitor.additionalLabels will be removed in a future release - Please use metrics.serviceMonitor.labels instead
## @param metrics.serviceMonitor.labels Used to pass Labels that are required by the installed Prometheus Operator
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
##
labels: {}
## @param metrics.serviceMonitor.targetLabels Labels from the Kubernetes service to be transferred to the created metrics
targetLabels: []
## @param metrics.serviceMonitor.podTargetLabels Labels from the Kubernetes pod to be transferred to the created metrics
podTargetLabels: []
## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
##
annotations: {}
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
##
jobLabel: ""
## Google Managed Prometheus PodMonitor configuration
##
googlePodMonitor:
## @param metrics.googlePodMonitor.enabled Create Google Managed Prometheus PodMonitoring object
##
enabled: false
## @param metrics.googlePodMonitor.namespace Namespace in which PodMonitoring created
##
namespace: ""
## @param metrics.googlePodMonitor.interval Interval at which metrics should be scraped by Google Managed Prometheus
##
interval: "60s"
## @param metrics.googlePodMonitor.endpoint The endpoint for Google Managed Prometheus scraping the metrics
##
endpoint: /metrics