From e65899ebde5d97d4e54cb35229af66498a90bbe4 Mon Sep 17 00:00:00 2001 From: ace Date: Mon, 29 Aug 2022 03:02:03 +0300 Subject: [PATCH] external-dns: bump to v0.7.6, helm chart v6.8.1 --- external-dns/.helmignore | 21 + external-dns/Chart.lock | 6 + external-dns/Chart.yaml | 27 + external-dns/README.md | 476 ++++++++ external-dns/charts/common/.helmignore | 22 + external-dns/charts/common/Chart.yaml | 23 + external-dns/charts/common/README.md | 350 ++++++ .../charts/common/templates/_affinities.tpl | 102 ++ .../charts/common/templates/_capabilities.tpl | 154 +++ .../charts/common/templates/_errors.tpl | 23 + .../charts/common/templates/_images.tpl | 76 ++ .../charts/common/templates/_ingress.tpl | 68 ++ .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 70 ++ .../charts/common/templates/_secrets.tpl | 140 +++ .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 ++ .../common/templates/validations/_mariadb.tpl | 103 ++ .../common/templates/validations/_mongodb.tpl | 108 ++ .../common/templates/validations/_mysql.tpl | 103 ++ .../templates/validations/_postgresql.tpl | 129 +++ .../common/templates/validations/_redis.tpl | 76 ++ .../templates/validations/_validations.tpl | 46 + external-dns/charts/common/values.yaml | 5 + external-dns/templates/NOTES.txt | 12 + external-dns/templates/_helpers.tpl | 856 ++++++++++++++ external-dns/templates/clusterrole.yaml | 127 +++ .../templates/clusterrolebinding.yaml | 22 + external-dns/templates/configmap.yaml | 23 + external-dns/templates/crd.yaml | 94 ++ external-dns/templates/deployment.yaml | 770 +++++++++++++ external-dns/templates/extra-list.yaml | 4 + external-dns/templates/pdb.yaml | 18 + external-dns/templates/psp-clusterrole.yaml | 21 + .../templates/psp-clusterrolebinding.yaml | 23 + external-dns/templates/psp.yaml | 47 + external-dns/templates/role.yaml | 118 ++ external-dns/templates/rolebindings.yaml | 22 + external-dns/templates/secret.yaml | 94 ++ external-dns/templates/service.yaml | 52 + external-dns/templates/serviceaccount.yaml | 22 + external-dns/templates/servicemonitor.yaml | 47 + external-dns/templates/tls-secret.yaml | 26 + external-dns/values.yaml | 1015 +++++++++++++++++ 47 files changed, 5743 insertions(+) create mode 100644 external-dns/.helmignore create mode 100644 external-dns/Chart.lock create mode 100644 external-dns/Chart.yaml create mode 100644 external-dns/README.md create mode 100644 external-dns/charts/common/.helmignore create mode 100644 external-dns/charts/common/Chart.yaml create mode 100644 external-dns/charts/common/README.md create mode 100644 external-dns/charts/common/templates/_affinities.tpl create mode 100644 external-dns/charts/common/templates/_capabilities.tpl create mode 100644 external-dns/charts/common/templates/_errors.tpl create mode 100644 external-dns/charts/common/templates/_images.tpl create mode 100644 external-dns/charts/common/templates/_ingress.tpl create mode 100644 external-dns/charts/common/templates/_labels.tpl create mode 100644 external-dns/charts/common/templates/_names.tpl create mode 100644 external-dns/charts/common/templates/_secrets.tpl create mode 100644 external-dns/charts/common/templates/_storage.tpl create mode 100644 external-dns/charts/common/templates/_tplvalues.tpl create mode 100644 external-dns/charts/common/templates/_utils.tpl create mode 100644 external-dns/charts/common/templates/_warnings.tpl create mode 100644 external-dns/charts/common/templates/validations/_cassandra.tpl create mode 100644 external-dns/charts/common/templates/validations/_mariadb.tpl create mode 100644 external-dns/charts/common/templates/validations/_mongodb.tpl create mode 100644 external-dns/charts/common/templates/validations/_mysql.tpl create mode 100644 external-dns/charts/common/templates/validations/_postgresql.tpl create mode 100644 external-dns/charts/common/templates/validations/_redis.tpl create mode 100644 external-dns/charts/common/templates/validations/_validations.tpl create mode 100644 external-dns/charts/common/values.yaml create mode 100644 external-dns/templates/NOTES.txt create mode 100644 external-dns/templates/_helpers.tpl create mode 100644 external-dns/templates/clusterrole.yaml create mode 100644 external-dns/templates/clusterrolebinding.yaml create mode 100644 external-dns/templates/configmap.yaml create mode 100644 external-dns/templates/crd.yaml create mode 100644 external-dns/templates/deployment.yaml create mode 100644 external-dns/templates/extra-list.yaml create mode 100644 external-dns/templates/pdb.yaml create mode 100644 external-dns/templates/psp-clusterrole.yaml create mode 100644 external-dns/templates/psp-clusterrolebinding.yaml create mode 100644 external-dns/templates/psp.yaml create mode 100644 external-dns/templates/role.yaml create mode 100644 external-dns/templates/rolebindings.yaml create mode 100644 external-dns/templates/secret.yaml create mode 100644 external-dns/templates/service.yaml create mode 100644 external-dns/templates/serviceaccount.yaml create mode 100644 external-dns/templates/servicemonitor.yaml create mode 100644 external-dns/templates/tls-secret.yaml create mode 100644 external-dns/values.yaml diff --git a/external-dns/.helmignore b/external-dns/.helmignore new file mode 100644 index 0000000..f0c1319 --- /dev/null +++ b/external-dns/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/external-dns/Chart.lock b/external-dns/Chart.lock new file mode 100644 index 0000000..6409e55 --- /dev/null +++ b/external-dns/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 2.0.1 +digest: sha256:46553c7194313fd9ce2e1e86422eef4dab3defb450e20c692f865924eacb8fb1 +generated: "2022-08-23T21:17:43.285411696Z" diff --git a/external-dns/Chart.yaml b/external-dns/Chart.yaml new file mode 100644 index 0000000..2903893 --- /dev/null +++ b/external-dns/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + category: DeveloperTools +apiVersion: v2 +appVersion: 0.7.6 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 2.x.x +description: ExternalDNS is a Kubernetes addon that configures public DNS servers + with information about exposed Kubernetes services to make them discoverable. +home: https://github.com/bitnami/charts/tree/master/bitnami/external-dns +icon: https://bitnami.com/assets/stacks/external-dns/img/external-dns-stack-220x234.png +keywords: +- external-dns +- network +- dns +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: external-dns +sources: +- https://github.com/kubernetes-sigs/external-dns +- https://github.com/bitnami/containers/tree/main/bitnami/external-dns +- https://github.com/kubernetes-sigs/external-dns +version: 6.8.1 diff --git a/external-dns/README.md b/external-dns/README.md new file mode 100644 index 0000000..76d6024 --- /dev/null +++ b/external-dns/README.md @@ -0,0 +1,476 @@ + + +# ExternalDNS packaged by Bitnami + +ExternalDNS is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable. + +[Overview of ExternalDNS](https://github.com/kubernetes-incubator/external-dns) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/external-dns +``` + +## Introduction + +This chart bootstraps a [ExternalDNS](https://github.com/bitnami/containers/tree/main/bitnami/external-dns) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/external-dns +``` + +The command deploys ExternalDNS on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | + + +### Common parameters + +| Name | Description | Value | +| ----------------------- | -------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override external-dns.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override external-dns.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `[]` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `watchReleaseNamespace` | Watch only namepsace used for the release | `false` | + + +### external-dns parameters + +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `image.registry` | ExternalDNS image registry | `docker.io` | +| `image.repository` | ExternalDNS image repository | `bitnami/external-dns` | +| `image.tag` | ExternalDNS Image tag (immutable tags are recommended) | `0.12.2-debian-11-r5` | +| `image.digest` | ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | ExternalDNS image pull policy | `IfNotPresent` | +| `image.pullSecrets` | ExternalDNS image pull secrets | `[]` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `updateStrategy` | update strategy type | `{}` | +| `command` | Override kiam default command | `[]` | +| `args` | Override kiam default args | `[]` | +| `sources` | K8s resources type to be observed for new DNS entries by ExternalDNS | `[]` | +| `provider` | DNS provider where the DNS records will be created. | `aws` | +| `initContainers` | Attach additional init containers to the pod (evaluated as a template) | `[]` | +| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` | +| `namespace` | Limit sources of endpoints to a specific namespace (default: all namespaces) | `""` | +| `fqdnTemplates` | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves | `[]` | +| `containerPorts.http` | HTTP Container port | `7979` | +| `combineFQDNAnnotation` | Combine FQDN template and annotations instead of overwriting | `false` | +| `ignoreHostnameAnnotation` | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set | `false` | +| `publishInternalServices` | Allow external-dns to publish DNS records for ClusterIP services | `false` | +| `publishHostIP` | Allow external-dns to publish host-ip for headless services | `false` | +| `serviceTypeFilter` | The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) | `[]` | +| `alibabacloud.accessKeyId` | When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.accessKeySecret` | When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.regionId` | When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.vpcId` | Alibaba Cloud VPC Id | `""` | +| `alibabacloud.secretName` | Use an existing secret with key "alibaba-cloud.json" defined. | `""` | +| `alibabacloud.zoneType` | Zone Filter. Available values are: public, private, or no value for both | `""` | +| `aws.credentials.secretKey` | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) | `""` | +| `aws.credentials.accessKey` | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) | `""` | +| `aws.credentials.mountPath` | When using the AWS provider, determine `mountPath` for `credentials` secret | `/.aws` | +| `aws.credentials.secretName` | Use an existing secret with key "credentials" defined. | `""` | +| `aws.region` | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) | `us-east-1` | +| `aws.zoneType` | When using the AWS provider, filter for zones of this type (optional, options: public, private) | `""` | +| `aws.assumeRoleArn` | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon | `""` | +| `aws.roleArn` | Specify role ARN to the external-dns daemon | `""` | +| `aws.apiRetries` | Maximum number of retries for AWS API calls before giving up | `3` | +| `aws.batchChangeSize` | When using the AWS provider, set the maximum number of changes that will be applied in each batch | `1000` | +| `aws.zonesCacheDuration` | If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL | `0` | +| `aws.zoneTags` | When using the AWS provider, filter for zones with these tags | `[]` | +| `aws.preferCNAME` | When using the AWS provider, replaces Alias records with CNAME (options: true, false) | `""` | +| `aws.evaluateTargetHealth` | When using the AWS provider, sets the evaluate target health flag (options: true, false) | `""` | +| `azure.secretName` | When using the Azure provider, set the secret containing the `azure.json` file | `""` | +| `azure.cloud` | When using the Azure provider, set the Azure Cloud | `""` | +| `azure.resourceGroup` | When using the Azure provider, set the Azure Resource Group | `""` | +| `azure.tenantId` | When using the Azure provider, set the Azure Tenant ID | `""` | +| `azure.subscriptionId` | When using the Azure provider, set the Azure Subscription ID | `""` | +| `azure.aadClientId` | When using the Azure provider, set the Azure AAD Client ID | `""` | +| `azure.aadClientSecret` | When using the Azure provider, set the Azure AAD Client Secret | `""` | +| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI | `false` | +| `azure.userAssignedIdentityID` | When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) | `""` | +| `cloudflare.apiToken` | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) | `""` | +| `cloudflare.apiKey` | When using the Cloudflare provider, `CF_API_KEY` to set (optional) | `""` | +| `cloudflare.secretName` | When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. | `""` | +| `cloudflare.email` | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY | `""` | +| `cloudflare.proxied` | When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) | `true` | +| `coredns.etcdEndpoints` | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) | `http://etcd-extdns:2379` | +| `coredns.etcdTLS.enabled` | When using the CoreDNS provider, enable secure communication with etcd | `false` | +| `coredns.etcdTLS.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `coredns.etcdTLS.secretName` | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys | `etcd-client-certs` | +| `coredns.etcdTLS.mountPath` | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to | `/etc/coredns/tls/etcd` | +| `coredns.etcdTLS.caFilename` | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` | `ca.crt` | +| `coredns.etcdTLS.certFilename` | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` | `cert.pem` | +| `coredns.etcdTLS.keyFilename` | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `key.pem` | +| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` | +| `designate.password` | When using the Designate provider, specify the OpenStack authentication password. (optional) | `""` | +| `designate.authUrl` | When using the Designate provider, specify the OpenStack authentication Url. (optional) | `""` | +| `designate.regionName` | When using the Designate provider, specify the OpenStack region name. (optional) | `""` | +| `designate.userDomainName` | When using the Designate provider, specify the OpenStack user domain name. (optional) | `""` | +| `designate.projectName` | When using the Designate provider, specify the OpenStack project name. (optional) | `""` | +| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` | +| `designate.customCAHostPath` | When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled` | `""` | +| `designate.customCA.enabled` | When using the Designate provider, enable a custom CA (optional) | `false` | +| `designate.customCA.content` | When using the Designate provider, set the content of the custom CA | `""` | +| `designate.customCA.mountPath` | When using the Designate provider, set the mountPath in which to mount the custom CA configuration | `/config/designate` | +| `designate.customCA.filename` | When using the Designate provider, set the custom CA configuration filename | `designate-ca.pem` | +| `digitalocean.apiToken` | When using the DigitalOcean provider, `DO_TOKEN` to set (optional) | `""` | +| `digitalocean.secretName` | Use an existing secret with key "digitalocean_api_token" defined. | `""` | +| `google.project` | When using the Google provider, specify the Google project (required when provider=google) | `""` | +| `google.serviceAccountSecret` | When using the Google provider, specify the existing secret which contains credentials.json (optional) | `""` | +| `google.serviceAccountSecretKey` | When using the Google provider with an existing secret, specify the key name (optional) | `credentials.json` | +| `google.serviceAccountKey` | When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) | `""` | +| `google.zoneVisibility` | When using the Google provider, fiter for zones of a specific visibility (private or public) | `""` | +| `hetzner.token` | When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.) | `""` | +| `hetzner.secretName` | When using the Hetzner provider, specify the existing secret which contains your token. Disables the usage of `hetzner.token` (optional) | `""` | +| `hetzner.secretKey` | When using the Hetzner provider with an existing secret, specify the key name (optional) | `hetzner_token` | +| `infoblox.wapiUsername` | When using the Infoblox provider, specify the Infoblox WAPI username | `admin` | +| `infoblox.wapiPassword` | When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox) | `""` | +| `infoblox.gridHost` | When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox) | `""` | +| `infoblox.view` | Infoblox view | `""` | +| `infoblox.secretName` | Existing secret name, when in place wapiUsername and wapiPassword are not required | `""` | +| `infoblox.domainFilter` | When using the Infoblox provider, specify the domain (optional) | `""` | +| `infoblox.noSslVerify` | When using the Infoblox provider, disable SSL verification (optional) | `false` | +| `infoblox.wapiPort` | When using the Infoblox provider, specify the Infoblox WAPI port (optional) | `""` | +| `infoblox.wapiVersion` | When using the Infoblox provider, specify the Infoblox WAPI version (optional) | `""` | +| `infoblox.wapiConnectionPoolSize` | When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional) | `""` | +| `infoblox.wapiHttpTimeout` | When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional) | `""` | +| `infoblox.maxResults` | When using the Infoblox provider, specify the Infoblox Max Results (optional) | `""` | +| `linode.apiToken` | When using the Linode provider, `LINODE_TOKEN` to set (optional) | `""` | +| `linode.secretName` | Use an existing secret with key "linode_api_token" defined. | `""` | +| `ns1.minTTL` | When using the ns1 provider, specify minimal TTL, as an integer, for records | `10` | +| `ns1.apiKey` | When using the ns1 provider, specify the API key to use | `""` | +| `ns1.secretName` | Use an existing secret with key "ns1-api-key" defined. | `""` | +| `oci.region` | When using the OCI provider, specify the region, where your zone is located in. | `""` | +| `oci.tenancyOCID` | When using the OCI provider, specify your Tenancy OCID | `""` | +| `oci.userOCID` | When using the OCI provider, specify your User OCID | `""` | +| `oci.compartmentOCID` | When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. | `""` | +| `oci.privateKey` | When using the OCI provider, paste in your RSA private key file for the Oracle API | `""` | +| `oci.privateKeyFingerprint` | When using the OCI provider, put in the fingerprint of your privateKey | `""` | +| `oci.privateKeyPassphrase` | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) | `""` | +| `oci.secretName` | When using the OCI provider, it's the name of the secret containing `oci.yaml` file. | `""` | +| `ovh.consumerKey` | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | +| `ovh.applicationKey` | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | +| `ovh.applicationSecret` | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | +| `ovh.secretName` | When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. | `""` | +| `scaleway.scwAccessKey` | When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) | `""` | +| `scaleway.scwSecretKey` | When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) | `""` | +| `scaleway.scwDefaultOrganizationId` | When using the Scaleway provider, specify the existing organization id. (required when provider=scaleway) | `""` | +| `rfc2136.host` | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) | `""` | +| `rfc2136.port` | When using the rfc2136 provider, specify the RFC2136 port (optional) | `53` | +| `rfc2136.zone` | When using the rfc2136 provider, specify the zone (required when provider=rfc2136) | `""` | +| `rfc2136.tsigSecret` | When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) | `""` | +| `rfc2136.secretName` | When using the rfc2136 provider, specify the existing secret which contains your tsig secret. Disables the usage of `rfc2136.tsigSecret` (optional) | `""` | +| `rfc2136.tsigSecretAlg` | When using the rfc2136 provider, specify the tsig secret to enable security (optional) | `hmac-sha256` | +| `rfc2136.tsigKeyname` | When using the rfc2136 provider, specify the tsig keyname to enable security (optional) | `externaldns-key` | +| `rfc2136.tsigAxfr` | When using the rfc2136 provider, enable AFXR to enable security (optional) | `true` | +| `rfc2136.minTTL` | When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration | `0s` | +| `rfc2136.rfc3645Enabled` | When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG | `false` | +| `rfc2136.kerberosConfig` | When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) | `""` | +| `rfc2136.kerberosUsername` | When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) | `""` | +| `rfc2136.kerberosPassword` | When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) | `""` | +| `rfc2136.kerberosRealm` | When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) | `""` | +| `pdns.apiUrl` | When using the PowerDNS provider, specify the API URL of the server. | `""` | +| `pdns.apiPort` | When using the PowerDNS provider, specify the API port of the server. | `8081` | +| `pdns.apiKey` | When using the PowerDNS provider, specify the API key of the server. | `""` | +| `pdns.secretName` | When using the PowerDNS provider, specify as secret name containing the API Key | `""` | +| `transip.account` | When using the TransIP provider, specify the account name. | `""` | +| `transip.apiKey` | When using the TransIP provider, specify the API key to use. | `""` | +| `vinyldns.host` | When using the VinylDNS provider, specify the VinylDNS API host. | `""` | +| `vinyldns.accessKey` | When using the VinylDNS provider, specify the Access Key to use. | `""` | +| `vinyldns.secretKey` | When using the VinylDNS provider, specify the Secret key to use. | `""` | +| `domainFilters` | Limit possible target zones by domain suffixes (optional) | `[]` | +| `excludeDomains` | Exclude subdomains (optional) | `[]` | +| `regexDomainFilter` | Limit possible target zones by regex domain suffixes (optional) | `""` | +| `regexDomainExclusion` | Exclude subdomains by using regex pattern (optional) | `""` | +| `zoneNameFilters` | Filter target zones by zone domain (optional) | `[]` | +| `zoneIdFilters` | Limit possible target zones by zone id (optional) | `[]` | +| `annotationFilter` | Filter sources managed by external-dns via annotation using label selector (optional) | `""` | +| `labelFilter` | Select sources managed by external-dns using label selector (optional) | `""` | +| `dryRun` | When enabled, prints DNS record changes rather than actually performing them (optional) | `false` | +| `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) | `false` | +| `interval` | Interval update period to use | `1m` | +| `logLevel` | Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) | `info` | +| `logFormat` | Which format to output logs in (options: text, json) | `text` | +| `policy` | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) | `upsert-only` | +| `registry` | Registry method to use (options: txt, aws-sd, noop) | `txt` | +| `txtPrefix` | When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional) (Mutual exclusive with txt-suffix) | `""` | +| `txtSuffix` | When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional).suffix (Mutual exclusive with txt-prefix) | `""` | +| `txtOwnerId` | A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) | `""` | +| `forceTxtOwnerId` | (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) | `false` | +| `extraArgs` | Extra arguments to be passed to external-dns | `{}` | +| `extraEnvVars` | An array to add extra env vars | `[]` | +| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` | +| `lifecycleHooks` | Override default etcd container hooks | `{}` | +| `schedulerName` | Alternative scheduler | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `replicaCount` | Desired number of ExternalDNS replicas | `1` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `podAnnotations` | Additional annotations to apply to the pod. | `{}` | +| `podLabels` | Additional labels to be added to pods | `{}` | +| `priorityClassName` | priorityClassName | `""` | +| `secretAnnotations` | Additional annotations to apply to the secret | `{}` | +| `crd.create` | Install and use the integrated DNSEndpoint CRD | `false` | +| `crd.apiversion` | Sets the API version for the CRD to watch | `""` | +| `crd.kind` | Sets the kind for the CRD to watch | `""` | +| `service.enabled` | Whether to create Service resource or not | `true` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.http` | ExternalDNS client port | `7979` | +| `service.nodePorts.http` | Port to bind to for NodePort service type (client port) | `""` | +| `service.clusterIP` | IP address to assign to service | `""` | +| `service.externalIPs` | Service external IP addresses | `[]` | +| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` | +| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Annotations to add to service | `{}` | +| `service.labels` | Provide any additional labels which may be required. | `{}` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` | +| `serviceAccount.name` | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` | +| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` | +| `rbac.create` | Whether to create & use RBAC resources or not | `true` | +| `rbac.clusterRole` | Whether to create Cluster Role. When set to false creates a Role in `namespace` | `true` | +| `rbac.apiVersion` | Version of the RBAC API | `v1` | +| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `containerSecurityContext` | Security context for the container | `{}` | +| `podSecurityContext.enabled` | Enable pod security context | `true` | +| `podSecurityContext.fsGroup` | Group ID for the container | `1001` | +| `podSecurityContext.runAsUser` | User ID for the container | `1001` | +| `resources.limits` | The resources limits for the container | `{}` | +| `resources.requests` | The requested resources for the container | `{}` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `customStartupProbe` | Override default startup probe | `{}` | +| `extraVolumes` | A list of volumes to be added to the pod | `[]` | +| `extraVolumeMounts` | A list of volume mounts to be added to the pod | `[]` | +| `podDisruptionBudget` | Configure PodDisruptionBudget | `{}` | +| `metrics.enabled` | Enable prometheus to access external-dns metrics endpoint | `false` | +| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor object | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.selector` | Additional labels for ServiceMonitor object | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` | +| `metrics.serviceMonitor.relabelings` | Prometheus relabeling rules | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are required by the installed Prometheus Operator | `{}` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set provider=aws bitnami/external-dns +``` + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/external-dns +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +### Using IRSA +If you are deploying to AWS EKS and you want to leverage [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). You will need to override `fsGroup` and `runAsUser` with `65534`(nfsnobody) and `0` respectively. Otherwise service account token will not be properly mounted. +You can use the following arguments: +``` +--set podSecurityContext.fsGroup=65534 --set podSecurityContext.runAsUser=0 +``` +## Tutorials + +Find information about the requirements for each DNS provider on the link below: + +- [ExternalDNS Tutorials](https://github.com/kubernetes-sigs/external-dns/tree/master/docs/tutorials) + +For instance, to install ExternalDNS on AWS, you need to: + +- Provide the K8s worker node which runs the cluster autoscaler with a minimum IAM policy (check [IAM permissions docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions) for more information). +- Setup a hosted zone on Route53 and annotate the Hosted Zone ID and its associated "nameservers" as described on [these docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#set-up-a-hosted-zone). +- Install ExternalDNS chart using the command below: + +> Note: replace the placeholder HOSTED_ZONE_IDENTIFIER and HOSTED_ZONE_NAME, with your hosted zoned identifier and name, respectively. +```bash +$ helm install my-release \ + --set provider=aws \ + --set aws.zoneType=public \ + --set txtOwnerId=HOSTED_ZONE_IDENTIFIER \ + --set domainFilters[0]=HOSTED_ZONE_NAME \ + bitnami/external-dns +``` + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +## Upgrading + +### To 6.0.0 + +Some of the chart values were changed to adapt to the latest Bitnami standards. More specifically: + +- `containerPort` was changed to `containerPorts.http` +- `service.port` was changed to `service.ports.http` + +No issues should be expected when upgrading. + +### To 5.0.0 + +The CRD was updated according to the latest changes in the upstream project. As a consequence, the CRD API version was moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`. If you deployed the Helm Chart using `crd.create=true` you need to manually delete the old CRD before upgrading the release. + +```console +kubectl delete crd dnsendpoints.externaldns.k8s.io +helm upgrade my-release -f my-values.yaml +``` + +### To 4.3.0 + +This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/master/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated thechart dependencies before executing any upgrade. + +### To 4.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +### To 3.0.0 + +- The parameters below are renamed: + - `rbac.serviceAccountCreate` -> `serviceAccount.create` + - `rbac.serviceAccountName` -> `serviceAccount.name` + - `rbac.serviceAccountAnnotations` -> `serviceAccount.annotations` +- It is now possible to create serviceAccount, clusterRole and clusterRoleBinding manually and give the serviceAccount to the chart. + +### To 2.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is `my-release`: + +```console +$ kubectl delete deployment my-release-external-dns +$ helm upgrade my-release bitnami/external-dns +``` + +Other mayor changes included in this major version are: + +- Default image changes from `registry.opensource.zalan.do/teapot/external-dns` to `bitnami/external-dns`. +- The parameters below are renamed: + - `aws.secretKey` -> `aws.credentials.secretKey` + - `aws.accessKey` -> `aws.credentials.accessKey` + - `aws.credentialsPath` -> `aws.credentials.mountPath` + - `designate.customCA.directory` -> `designate.customCA.mountPath` +- Support to Prometheus metrics is added. + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/external-dns/charts/common/.helmignore b/external-dns/charts/common/.helmignore new file mode 100644 index 0000000..50af031 --- /dev/null +++ b/external-dns/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/external-dns/charts/common/Chart.yaml b/external-dns/charts/common/Chart.yaml new file mode 100644 index 0000000..c810e3e --- /dev/null +++ b/external-dns/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 2.0.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 2.0.1 diff --git a/external-dns/charts/common/README.md b/external-dns/charts/common/README.md new file mode 100644 index 0000000..a2ecd60 --- /dev/null +++ b/external-dns/charts/common/README.md @@ -0,0 +1,350 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|-----------------------------------|-----------------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/external-dns/charts/common/templates/_affinities.tpl b/external-dns/charts/common/templates/_affinities.tpl new file mode 100644 index 0000000..2387be2 --- /dev/null +++ b/external-dns/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_capabilities.tpl b/external-dns/charts/common/templates/_capabilities.tpl new file mode 100644 index 0000000..9d9b760 --- /dev/null +++ b/external-dns/charts/common/templates/_capabilities.tpl @@ -0,0 +1,154 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_errors.tpl b/external-dns/charts/common/templates/_errors.tpl new file mode 100644 index 0000000..a79cc2e --- /dev/null +++ b/external-dns/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_images.tpl b/external-dns/charts/common/templates/_images.tpl new file mode 100644 index 0000000..46c659e --- /dev/null +++ b/external-dns/charts/common/templates/_images.tpl @@ -0,0 +1,76 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/external-dns/charts/common/templates/_ingress.tpl b/external-dns/charts/common/templates/_ingress.tpl new file mode 100644 index 0000000..8caf73a --- /dev/null +++ b/external-dns/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_labels.tpl b/external-dns/charts/common/templates/_labels.tpl new file mode 100644 index 0000000..252066c --- /dev/null +++ b/external-dns/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/external-dns/charts/common/templates/_names.tpl b/external-dns/charts/common/templates/_names.tpl new file mode 100644 index 0000000..1bdac8b --- /dev/null +++ b/external-dns/charts/common/templates/_names.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_secrets.tpl b/external-dns/charts/common/templates/_secrets.tpl new file mode 100644 index 0000000..a53fb44 --- /dev/null +++ b/external-dns/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_storage.tpl b/external-dns/charts/common/templates/_storage.tpl new file mode 100644 index 0000000..60e2a84 --- /dev/null +++ b/external-dns/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/external-dns/charts/common/templates/_tplvalues.tpl b/external-dns/charts/common/templates/_tplvalues.tpl new file mode 100644 index 0000000..2db1668 --- /dev/null +++ b/external-dns/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/external-dns/charts/common/templates/_utils.tpl b/external-dns/charts/common/templates/_utils.tpl new file mode 100644 index 0000000..8c22b2a --- /dev/null +++ b/external-dns/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/_warnings.tpl b/external-dns/charts/common/templates/_warnings.tpl new file mode 100644 index 0000000..ae10fa4 --- /dev/null +++ b/external-dns/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_cassandra.tpl b/external-dns/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000..ded1ae3 --- /dev/null +++ b/external-dns/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_mariadb.tpl b/external-dns/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000..b6906ff --- /dev/null +++ b/external-dns/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_mongodb.tpl b/external-dns/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000..f820ec1 --- /dev/null +++ b/external-dns/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_mysql.tpl b/external-dns/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000..74472a0 --- /dev/null +++ b/external-dns/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_postgresql.tpl b/external-dns/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000..164ec0d --- /dev/null +++ b/external-dns/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_redis.tpl b/external-dns/charts/common/templates/validations/_redis.tpl new file mode 100644 index 0000000..dcccfc1 --- /dev/null +++ b/external-dns/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/templates/validations/_validations.tpl b/external-dns/charts/common/templates/validations/_validations.tpl new file mode 100644 index 0000000..9a814cf --- /dev/null +++ b/external-dns/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/external-dns/charts/common/values.yaml b/external-dns/charts/common/values.yaml new file mode 100644 index 0000000..f2df68e --- /dev/null +++ b/external-dns/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/external-dns/templates/NOTES.txt b/external-dns/templates/NOTES.txt new file mode 100644 index 0000000..3616571 --- /dev/null +++ b/external-dns/templates/NOTES.txt @@ -0,0 +1,12 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +To verify that external-dns has started, run: + + kubectl --namespace={{ .Release.Namespace }} get pods -l "app.kubernetes.io/name={{ template "external-dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" + +{{ include "external-dns.validateValues" . }} +{{ include "external-dns.checkRollingTags" . }} diff --git a/external-dns/templates/_helpers.tpl b/external-dns/templates/_helpers.tpl new file mode 100644 index 0000000..beae1f6 --- /dev/null +++ b/external-dns/templates/_helpers.tpl @@ -0,0 +1,856 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "external-dns.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "external-dns.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "external-dns.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Helm required labels */}} +{{- define "external-dns.labels" -}} +app.kubernetes.io/name: {{ template "external-dns.name" . }} +helm.sh/chart: {{ template "external-dns.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels }} +{{- end }} +{{- end -}} + +{{/* matchLabels */}} +{{- define "external-dns.matchLabels" -}} +app.kubernetes.io/name: {{ template "external-dns.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* podAnnotations */}} +{{- define "external-dns.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations }} +{{- end }} +{{- if .Values.metrics.podAnnotations }} +{{ toYaml .Values.metrics.podAnnotations }} +{{- end }} +{{- end -}} + +{{/* +Return the proper External DNS image name +*/}} +{{- define "external-dns.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "external-dns.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "external-dns.createSecret" -}} +{{- if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret (not .Values.alibabacloud.secretName) }} + {{- true -}} +{{- else if and (eq .Values.provider "aws") .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey (not .Values.aws.credentials.secretName) }} + {{- true -}} +{{- else if and (or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns")) (or (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.aadClientId .Values.azure.aadClientSecret (not .Values.azure.useManagedIdentityExtension)) (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId .Values.azure.useManagedIdentityExtension)) (not .Values.azure.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "cloudflare") (or .Values.cloudflare.apiToken .Values.cloudflare.apiKey) (not .Values.cloudflare.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "designate") (or .Values.designate.username .Values.designate.password) -}} + {{- true -}} +{{- else if and (eq .Values.provider "digitalocean") .Values.digitalocean.apiToken (not .Values.digitalocean.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "google") .Values.google.serviceAccountKey (not .Values.google.serviceAccountSecret) -}} + {{- true -}} +{{- else if and (eq .Values.provider "hetzner") .Values.hetzner.token (not .Values.hetzner.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "infoblox") (and .Values.infoblox.wapiUsername .Values.infoblox.wapiPassword) (not .Values.infoblox.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "linode") .Values.linode.apiToken (not .Values.linode.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "oci") .Values.oci.privateKeyFingerprint (not .Values.oci.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "rfc2136") (or .Values.rfc2136.tsigSecret (and .Values.rfc2136.kerberosUsername .Values.rfc2136.kerberosPassword)) (not .Values.rfc2136.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "pdns") .Values.pdns.apiKey (not .Values.pdns.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "transip") .Values.transip.apiKey -}} + {{- true -}} +{{- else if and (eq .Values.provider "ovh") .Values.ovh.consumerKey (not .Values.ovh.secretName) -}} + {{- true -}} +{{- else if and (eq .Values.provider "scaleway") .Values.scaleway.scwAccessKey -}} + {{- true -}} +{{- else if and (eq .Values.provider "vinyldns") (or .Values.vinyldns.secretKey .Values.vinyldns.accessKey) -}} + {{- true -}} +{{- else if and (eq .Values.provider "ns1") .Values.ns1.apiKey (not .Values.ns1.secretName) -}} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created +*/}} +{{- define "external-dns.createConfigMap" -}} +{{- if and (eq .Values.provider "designate") .Values.designate.customCA.enabled }} + {{- true -}} +{{- else if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name of the Secret used to store the passwords +*/}} +{{- define "external-dns.secretName" -}} +{{- if and (eq .Values.provider "alibabacloud") .Values.alibabacloud.secretName }} +{{- .Values.alibabacloud.secretName }} +{{- else if and (eq .Values.provider "aws") .Values.aws.credentials.secretName }} +{{- .Values.aws.credentials.secretName }} +{{- else if and (or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns")) .Values.azure.secretName }} +{{- .Values.azure.secretName }} +{{- else if and (eq .Values.provider "cloudflare") .Values.cloudflare.secretName }} +{{- .Values.cloudflare.secretName }} +{{- else if and (eq .Values.provider "digitalocean") .Values.digitalocean.secretName }} +{{- .Values.digitalocean.secretName }} +{{- else if and (eq .Values.provider "google") .Values.google.serviceAccountSecret }} +{{- .Values.google.serviceAccountSecret }} +{{- else if and (eq .Values.provider "hetzner") .Values.hetzner.secretName }} +{{- .Values.hetzner.secretName }} +{{- else if and (eq .Values.provider "linode") .Values.linode.secretName }} +{{- .Values.linode.secretName }} +{{- else if and (eq .Values.provider "oci") .Values.oci.secretName }} +{{- .Values.oci.secretName }} +{{- else if and (eq .Values.provider "ovh") .Values.ovh.secretName }} +{{- .Values.ovh.secretName }} +{{- else if and (eq .Values.provider "pdns") .Values.pdns.secretName }} +{{- .Values.pdns.secretName }} +{{- else if and (eq .Values.provider "infoblox") .Values.infoblox.secretName }} +{{- .Values.infoblox.secretName }} +{{- else if and (eq .Values.provider "rfc2136") .Values.rfc2136.secretName }} +{{- .Values.rfc2136.secretName }} +{{- else if and (eq .Values.provider "ns1") .Values.ns1.secretName }} +{{- .Values.ns1.secretName }} +{{- else -}} +{{- template "external-dns.fullname" . }} +{{- end -}} +{{- end -}} + +{{- define "external-dns.alibabacloud-credentials" -}} +{ + {{- if .Values.alibabacloud.regionId }} + "regionId": "{{ .Values.alibabacloud.regionId }}", + {{- end }} + {{- if .Values.alibabacloud.vpcId }} + "vpcId": "{{ .Values.alibabacloud.vpcId }}", + {{- end }} + {{- if .Values.alibabacloud.accessKeyId }} + "accessKeyId": "{{ .Values.alibabacloud.accessKeyId }}", + {{- end }} + {{- if .Values.alibabacloud.accessKeySecret }} + "accessKeySecret": "{{ .Values.alibabacloud.accessKeySecret }}" + {{- end }} +} +{{ end }} + +{{- define "external-dns.aws-credentials" }} +[default] +aws_access_key_id = {{ .Values.aws.credentials.accessKey }} +aws_secret_access_key = {{ .Values.aws.credentials.secretKey }} +{{ end }} + +{{- define "external-dns.aws-config" }} +[profile default] +region = {{ .Values.aws.region }} +{{ end }} + +{{- define "external-dns.azure-credentials" -}} +{ + {{- if .Values.azure.cloud }} + "cloud": "{{ .Values.azure.cloud }}", + {{- end }} + {{- if .Values.azure.tenantId }} + "tenantId": "{{ .Values.azure.tenantId }}", + {{- end }} + {{- if .Values.azure.subscriptionId }} + "subscriptionId": "{{ .Values.azure.subscriptionId }}", + {{- end }} + "resourceGroup": "{{ .Values.azure.resourceGroup }}", + {{- if not .Values.azure.useManagedIdentityExtension }} + "aadClientId": "{{ .Values.azure.aadClientId }}", + "aadClientSecret": "{{ .Values.azure.aadClientSecret }}" + {{- end }} + {{- if and .Values.azure.useManagedIdentityExtension .Values.azure.userAssignedIdentityID }} + "useManagedIdentityExtension": true, + "userAssignedIdentityID": "{{ .Values.azure.userAssignedIdentityID }}" + {{- else if and .Values.azure.useManagedIdentityExtension (not .Values.azure.userAssignedIdentityID) }} + "useManagedIdentityExtension": true + {{- end }} +} +{{ end }} +{{- define "external-dns.oci-credentials" -}} +auth: + region: {{ .Values.oci.region }} + tenancy: {{ .Values.oci.tenancyOCID }} + user: {{ .Values.oci.userOCID }} + key: {{ toYaml .Values.oci.privateKey | indent 4 }} + fingerprint: {{ .Values.oci.privateKeyFingerprint }} + # Omit if there is not a password for the key + {{- if .Values.oci.privateKeyPassphrase }} + passphrase: {{ .Values.oci.privateKeyPassphrase }} + {{- end }} +compartment: {{ .Values.oci.compartmentOCID }} +{{ end }} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "external-dns.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "external-dns.validateValues.provider" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.sources" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.aws" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.infoblox.gridHost" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.infoblox.wapiPassword" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.pdns.apiUrl" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.pdns.apiKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.resourceGroupWithoutTenantId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.resourceGroupWithoutSubscriptionId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.tenantIdWithoutSubscriptionId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.subscriptionIdWithoutTenantId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.useManagedIdentityExtensionAadClientId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.useManagedIdentityExtensionAadClientSecret" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.userAssignedIdentityIDWithoutUseManagedIdentityExtension" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.aadClientId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azure.aadClientSecret" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.resourceGroup" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.tenantId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.subscriptionId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.aadClientId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.aadClientSecret" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.useManagedIdentityExtensionAadClientId" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.useManagedIdentityExtensionAadClientSecret" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.azurePrivateDns.userAssignedIdentityIDWithoutUseManagedIdentityExtension" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.transip.account" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.transip.apiKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.ns1.apiKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.linode.apiToken" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.ovh.consumerKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.ovh.applicationKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.ovh.applicationSecret" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.rfc2136.kerberosRealm" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.rfc2136.kerberosConfig" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwAccessKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwSecretKey" .) -}} +{{- $messages := append $messages (include "external-dns.validateValues.scaleway.scwDefaultOrganizationId" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must set a provider +*/}} +{{- define "external-dns.validateValues.provider" -}} +{{- if not .Values.provider -}} +external-dns: provider + You must set a provider (options: aws, google, azure, cloudflare, ...) + Please set the provider parameter (--set provider="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide sources to be observed for new DNS entries by ExternalDNS +*/}} +{{- define "external-dns.validateValues.sources" -}} +{{- if empty .Values.sources -}} +external-dns: sources + You must provide sources to be observed for new DNS entries by ExternalDNS + Please set the sources parameter (--set sources="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- The AWS Role to assume must follow ARN format when provider is "aws" +*/}} +{{- define "external-dns.validateValues.aws" -}} +{{- if and (eq .Values.provider "aws") .Values.aws.assumeRoleArn -}} +{{- if not (regexMatch "^arn:(aws|aws-us-gov|aws-cn):iam::.*$" .Values.aws.assumeRoleArn) -}} +external-dns: aws.assumeRoleArn + The AWS Role to assume must follow ARN format: `arn:aws:iam::123455567:role/external-dns` + Ref: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html + Please set a valid ARN (--set aws.assumeRoleARN="xxxx") +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the Grid Manager host when provider is "infoblox" +*/}} +{{- define "external-dns.validateValues.infoblox.gridHost" -}} +{{- if and (eq .Values.provider "infoblox") (not .Values.infoblox.gridHost) -}} +external-dns: infoblox.gridHost + You must provide the Grid Manager host when provider="infoblox". + Please set the gridHost parameter (--set infoblox.gridHost="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide a WAPI password when provider is "infoblox" +*/}} +{{- define "external-dns.validateValues.infoblox.wapiPassword" -}} +{{- if and (eq .Values.provider "infoblox") (not .Values.infoblox.wapiPassword) (not .Values.infoblox.secretName) -}} +external-dns: infoblox.wapiPassword + You must provide a WAPI password when provider="infoblox". + Please set the wapiPassword parameter (--set infoblox.wapiPassword="xxxx") + or you can provide an existing secret name via infoblox.secretName +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the PowerDNS API URL when provider is "pdns" +*/}} +{{- define "external-dns.validateValues.pdns.apiUrl" -}} +{{- if and (eq .Values.provider "pdns") (not .Values.pdns.apiUrl) -}} +external-dns: pdns.apiUrl + You must provide the PowerDNS API URL when provider="pdns". + Please set the apiUrl parameter (--set pdns.apiUrl="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the PowerDNS API key when provider is "pdns" +*/}} +{{- define "external-dns.validateValues.pdns.apiKey" -}} +{{- if and (eq .Values.provider "pdns") (not .Values.pdns.apiKey) (not .Values.pdns.secretName) -}} +external-dns: pdns.apiKey + You must provide the PowerDNS API key when provider="pdns". + Please set the apiKey parameter (--set pdns.apiKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* Check if there are rolling tags in the images */}} +{{- define "external-dns.checkRollingTags" -}} +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure Resource Group when provider is "azure" and tenantId is set +*/}} +{{- define "external-dns.validateValues.azure.resourceGroupWithoutTenantId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.resourceGroup) (not .Values.azure.secretName) .Values.azure.tenantId -}} +external-dns: azure.resourceGroup + You must provide the Azure Resource Group when provider="azure" and tenantId is set. + Please set the resourceGroup parameter (--set azure.resourceGroup="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure Resource Group when provider is "azure" and subscriptionId is set +*/}} +{{- define "external-dns.validateValues.azure.resourceGroupWithoutSubscriptionId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.resourceGroup) (not .Values.azure.secretName) .Values.azure.subscriptionId -}} +external-dns: azure.resourceGroup + You must provide the Azure Resource Group when provider="azure" and subscriptionId is set. + Please set the resourceGroup parameter (--set azure.resourceGroup="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure Tenant ID when provider is "azure" and secretName is not set and subscriptionId is set +*/}} +{{- define "external-dns.validateValues.azure.tenantIdWithoutSubscriptionId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.tenantId) (not .Values.azure.secretName) .Values.azure.subscriptionId -}} +external-dns: azure.tenantId + You must provide the Azure Tenant ID when provider="azure" and subscriptionId is set. + Please set the tenantId parameter (--set azure.tenantId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure Subscription ID when provider is "azure" and secretName is not set and tenantId is set +*/}} +{{- define "external-dns.validateValues.azure.subscriptionIdWithoutTenantId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.subscriptionId) (not .Values.azure.secretName) .Values.azure.tenantId -}} +external-dns: azure.subscriptionId + You must provide the Azure Subscription ID when provider="azure" and tenantId is set. + Please set the subscriptionId parameter (--set azure.subscriptionId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must not provide the Azure AAD Client ID when provider is "azure", secretName is not set and MSI is enabled +*/}} +{{- define "external-dns.validateValues.azure.useManagedIdentityExtensionAadClientId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) .Values.azure.aadClientId .Values.azure.useManagedIdentityExtension -}} +external-dns: azure.useManagedIdentityExtension + You must not provide the Azure AAD Client ID when provider="azure" and useManagedIdentityExtension is "true". + Please unset the aadClientId parameter (--set azure.aadClientId="") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must not provide the Azure AAD Client secret when provider is "azure", secretName is not set and MSI is enabled +*/}} +{{- define "external-dns.validateValues.azure.useManagedIdentityExtensionAadClientSecret" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) .Values.azure.aadClientSecret .Values.azure.useManagedIdentityExtension -}} +external-dns: azure.useManagedIdentityExtension + You must not provide the Azure AAD Client Secret when provider="azure" and useManagedIdentityExtension is "true". + Please unset the aadClientSecret parameter (--set azure.aadClientSecret="") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must enable the MSI when provider is "azure", secretName is not set and managed identity ID is set +*/}} +{{- define "external-dns.validateValues.azure.userAssignedIdentityIDWithoutUseManagedIdentityExtension" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) (not .Values.azure.useManagedIdentityExtension) .Values.azure.userAssignedIdentityID -}} +external-dns: azure.userAssignedIdentityID + You must enable the MSI when provider="azure" and userAssignedIdentityID is set. + Please set the useManagedIdentityExtension parameter (--set azure.useManagedIdentityExtension="true") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure AAD Client ID when provider is "azure", secretName is not set and MSI is disabled and aadClientSecret is set +*/}} +{{- define "external-dns.validateValues.azure.aadClientId" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useManagedIdentityExtension) .Values.azure.aadClientSecret -}} +external-dns: azure.aadClientId + You must provide the Azure AAD Client ID when provider="azure" and aadClientSecret is set and useManagedIdentityExtension is not set. + Please set the aadClientId parameter (--set azure.aadClientId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure DNS: +- must provide the Azure AAD Client Secret when provider is "azure", secretName is not set and MSI is disabled and aadClientId is set +*/}} +{{- define "external-dns.validateValues.azure.aadClientSecret" -}} +{{- if and (eq .Values.provider "azure") (not .Values.azure.secretName) (not .Values.azure.aadClientSecret) (not .Values.azure.useManagedIdentityExtension) .Values.azure.aadClientId -}} +external-dns: azure.aadClientSecret + You must provide the Azure AAD Client Secret when provider="azure" and aadClientId is set and useManagedIdentityExtension is not set. + Please set the aadClientSecret parameter (--set azure.aadClientSecret="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure AAD Client Secret when provider is "azure-private-dns", secretName is not set and useManagedIdentityExtension is "true" +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.useManagedIdentityExtensionAadClientSecret" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) .Values.azure.aadClientSecret .Values.azure.useManagedIdentityExtension -}} +external-dns: azure.useManagedIdentityExtension + You must not provide the Azure AAD Client Secret when provider="azure-private-dns", secretName is not set, and useManagedIdentityExtension is "true". + Please unset the aadClientSecret parameter (--set azure.aadClientSecret="") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must enable the MSI when provider is "azure", secretName is not set and managed identity ID is set +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.userAssignedIdentityIDWithoutUseManagedIdentityExtension" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.useManagedIdentityExtension) .Values.azure.userAssignedIdentityID -}} +external-dns: azure.userAssignedIdentityID + You must enable the MSI when provider="azure-private-dns" and userAssignedIdentityID is set. + Please set the useManagedIdentityExtension parameter (--set azure.useManagedIdentityExtension="true") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure Resource Group when provider is "azure-private-dns" +- azure-private-dns provider does not use azure.json for specifying the resource group so it must be set +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.resourceGroup" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.resourceGroup) -}} +external-dns: azure.resourceGroup + You must provide the Azure Resource Group when provider="azure-private-dns". + Please set the resourceGroup parameter (--set azure.resourceGroup="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure Tenant ID when provider is "azure-private-dns" +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.tenantId" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.tenantId) -}} +external-dns: azure.tenantId + You must provide the Azure Tenant ID when provider="azure-private-dns". + Please set the tenantId parameter (--set azure.tenantId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure Subscription ID when provider is "azure-private-dns" +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.subscriptionId" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.subscriptionId) -}} +external-dns: azure.subscriptionId + You must provide the Azure Subscription ID when provider="azure-private-dns". + Please set the subscriptionId parameter (--set azure.subscriptionId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must not provide the Azure AAD Client Secret when provider is "azure-private-dns", secretName is not set and MSI is enabled +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.useManagedIdentityExtensionAadClientId" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) .Values.azure.aadClientId .Values.azure.useManagedIdentityExtension -}} +external-dns: azure.useManagedIdentityExtension + You must not provide the Azure AAD Client ID when provider="azure-private-dns" and useManagedIdentityExtension is "true". + Please unset the aadClientId parameter (--set azure.aadClientId="") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure AAD Client ID when provider is "azure-private-dns", secret name is not set and MSI is disabled +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.aadClientId" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientId) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}} +external-dns: azure.useManagedIdentityExtension + You must provide the Azure AAD Client ID when provider="azure-private-dns" and useManagedIdentityExtension is not set. + Please set the aadClientSecret parameter (--set azure.aadClientId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of Azure Private DNS: +- must provide the Azure AAD Client Secret when provider is "azure-private-dns", secretName is not set and MSI is disabled +*/}} +{{- define "external-dns.validateValues.azurePrivateDns.aadClientSecret" -}} +{{- if and (eq .Values.provider "azure-private-dns") (not .Values.azure.secretName) (not .Values.azure.aadClientSecret) (not .Values.azure.useManagedIdentityExtension) (not .Values.azure.userAssignedIdentityID) -}} +external-dns: azure.useManagedIdentityExtension + You must provide the Azure AAD Client Secret when provider="azure-private-dns" and useManagedIdentityExtension is not set. + Please set the aadClientSecret parameter (--set azure.aadClientSecret="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of TransIP DNS: +- must provide the account name when provider is "transip" +*/}} +{{- define "external-dns.validateValues.transip.account" -}} +{{- if and (eq .Values.provider "transip") (not .Values.transip.account) -}} +external-dns: transip.account + You must provide the TransIP account name when provider="transip". + Please set the account parameter (--set transip.account="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide an API token when provider is "hetzner" +*/}} +{{- define "external-dns.validateValues.hetzner" -}} +{{- if and (eq .Values.provider "hetzner") (or (not .Values.hetzner.token) (not .Values.hetzner.secretName)) -}} +external-dns: hetzner.token + You must provide the a Hetzner API Token when provider="hetzner". + Please set the token parameter (--set hetzner.token="xxxx") + or specify a secret that contains an API token. (--set hetzner.secretName="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of TransIP DNS: +- must provide the API key when provider is "transip" +*/}} +{{- define "external-dns.validateValues.transip.apiKey" -}} +{{- if and (eq .Values.provider "transip") (not .Values.transip.apiKey) -}} +external-dns: transip.apiKey + You must provide the TransIP API key when provider="transip". + Please set the apiKey parameter (--set transip.apiKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the Linode API token when provider is "linode" +*/}} +{{- define "external-dns.validateValues.linode.apiToken" -}} +{{- if and (eq .Values.provider "linode") (not .Values.linode.apiToken) (not .Values.linode.secretName) -}} +external-dns: linode.apiToken + You must provide the Linode API token when provider="linode". + Please set the apiToken parameter (--set linode.apiToken="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the NS1 API key when provider is "ns1" +*/}} +{{- define "external-dns.validateValues.ns1.apiKey" -}} +{{- if and (eq .Values.provider "ns1") (not .Values.ns1.apiKey) (not .Values.ns1.secretName) -}} +external-dns: ns1.apiKey + You must provide the NS1 API key when provider="ns1". + Please set the token parameter (--set ns1.apiKey="xxxx") + or specify a secret that contains an API key. (--set ns1.secretName="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the OVH consumer key when provider is "ovh" +*/}} +{{- define "external-dns.validateValues.ovh.consumerKey" -}} +{{- if and (eq .Values.provider "ovh") (not .Values.ovh.consumerKey) (not .Values.ovh.secretName) -}} +external-dns: ovh.consumerKey + You must provide the OVH consumer key when provider="ovh". + Please set the consumerKey parameter (--set ovh.consumerKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the OVH application key when provider is "ovh" +*/}} +{{- define "external-dns.validateValues.ovh.applicationKey" -}} +{{- if and (eq .Values.provider "ovh") (not .Values.ovh.applicationKey) (not .Values.ovh.secretName) -}} +external-dns: ovh.applicationKey + You must provide the OVH appliciation key when provider="ovh". + Please set the applicationKey parameter (--set ovh.applicationKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the OVH application secret when provider is "ovh" +*/}} +{{- define "external-dns.validateValues.ovh.applicationSecret" -}} +{{- if and (eq .Values.provider "ovh") (not .Values.ovh.applicationSecret) (not .Values.ovh.secretName) -}} +external-dns: ovh.applicationSecret + You must provide the OVH appliciation secret key when provider="ovh". + Please set the applicationSecret parameter (--set ovh.applicationSecret="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of RFC2136 DNS: +- Must provide the kerberos realm when provider is rfc2136 and rfc3645Enabled is true +*/}} +{{- define "external-dns.validateValues.rfc2136.kerberosRealm" -}} +{{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled (not .Values.rfc2136.kerberosRealm) -}} +external-dns: rfc2136.kerberosRealm + You must provide the kerberos realm when provider is rfc2136 and rfc3645Enabled is true + Please set the kerberosRealm parameter (--set rfc2136.kerberosRealm="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of RFC2136 DNS: +- Must provide the kerberos config when provider is rfc2136 and rfc3645Enabled is true +*/}} +{{- define "external-dns.validateValues.rfc2136.kerberosConfig" -}} +{{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled (not .Values.rfc2136.kerberosConfig) -}} +external-dns: rfc2136.kerberosConfig + You must provide the kerberos config when provider is rfc2136 and rfc3645Enabled is true + Please set the kerberosConfig parameter (--set-file rfc2136.kerberosConfig="path/to/krb5.conf") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the Scaleway access key when provider is "scaleway" +*/}} +{{- define "external-dns.validateValues.scaleway.scwAccessKey" -}} +{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwAccessKey) -}} +external-dns: scaleway.scwAccessKey + You must provide the Scaleway access key when provider="scaleway". + Please set the scwAccessKey parameter (--set scaleway.scwAccessKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the scaleway secret key when provider is "scaleway" +*/}} +{{- define "external-dns.validateValues.scaleway.scwSecretKey" -}} +{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwSecretKey) -}} +external-dns: scaleway.scwSecretKey + You must provide the scaleway secret key when provider="scaleway". + Please set the scwSecretKey parameter (--set scaleway.scwSecretKey="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of External DNS: +- must provide the scaleway organization id when provider is "scaleway" +*/}} +{{- define "external-dns.validateValues.scaleway.scwDefaultOrganizationId" -}} +{{- if and (eq .Values.provider "scaleway") (not .Values.scaleway.scwDefaultOrganizationId) -}} +external-dns: scaleway.scwDefaultOrganizationId + You must provide the scaleway organization id key when provider="scaleway". + Please set the scwDefaultOrganizationId parameter (--set scaleway.scwDefaultOrganizationId="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Return the ExternalDNS service account name +*/}} +{{- define "external-dns.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "external-dns.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the ExternalDNS namespace to be used +*/}} +{{- define "external-dns.namespace" -}} +{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) -}} + {{ default .Release.Namespace .Values.namespace }} +{{- else if .Values.watchReleaseNamespace -}} + {{ .Release.namespace }} +{{- else -}} + {{ .Values.namespace }} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing external-dns TLS certificates +*/}} +{{- define "external-dns.tlsSecretName" -}} +{{- if .Values.coredns.etcdTLS.autoGenerated -}} + {{- printf "%s-crt" (include "external-dns.fullname" .) -}} +{{- else -}} +{{- $secretName := .Values.coredns.etcdTLS.secretName -}} +{{- printf "%s" (tpl $secretName $) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "external-dns.tlsCACert" -}} +{{- if .Values.coredns.etcdTLS.autoGenerated }} + {{- printf "ca.crt" -}} +{{- else -}} + {{- printf "%s" .Values.coredns.etcdTLS.caFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "external-dns.tlsCert" -}} +{{- if .Values.coredns.etcdTLS.autoGenerated }} + {{- printf "tls.crt" -}} +{{- else -}} + {{- printf "%s" .Values.coredns.etcdTLS.certFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "external-dns.tlsCertKey" -}} +{{- if .Values.coredns.etcdTLS.autoGenerated }} + {{- printf "tls.key" -}} +{{- else -}} + {{- printf "%s" .Values.coredns.etcdTLS.keyFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "external-dns.createTlsSecret" -}} +{{- if and .Values.coredns.etcdTLS.enabled .Values.coredns.etcdTLS.autoGenerated }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/external-dns/templates/clusterrole.yaml b/external-dns/templates/clusterrole.yaml new file mode 100644 index 0000000..e488ae5 --- /dev/null +++ b/external-dns/templates/clusterrole.yaml @@ -0,0 +1,127 @@ +{{- if and .Values.rbac.create .Values.rbac.clusterRole }} +apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} +kind: ClusterRole +metadata: + name: {{ template "common.names.fullname.namespace" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - services + - pods + - nodes + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - "networking.k8s.io" + - getambassador.io + resources: + - ingresses + - hosts + verbs: + - get + - list + - watch + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch + - apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - zalando.org + resources: + - routegroups + verbs: + - get + - list + - watch + - apiGroups: + - zalando.org + resources: + - routegroups/status + verbs: + - patch + - update + - apiGroups: + - projectcontour.io + resources: + - httpproxies + verbs: + - get + - watch + - list + - apiGroups: + - gloo.solo.io + - gateway.solo.io + resources: + - proxies + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + {{- if or .Values.crd.create .Values.crd.apiversion }} + - apiGroups: + {{- if .Values.crd.create }} + - externaldns.k8s.io + {{- else }} + - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }} + {{- end }} + resources: + {{- if .Values.crd.create }} + - dnsendpoints + {{- else }} + - {{ printf "%ss" (.Values.crd.kind | lower) }} + {{- end }} + verbs: + - get + - list + - watch + - apiGroups: + {{- if .Values.crd.create }} + - externaldns.k8s.io + {{- else }} + - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }} + {{- end }} + resources: + {{- if .Values.crd.create }} + - dnsendpoints/status + {{- else }} + - {{ printf "%ss/status" (.Values.crd.kind | lower) }} + {{- end }} + verbs: + - update + {{- end }} +{{- end }} diff --git a/external-dns/templates/clusterrolebinding.yaml b/external-dns/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..bac82d1 --- /dev/null +++ b/external-dns/templates/clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create .Values.rbac.clusterRole }} +apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} +kind: ClusterRoleBinding +metadata: + name: {{ template "common.names.fullname.namespace" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "common.names.fullname.namespace" . }} +subjects: + - kind: ServiceAccount + name: {{ template "external-dns.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/external-dns/templates/configmap.yaml b/external-dns/templates/configmap.yaml new file mode 100644 index 0000000..8458125 --- /dev/null +++ b/external-dns/templates/configmap.yaml @@ -0,0 +1,23 @@ +{{- if (include "external-dns.createConfigMap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- if .Values.designate.customCA.enabled }} + {{ .Values.designate.customCA.filename }}: | +{{ .Values.designate.customCA.content | indent 4 }} +{{- end }} +{{- if .Values.rfc2136.rfc3645Enabled }} + krb5.conf: | +{{ .Values.rfc2136.kerberosConfig | indent 4 }} +{{- end }} +{{- end }} diff --git a/external-dns/templates/crd.yaml b/external-dns/templates/crd.yaml new file mode 100644 index 0000000..a50a1a9 --- /dev/null +++ b/external-dns/templates/crd.yaml @@ -0,0 +1,94 @@ +{{- if .Values.crd.create }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + api-approved.kubernetes.io: "https://github.com/kubernetes-sigs/external-dns/pull/2007" + creationTimestamp: null + name: dnsendpoints.externaldns.k8s.io +spec: + group: externaldns.k8s.io + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec defines the desired state of DNSEndpoint + properties: + endpoints: + items: + description: Endpoint is a high-level way of a connection between a service and an IP + properties: + dnsName: + description: The hostname of the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers + properties: + name: + type: string + value: + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, TXT etc + type: string + setIdentifier: + description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple') + type: string + targets: + description: The targets the DNS record points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus defines the observed state of DNSEndpoint + properties: + observedGeneration: + description: The generation observed by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/external-dns/templates/deployment.yaml b/external-dns/templates/deployment.yaml new file mode 100644 index 0000000..bb81f41 --- /dev/null +++ b/external-dns/templates/deployment.yaml @@ -0,0 +1,770 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ coalesce .Values.replicas .Values.replicaCount }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }} + template: + metadata: + labels: {{ include "external-dns.labels" . | nindent 8 }} + annotations: + {{- if or .Values.podAnnotations .Values.metrics.enabled }} + {{- include "external-dns.podAnnotations" . | trim | nindent 8 }} + {{- end }} + {{- if (include "external-dns.createSecret" .) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + {{- if and (eq .Values.provider "designate") .Values.designate.customCA.enabled }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + spec: + {{- include "external-dns.imagePullSecrets" . | nindent 6 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "external-dns.serviceAccountName" . }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.initContainers }} + initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: external-dns + image: {{ include "external-dns.image" . | quote }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- else }} + args: + # Generic arguments + - --metrics-address=:{{ .Values.containerPorts.http }} + {{- if .Values.logLevel }} + - --log-level={{ .Values.logLevel }} + {{- end }} + {{- if .Values.logFormat }} + - --log-format={{ .Values.logFormat }} + {{- end }} + {{- if .Values.dryRun }} + - --dry-run + {{- end }} + {{- if .Values.triggerLoopOnEvent }} + - --events + {{- end }} + {{- if (include "external-dns.namespace" .) }} + - --namespace={{ template "external-dns.namespace" . }} + {{- end }} + {{- if .Values.fqdnTemplates }} + - --fqdn-template={{ join "," .Values.fqdnTemplates }}{{/* Explicitly wants comma separated list */}} + {{- end }} + {{- if .Values.combineFQDNAnnotation }} + - --combine-fqdn-annotation + {{- end }} + {{- if and .Values.ignoreHostnameAnnotation .Values.fqdnTemplates }} + - --ignore-hostname-annotation + {{- end }} + {{- if .Values.publishInternalServices }} + - --publish-internal-services + {{- end }} + {{- if .Values.publishHostIP }} + - --publish-host-ip + {{- end }} + {{- range .Values.serviceTypeFilter }} + - --service-type-filter={{ . }} + {{- end }} + {{- range .Values.domainFilters }} + - --domain-filter={{ . }} + {{- end }} + {{- range .Values.excludeDomains }} + - --exclude-domains={{ . }} + {{- end }} + {{- if .Values.regexDomainFilter }} + - --regex-domain-filter={{ .Values.regexDomainFilter }} + {{- end }} + {{- if .Values.regexDomainExclusion }} + - --regex-domain-exclusion={{ .Values.regexDomainExclusion }} + {{- end }} + {{- range .Values.zoneNameFilters }} + - --zone-name-filter={{ . }} + {{- end }} + {{- range .Values.zoneIdFilters }} + - --zone-id-filter={{ . }} + {{- end }} + - --policy={{ .Values.policy }} + - --provider={{ .Values.provider }} + - --registry={{ .Values.registry }} + - --interval={{ .Values.interval }} + {{- if or (ne .Values.registry "aws-sd") .Values.forceTxtOwnerId }} + {{- if .Values.txtOwnerId }} + - --txt-owner-id={{ .Values.txtOwnerId }} + {{- end }} + {{- end }} + {{- if eq .Values.registry "txt" }} + {{- if .Values.txtPrefix }} + - --txt-prefix={{ .Values.txtPrefix }} + {{- end }} + {{- if .Values.txtSuffix }} + - --txt-suffix={{ .Values.txtSuffix }} + {{- end }} + {{- end }} + {{- if .Values.annotationFilter }} + - --annotation-filter={{ .Values.annotationFilter }} + {{- end }} + {{- if .Values.ingressClass }} + - --ingress-class={{ .Values.ingressClass }} + {{- end }} + {{- if .Values.labelFilter }} + - --label-filter={{ .Values.labelFilter }} + {{- end }} + {{- if .Values.crd.apiversion }} + - --crd-source-apiversion={{ .Values.crd.apiversion }} + {{- end }} + {{- if .Values.crd.kind }} + - --crd-source-kind={{ .Values.crd.kind }} + {{- end }} + {{- range .Values.sources }} + - --source={{ . }} + {{- end }} + {{- if eq .Values.provider "alibabacloud" }} + # Alibaba Cloud arguments + {{- if or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName }} + - --alibaba-cloud-config-file=/etc/kubernetes/alibaba-cloud.json + {{- else }} + - --alibaba-cloud-config-file= + {{- end }} + {{- if .Values.alibabacloud.zoneType }} + - --alibaba-cloud-zone-type={{ .Values.alibabacloud.zoneType }} + {{- end }} + {{- end }} + {{- if or (eq .Values.provider "aws") (eq .Values.provider "aws-sd") }} + # AWS arguments + {{- if .Values.aws.apiRetries }} + - --aws-api-retries={{ .Values.aws.apiRetries }} + {{- end }} + - --aws-zone-type={{ .Values.aws.zoneType }} + {{- if .Values.aws.assumeRoleArn }} + - --aws-assume-role={{ .Values.aws.assumeRoleArn }} + {{- end }} + {{- if .Values.aws.batchChangeSize }} + - --aws-batch-change-size={{ .Values.aws.batchChangeSize }} + {{- end }} + {{- end }} + {{- if .Values.aws.zonesCacheDuration }} + - --aws-zones-cache-duration={{ .Values.aws.zonesCacheDuration }} + {{- end }} + {{- range .Values.aws.zoneTags }} + - --aws-zone-tags={{ . }} + {{- end }} + {{- if .Values.aws.preferCNAME }} + - --aws-prefer-cname + {{- end }} + {{- if and (kindIs "bool" .Values.aws.evaluateTargetHealth) (not .Values.aws.evaluateTargetHealth) }} + - --no-aws-evaluate-target-health + {{- end }} + {{- if or (and (eq .Values.provider "azure") (not .Values.azure.secretName)) (eq .Values.provider "azure-private-dns") }} + # Azure Arguments + {{- if .Values.azure.resourceGroup }} + - --azure-resource-group={{ .Values.azure.resourceGroup }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "azure-private-dns" }} + {{- if .Values.azure.subscriptionId }} + - --azure-subscription-id={{ .Values.azure.subscriptionId }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "cloudflare" }} + # Cloudflare arguments + {{- if .Values.cloudflare.proxied }} + - --cloudflare-proxied + {{- end }} + {{- end }} + {{- if eq .Values.provider "google" }} + # Google Arguments + {{- if .Values.google.project }} + - --google-project={{ .Values.google.project }} + {{- end }} + {{- if .Values.google.zoneVisibility }} + - --google-zone-visibility={{ .Values.google.zoneVisibility }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "infoblox" }} + # Infloblox Arguments + - --infoblox-grid-host={{ .Values.infoblox.gridHost }} + - --infoblox-view={{ .Values.infoblox.view }} + {{- if .Values.infoblox.domainFilter }} + - --domain-filter={{ .Values.infoblox.domainFilter }} + {{- end }} + {{- if .Values.infoblox.wapiPort }} + - --infoblox-wapi-port={{ .Values.infoblox.wapiPort }} + {{- end }} + {{- if .Values.infoblox.wapiVersion }} + - --infoblox-wapi-version={{ .Values.infoblox.wapiVersion }} + {{- end }} + {{- if .Values.infoblox.noSslVerify }} + - --no-infoblox-ssl-verify + {{- else }} + - --infoblox-ssl-verify + {{- end }} + {{- if .Values.infoblox.maxResults }} + - --infoblox-max-results={{ .Values.infoblox.maxResults }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "ns1" }} + # ns1 arguments + - --ns1-min-ttl={{ .Values.ns1.minTTL }} + {{- end }} + {{- if eq .Values.provider "rfc2136" }} + # RFC 2136 arguments + - --rfc2136-host={{ required "rfc2136.host must be supplied for provider 'rfc2136'" .Values.rfc2136.host }} + - --rfc2136-port={{ .Values.rfc2136.port }} + - --rfc2136-zone={{ required "rfc2136.zone must be supplied for provider 'rfc2136'" .Values.rfc2136.zone }} + - --rfc2136-min-ttl={{ .Values.rfc2136.minTTL }} + {{- if .Values.rfc2136.tsigAxfr }} + - --rfc2136-tsig-axfr + {{- end }} + {{- if .Values.rfc2136.rfc3645Enabled }} + - --rfc2136-gss-tsig + - --rfc2136-kerberos-realm={{ .Values.rfc2136.kerberosRealm }} + {{- else }} + {{- if .Values.rfc2136.tsigKeyname }} + - --rfc2136-tsig-secret-alg={{ .Values.rfc2136.tsigSecretAlg }} + - --rfc2136-tsig-keyname={{ .Values.rfc2136.tsigKeyname }} + {{- else }} + - --rfc2136-insecure + {{- end }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "pdns" }} + # PowerDNS arguments + - --pdns-server={{ .Values.pdns.apiUrl }}:{{ .Values.pdns.apiPort }} + - --pdns-api-key=$(PDNS_API_KEY) + {{- end }} + {{- if eq .Values.provider "transip" }} + # TransIP arguments + - --transip-account={{ .Values.transip.account }} + - --transip-keyfile=/transip/transip-api-key + {{- end }} + {{- range $key, $value := .Values.extraArgs }} + # Extra arguments + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + env: + {{- if or (eq .Values.provider "aws") (eq .Values.provider "aws-sd") }} + # AWS environment variables + {{- if .Values.aws.region }} + - name: AWS_DEFAULT_REGION + value: {{ .Values.aws.region }} + {{- end }} + {{- if .Values.aws.roleArn }} + - name: AWS_CONFIG_FILE + value: {{ .Values.aws.credentials.mountPath }}/config + {{- end }} + {{- if and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey }} + - name: AWS_SHARED_CREDENTIALS_FILE + value: {{ .Values.aws.credentials.mountPath }}/credentials + {{- end }} + {{- end }} + {{- if eq .Values.provider "cloudflare" }} + # Cloudflare environment variables + - name: CF_API_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: cloudflare_api_token + optional: true + - name: CF_API_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: cloudflare_api_key + optional: true + - name: CF_API_EMAIL + value: {{ .Values.cloudflare.email | quote }} + {{- end }} + {{- if eq .Values.provider "coredns" }} + # CoreDNS environment variables + - name: ETCD_URLS + value: {{ .Values.coredns.etcdEndpoints | quote }} + {{- if .Values.coredns.etcdTLS.enabled }} + - name: ETCD_CERT_FILE + value: {{ .Values.coredns.etcdTLS.mountPath }}/{{ include "external-dns.tlsCert" . }} + - name: ETCD_KEY_FILE + value: {{ .Values.coredns.etcdTLS.mountPath }}/{{ include "external-dns.tlsCertKey" . }} + - name: ETCD_CA_FILE + value: {{ .Values.coredns.etcdTLS.mountPath }}/{{ include "external-dns.tlsCACert" . }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "designate" }} + # Designate environment variables + {{- if .Values.designate.customCA.enabled }} + - name: OPENSTACK_CA_FILE + value: {{ .Values.designate.customCA.mountPath }}/{{ .Values.designate.customCA.filename }} + {{- else if .Values.designate.customCAHostPath }} + - name: OPENSTACK_CA_FILE + value: {{ .Values.designate.customCAHostPath }} + {{- end }} + {{- if .Values.designate.username }} + - name: OS_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: designate_username + {{- end }} + {{- if .Values.designate.password }} + - name: OS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: designate_password + {{- end }} + {{- if .Values.designate.authUrl }} + - name: OS_AUTH_URL + value: {{ .Values.designate.authUrl }} + {{- end }} + {{- if .Values.designate.regionName }} + - name: OS_REGION_NAME + value: {{ .Values.designate.regionName }} + {{- end }} + {{- if .Values.designate.userDomainName }} + - name: OS_USER_DOMAIN_NAME + value: {{ .Values.designate.userDomainName }} + {{- end }} + {{- if .Values.designate.projectName }} + - name: OS_PROJECT_NAME + value: {{ .Values.designate.projectName }} + {{- end }} + {{- end }} + {{- if and (eq .Values.provider "digitalocean") (or .Values.digitalocean.apiToken .Values.digitalocean.secretName) }} + # DigitalOcean environment variables + - name: DO_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: digitalocean_api_token + {{- end }} + {{- if eq .Values.provider "google" }} + # Google environment variables + {{- if or .Values.google.serviceAccountSecret .Values.google.serviceAccountKey }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /etc/secrets/service-account/credentials.json + {{- end }} + {{- end }} + {{- if eq .Values.provider "hetzner" }} + # Hetzner environment variables + {{- if .Values.hetzner.secretName }} + - name: HETZNER_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.hetzner.secretName }} + key: {{ .Values.hetzner.secretKey }} + {{- else }} + - name: HETZNER_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: hetzner_token + {{- end }} + {{- end }} + {{- if eq .Values.provider "linode" }} + # Linode environment variables + {{- if or (.Values.linode.apiToken) (.Values.linode.secretName) }} + - name: LINODE_TOKEN + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: linode_api_token + {{- end }} + {{- end }} + {{- if eq .Values.provider "ovh" }} + # OVH environment variables + {{- if or (.Values.ovh.consumerKey) (.Values.ovh.secretName) }} + - name: OVH_CONSUMER_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: ovh_consumer_key + {{- end }} + {{- if or (.Values.ovh.applicationKey) (.Values.ovh.secretName) }} + - name: OVH_APPLICATION_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: ovh_application_key + {{- end }} + {{- if or (.Values.ovh.applicationSecret) (.Values.ovh.secretName) }} + - name: OVH_APPLICATION_SECRET + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: ovh_application_secret + {{- end }} + {{- end }} + {{- if eq .Values.provider "scaleway" }} + # Scaleway environment variables + {{- if .Values.scaleway.scwAccessKey }} + - name: SCW_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: scw_access_key + {{- end }} + {{- if .Values.scaleway.scwSecretKey }} + - name: SCW_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: scw_secret_key + {{- end }} + {{- if .Values.scaleway.scwDefaultOrganizationId }} + - name: SCW_DEFAULT_ORGANIZATION_ID + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: scw_default_organization_id + {{- end }} + {{- end }} + {{- if eq .Values.provider "infoblox" }} + # Infloblox environment variables + {{- if .Values.infoblox.wapiConnectionPoolSize }} + - name: EXTERNAL_DNS_INFOBLOX_HTTP_POOL_CONNECTIONS + value: "{{ .Values.infoblox.wapiConnectionPoolSize }}" + {{- end }} + {{- if .Values.infoblox.wapiHttpTimeout }} + - name: EXTERNAL_DNS_INFOBLOX_HTTP_REQUEST_TIMEOUT + value: "{{ .Values.infoblox.wapiHttpTimeout }}" + {{- end }} + {{- if or (and .Values.infoblox.wapiUsername .Values.infoblox.wapiPassword) (.Values.infoblox.secretName) }} + - name: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: infoblox_wapi_username + - name: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: infoblox_wapi_password + {{- end }} + {{- end }} + {{- if .Values.rfc2136.tsigSecret | or (and .Values.rfc2136.kerberosUsername .Values.rfc2136.kerberosPassword) | or .Values.rfc2136.secretName }} + # RFC 2136 environment variables + {{- if .Values.rfc2136.rfc3645Enabled }} + - name: EXTERNAL_DNS_RFC2136_KERBEROS_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: rfc2136_kerberos_username + - name: EXTERNAL_DNS_RFC2136_KERBEROS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: rfc2136_kerberos_password + {{- else }} + - name: EXTERNAL_DNS_RFC2136_TSIG_SECRET + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: rfc2136_tsig_secret + {{- end }} + {{- end }} + {{- if eq .Values.provider "pdns" }} + # PowerDNS environment variables + - name: PDNS_API_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: pdns_api_key + {{- end }} + {{- if eq .Values.provider "vinyldns" }} + # VinylDNS environment variables + {{- if .Values.vinyldns.host }} + - name: VINYLDNS_HOST + value: {{ .Values.vinyldns.host }} + {{- end }} + {{- if .Values.vinyldns.accessKey }} + - name: VINYLDNS_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: vinyldns-access-key + {{- end }} + {{- if .Values.vinyldns.secretKey }} + - name: VINYLDNS_SECRET_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: vinyldns-secret-key + {{- end }} + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if eq .Values.provider "ns1" }} + # NS1 environment variables + {{- if or (.Values.ns1.apiKey) (.Values.ns1.secretName) }} + - name: NS1_APIKEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: ns1-api-key + {{- end }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.containerPorts.http }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumeMounts: + {{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }} + # Alibaba Cloud mountPath(s) + - name: alibabacloud-config-file + mountPath: /etc/kubernetes/ + readOnly: true + {{- end }} + {{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) }} + # AWS mountPath(s) + - name: aws-credentials + mountPath: {{ .Values.aws.credentials.mountPath }} + readOnly: true + {{- end }} + {{- if or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns") }} + # Azure mountPath(s) + - name: azure-config-file + {{- if or .Values.azure.secretName (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId) }} + mountPath: /etc/kubernetes/ + {{- else }} + mountPath: /etc/kubernetes/azure.json + {{- end }} + readOnly: true + {{- end }} + {{- if and (eq .Values.provider "coredns") (.Values.coredns.etcdTLS.enabled) }} + # CoreDNS mountPath(s) + - name: {{ include "external-dns.tlsSecretName" . }} + mountPath: {{ .Values.coredns.etcdTLS.mountPath }} + readOnly: true + {{- end }} + {{- if and (eq .Values.provider "google") (or .Values.google.serviceAccountKey .Values.google.serviceAccountSecret) }} + # Google mountPath(s) + - name: google-service-account + mountPath: /etc/secrets/service-account/ + {{- end }} + {{- if eq .Values.provider "oci" }} + - name: oci-config-file + mountPath: /etc/kubernetes/ + {{- end }} + {{- if eq .Values.provider "designate" }} + # Designate mountPath(s) + {{- if and (.Values.designate.customCAHostPath) (.Values.designate.customCA.enabled) }} + {{- fail "designate.customCAHostPath cannot be specified with designate.customCA.enabled set to true" }} + {{- else if .Values.designate.customCA.enabled }} + - name: designate-custom-ca + mountPath: {{ .Values.designate.customCA.mountPath }} + readOnly: true + {{- else if .Values.designate.customCAHostPath }} + - name: designate-custom-ca-hostpath + mountPath: {{ .Values.designate.customCAHostPath }} + readOnly: true + {{- end }} + {{- end }} + {{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }} + - name: krb5config + mountPath: /etc/krb5.conf + subPath: krb5.conf + {{- end }} + {{- if (eq .Values.provider "transip") }} + # TransIP mountPath(s) + - name: transip-api-key + mountPath: /transip + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + # Extra volume mount(s) + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }} + # Alibaba Cloud volume(s) + - name: alibabacloud-config-file + secret: + secretName: {{ template "external-dns.secretName" . }} + {{- end }} + {{- if and (eq .Values.provider "aws") (or (and .Values.aws.credentials.secretKey .Values.aws.credentials.accessKey) .Values.aws.credentials.secretName) }} + # AWS volume(s) + - name: aws-credentials + secret: + secretName: {{ template "external-dns.secretName" . }} + {{- end }} + {{- if or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns") }} + # Azure and Azure Private DNS volume(s) + - name: azure-config-file + {{- if or .Values.azure.secretName (and .Values.azure.resourceGroup .Values.azure.tenantId .Values.azure.subscriptionId) }} + secret: + secretName: {{ template "external-dns.secretName" . }} + {{- else if .Values.azure.useManagedIdentityExtension }} + secret: + secretName: {{ template "external-dns.fullname" . }} + {{- else }} + hostPath: + path: /etc/kubernetes/azure.json + type: File + {{- end }} + {{- end }} + {{- if (eq .Values.provider "oci")}} + - name: oci-config-file + secret: + secretName: {{ template "external-dns.secretName" . }} + {{- end }} + {{- if and (eq .Values.provider "coredns") (.Values.coredns.etcdTLS.enabled) }} + # CoreDNS volume(s) + - name: {{ include "external-dns.tlsSecretName" . }} + secret: + secretName: {{ include "external-dns.tlsSecretName" . }} + defaultMode: 400 + {{- end }} + {{- if and (eq .Values.provider "google") (or .Values.google.serviceAccountKey .Values.google.serviceAccountSecret) }} + # Google volume(s) + - name: google-service-account + secret: + secretName: {{ template "external-dns.secretName" . }} + {{- if and .Values.google.serviceAccountSecret .Values.google.serviceAccountSecretKey }} + items: + - key: {{ .Values.google.serviceAccountSecretKey | quote }} + path: credentials.json + {{- end }} + {{- end }} + {{- if eq .Values.provider "designate" }} + # Designate volume(s) + {{- if .Values.designate.customCA.enabled }} + - name: designate-custom-ca + configMap: + name: {{ template "external-dns.fullname" . }} + items: + - key: {{ .Values.designate.customCA.filename }} + path: {{ .Values.designate.customCA.filename }} + {{- else if .Values.designate.customCAHostPath }} + - name: designate-custom-ca-hostpath + hostPath: + path: {{ .Values.designate.customCAHostPath }} + {{- end }} + {{- end }} + {{- if and (eq .Values.provider "rfc2136") .Values.rfc2136.rfc3645Enabled }} + # Kerberos config volume + - name: krb5config + configMap: + name: {{ template "external-dns.fullname" . }} + items: + - key: "krb5.conf" + path: "krb5.conf" + {{- end }} + {{- if (eq .Values.provider "transip") }} + # TransIP volume(s) + - name: transip-api-key + secret: + secretName: {{ template "external-dns.fullname" . }} + {{- end }} + {{- if .Values.extraVolumes }} + # Extra volume(s) + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} diff --git a/external-dns/templates/extra-list.yaml b/external-dns/templates/extra-list.yaml new file mode 100644 index 0000000..9ac65f9 --- /dev/null +++ b/external-dns/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/external-dns/templates/pdb.yaml b/external-dns/templates/pdb.yaml new file mode 100644 index 0000000..96a1794 --- /dev/null +++ b/external-dns/templates/pdb.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "external-dns.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }} +{{- include "common.tplvalues.render" (dict "value" .Values.podDisruptionBudget "context" $) | nindent 2 }} +{{- end -}} diff --git a/external-dns/templates/psp-clusterrole.yaml b/external-dns/templates/psp-clusterrole.yaml new file mode 100644 index 0000000..e15c6b8 --- /dev/null +++ b/external-dns/templates/psp-clusterrole.yaml @@ -0,0 +1,21 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.rbac.pspEnabled }} +kind: ClusterRole +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "common.names.fullname.namespace" . }} +{{- end }} diff --git a/external-dns/templates/psp-clusterrolebinding.yaml b/external-dns/templates/psp-clusterrolebinding.yaml new file mode 100644 index 0000000..161619b --- /dev/null +++ b/external-dns/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.rbac.pspEnabled }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ printf "%s-%s" (include "common.names.fullname.namespace" .) "psp" }} +subjects: + - kind: ServiceAccount + name: {{ template "external-dns.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/external-dns/templates/psp.yaml b/external-dns/templates/psp.yaml new file mode 100644 index 0000000..f437a50 --- /dev/null +++ b/external-dns/templates/psp.yaml @@ -0,0 +1,47 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "common.names.fullname.namespace" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'hostPath' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1001 + max: 1001 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1001 + max: 1001 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1001 + max: 1001 +{{- end }} diff --git a/external-dns/templates/role.yaml b/external-dns/templates/role.yaml new file mode 100644 index 0000000..cb3c50f --- /dev/null +++ b/external-dns/templates/role.yaml @@ -0,0 +1,118 @@ +{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }} +apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} +kind: Role +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ template "external-dns.namespace" . }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - services + - pods + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - "networking.k8s.io" + - getambassador.io + resources: + - ingresses + - hosts + verbs: + - get + - list + - watch + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - watch + - apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list + - watch + - apiGroups: + - zalando.org + resources: + - routegroups + verbs: + - get + - list + - watch + - apiGroups: + - zalando.org + resources: + - routegroups/status + verbs: + - patch + - update + - apiGroups: + - projectcontour.io + resources: + - httpproxies + verbs: + - get + - watch + - list + - apiGroups: + - gloo.solo.io + - gateway.solo.io + resources: + - proxies + - virtualservices + verbs: + - get + - list + - watch + {{- if or .Values.crd.create .Values.crd.apiversion }} + - apiGroups: + {{- if .Values.crd.create }} + - externaldns.k8s.io + {{- else }} + - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }} + {{- end }} + resources: + {{- if .Values.crd.create }} + - dnsendpoints + {{- else }} + - {{ printf "%ss" (.Values.crd.kind | lower) }} + {{- end }} + verbs: + - get + - list + - watch + - apiGroups: + {{- if .Values.crd.create }} + - externaldns.k8s.io + {{- else }} + - {{ $api := splitn "/" 2 .Values.crd.apiversion }}{{ $api._0 }} + {{- end }} + resources: + {{- if .Values.crd.create }} + - dnsendpoints/status + {{- else }} + - {{ printf "%ss/status" (.Values.crd.kind | lower) }} + {{- end }} + verbs: + - update + {{- end }} +{{- end }} diff --git a/external-dns/templates/rolebindings.yaml b/external-dns/templates/rolebindings.yaml new file mode 100644 index 0000000..7113397 --- /dev/null +++ b/external-dns/templates/rolebindings.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }} +apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} +kind: RoleBinding +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ template "external-dns.namespace" . }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "external-dns.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "external-dns.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/external-dns/templates/secret.yaml b/external-dns/templates/secret.yaml new file mode 100644 index 0000000..ac4e6cb --- /dev/null +++ b/external-dns/templates/secret.yaml @@ -0,0 +1,94 @@ +{{- if (include "external-dns.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.secretAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secretAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if eq .Values.provider "alibabacloud" }} + alibaba-cloud.json: {{ include "external-dns.alibabacloud-credentials" . | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "aws" }} + credentials: {{ include "external-dns.aws-credentials" . | b64enc | quote }} + {{- if .Values.aws.region }} + config: {{ include "external-dns.aws-config" . | b64enc | quote }} + {{- end }} + {{- end }} + {{- if or (eq .Values.provider "azure") (eq .Values.provider "azure-private-dns") }} + azure.json: {{ include "external-dns.azure-credentials" . | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "google" }} + credentials.json: {{ .Values.google.serviceAccountKey | b64enc | quote }} + {{- end }} + {{- if and (eq .Values.provider "hetzner") (not .Values.hetzner.secretName) }} + hetzner_token: {{ .Values.hetzner.token | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "cloudflare" }} + {{- if .Values.cloudflare.apiToken }} + cloudflare_api_token: {{ .Values.cloudflare.apiToken | b64enc | quote }} + {{- else }} + cloudflare_api_key: {{ required "cloudflare.apiKey is required if cloudflare.apiToken is not provided" .Values.cloudflare.apiKey | b64enc | quote }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "designate" }} + {{- if .Values.designate.username }} + designate_username: {{ .Values.designate.username | b64enc | quote }} + {{- end }} + {{- if .Values.designate.password }} + designate_password: {{ .Values.designate.password | b64enc | quote }} + {{- end }} + {{- end }} + {{- if eq .Values.provider "digitalocean" }} + digitalocean_api_token: {{ .Values.digitalocean.apiToken | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "infoblox" }} + infoblox_wapi_username: {{ .Values.infoblox.wapiUsername | b64enc | quote }} + infoblox_wapi_password: {{ .Values.infoblox.wapiPassword | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "linode" }} + linode_api_token: {{ .Values.linode.apiToken | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "oci" }} + oci.yaml: {{ include "external-dns.oci-credentials" . | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "pdns" }} + pdns_api_key: {{ .Values.pdns.apiKey | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "rfc2136" }} + rfc2136_tsig_secret: {{ .Values.rfc2136.tsigSecret | b64enc | quote }} + rfc2136_kerberos_username: {{ .Values.rfc2136.kerberosUsername | b64enc | quote }} + rfc2136_kerberos_password: {{ .Values.rfc2136.kerberosPassword | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "transip" }} + transip-api-key: {{ .Values.transip.apiKey | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "ovh" }} + ovh_consumer_key: {{ .Values.ovh.consumerKey | b64enc | quote }} + ovh_application_key: {{ .Values.ovh.applicationKey | b64enc | quote }} + ovh_application_secret: {{ .Values.ovh.applicationSecret | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "scaleway" }} + scw_access_key: {{ .Values.scaleway.scwAccessKey | b64enc | quote }} + scw_secret_key: {{ .Values.scaleway.scwSecretKey | b64enc | quote }} + scw_default_organization_id: {{ .Values.scaleway.scwDefaultOrganizationId | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "vinyldns" }} + vinyldns-access-key: {{ .Values.vinyldns.accessKey | b64enc | quote }} + vinyldns-secret-key: {{ .Values.vinyldns.secretKey | b64enc | quote }} + {{- end }} + {{- if eq .Values.provider "ns1" }} + ns1-api-key: {{ .Values.ns1.apiKey | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/external-dns/templates/service.yaml b/external-dns/templates/service.yaml new file mode 100644 index 0000000..c971fa9 --- /dev/null +++ b/external-dns/templates/service.yaml @@ -0,0 +1,52 @@ +{{- if .Values.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.service.labels -}} + {{ toYaml .Values.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.service.annotations }} + annotations: {{ toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.ports.http }} + protocol: TCP + targetPort: http + {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePorts.http)) }} + nodePort: {{ .Values.service.nodePorts.http }} + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{ include "external-dns.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/external-dns/templates/serviceaccount.yaml b/external-dns/templates/serviceaccount.yaml new file mode 100644 index 0000000..9d42260 --- /dev/null +++ b/external-dns/templates/serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "external-dns.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/external-dns/templates/servicemonitor.yaml b/external-dns/templates/servicemonitor.yaml new file mode 100644 index 0000000..d45a6d3 --- /dev/null +++ b/external-dns/templates/servicemonitor.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "external-dns.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{ include "external-dns.labels" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: http + path: /metrics + {{- with .Values.metrics.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: {{ include "external-dns.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} +{{- end }} diff --git a/external-dns/templates/tls-secret.yaml b/external-dns/templates/tls-secret.yaml new file mode 100644 index 0000000..ef5d9a0 --- /dev/null +++ b/external-dns/templates/tls-secret.yaml @@ -0,0 +1,26 @@ +{{- if (include "external-dns.createTlsSecret" .) }} +{{- $ca := genCA "external-dns-ca" 365 }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $fullname := include "external-dns.fullname" . }} +{{- $serviceName := include "external-dns.fullname" . }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "external-dns.fullname" . }}-crt + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/external-dns/values.yaml b/external-dns/values.yaml new file mode 100644 index 0000000..c50606a --- /dev/null +++ b/external-dns/values.yaml @@ -0,0 +1,1015 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + +## @section Common parameters +## + +## @param nameOverride String to partially override external-dns.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override external-dns.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template). +## +extraDeploy: [] +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param watchReleaseNamespace Watch only namepsace used for the release +## +watchReleaseNamespace: false + +## @section external-dns parameters +## + +## Bitnami external-dns image version +## ref: https://hub.docker.com/r/bitnami/external-dns/tags/ +## @param image.registry ExternalDNS image registry +## @param image.repository ExternalDNS image repository +## @param image.tag ExternalDNS Image tag (immutable tags are recommended) +## @param image.digest ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy ExternalDNS image pull policy +## @param image.pullSecrets ExternalDNS image pull secrets +## +image: + registry: docker.io + repository: bitnami/external-dns + tag: 0.12.2-debian-11-r5 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + +## @param hostAliases Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## @param updateStrategy update strategy type +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#update-strategies +## +updateStrategy: {} + +## @param command Override kiam default command +## +command: [] +## @param args Override kiam default args +## +args: [] + +## @param sources [array] K8s resources type to be observed for new DNS entries by ExternalDNS +## +sources: + # - crd + - service + - ingress + # - contour-httpproxy +## @param provider DNS provider where the DNS records will be created. +## Available providers are: +## - alibabacloud, aws, azure, azure-private-dns, cloudflare, coredns, designate, digitalocean, google, hetzner, infoblox, linode, rfc2136, transip, oci +## +provider: aws +## @param initContainers Attach additional init containers to the pod (evaluated as a template) +## +initContainers: [] +## @param sidecars Attach additional containers to the pod (evaluated as a template) +## +sidecars: [] +## Flags related to processing sources +## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/pkg/apis/externaldns/types.go#L272 +## @param namespace Limit sources of endpoints to a specific namespace (default: all namespaces) +## +namespace: "" +## @param fqdnTemplates Templated strings that are used to generate DNS names from sources that don't define a hostname themselves +## +fqdnTemplates: [] +## @param containerPorts.http HTTP Container port +## +containerPorts: + http: 7979 +## @param combineFQDNAnnotation Combine FQDN template and annotations instead of overwriting +## +combineFQDNAnnotation: false +## @param ignoreHostnameAnnotation Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set +## +ignoreHostnameAnnotation: false +## @param publishInternalServices Allow external-dns to publish DNS records for ClusterIP services +## +publishInternalServices: false +## @param publishHostIP Allow external-dns to publish host-ip for headless services +## +publishHostIP: false +## @param serviceTypeFilter The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) +## +serviceTypeFilter: [] +## Alibaba cloud configuration to be set via arguments/env. variables +## These will be added to /etc/kubernetes/alibaba-cloud.json via secret +## +alibabacloud: + ## @param alibabacloud.accessKeyId When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) + ## + accessKeyId: "" + ## @param alibabacloud.accessKeySecret When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) + ## + accessKeySecret: "" + ## @param alibabacloud.regionId When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) + ## + regionId: "" + ## @param alibabacloud.vpcId Alibaba Cloud VPC Id + ## + vpcId: "" + ## @param alibabacloud.secretName Use an existing secret with key "alibaba-cloud.json" defined. + ## This ignores alibabacloud.accessKeyId, and alibabacloud.accessKeySecret + ## + secretName: "" + ## @param alibabacloud.zoneType Zone Filter. Available values are: public, private, or no value for both + ## + zoneType: "" +## AWS configuration to be set via arguments/env. variables +## +aws: + ## AWS credentials + ## @param aws.credentials.secretKey When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) + ## @param aws.credentials.accessKey When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) + ## @param aws.credentials.mountPath When using the AWS provider, determine `mountPath` for `credentials` secret + ## + credentials: + secretKey: "" + accessKey: "" + ## Before external-dns 0.5.9 home dir should be `/root/.aws` + ## + mountPath: "/.aws" + ## @param aws.credentials.secretName Use an existing secret with key "credentials" defined. + ## This ignores aws.credentials.secretKey, and aws.credentials.accessKey + ## + secretName: "" + ## @param aws.region When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) + ## + region: "us-east-1" + ## @param aws.zoneType When using the AWS provider, filter for zones of this type (optional, options: public, private) + ## + zoneType: "" + ## @param aws.assumeRoleArn When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon + ## + assumeRoleArn: "" + ## @param aws.roleArn Specify role ARN to the external-dns daemon + ## + roleArn: "" + ## @param aws.apiRetries Maximum number of retries for AWS API calls before giving up + ## + apiRetries: 3 + ## @param aws.batchChangeSize When using the AWS provider, set the maximum number of changes that will be applied in each batch + ## + batchChangeSize: 1000 + ## @param aws.zonesCacheDuration If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL + ## (default 0 - disabled, can be set to time interval like 1m or 1h) + ## + zonesCacheDuration: 0 + ## @param aws.zoneTags When using the AWS provider, filter for zones with these tags + ## + zoneTags: [] + ## @param aws.preferCNAME When using the AWS provider, replaces Alias records with CNAME (options: true, false) + ## + preferCNAME: "" + ## @param aws.evaluateTargetHealth When using the AWS provider, sets the evaluate target health flag (options: true, false) + ## + evaluateTargetHealth: "" +## Azure configuration to be set via arguments/env. variables +## +azure: + ## When a secret to load azure.json is not specified, the host's /etc/kubernetes/azure.json will be used + ## @param azure.secretName When using the Azure provider, set the secret containing the `azure.json` file + ## + secretName: "" + ## @param azure.cloud When using the Azure provider, set the Azure Cloud + ## + cloud: "" + ## @param azure.resourceGroup When using the Azure provider, set the Azure Resource Group + ## + resourceGroup: "" + ## @param azure.tenantId When using the Azure provider, set the Azure Tenant ID + ## + tenantId: "" + ## @param azure.subscriptionId When using the Azure provider, set the Azure Subscription ID + ## + subscriptionId: "" + ## @param azure.aadClientId When using the Azure provider, set the Azure AAD Client ID + ## + aadClientId: "" + ## @param azure.aadClientSecret When using the Azure provider, set the Azure AAD Client Secret + ## + aadClientSecret: "" + ## @param azure.useManagedIdentityExtension When using the Azure provider, set if you use Azure MSI + ## + useManagedIdentityExtension: false + ## @param azure.userAssignedIdentityID When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) + ## + userAssignedIdentityID: "" +## Cloudflare configuration to be set via arguments/env. variables +## +cloudflare: + ## @param cloudflare.apiToken When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) + ## + apiToken: "" + ## @param cloudflare.apiKey When using the Cloudflare provider, `CF_API_KEY` to set (optional) + ## + apiKey: "" + ## @param cloudflare.secretName When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. + ## This ignores cloudflare.apiToken, and cloudflare.apiKey + ## + secretName: "" + ## @param cloudflare.email When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY + ## + email: "" + ## @param cloudflare.proxied When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) + ## + proxied: true +## CoreDNS configuration to be set via arguments/env variables +## +coredns: + ## @param coredns.etcdEndpoints When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) + ## Secure (https) endpoints can be used as well, in that case `etcdTLS` section + ## should be filled in accordingly + ## + etcdEndpoints: "http://etcd-extdns:2379" + ## Configuration of the secure communication and client authentication to the etcd cluster + ## If enabled all the values under this key must hold a valid data + ## + etcdTLS: + ## @param coredns.etcdTLS.enabled When using the CoreDNS provider, enable secure communication with etcd + ## + enabled: false + ## @param coredns.etcdTLS.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param coredns.etcdTLS.secretName When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys + ## ref: https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md + ## ref (secret creation): + ## https://github.com/bitnami/charts/tree/master/bitnami/etcd#configure-certificates-for-client-communication + ## + secretName: "etcd-client-certs" + ## @param coredns.etcdTLS.mountPath When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to + ## + mountPath: "/etc/coredns/tls/etcd" + ## @param coredns.etcdTLS.caFilename When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` + ## + caFilename: "ca.crt" + ## @param coredns.etcdTLS.certFilename When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` + ## Will be used by external-dns to authenticate against etcd + ## + certFilename: "cert.pem" + ## @param coredns.etcdTLS.keyFilename When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` + ## Will be used by external-dns to authenticate against etcd + ## + keyFilename: "key.pem" +## OpenStack Designate provider configuration to be set via arguments/env. variables +## +designate: + ## Set Openstack environment variables (optional). Username and password will be saved in a kubernetes secret + ## The alternative to this is to export the necessary Openstack environment variables in the extraEnv argument + ## @param designate.username When using the Designate provider, specify the OpenStack authentication username. (optional) + ## @param designate.password When using the Designate provider, specify the OpenStack authentication password. (optional) + ## @param designate.authUrl When using the Designate provider, specify the OpenStack authentication Url. (optional) + ## @param designate.regionName When using the Designate provider, specify the OpenStack region name. (optional) + ## @param designate.userDomainName When using the Designate provider, specify the OpenStack user domain name. (optional) + ## @param designate.projectName When using the Designate provider, specify the OpenStack project name. (optional) + ## @param designate.username When using the Designate provider, specify the OpenStack authentication username. (optional) + ## e.g: + ## username: "someuser" + ## password: "p@55w0rd" + ## authUrl: "https://mykeystone.example.net:5000/v3/" + ## regionName: "dev" + ## userDomainName: "development" + ## projectName: "myteamname" + ## + username: "" + password: "" + authUrl: "" + regionName: "" + userDomainName: "" + projectName: "" + ## @param designate.customCAHostPath When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled` + ## This conflicts setting the above customCA to true and chart rendering will fail if you set customCA to true and specify customCAHostPath + ## + customCAHostPath: "" + ## Use a custom CA (optional) + ## @param designate.customCA.enabled When using the Designate provider, enable a custom CA (optional) + ## @param designate.customCA.content When using the Designate provider, set the content of the custom CA + ## @param designate.customCA.mountPath When using the Designate provider, set the mountPath in which to mount the custom CA configuration + ## @param designate.customCA.filename When using the Designate provider, set the custom CA configuration filename + ## + customCA: + enabled: false + content: "" + mountPath: "/config/designate" + filename: "designate-ca.pem" +## DigitalOcean configuration to be set via arguments/env. variables +## +digitalocean: + ## @param digitalocean.apiToken When using the DigitalOcean provider, `DO_TOKEN` to set (optional) + ## + apiToken: "" + ## @param digitalocean.secretName Use an existing secret with key "digitalocean_api_token" defined. + ## This ignores digitalocean.apiToken + ## + secretName: "" +## Google configuration to be set via arguments/env. variables +## +google: + ## @param google.project When using the Google provider, specify the Google project (required when provider=google) + ## + project: "" + ## @param google.serviceAccountSecret When using the Google provider, specify the existing secret which contains credentials.json (optional) + ## + serviceAccountSecret: "" + ## @param google.serviceAccountSecretKey When using the Google provider with an existing secret, specify the key name (optional) + ## + serviceAccountSecretKey: "credentials.json" + ## @param google.serviceAccountKey When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) + ## + serviceAccountKey: "" + ## @param google.zoneVisibility When using the Google provider, fiter for zones of a specific visibility (private or public) + ## + zoneVisibility: "" +## Hetzner configuration to be set via arguments/env. variables +## +hetzner: + ## @param hetzner.token When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.) + ## Mutually exclusive with `hetzner.secretName`. + ## + token: "" + ## @param hetzner.secretName When using the Hetzner provider, specify the existing secret which contains your token. Disables the usage of `hetzner.token` (optional) + ## + secretName: "" + ## @param hetzner.secretKey When using the Hetzner provider with an existing secret, specify the key name (optional) + ## + secretKey: "hetzner_token" +## Infoblox configuration to be set via arguments/env. variables +## +infoblox: + ## @param infoblox.wapiUsername When using the Infoblox provider, specify the Infoblox WAPI username + ## + wapiUsername: "admin" + ## @param infoblox.wapiPassword When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox) + ## + wapiPassword: "" + ## @param infoblox.gridHost When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox) + ## + gridHost: "" + ## @param infoblox.view Infoblox view + ## + view: "" + ## Optional keys + ## + ## @param infoblox.secretName Existing secret name, when in place wapiUsername and wapiPassword are not required + ## + secretName: "" + ## + ## @param infoblox.domainFilter When using the Infoblox provider, specify the domain (optional) + ## + domainFilter: "" + ## @param infoblox.noSslVerify When using the Infoblox provider, disable SSL verification (optional) + ## + noSslVerify: false + ## @param infoblox.wapiPort When using the Infoblox provider, specify the Infoblox WAPI port (optional) + ## + wapiPort: "" + ## @param infoblox.wapiVersion When using the Infoblox provider, specify the Infoblox WAPI version (optional) + ## + wapiVersion: "" + ## @param infoblox.wapiConnectionPoolSize When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional) + ## + wapiConnectionPoolSize: "" + ## @param infoblox.wapiHttpTimeout When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional) + ## + wapiHttpTimeout: "" + ## @param infoblox.maxResults When using the Infoblox provider, specify the Infoblox Max Results (optional) + ## + maxResults: "" +## Linode configuration to be set via arguments/env. variables +## +linode: + ## @param linode.apiToken When using the Linode provider, `LINODE_TOKEN` to set (optional) + ## + apiToken: "" + ## @param linode.secretName Use an existing secret with key "linode_api_token" defined. + ## This ignores linode.apiToken + ## + secretName: "" + +## NS1 configuration to be set via arguments/env. variables +## +ns1: + ## @param ns1.minTTL When using the ns1 provider, specify minimal TTL, as an integer, for records + ## + minTTL: 10 + ## @param ns1.apiKey When using the ns1 provider, specify the API key to use + ## + apiKey: "" + ## @param ns1.secretName Use an existing secret with key "ns1-api-key" defined. + ## This ignores ns1.apiToken + ## + secretName: "" + +## oci configuration to be set via arguments/env. variables +## +oci: + ## @param oci.region When using the OCI provider, specify the region, where your zone is located in. + ## + region: "" + ## @param oci.tenancyOCID When using the OCI provider, specify your Tenancy OCID + ## + tenancyOCID: "" + ## @param oci.userOCID When using the OCI provider, specify your User OCID + ## + userOCID: "" + ## @param oci.compartmentOCID When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. + ## + compartmentOCID: "" + ## @param oci.privateKey [string] When using the OCI provider, paste in your RSA private key file for the Oracle API + ## + privateKey: | + -----BEGIN RSA PRIVATE KEY----- + -----END RSA PRIVATE KEY----- + ## @param oci.privateKeyFingerprint When using the OCI provider, put in the fingerprint of your privateKey + ## + privateKeyFingerprint: "" + ## @param oci.privateKeyPassphrase When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) + ## + privateKeyPassphrase: "" + ## @param oci.secretName When using the OCI provider, it's the name of the secret containing `oci.yaml` file. + ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#deploy-externaldns + ## + secretName: "" +## OVH configuration to be set via arguments/env. variables +## +ovh: + ## @param ovh.consumerKey When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) + ## + consumerKey: "" + ## @param ovh.applicationKey When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) + ## + applicationKey: "" + ## @param ovh.applicationSecret When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) + ## + applicationSecret: "" + ## @param ovh.secretName When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. + ## with following keys: + ## - ovh_consumer_key + ## - ovh_application_key + ## - ovh_application_secret + ## This ignores consumerKey, applicationKey & applicationSecret + ## + secretName: "" +## Scaleway configuration to be set via arguments/env. variables +## +scaleway: + ## @param scaleway.scwAccessKey When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) + ## + scwAccessKey: "" + ## @param scaleway.scwSecretKey When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) + ## + scwSecretKey: "" + ## @param scaleway.scwDefaultOrganizationId When using the Scaleway provider, specify the existing organization id. (required when provider=scaleway) + ## + scwDefaultOrganizationId: "" +## RFC 2136 configuration to be set via arguments/env. variables +## +rfc2136: + ## @param rfc2136.host When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) + ## + host: "" + ## @param rfc2136.port When using the rfc2136 provider, specify the RFC2136 port (optional) + ## + port: 53 + ## @param rfc2136.zone When using the rfc2136 provider, specify the zone (required when provider=rfc2136) + ## + zone: "" + ## @param rfc2136.tsigSecret When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) + ## + tsigSecret: "" + ## @param rfc2136.secretName When using the rfc2136 provider, specify the existing secret which contains your tsig secret. Disables the usage of `rfc2136.tsigSecret` (optional) + ## + secretName: "" + ## @param rfc2136.tsigSecretAlg When using the rfc2136 provider, specify the tsig secret to enable security (optional) + ## + tsigSecretAlg: hmac-sha256 + ## @param rfc2136.tsigKeyname When using the rfc2136 provider, specify the tsig keyname to enable security (optional) + ## + tsigKeyname: externaldns-key + ## @param rfc2136.tsigAxfr When using the rfc2136 provider, enable AFXR to enable security (optional) + ## + tsigAxfr: true + ## @param rfc2136.minTTL When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration + ## + minTTL: "0s" + ## @param rfc2136.rfc3645Enabled When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG + ## + rfc3645Enabled: false + ## @param rfc2136.kerberosConfig When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) + ## + kerberosConfig: "" + ## @param rfc2136.kerberosUsername When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) + ## + kerberosUsername: "" + ## @param rfc2136.kerberosPassword When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) + ## + kerberosPassword: "" + ## @param rfc2136.kerberosRealm When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) + ## + kerberosRealm: "" + +## PowerDNS configuration to be set via arguments/env. variables +## +pdns: + ## @param pdns.apiUrl When using the PowerDNS provider, specify the API URL of the server. + ## + apiUrl: "" + ## @param pdns.apiPort When using the PowerDNS provider, specify the API port of the server. + ## + apiPort: "8081" + ## @param pdns.apiKey When using the PowerDNS provider, specify the API key of the server. + ## + apiKey: "" + ## @param pdns.secretName When using the PowerDNS provider, specify as secret name containing the API Key + ## + secretName: "" +## TransIP configuration to be set via arguments/env. variables +## +transip: + ## @param transip.account When using the TransIP provider, specify the account name. + ## + account: "" + ## @param transip.apiKey When using the TransIP provider, specify the API key to use. + ## + apiKey: "" +## VinylDNS configuration to be set via arguments/env. variables +## +vinyldns: + ## @param vinyldns.host When using the VinylDNS provider, specify the VinylDNS API host. + ## + host: "" + ## @param vinyldns.accessKey When using the VinylDNS provider, specify the Access Key to use. + ## + accessKey: "" + ## @param vinyldns.secretKey When using the VinylDNS provider, specify the Secret key to use. + ## + secretKey: "" +## @param domainFilters Limit possible target zones by domain suffixes (optional) +## +domainFilters: [] +## @param excludeDomains Exclude subdomains (optional) +## +excludeDomains: [] +## @param regexDomainFilter Limit possible target zones by regex domain suffixes (optional) +## If regexDomainFilter is specified, domainFilters will be ignored +## +regexDomainFilter: "" +## @param regexDomainExclusion Exclude subdomains by using regex pattern (optional) +## If regexDomainFilter is specified, excludeDomains will be ignored and external-dns will use regexDomainExclusion even though regexDomainExclusion is empty +## +regexDomainExclusion: "" +## @param zoneNameFilters Filter target zones by zone domain (optional) +## +zoneNameFilters: [] +## @param zoneIdFilters Limit possible target zones by zone id (optional) +## +zoneIdFilters: [] +## @param annotationFilter Filter sources managed by external-dns via annotation using label selector (optional) +## +annotationFilter: "" +## @param ingressClass Filter sources managed by external-dns via annotation using label selector (optional) +## +ingressClass: "" +## @param labelFilter Select sources managed by external-dns using label selector (optional) +## +labelFilter: "" +## @param dryRun When enabled, prints DNS record changes rather than actually performing them (optional) +## +dryRun: false +## @param triggerLoopOnEvent When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) +## +triggerLoopOnEvent: false +## @param interval Interval update period to use +## +interval: "1m" +## @param logLevel Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) +## +logLevel: info +## @param logFormat Which format to output logs in (options: text, json) +## +logFormat: text +## @param policy Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) +## +policy: upsert-only +## @param registry Registry method to use (options: txt, aws-sd, noop) +## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/proposal/registry.md +## +registry: "txt" +## @param txtPrefix When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional) (Mutual exclusive with txt-suffix) +## +txtPrefix: "" +## @param txtSuffix When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional).suffix (Mutual exclusive with txt-prefix) +## +txtSuffix: "" +## @param txtOwnerId A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) +## But other registry types might be added in the future. +## +txtOwnerId: "" +## @param forceTxtOwnerId (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) +## This setting added for backward compatibility for +## customers who already used bitnami/external-dns helm chart +## to privision 'aws-sd' registry type. +## Previously bitnami/external-dns helm chart did not pass +## txtOwnerId value down to the external-dns application +## so the app itself sets that value to be a string 'default'. +## If existing customers force the actual txtOwnerId value to be +## passed properly, their external-dns updates will stop working +## because the owner's value for exting DNS records in +## AWS Service Discovery would remain 'default'. +## NOTE: It is up to the end user to update AWS Service Discovery +## 'default' values in description fields to make it work with new +## value passed as txtOwnerId when forceTxtOwnerId=true +## +forceTxtOwnerId: false +## @param extraArgs Extra arguments to be passed to external-dns +## +extraArgs: {} +## @param extraEnvVars An array to add extra env vars +## +extraEnvVars: [] +## @param extraEnvVarsCM ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @param lifecycleHooks [object] Override default etcd container hooks +## +lifecycleHooks: {} +## @param schedulerName Alternative scheduler +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## @param replicaCount Desired number of ExternalDNS replicas +## +replicaCount: 1 +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param podAnnotations Additional annotations to apply to the pod. +## +podAnnotations: {} +## @param podLabels Additional labels to be added to pods +## +podLabels: {} +## @param priorityClassName priorityClassName +## +priorityClassName: "" +## @param secretAnnotations Additional annotations to apply to the secret +## +secretAnnotations: {} +## Options for the source type "crd" +## +crd: + ## @param crd.create Install and use the integrated DNSEndpoint CRD + ## + create: false + ## @param crd.apiversion Sets the API version for the CRD to watch + ## + apiversion: "" + ## @param crd.kind Sets the kind for the CRD to watch + ## + kind: "" +## Kubernetes svc configutarion +## +service: + ## @param service.enabled Whether to create Service resource or not + ## + enabled: true + ## @param service.type Kubernetes Service type + ## + type: ClusterIP + ## @param service.ports.http ExternalDNS client port + ## + ports: + http: 7979 + ## @param service.nodePorts.http Port to bind to for NodePort service type (client port) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + ## @param service.clusterIP IP address to assign to service + ## + clusterIP: "" + ## @param service.externalIPs Service external IP addresses + ## + externalIPs: [] + ## @param service.loadBalancerIP IP address to assign to load balancer (if supported) + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges List of IP CIDRs allowed access to load balancer (if supported) + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.extraPorts Extra ports to expose in the service (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Annotations to add to service + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## @param service.labels Provide any additional labels which may be required. + ## This can be used to have external-dns show up in `kubectl cluster-info` + ## kubernetes.io/cluster-service: "true" + ## kubernetes.io/name: "external-dns" + ## + labels: {} + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## ServiceAccount parameters +## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Determine whether a Service Account should be created or it should reuse a exiting one. + ## + create: true + ## @param serviceAccount.name ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account. + ## + automountServiceAccountToken: true + ## @param serviceAccount.labels [object] Additional labels to be included on the service account + ## + labels: {} +## RBAC parameters +## https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +## +rbac: + ## @param rbac.create Whether to create & use RBAC resources or not + ## + create: true + ## @param rbac.clusterRole Whether to create Cluster Role. When set to false creates a Role in `namespace` + ## + clusterRole: true + ## @param rbac.apiVersion Version of the RBAC API + ## + apiVersion: v1 + ## @param rbac.pspEnabled Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + pspEnabled: false +## @param containerSecurityContext Security context for the container +## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## Example: +## securityContext: +## allowPrivilegeEscalation: false +## readOnlyRootFilesystem: true +## capabilities: +## drop: ["ALL"] +## +containerSecurityContext: {} +## @param podSecurityContext.enabled Enable pod security context +## @param podSecurityContext.fsGroup Group ID for the container +## @param podSecurityContext.runAsUser User ID for the container +## +podSecurityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 +## Container resource requests and limits +## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resources.limits The resources limits for the container +## @param resources.requests The requested resources for the container +## +resources: + ## Example: + ## limits: + ## cpu: 50m + ## memory: 50Mi + ## + limits: {} + ## Examples: + ## requests: + ## cpu: 10m + ## memory: 50Mi + ## + requests: {} +## Configure extra options for liveness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 +## Configure extra options for readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Configure extra options for startup probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-startup-probes/#configure-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## @param customStartupProbe Override default startup probe +## +customStartupProbe: {} +## @param extraVolumes A list of volumes to be added to the pod +## +extraVolumes: [] +## @param extraVolumeMounts A list of volume mounts to be added to the pod +## +extraVolumeMounts: [] +## @param podDisruptionBudget Configure PodDisruptionBudget +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## + +podDisruptionBudget: {} +## Prometheus Exporter / Metrics +## +metrics: + ## @param metrics.enabled Enable prometheus to access external-dns metrics endpoint + ## + enabled: false + ## @param metrics.podAnnotations Annotations for enabling prometheus to access the metrics endpoint + ## + podAnnotations: {} + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor object + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.selector Additional labels for ServiceMonitor object + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## e.g: + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.metricRelabelings Specify Metric Relabelings to add to the scrape endpoint + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.relabelings [array] Prometheus relabeling rules + ## + relabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## DEPRECATED metrics.serviceMonitor.additionalLabels will be removed in a future release - Please use metrics.serviceMonitor.labels instead + ## @param metrics.serviceMonitor.labels Used to pass Labels that are required by the installed Prometheus Operator + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + labels: {} + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: ""