diff --git a/argocd-helm-charts/external-dns/Chart.lock b/argocd-helm-charts/external-dns/Chart.lock
index 58069f768..13630f6ee 100644
--- a/argocd-helm-charts/external-dns/Chart.lock
+++ b/argocd-helm-charts/external-dns/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 6.28.5
-digest: sha256:81c39dc28315b7187b1abda81daaeeaceb97017482f6c17a42136d8fc1e7b23a
-generated: "2023-11-23T09:30:48.093901654+05:30"
+  version: 8.0.2
+digest: sha256:ab30fe8499d67e272c8ba5a2eaae09b7bb512d0e4f7ad45f740549f6ac3bf4a8
+generated: "2024-07-05T13:21:18.235042814+05:30"
diff --git a/argocd-helm-charts/external-dns/Chart.yaml b/argocd-helm-charts/external-dns/Chart.yaml
index 0132a3c3b..07c61b539 100644
--- a/argocd-helm-charts/external-dns/Chart.yaml
+++ b/argocd-helm-charts/external-dns/Chart.yaml
@@ -1,9 +1,7 @@
 apiVersion: v2
 name: external-dns
 version: 0.10.2
-# see latest chart here: https://artifacthub.io/packages/helm/bitnami/external-dns
 dependencies:
 - name: external-dns
-  version: 6.28.5
+  version: 8.0.2
   repository: https://charts.bitnami.com/bitnami
-  #repository: "oci://ghcr.io/Obmondo"
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/.helmignore b/argocd-helm-charts/external-dns/charts/external-dns/.helmignore
index f0c131944..207983f36 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/.helmignore
+++ b/argocd-helm-charts/external-dns/charts/external-dns/.helmignore
@@ -19,3 +19,7 @@
 .project
 .idea/
 *.tmproj
+# img folder
+img/
+# Changelog
+CHANGELOG.md
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/Chart.lock b/argocd-helm-charts/external-dns/charts/external-dns/Chart.lock
index 81898f589..a39e57017 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/Chart.lock
+++ b/argocd-helm-charts/external-dns/charts/external-dns/Chart.lock
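Review bot: The umbrella chart's own `version: 0.10.2` is left untouched while its only dependency moves two major versions (6.28.5 → 8.0.2) in the same hunk of argocd-helm-charts/external-dns/Chart.yaml; bump it as well, e.g. `version: 0.11.0`, so Argo CD and Helm see a new chart revision and the previous pin stays a clean rollback target. In Bitnami's semver practice a major bump signals breaking changes, and no accompanying values.yaml change is visible in this chunk, so the deployed values should presumably be checked against the 8.x defaults before this merges. Removing the `# see latest chart here: https://artifacthub.io/packages/helm/bitnami/external-dns` comment also drops the only pointer to where the pinned version is sourced from; keeping it, or replacing it with a pointer to the upstream changelog, costs nothing.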
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-07T18:11:31.14103494Z" + version: 2.20.3 +digest: sha256:569e1c9d81abdcad3891e065c0f23c83786527d2043f2bc68193c43d18886c19 +generated: "2024-06-18T11:35:47.714107662Z" diff --git a/argocd-helm-charts/external-dns/charts/external-dns/Chart.yaml b/argocd-helm-charts/external-dns/charts/external-dns/Chart.yaml index 1c0730c0b..c6dc22bb5 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/Chart.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/Chart.yaml @@ -2,10 +2,10 @@ annotations: category: DeveloperTools images: | - name: external-dns - image: docker.io/bitnami/external-dns:0.14.0-debian-11-r1 + image: docker.io/bitnami/external-dns:0.14.2-debian-12-r4 licenses: Apache-2.0 apiVersion: v2 -appVersion: 0.14.0 +appVersion: 0.14.2 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -21,9 +21,9 @@ keywords: - network - dns maintainers: -- name: VMware, Inc. +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: external-dns sources: - https://github.com/bitnami/charts/tree/main/bitnami/external-dns -version: 6.28.5 +version: 8.0.2 diff --git a/argocd-helm-charts/external-dns/charts/external-dns/README.md b/argocd-helm-charts/external-dns/charts/external-dns/README.md index 373c2f8c0..3f0268449 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/README.md +++ b/argocd-helm-charts/external-dns/charts/external-dns/README.md 
@@ -14,7 +14,7 @@ Trademarks: This software listing is packaged by Bitnami. The respective tradema helm install my-release oci://registry-1.docker.io/bitnamicharts/external-dns ``` -Looking to use ExternalDNS in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. +Looking to use ExternalDNS in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. ## Introduction 
@@ -41,346 +41,15 @@ The command deploys ExternalDNS on the Kubernetes cluster in the default configu > **Tip**: List all releases using `helm list` -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Parameters - -### Global parameters - -| Name | Description | Value | -| ------------------------- | ----------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | - -### Common parameters - -| Name | Description | Value | -| ----------------------- | -------------------------------------------------------------------------------------------- | --------------- | -| `nameOverride` | String to partially override external-dns.fullname template (will maintain the release name) | `""` | -| `fullnameOverride` | String to fully override external-dns.fullname template | `""` | -| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). 
| `[]` | -| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | -| `watchReleaseNamespace` | Watch only namepsace used for the release | `false` | -| `useDaemonset` | Use ExternalDNS in Daemonset mode | `false` | - -### external-dns parameters - -| Name | Description | Value | -| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------ | -| `image.registry` | ExternalDNS image registry | `REGISTRY_NAME` | -| `image.repository` | ExternalDNS image repository | `REPOSITORY_NAME/external-dns` | -| `image.digest` | ExternalDNS image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | ExternalDNS image pull policy | `IfNotPresent` | -| `image.pullSecrets` | ExternalDNS image pull secrets | `[]` | -| `hostAliases` | Deployment pod host aliases | `[]` | -| `updateStrategy` | update strategy type | `{}` | -| `command` | Override kiam default command | `[]` | -| `args` | Override kiam default args | `[]` | -| `sources` | K8s resources type to be observed for new DNS entries by ExternalDNS | `[]` | -| `provider` | DNS provider where the DNS records will be created. 
| `aws` | -| `initContainers` | Attach additional init containers to the pod (evaluated as a template) | `[]` | -| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` | -| `namespace` | Limit sources of endpoints to a specific namespace (default: all namespaces) | `""` | -| `fqdnTemplates` | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves | `[]` | -| `containerPorts.http` | HTTP Container port | `7979` | -| `combineFQDNAnnotation` | Combine FQDN template and annotations instead of overwriting | `false` | -| `ignoreHostnameAnnotation` | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set | `false` | -| `publishInternalServices` | Allow external-dns to publish DNS records for ClusterIP services | `false` | -| `publishHostIP` | Allow external-dns to publish host-ip for headless services | `false` | -| `serviceTypeFilter` | The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) | `[]` | -| `validation.enabled` | Enable chart validation | `true` | -| `akamai.host` | Hostname to use for EdgeGrid auth | `""` | -| `akamai.accessToken` | Access Token to use for EdgeGrid auth | `""` | -| `akamai.clientToken` | Client Token to use for EdgeGrid auth | `""` | -| `akamai.clientSecret` | When using the Akamai provider, `AKAMAI_CLIENT_SECRET` to set (optional) | `""` | -| `akamai.secretName` | Use an existing secret with key "akamai_api_seret" defined. 
| `""` | -| `alibabacloud.accessKeyId` | When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) | `""` | -| `alibabacloud.accessKeySecret` | When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) | `""` | -| `alibabacloud.regionId` | When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) | `""` | -| `alibabacloud.vpcId` | Alibaba Cloud VPC Id | `""` | -| `alibabacloud.secretName` | Use an existing secret with key "alibaba-cloud.json" defined. | `""` | -| `alibabacloud.zoneType` | Zone Filter. Available values are: public, private, or no value for both | `""` | -| `aws.credentials.secretKey` | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) | `""` | -| `aws.credentials.accessKey` | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) | `""` | -| `aws.credentials.mountPath` | When using the AWS provider, determine `mountPath` for `credentials` secret | `/.aws` | -| `aws.credentials.secretName` | Use an existing secret with key "credentials" defined. | `""` | -| `aws.credentials.accessKeyIDSecretRef.name` | Define the name of the secret that stores aws_access_key_id. | `""` | -| `aws.credentials.accessKeyIDSecretRef.key` | Define the key of the secret that stores aws_access_key_id. 
| `""` | -| `aws.credentials.secretAccessKeySecretRef.name` | Define the name of the secret that stores aws_secret_access_key | `""` | -| `aws.credentials.secretAccessKeySecretRef.key` | Define the key of the secret that stores aws_secret_access_key | `""` | -| `aws.region` | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) | `us-east-1` | -| `aws.zoneType` | When using the AWS provider, filter for zones of this type (optional, options: public, private) | `""` | -| `aws.assumeRoleArn` | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon | `""` | -| `aws.roleArn` | Specify role ARN to the external-dns daemon | `""` | -| `aws.apiRetries` | Maximum number of retries for AWS API calls before giving up | `3` | -| `aws.batchChangeSize` | When using the AWS provider, set the maximum number of changes that will be applied in each batch | `1000` | -| `aws.zonesCacheDuration` | If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL | `0` | -| `aws.zoneTags` | When using the AWS provider, filter for zones with these tags | `[]` | -| `aws.preferCNAME` | When using the AWS provider, replaces Alias records with CNAME (options: true, false) | `""` | -| `aws.evaluateTargetHealth` | When using the AWS provider, sets the evaluate target health flag (options: true, false) | `""` | -| `aws.dynamodbTable` | When using the AWS provider, sets the DynamoDB table name to use for dynamodb registry | `""` | -| `aws.dynamodbRegion` | When using the AWS provider, sets the DynamoDB table region to use for dynamodb registry | `""` | -| `azure.secretName` | When using the Azure provider, set the secret containing the `azure.json` file | `""` | -| `azure.cloud` | When using the Azure provider, set the Azure Cloud | `""` | -| `azure.resourceGroup` | When using the Azure provider, set the Azure Resource Group | `""` | -| `azure.tenantId` | When using the Azure 
provider, set the Azure Tenant ID | `""` | -| `azure.subscriptionId` | When using the Azure provider, set the Azure Subscription ID | `""` | -| `azure.aadClientId` | When using the Azure provider, set the Azure AAD Client ID | `""` | -| `azure.aadClientSecret` | When using the Azure provider, set the Azure AAD Client Secret | `""` | -| `azure.useWorkloadIdentityExtension` | When using the Azure provider, set if you use Workload Identity extension. | `false` | -| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI | `false` | -| `azure.userAssignedIdentityID` | When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) | `""` | -| `civo.apiToken` | When using the Civo provider, `CIVO_TOKEN` to set (optional) | `""` | -| `civo.secretName` | Use an existing secret with key "apiToken" defined. | `""` | -| `cloudflare.apiToken` | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) | `""` | -| `cloudflare.apiKey` | When using the Cloudflare provider, `CF_API_KEY` to set (optional) | `""` | -| `cloudflare.secretName` | When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. | `""` | -| `cloudflare.email` | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY | `""` | -| `cloudflare.proxied` | When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) 
(optional) | `true` | -| `coredns.etcdEndpoints` | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) | `http://etcd-extdns:2379` | -| `coredns.etcdTLS.enabled` | When using the CoreDNS provider, enable secure communication with etcd | `false` | -| `coredns.etcdTLS.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | -| `coredns.etcdTLS.secretName` | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys | `etcd-client-certs` | -| `coredns.etcdTLS.mountPath` | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to | `/etc/coredns/tls/etcd` | -| `coredns.etcdTLS.caFilename` | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` | `ca.crt` | -| `coredns.etcdTLS.certFilename` | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` | `cert.pem` | -| `coredns.etcdTLS.keyFilename` | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `key.pem` | -| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` | -| `designate.password` | When using the Designate provider, specify the OpenStack authentication password. (optional) | `""` | -| `designate.applicationCredentialId` | When using the Designate provider, specify the OpenStack authentication application credential ID. This conflicts with `designate.username`. (optional) | `""` | -| `designate.applicationCredentialSecret` | When using the Designate provider, specify the OpenStack authentication application credential ID. This conflicts with `designate.password`. (optional) | `""` | -| `designate.authUrl` | When using the Designate provider, specify the OpenStack authentication Url. 
(optional) | `""` | -| `designate.regionName` | When using the Designate provider, specify the OpenStack region name. (optional) | `""` | -| `designate.userDomainName` | When using the Designate provider, specify the OpenStack user domain name. (optional) | `""` | -| `designate.projectName` | When using the Designate provider, specify the OpenStack project name. (optional) | `""` | -| `designate.authType` | When using the Designate provider, specify the OpenStack auth type. (optional) | `""` | -| `designate.customCAHostPath` | When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled` | `""` | -| `designate.customCA.enabled` | When using the Designate provider, enable a custom CA (optional) | `false` | -| `designate.customCA.content` | When using the Designate provider, set the content of the custom CA | `""` | -| `designate.customCA.mountPath` | When using the Designate provider, set the mountPath in which to mount the custom CA configuration | `/config/designate` | -| `designate.customCA.filename` | When using the Designate provider, set the custom CA configuration filename | `designate-ca.pem` | -| `exoscale.apiKey` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APIKEY` to set (optional) | `""` | -| `exoscale.apiToken` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APISECRET` to set (optional) | `""` | -| `exoscale.secretName` | Use an existing secret with keys "exoscale_api_key" and "exoscale_api_token" defined. | `""` | -| `digitalocean.apiToken` | When using the DigitalOcean provider, `DO_TOKEN` to set (optional) | `""` | -| `digitalocean.secretName` | Use an existing secret with key "digitalocean_api_token" defined. 
| `""` | -| `google.project` | When using the Google provider, specify the Google project (required when provider=google) | `""` | -| `google.batchChangeSize` | When using the google provider, set the maximum number of changes that will be applied in each batch | `1000` | -| `google.serviceAccountSecret` | When using the Google provider, specify the existing secret which contains credentials.json (optional) | `""` | -| `google.serviceAccountSecretKey` | When using the Google provider with an existing secret, specify the key name (optional) | `credentials.json` | -| `google.serviceAccountKey` | When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) | `""` | -| `google.zoneVisibility` | When using the Google provider, fiter for zones of a specific visibility (private or public) | `""` | -| `hetzner.token` | When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.) | `""` | -| `hetzner.secretName` | When using the Hetzner provider, specify the existing secret which contains your token. 
Disables the usage of `hetzner.token` (optional) | `""` | -| `hetzner.secretKey` | When using the Hetzner provider with an existing secret, specify the key name (optional) | `hetzner_token` | -| `infoblox.wapiUsername` | When using the Infoblox provider, specify the Infoblox WAPI username | `admin` | -| `infoblox.wapiPassword` | When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox) | `""` | -| `infoblox.gridHost` | When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox) | `""` | -| `infoblox.view` | Infoblox view | `""` | -| `infoblox.secretName` | Existing secret name, when in place wapiUsername and wapiPassword are not required | `""` | -| `infoblox.domainFilter` | When using the Infoblox provider, specify the domain (optional) | `""` | -| `infoblox.nameRegex` | When using the Infoblox provider, specify the name regex filter (optional) | `""` | -| `infoblox.noSslVerify` | When using the Infoblox provider, disable SSL verification (optional) | `false` | -| `infoblox.wapiPort` | When using the Infoblox provider, specify the Infoblox WAPI port (optional) | `""` | -| `infoblox.wapiVersion` | When using the Infoblox provider, specify the Infoblox WAPI version (optional) | `""` | -| `infoblox.wapiConnectionPoolSize` | When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional) | `""` | -| `infoblox.wapiHttpTimeout` | When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional) | `""` | -| `infoblox.maxResults` | When using the Infoblox provider, specify the Infoblox Max Results (optional) | `""` | -| `linode.apiToken` | When using the Linode provider, `LINODE_TOKEN` to set (optional) | `""` | -| `linode.secretName` | Use an existing secret with key "linode_api_token" defined. 
| `""` | -| `ns1.minTTL` | When using the ns1 provider, specify minimal TTL, as an integer, for records | `10` | -| `ns1.apiKey` | When using the ns1 provider, specify the API key to use | `""` | -| `ns1.secretName` | Use an existing secret with key "ns1-api-key" defined. | `""` | -| `oci.region` | When using the OCI provider, specify the region, where your zone is located in. | `""` | -| `oci.tenancyOCID` | When using the OCI provider, specify your Tenancy OCID | `""` | -| `oci.userOCID` | When using the OCI provider, specify your User OCID | `""` | -| `oci.compartmentOCID` | When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. | `""` | -| `oci.privateKey` | When using the OCI provider, paste in your RSA private key file for the Oracle API | `""` | -| `oci.privateKeyFingerprint` | When using the OCI provider, put in the fingerprint of your privateKey | `""` | -| `oci.privateKeyPassphrase` | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) | `""` | -| `oci.secretName` | When using the OCI provider, it's the name of the secret containing `oci.yaml` file. | `""` | -| `ovh.consumerKey` | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | -| `ovh.applicationKey` | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | -| `ovh.applicationSecret` | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | -| `ovh.secretName` | When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. 
| `""` | -| `scaleway.scwAccessKey` | When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) | `""` | -| `scaleway.scwSecretKey` | When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) | `""` | -| `rfc2136.host` | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) | `""` | -| `rfc2136.port` | When using the rfc2136 provider, specify the RFC2136 port (optional) | `53` | -| `rfc2136.zone` | When using the rfc2136 provider, specify the zone (required when provider=rfc2136) | `""` | -| `rfc2136.tsigSecret` | When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) | `""` | -| `rfc2136.secretName` | When using the rfc2136 provider, specify the existing secret which contains your tsig secret in the key "rfc2136_tsig_secret". Disables the usage of `rfc2136.tsigSecret` (optional) | `""` | -| `rfc2136.tsigSecretAlg` | When using the rfc2136 provider, specify the tsig secret to enable security (optional) | `hmac-sha256` | -| `rfc2136.tsigKeyname` | When using the rfc2136 provider, specify the tsig keyname to enable security (optional) | `rfc2136_tsig_secret` | -| `rfc2136.tsigAxfr` | When using the rfc2136 provider, enable AFXR to enable security (optional) | `true` | -| `rfc2136.minTTL` | When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more | `0s` | -| `rfc2136.rfc3645Enabled` | When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG | `false` | -| `rfc2136.kerberosConfig` | When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) | `""` | -| `rfc2136.kerberosUsername` | When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) | `""` | -| 
`rfc2136.kerberosPassword` | When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) | `""` | -| `rfc2136.kerberosRealm` | When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) | `""` | -| `pdns.apiUrl` | When using the PowerDNS provider, specify the API URL of the server. | `""` | -| `pdns.apiPort` | When using the PowerDNS provider, specify the API port of the server. | `8081` | -| `pdns.apiKey` | When using the PowerDNS provider, specify the API key of the server. | `""` | -| `pdns.secretName` | When using the PowerDNS provider, specify as secret name containing the API Key | `""` | -| `transip.account` | When using the TransIP provider, specify the account name. | `""` | -| `transip.apiKey` | When using the TransIP provider, specify the API key to use. | `""` | -| `vinyldns.host` | When using the VinylDNS provider, specify the VinylDNS API host. | `""` | -| `vinyldns.accessKey` | When using the VinylDNS provider, specify the Access Key to use. | `""` | -| `vinyldns.secretKey` | When using the VinylDNS provider, specify the Secret key to use. 
| `""` | -| `domainFilters` | Limit possible target zones by domain suffixes (optional) | `[]` | -| `excludeDomains` | Exclude subdomains (optional) | `[]` | -| `regexDomainFilter` | Limit possible target zones by regex domain suffixes (optional) | `""` | -| `regexDomainExclusion` | Exclude subdomains by using regex pattern (optional) | `""` | -| `zoneNameFilters` | Filter target zones by zone domain (optional) | `[]` | -| `zoneIdFilters` | Limit possible target zones by zone id (optional) | `[]` | -| `annotationFilter` | Filter sources managed by external-dns via annotation using label selector (optional) | `""` | -| `labelFilter` | Select sources managed by external-dns using label selector (optional) | `""` | -| `ingressClassFilters` | Filter sources managed by external-dns via IngressClass (optional) | `[]` | -| `managedRecordTypesFilters` | Filter record types managed by external-dns (optional) | `[]` | -| `dryRun` | When enabled, prints DNS record changes rather than actually performing them (optional) | `false` | -| `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) | `false` | -| `interval` | Interval update period to use | `1m` | -| `logLevel` | Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) | `info` | -| `logFormat` | Which format to output logs in (options: text, json) | `text` | -| `policy` | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) | `upsert-only` | -| `registry` | Registry method to use (options: txt, aws-sd, dynamodb, noop) | `txt` | -| `txtPrefix` | When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional) (Mutual exclusive with txt-suffix) | `""` | -| `txtSuffix` | When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional).suffix (Mutual exclusive with txt-prefix) | `""` | 
-| `txtOwnerId` | A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) | `""` | -| `forceTxtOwnerId` | (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) | `false` | -| `extraArgs` | Extra arguments to be passed to external-dns | `{}` | -| `extraEnvVars` | An array to add extra env vars | `[]` | -| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` | -| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` | -| `lifecycleHooks` | Override default etcd container hooks | `{}` | -| `schedulerName` | Alternative scheduler | `""` | -| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | -| `replicaCount` | Desired number of ExternalDNS replicas | `1` | -| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | -| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `podAnnotations` | Additional annotations to apply to the pod. 
| `{}` | -| `podLabels` | Additional labels to be added to pods | `{}` | -| `priorityClassName` | priorityClassName | `""` | -| `secretAnnotations` | Additional annotations to apply to the secret | `{}` | -| `crd.create` | Install and use the integrated DNSEndpoint CRD | `false` | -| `crd.apiversion` | Sets the API version for the CRD to watch | `""` | -| `crd.kind` | Sets the kind for the CRD to watch | `""` | -| `service.enabled` | Whether to create Service resource or not | `true` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.http` | ExternalDNS client port | `7979` | -| `service.nodePorts.http` | Port to bind to for NodePort service type (client port) | `""` | -| `service.clusterIP` | IP address to assign to service | `""` | -| `service.externalIPs` | Service external IP addresses | `[]` | -| `service.externalName` | Service external name | `""` | -| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` | -| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` | -| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` | -| `service.annotations` | Annotations to add to service | `{}` | -| `service.labels` | Provide any additional labels which may be required. | `{}` | -| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` | -| `serviceAccount.name` | ServiceAccount to use. 
A name is generated using the external-dns.fullname template if it is not set | `""` | -| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` | -| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` | -| `rbac.create` | Whether to create & use RBAC resources or not | `true` | -| `rbac.clusterRole` | Whether to create Cluster Role. When set to false creates a Role in `namespace` | `true` | -| `rbac.apiVersion` | Version of the RBAC API | `v1` | -| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | -| `containerSecurityContext.enabled` | Enabled Apache Server containers' Security Context | `true` | -| `containerSecurityContext.runAsUser` | Set ExternalDNS containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsNonRoot` | Set ExternalDNS container's Security Context runAsNonRoot | `true` | -| `containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | -| `containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | -| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container readonlyRootFilesystem | `false` | -| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `podSecurityContext.enabled` | Enable pod security context | `true` | -| `podSecurityContext.fsGroup` | Group ID for the container | `1001` | -| `resources.limits` | The resources limits for the container | `{}` | -| `resources.requests` | The requested resources for the container | `{}` | -| 
`livenessProbe.enabled` | Enable livenessProbe | `true` | -| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | -| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | -| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readinessProbe.enabled` | Enable readinessProbe | `true` | -| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `startupProbe.enabled` | Enable startupProbe | `false` | -| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | -| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | -| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `customLivenessProbe` | Override default liveness probe | `{}` | -| `customReadinessProbe` | Override default readiness probe | `{}` | -| `customStartupProbe` | Override default startup probe | `{}` | -| `extraVolumes` | A list of volumes to be added to the pod | `[]` | -| `extraVolumeMounts` | A list of volume mounts to be added to the pod | `[]` | -| `podDisruptionBudget` | Configure PodDisruptionBudget | `{}` | -| `metrics.enabled` | Enable prometheus to access external-dns metrics endpoint | `false` | -| `metrics.podAnnotations` | Annotations for enabling prometheus to access the 
metrics endpoint | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor object | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.selector` | Additional labels for ServiceMonitor object | `{}` | -| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` | -| `metrics.serviceMonitor.relabelings` | Prometheus relabeling rules | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.labels` | Used to pass Labels that are required by the installed Prometheus Operator | `{}` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.googlePodMonitor.enabled` | Create Google Managed Prometheus PodMonitoring object | `false` | -| `metrics.googlePodMonitor.namespace` | Namespace in which PodMonitoring created | `""` | -| `metrics.googlePodMonitor.interval` | Interval at which metrics should be scraped by Google Managed Prometheus | `60s` | -| `metrics.googlePodMonitor.endpoint` | The endpoint for Google Managed Prometheus scraping the metrics | `/metrics` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -helm install my-release \ - --set provider=aws oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns -``` +## Configuration and installation details -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. 
For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +### Resource requests and limits -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. -```console -helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns -``` - -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/external-dns/values.yaml) - -## Configuration and installation details +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). 
-### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -426,12 +95,378 @@ helm install my-release \ > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ----------------------- | -------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override external-dns.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override external-dns.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `[]` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `watchReleaseNamespace` | Watch only namepsace used for the release | `false` | + +### external-dns parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `image.registry` | ExternalDNS image registry | `REGISTRY_NAME` | +| `image.repository` | ExternalDNS image repository | `REPOSITORY_NAME/external-dns` | +| `image.digest` | ExternalDNS image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | ExternalDNS image pull policy | `IfNotPresent` | +| `image.pullSecrets` | ExternalDNS image pull secrets | `[]` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `true` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `updateStrategy` | update strategy type | `{}` | +| `command` | Override kiam default command | `[]` | +| `args` | Override kiam default args | `[]` | +| `sources` | K8s resources type to be observed for new DNS entries by ExternalDNS | `[]` | +| `provider` | DNS provider where the DNS records will be created. | `aws` | +| `initContainers` | Attach additional init containers to the pod (evaluated as a template) | `[]` | +| `dnsPolicy` | Specifies the DNS policy for the external-dns deployment | `""` | +| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | +| `sidecars` | Attach additional containers to the pod (evaluated as a template) | `[]` | +| `namespace` | Limit sources of endpoints to a specific namespace (default: all namespaces) | `""` | +| `fqdnTemplates` | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves | `[]` | +| `containerPorts.http` | HTTP Container port | `7979` | +| `combineFQDNAnnotation` | Combine FQDN template and annotations instead of overwriting | `false` | +| `ignoreHostnameAnnotation` | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set | `false` | +| `publishInternalServices` | Allow external-dns to publish DNS records for ClusterIP services | `false` | +| `publishHostIP` | Allow external-dns to publish host-ip for headless services | `false` | +| `serviceTypeFilter` | The service types to take care about (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName) | `[]` | +| `validation.enabled` | Enable chart validation | 
`true` | +| `akamai.host` | Hostname to use for EdgeGrid auth | `""` | +| `akamai.accessToken` | Access Token to use for EdgeGrid auth | `""` | +| `akamai.clientToken` | Client Token to use for EdgeGrid auth | `""` | +| `akamai.clientSecret` | When using the Akamai provider, `AKAMAI_CLIENT_SECRET` to set (optional) | `""` | +| `akamai.secretName` | Use an existing secret with key "akamai_api_seret" defined. | `""` | +| `alibabacloud.accessKeyId` | When using the Alibaba Cloud provider, set `accessKeyId` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.accessKeySecret` | When using the Alibaba Cloud provider, set `accessKeySecret` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.regionId` | When using the Alibaba Cloud provider, set `regionId` in the Alibaba Cloud configuration file (optional) | `""` | +| `alibabacloud.vpcId` | Alibaba Cloud VPC Id | `""` | +| `alibabacloud.secretName` | Use an existing secret with key "alibaba-cloud.json" defined. | `""` | +| `alibabacloud.zoneType` | Zone Filter. Available values are: public, private, or no value for both | `""` | +| `aws.credentials.secretKey` | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional) | `""` | +| `aws.credentials.accessKey` | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional) | `""` | +| `aws.credentials.mountPath` | When using the AWS provider, determine `mountPath` for `credentials` secret | `/.aws` | +| `aws.credentials.secretName` | Use an existing secret with key "credentials" defined. | `""` | +| `aws.credentials.accessKeyIDSecretRef.name` | Define the name of the secret that stores aws_access_key_id. | `""` | +| `aws.credentials.accessKeyIDSecretRef.key` | Define the key of the secret that stores aws_access_key_id. 
| `""` | +| `aws.credentials.secretAccessKeySecretRef.name` | Define the name of the secret that stores aws_secret_access_key | `""` | +| `aws.credentials.secretAccessKeySecretRef.key` | Define the key of the secret that stores aws_secret_access_key | `""` | +| `aws.region` | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional) | `us-east-1` | +| `aws.zoneType` | When using the AWS provider, filter for zones of this type (optional, options: public, private) | `""` | +| `aws.assumeRoleArn` | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon | `""` | +| `aws.roleArn` | Specify role ARN to the external-dns daemon | `""` | +| `aws.apiRetries` | Maximum number of retries for AWS API calls before giving up | `3` | +| `aws.batchChangeSize` | When using the AWS provider, set the maximum number of changes that will be applied in each batch | `1000` | +| `aws.zonesCacheDuration` | If the list of Route53 zones managed by ExternalDNS doesn't change frequently, cache it by setting a TTL | `0` | +| `aws.zoneTags` | When using the AWS provider, filter for zones with these tags | `[]` | +| `aws.preferCNAME` | When using the AWS provider, replaces Alias records with CNAME (options: true, false) | `""` | +| `aws.evaluateTargetHealth` | When using the AWS provider, sets the evaluate target health flag (options: true, false) | `""` | +| `aws.dynamodbTable` | When using the AWS provider, sets the DynamoDB table name to use for dynamodb registry | `""` | +| `aws.dynamodbRegion` | When using the AWS provider, sets the DynamoDB table region to use for dynamodb registry | `""` | +| `aws.zoneMatchParent` | When using the AWS provider, lets a domain filter match subdomains within the same zone by using their parent domain | `false` | +| `azure.secretName` | When using the Azure provider, set the secret containing the `azure.json` file | `""` | +| `azure.cloud` | When using the Azure provider, set the Azure 
Cloud | `""` | +| `azure.resourceGroup` | When using the Azure provider, set the Azure Resource Group | `""` | +| `azure.tenantId` | When using the Azure provider, set the Azure Tenant ID | `""` | +| `azure.subscriptionId` | When using the Azure provider, set the Azure Subscription ID | `""` | +| `azure.aadClientId` | When using the Azure provider, set the Azure AAD Client ID | `""` | +| `azure.aadClientSecret` | When using the Azure provider, set the Azure AAD Client Secret | `""` | +| `azure.useWorkloadIdentityExtension` | When using the Azure provider, set if you use Workload Identity extension. | `false` | +| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI | `false` | +| `azure.userAssignedIdentityID` | When using the Azure provider with Azure MSI, set Client ID of Azure user-assigned managed identity (optional, otherwise system-assigned managed identity is used) | `""` | +| `civo.apiToken` | When using the Civo provider, `CIVO_TOKEN` to set (optional) | `""` | +| `civo.secretName` | Use an existing secret with key "apiToken" defined. | `""` | +| `cloudflare.apiToken` | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional) | `""` | +| `cloudflare.apiKey` | When using the Cloudflare provider, `CF_API_KEY` to set (optional) | `""` | +| `cloudflare.secretName` | When using the Cloudflare provider, it's the name of the secret containing cloudflare_api_token or cloudflare_api_key. | `""` | +| `cloudflare.email` | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional). Needed when using CF_API_KEY | `""` | +| `cloudflare.proxied` | When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) | `true` | +| `cloudflare.dnsRecordsPerPage` | Number of DNS records to fetch per page. 
(optional) | `100` | +| `coredns.etcdEndpoints` | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list) | `http://etcd-extdns:2379` | +| `coredns.etcdTLS.enabled` | When using the CoreDNS provider, enable secure communication with etcd | `false` | +| `coredns.etcdTLS.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `coredns.etcdTLS.secretName` | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys | `etcd-client-certs` | +| `coredns.etcdTLS.mountPath` | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to | `/etc/coredns/tls/etcd` | +| `coredns.etcdTLS.caFilename` | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName` | `ca.crt` | +| `coredns.etcdTLS.certFilename` | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName` | `cert.pem` | +| `coredns.etcdTLS.keyFilename` | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `key.pem` | +| `designate.username` | When using the Designate provider, specify the OpenStack authentication username. (optional) | `""` | +| `designate.password` | When using the Designate provider, specify the OpenStack authentication password. (optional) | `""` | +| `designate.applicationCredentialId` | When using the Designate provider, specify the OpenStack authentication application credential ID. This conflicts with `designate.username`. (optional) | `""` | +| `designate.applicationCredentialSecret` | When using the Designate provider, specify the OpenStack authentication application credential ID. This conflicts with `designate.password`. (optional) | `""` | +| `designate.authUrl` | When using the Designate provider, specify the OpenStack authentication Url. 
(optional) | `""` | +| `designate.regionName` | When using the Designate provider, specify the OpenStack region name. (optional) | `""` | +| `designate.userDomainName` | When using the Designate provider, specify the OpenStack user domain name. (optional) | `""` | +| `designate.projectName` | When using the Designate provider, specify the OpenStack project name. (optional) | `""` | +| `designate.authType` | When using the Designate provider, specify the OpenStack auth type. (optional) | `""` | +| `designate.customCAHostPath` | When using the Designate provider, use a CA file already on the host to validate Openstack APIs. This conflicts with `designate.customCA.enabled` | `""` | +| `designate.customCA.enabled` | When using the Designate provider, enable a custom CA (optional) | `false` | +| `designate.customCA.content` | When using the Designate provider, set the content of the custom CA | `""` | +| `designate.customCA.mountPath` | When using the Designate provider, set the mountPath in which to mount the custom CA configuration | `/config/designate` | +| `designate.customCA.filename` | When using the Designate provider, set the custom CA configuration filename | `designate-ca.pem` | +| `exoscale.apiKey` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APIKEY` to set (optional) | `""` | +| `exoscale.apiToken` | When using the Exoscale provider, `EXTERNAL_DNS_EXOSCALE_APISECRET` to set (optional) | `""` | +| `exoscale.secretName` | Use an existing secret with keys "exoscale_api_key" and "exoscale_api_token" defined. | `""` | +| `digitalocean.apiToken` | When using the DigitalOcean provider, `DO_TOKEN` to set (optional) | `""` | +| `digitalocean.secretName` | Use an existing secret with key "digitalocean_api_token" defined. 
| `""` | +| `google.project` | When using the Google provider, specify the Google project (required when provider=google) | `""` | +| `google.batchChangeSize` | When using the google provider, set the maximum number of changes that will be applied in each batch | `1000` | +| `google.serviceAccountSecret` | When using the Google provider, specify the existing secret which contains credentials.json (optional) | `""` | +| `google.serviceAccountSecretKey` | When using the Google provider with an existing secret, specify the key name (optional) | `credentials.json` | +| `google.serviceAccountKey` | When using the Google provider, specify the service account key JSON file. In this case a new secret will be created holding this service account (optional) | `""` | +| `google.zoneVisibility` | When using the Google provider, fiter for zones of a specific visibility (private or public) | `""` | +| `hetzner.token` | When using the Hetzner provider, specify your token here. (required when `hetzner.secretName` is not provided. In this case a new secret will be created holding the token.) | `""` | +| `hetzner.secretName` | When using the Hetzner provider, specify the existing secret which contains your token. 
Disables the usage of `hetzner.token` (optional) | `""` | +| `hetzner.secretKey` | When using the Hetzner provider with an existing secret, specify the key name (optional) | `hetzner_token` | +| `infoblox.wapiUsername` | When using the Infoblox provider, specify the Infoblox WAPI username | `admin` | +| `infoblox.wapiPassword` | When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox) | `""` | +| `infoblox.gridHost` | When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox) | `""` | +| `infoblox.view` | Infoblox view | `""` | +| `infoblox.secretName` | Existing secret name, when in place wapiUsername and wapiPassword are not required | `""` | +| `infoblox.domainFilter` | When using the Infoblox provider, specify the domain (optional) | `""` | +| `infoblox.nameRegex` | When using the Infoblox provider, specify the name regex filter (optional) | `""` | +| `infoblox.noSslVerify` | When using the Infoblox provider, disable SSL verification (optional) | `false` | +| `infoblox.wapiPort` | When using the Infoblox provider, specify the Infoblox WAPI port (optional) | `""` | +| `infoblox.wapiVersion` | When using the Infoblox provider, specify the Infoblox WAPI version (optional) | `""` | +| `infoblox.wapiConnectionPoolSize` | When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional) | `""` | +| `infoblox.wapiHttpTimeout` | When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional) | `""` | +| `infoblox.maxResults` | When using the Infoblox provider, specify the Infoblox Max Results (optional) | `""` | +| `linode.apiToken` | When using the Linode provider, `LINODE_TOKEN` to set (optional) | `""` | +| `linode.secretName` | Use an existing secret with key "linode_api_token" defined. 
| `""` | +| `ns1.minTTL` | When using the ns1 provider, specify minimal TTL, as an integer, for records | `10` | +| `ns1.apiKey` | When using the ns1 provider, specify the API key to use | `""` | +| `ns1.secretName` | Use an existing secret with key "ns1-api-key" defined. | `""` | +| `pihole.server` | When using the Pi-hole provider, specify The address of the Pi-hole web server | `""` | +| `pihole.tlsSkipVerify` | When using the Pi-hole provider, specify wheter to skip verification of any TLS certificates served by the Pi-hole web server | `""` | +| `pihole.secretName` | Use an existing secret with key "pihole_password" defined. | `""` | +| `oci.region` | When using the OCI provider, specify the region, where your zone is located in. | `""` | +| `oci.tenancyOCID` | When using the OCI provider, specify your Tenancy OCID | `""` | +| `oci.userOCID` | When using the OCI provider, specify your User OCID | `""` | +| `oci.compartmentOCID` | When using the OCI provider, specify your Compartment OCID where your DNS Zone is located in. | `""` | +| `oci.privateKey` | When using the OCI provider, paste in your RSA private key file for the Oracle API | `""` | +| `oci.privateKeyFingerprint` | When using the OCI provider, put in the fingerprint of your privateKey | `""` | +| `oci.privateKeyPassphrase` | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional) | `""` | +| `oci.secretName` | When using the OCI provider, it's the name of the secret containing `oci.yaml` file. | `""` | +| `oci.useInstancePrincipal` | When using the OCI provider, enable IAM Instance Principal | `false` | +| `oci.useWorkloadIdentity` | When using the OCI provider, enable IAM Workload Identity | `false` | +| `ovh.consumerKey` | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.) 
| `""` | +| `ovh.applicationKey` | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | +| `ovh.applicationSecret` | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.) | `""` | +| `ovh.secretName` | When using the OVH provider, it's the name of the secret containing `ovh_consumer_key`, `ovh_application_key` and `ovh_application_secret`. Disables usage of other `ovh`. | `""` | +| `scaleway.scwAccessKey` | When using the Scaleway provider, specify an existing access key. (required when provider=scaleway) | `""` | +| `scaleway.scwSecretKey` | When using the Scaleway provider, specify an existing secret key. (required when provider=scaleway) | `""` | +| `rfc2136.host` | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136) | `""` | +| `rfc2136.port` | When using the rfc2136 provider, specify the RFC2136 port (optional) | `53` | +| `rfc2136.zone` | When using the rfc2136 provider, specify the zone (required when provider=rfc2136) | `""` | +| `rfc2136.tsigSecret` | When using the rfc2136 provider, specify the tsig secret to enable security. (do not specify if `rfc2136.secretName` is provided.) (optional) | `""` | +| `rfc2136.secretName` | When using the rfc2136 provider, specify the existing secret which contains your tsig secret in the key "rfc2136_tsig_secret". 
Disables the usage of `rfc2136.tsigSecret` (optional) | `""` | +| `rfc2136.tsigSecretAlg` | When using the rfc2136 provider, specify the tsig secret to enable security (optional) | `hmac-sha256` | +| `rfc2136.tsigKeyname` | When using the rfc2136 provider, specify the tsig keyname to enable security (optional) | `rfc2136_tsig_secret` | +| `rfc2136.tsigAxfr` | When using the rfc2136 provider, enable AFXR to enable security (optional) | `true` | +| `rfc2136.minTTL` | When using the rfc2136 provider, specify minimal TTL (in duration format) for records[ns, us, ms, s, m, h], see more | `0s` | +| `rfc2136.rfc3645Enabled` | When using the rfc2136 provider, extend using RFC3645 to support secure updates over Kerberos with GSS-TSIG | `false` | +| `rfc2136.kerberosConfig` | When using the rfc2136 provider with rfc3645Enabled, the contents of a configuration file for krb5 (optional) | `""` | +| `rfc2136.kerberosUsername` | When using the rfc2136 provider with rfc3645Enabled, specify the username to authenticate with (optional) | `""` | +| `rfc2136.kerberosPassword` | When using the rfc2136 provider with rfc3645Enabled, specify the password to authenticate with (optional) | `""` | +| `rfc2136.kerberosRealm` | When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) | `""` | +| `pdns.apiUrl` | When using the PowerDNS provider, specify the API URL of the server. | `""` | +| `pdns.apiPort` | When using the PowerDNS provider, specify the API port of the server. | `8081` | +| `pdns.apiKey` | When using the PowerDNS provider, specify the API key of the server. | `""` | +| `pdns.secretName` | When using the PowerDNS provider, specify as secret name containing the API Key | `""` | +| `transip.account` | When using the TransIP provider, specify the account name. | `""` | +| `transip.apiKey` | When using the TransIP provider, specify the API key to use. 
| `""` | +| `vinyldns.host` | When using the VinylDNS provider, specify the VinylDNS API host. | `""` | +| `vinyldns.accessKey` | When using the VinylDNS provider, specify the Access Key to use. | `""` | +| `vinyldns.secretKey` | When using the VinylDNS provider, specify the Secret key to use. | `""` | +| `domainFilters` | Limit possible target zones by domain suffixes (optional) | `[]` | +| `excludeDomains` | Exclude subdomains (optional) | `[]` | +| `regexDomainFilter` | Limit possible target zones by regex domain suffixes (optional) | `""` | +| `regexDomainExclusion` | Exclude subdomains by using regex pattern (optional) | `""` | +| `zoneNameFilters` | Filter target zones by zone domain (optional) | `[]` | +| `zoneIdFilters` | Limit possible target zones by zone id (optional) | `[]` | +| `annotationFilter` | Filter sources managed by external-dns via annotation using label selector (optional) | `""` | +| `labelFilter` | Select sources managed by external-dns using label selector (optional) | `""` | +| `ingressClassFilters` | Filter sources managed by external-dns via IngressClass (optional) | `[]` | +| `managedRecordTypesFilters` | Filter record types managed by external-dns (optional) | `[]` | +| `dryRun` | When enabled, prints DNS record changes rather than actually performing them (optional) | `false` | +| `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional) | `false` | +| `interval` | Interval update period to use | `1m` | +| `logLevel` | Verbosity of the logs (options: panic, debug, info, warning, error, fatal, trace) | `info` | +| `logFormat` | Which format to output logs in (options: text, json) | `text` | +| `policy` | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only ) | `upsert-only` | +| `registry` | Registry method to use (options: txt, aws-sd, dynamodb, noop) | `txt` | +| `txtPrefix` | When using the TXT registry, a prefix for 
ownership records that avoids collision with CNAME entries (optional) (Mutual exclusive with txt-suffix) | `""` | +| `txtSuffix` | When using the TXT registry, a suffix for ownership records that avoids collision with CNAME entries (optional).suffix (Mutual exclusive with txt-prefix) | `""` | +| `txtOwnerId` | A name that identifies this instance of ExternalDNS. Currently used by registry types: txt & aws-sd (optional) | `""` | +| `forceTxtOwnerId` | (backward compatibility) When using the non-TXT registry, it will pass the value defined by `txtOwnerId` down to the application (optional) | `false` | +| `txtEncrypt.enabled` | Enable TXT record encrypencryption | `false` | +| `txtEncrypt.aesKey` | 32-byte AES-256-GCM encryption key. | `""` | +| `txtEncrypt.secretName` | Use an existing secret with key "txt_aes_encryption_key" defined. | `""` | +| `extraArgs` | Extra arguments to be passed to external-dns | `{}` | +| `extraEnvVars` | An array to add extra env vars | `[]` | +| `extraEnvVarsCM` | ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Secret containing extra env vars (in case of sensitive data) | `""` | +| `lifecycleHooks` | Override default etcd container hooks | `{}` | +| `schedulerName` | Alternative scheduler | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `podAnnotations` | Additional annotations to apply to the pod. | `{}` | +| `podLabels` | Additional labels to be added to pods | `{}` | +| `priorityClassName` | priorityClassName | `""` | +| `secretAnnotations` | Additional annotations to apply to the secret | `{}` | +| `crd.create` | Install and use the integrated DNSEndpoint CRD | `false` | +| `crd.apiversion` | Sets the API version for the CRD to watch | `""` | +| `crd.kind` | Sets the kind for the CRD to watch | `""` | +| `service.enabled` | Whether to create Service resource or not | `true` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.http` | ExternalDNS client port | `7979` | +| `service.nodePorts.http` | Port to bind to for NodePort service type (client port) | `""` | +| `service.clusterIP` | IP address to assign to service | `""` | +| `service.externalIPs` | Service external IP addresses | `[]` | +| `service.externalName` | Service external name | `""` | +| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` | +| `service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Annotations to add to service | `{}` | +| `service.labels` | Provide any additional labels which may be required. 
| `{}` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `serviceAccount.create` | Determine whether a Service Account should be created or it should reuse a exiting one. | `true` | +| `serviceAccount.name` | ServiceAccount to use. A name is generated using the external-dns.fullname template if it is not set | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` | +| `serviceAccount.labels` | Additional labels to be included on the service account | `{}` | +| `rbac.create` | Whether to create & use RBAC resources or not | `true` | +| `rbac.clusterRole` | Whether to create Cluster Role. When set to false creates a Role in `namespace` | `true` | +| `rbac.apiVersion` | Version of the RBAC API | `v1` | +| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `containerSecurityContext.enabled` | Enabled Apache Server containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set ExternalDNS containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set ExternalDNS containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set ExternalDNS container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container readonlyRootFilesystem | `true` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `podSecurityContext.enabled` | Enable pod security context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Group ID for the container | `1001` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `nano` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `2` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `customStartupProbe` | Override default startup probe | `{}` | +| `extraVolumes` | A list of volumes to be added to the pod | `[]` | +| `extraVolumeMounts` | A list of volume mounts to be added to the pod | `[]` | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | +| 
`pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | +| `metrics.enabled` | Enable prometheus to access external-dns metrics endpoint | `false` | +| `metrics.podAnnotations` | Annotations for enabling prometheus to access the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor object | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.selector` | Additional labels for ServiceMonitor object | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Specify Metric Relabelings to add to the scrape endpoint | `[]` | +| `metrics.serviceMonitor.relabelings` | Prometheus relabeling rules | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are required by the installed Prometheus Operator | `{}` | +| `metrics.serviceMonitor.annotations` | Additional custom annotations for the ServiceMonitor | `{}` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | +| `metrics.googlePodMonitor.enabled` | Create Google Managed Prometheus PodMonitoring object | `false` | +| `metrics.googlePodMonitor.namespace` | Namespace in which PodMonitoring created | `""` | +| `metrics.googlePodMonitor.interval` | Interval at which metrics should be scraped by Google Managed Prometheus | `60s` | +| `metrics.googlePodMonitor.endpoint` | The endpoint for Google Managed Prometheus scraping the metrics | `/metrics` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set provider=aws oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/external-dns +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/external-dns/values.yaml) + ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). 
## Upgrading +### To 7.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 6.0.0 Some of the chart values were changed to adapt to the latest Bitnami standards. More specifically: @@ -471,7 +506,7 @@ This version also introduces `bitnami/common`, a [library chart](https://helm.sh #### Useful links -- +- - - @@ -507,7 +542,7 @@ Other mayor changes included in this major version are: ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/.helmignore b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/.helmignore index 50af03172..d0e10845d 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/.helmignore +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/.helmignore @@ -20,3 +20,7 @@ .idea/ *.tmproj .vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/Chart.yaml b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/Chart.yaml index 40cd22d77..23ba4e4e7 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/Chart.yaml 
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.20.3 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -14,10 +14,10 @@ keywords: - function - bitnami maintainers: -- name: VMware, Inc. +- name: Broadcom, Inc. All Rights Reserved. url: https://github.com/bitnami/charts name: common sources: -- https://github.com/bitnami/charts +- https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.13.3 +version: 2.20.3 diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/README.md b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/README.md index 80da4cc2f..82d78a384 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/README.md +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ 
@@ -214,13 +214,13 @@ helm install test mychart --set path.to.value00="",path.to.value01="" #### Useful links -- +- - - ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_affinities.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_affinities.tpl
index e85b1df45..c2d290792 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_affinities.tpl
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_affinities.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_capabilities.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_capabilities.tpl
index 115674af8..2fe81d32d 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_capabilities.tpl
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_capabilities.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
@@ -9,22 +9,15 @@ SPDX-License-Identifier: APACHE-2.0
 Return the target Kubernetes version
 */}}
 {{- define "common.capabilities.kubeVersion" -}}
-{{- if .Values.global }}
- {{- if .Values.global.kubeVersion }}
- {{- .Values.global.kubeVersion -}}
- {{- else }}
- {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
- {{- end -}}
-{{- else }}
-{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}}
-{{- end -}}
+{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}}
 {{- end -}}
 {{/*
 Return the appropriate apiVersion for poddisruptionbudget.
 */}}
 {{- define "common.capabilities.policy.apiVersion" -}}
-{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
 {{- print "policy/v1beta1" -}}
 {{- else -}}
 {{- print "policy/v1" -}}
@@ -35,7 +28,8 @@ Return the appropriate apiVersion for poddisruptionbudget.
 Return the appropriate apiVersion for networkpolicy.
 */}}
 {{- define "common.capabilities.networkPolicy.apiVersion" -}}
-{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}}
 {{- print "extensions/v1beta1" -}}
 {{- else -}}
 {{- print "networking.k8s.io/v1" -}}
@@ -46,7 +40,8 @@ Return the appropriate apiVersion for networkpolicy.
 Return the appropriate apiVersion for cronjob.
 */}}
 {{- define "common.capabilities.cronjob.apiVersion" -}}
-{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}}
 {{- print "batch/v1beta1" -}}
 {{- else -}}
 {{- print "batch/v1" -}}
@@ -57,7 +52,8 @@ Return the appropriate apiVersion for cronjob.
 Return the appropriate apiVersion for daemonset.
 */}}
 {{- define "common.capabilities.daemonset.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
 {{- print "extensions/v1beta1" -}}
 {{- else -}}
 {{- print "apps/v1" -}}
@@ -68,7 +64,8 @@ Return the appropriate apiVersion for daemonset.
 Return the appropriate apiVersion for deployment.
 */}}
 {{- define "common.capabilities.deployment.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
 {{- print "extensions/v1beta1" -}}
 {{- else -}}
 {{- print "apps/v1" -}}
@@ -79,7 +76,8 @@ Return the appropriate apiVersion for deployment.
 Return the appropriate apiVersion for statefulset.
 */}}
 {{- define "common.capabilities.statefulset.apiVersion" -}}
-{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
 {{- print "apps/v1beta1" -}}
 {{- else -}}
 {{- print "apps/v1" -}}
@@ -90,30 +88,24 @@ Return the appropriate apiVersion for statefulset.
 Return the appropriate apiVersion for ingress.
 */}}
 {{- define "common.capabilities.ingress.apiVersion" -}}
-{{- if .Values.ingress -}}
-{{- if .Values.ingress.apiVersion -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if (.Values.ingress).apiVersion -}}
 {{- .Values.ingress.apiVersion -}}
-{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}}
 {{- print "extensions/v1beta1" -}}
-{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
 {{- print "networking.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "networking.k8s.io/v1" -}}
 {{- end }}
-{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}}
-{{- print "extensions/v1beta1" -}}
-{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
-{{- print "networking.k8s.io/v1beta1" -}}
-{{- else -}}
-{{- print "networking.k8s.io/v1" -}}
-{{- end -}}
 {{- end -}}
 {{/*
 Return the appropriate apiVersion for RBAC resources.
 */}}
 {{- define "common.capabilities.rbac.apiVersion" -}}
-{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}}
 {{- print "rbac.authorization.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "rbac.authorization.k8s.io/v1" -}}
@@ -124,7 +116,8 @@ Return the appropriate apiVersion for RBAC resources.
 Return the appropriate apiVersion for CRDs.
 */}}
 {{- define "common.capabilities.crd.apiVersion" -}}
-{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}}
 {{- print "apiextensions.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "apiextensions.k8s.io/v1" -}}
@@ -135,7 +128,8 @@ Return the appropriate apiVersion for CRDs.
 Return the appropriate apiVersion for APIService.
 */}}
 {{- define "common.capabilities.apiService.apiVersion" -}}
-{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}}
 {{- print "apiregistration.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "apiregistration.k8s.io/v1" -}}
@@ -146,7 +140,8 @@ Return the appropriate apiVersion for APIService.
 Return the appropriate apiVersion for Horizontal Pod Autoscaler.
 */}}
 {{- define "common.capabilities.hpa.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
 {{- if .beta2 -}}
 {{- print "autoscaling/v2beta2" -}}
 {{- else -}}
@@ -161,7 +156,8 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
 Return the appropriate apiVersion for Vertical Pod Autoscaler.
 */}}
 {{- define "common.capabilities.vpa.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
 {{- if .beta2 -}}
 {{- print "autoscaling/v2beta2" -}}
 {{- else -}}
@@ -176,7 +172,8 @@ Return the appropriate apiVersion for Vertical Pod Autoscaler.
 Returns true if PodSecurityPolicy is supported
 */}}
 {{- define "common.capabilities.psp.supported" -}}
-{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
@@ -185,7 +182,8 @@ Returns true if PodSecurityPolicy is supported
 Returns true if AdmissionConfiguration is supported
 */}}
 {{- define "common.capabilities.admissionConfiguration.supported" -}}
-{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
@@ -194,9 +192,10 @@ Returns true if AdmissionConfiguration is supported
 Return the appropriate apiVersion for AdmissionConfiguration.
 */}}
 {{- define "common.capabilities.admissionConfiguration.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
 {{- print "apiserver.config.k8s.io/v1alpha1" -}}
-{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
 {{- print "apiserver.config.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "apiserver.config.k8s.io/v1" -}}
@@ -207,9 +206,10 @@ Return the appropriate apiVersion for AdmissionConfiguration.
 Return the appropriate apiVersion for PodSecurityConfiguration.
 */}}
 {{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}}
-{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}}
+{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}}
 {{- print "pod-security.admission.config.k8s.io/v1alpha1" -}}
-{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}}
+{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}}
 {{- print "pod-security.admission.config.k8s.io/v1beta1" -}}
 {{- else -}}
 {{- print "pod-security.admission.config.k8s.io/v1" -}}
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_compatibility.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_compatibility.tpl
new file mode 100644
index 000000000..eb4061d7d
--- /dev/null
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,42 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+ {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_errors.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_errors.tpl
index 07ded6f64..e96536519 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_errors.tpl
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_errors.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_images.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_images.tpl
index 1bcb779df..6821b1ce2 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_images.tpl
+++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_images.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
@@ -9,15 +9,11 @@ Return the proper image name
 {{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
 */}}
 {{- define "common.images.image" -}}
-{{- $registryName := .imageRoot.registry -}}
+{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}}
 {{- $repositoryName := .imageRoot.repository -}}
 {{- $separator := ":" -}}
 {{- $termination := .imageRoot.tag | toString -}}
-{{- if .global }}
- {{- if .global.imageRegistry }}
- {{- $registryName = .global.imageRegistry -}}
- {{- end -}}
-{{- end -}}
+
 {{- if .imageRoot.digest }}
 {{- $separator = "@" -}}
 {{- $termination = .imageRoot.digest | toString -}}
@@ -36,14 +32,12 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
 {{- define "common.images.pullSecrets" -}}
 {{- $pullSecrets := list }}
- {{- if .global }}
- {{- range .global.imagePullSecrets -}}
- {{- if kindIs "map" . -}}
- {{- $pullSecrets = append $pullSecrets .name -}}
- {{- else -}}
- {{- $pullSecrets = append $pullSecrets . -}}
- {{- end }}
- {{- end -}}
+ {{- range ((.global).imagePullSecrets) -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets .name -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end }}
 {{- end -}}
 {{- range .images -}}
@@ -56,7 +50,7 @@ Return the proper Docker Image Registry Secret Names (deprecated: use common.ima
 {{- end -}}
 {{- end -}}
- {{- if (not (empty $pullSecrets)) }}
+ {{- if (not (empty $pullSecrets)) -}}
 imagePullSecrets:
 {{- range $pullSecrets | uniq }}
 - name: {{ . }}
@@ -72,13 +66,11 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa
 {{- $pullSecrets := list }}
 {{- $context := .context }}
- {{- if $context.Values.global }}
- {{- range $context.Values.global.imagePullSecrets -}}
- {{- if kindIs "map" . -}}
- {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
- {{- else -}}
- {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
- {{- end -}}
+ {{- range (($context.Values.global).imagePullSecrets) -}}
+ {{- if kindIs "map" . -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}}
+ {{- else -}}
+ {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}}
 {{- end -}}
 {{- end -}}
@@ -92,7 +84,7 @@ Return the proper Docker Image Registry Secret Names evaluating values as templa {{- end -}} {{- end -}} - {{- if (not (empty $pullSecrets)) }} + {{- if (not (empty $pullSecrets)) -}} imagePullSecrets: {{- range $pullSecrets | uniq }} - name: {{ . }} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_ingress.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_ingress.tpl index efa5b85c7..7d2b87985 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_ingress.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_ingress.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_labels.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_labels.tpl index d90a6cdc0..0a0cc5488 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_labels.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_labels.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_names.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_names.tpl index a222924f1..ba8395685 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_names.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_names.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_resources.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_resources.tpl new file mode 100644 index 000000000..b4491f782 --- /dev/null +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_secrets.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_secrets.tpl index a193c46b6..e87575a88 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_secrets.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_secrets.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
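Review bot: The new parameter docs for `skipB64enc` read "no the secret will not be base64 encrypted", which is both a typo and misleading: base64 is an encoding, not encryption, and a reader skimming the helper could take it as a security property. Suggest `- skipB64enc - Boolean - Optional - Default to false. If set to true, the value is returned without base64 encoding.` and, for the next line, `- skipQuote - Boolean - Optional - Default to false. If set to true, the value is returned without surrounding quotes.`. The helper's body continues in the following hunk.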
@@ -99,12 +100,14 @@ The order in which this function returns a secret password:
 {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
 {{- if $secretData }}
 {{- if hasKey $secretData .key }}
- {{- $password = index $secretData .key | quote }}
- {{- else if $failOnNew }}
+ {{- $password = index $secretData .key | b64dec }}
+ {{- else if not (eq .failOnNew false) }}
 {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
+ {{- else if $providedPasswordValue }}
+ {{- $password = $providedPasswordValue | toString }}
 {{- end -}}
 {{- else if $providedPasswordValue }}
- {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+ {{- $password = $providedPasswordValue | toString }}
 {{- else }}
 {{- if .context.Values.enabled }}
@@ -120,12 +123,19 @@ The order in which this function returns a secret password:
 {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
 {{- $password = randAscii $passwordLength }}
 {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
- {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+ {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
 {{- else }}
- {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+ {{- $password = randAlphaNum $passwordLength }}
 {{- end }}
 {{- end -}}
+{{- if not .skipB64enc }}
+{{- $password = $password | b64enc }}
+{{- end -}}
+{{- if .skipQuote -}}
 {{- printf "%s" $password -}}
+{{- else -}}
+{{- printf "%s" $password | quote -}}
+{{- end -}}
 {{- end -}}
 {{/*
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_storage.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_storage.tpl
index 16405a0f8..7780da18b 100644
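Review bot: The "already existing Secret" branch depends on `lookup`, which only returns data when Helm has cluster access; under `helm template` or an Argo CD repo-server render it yields an empty map, so the call falls through to `$providedPasswordValue` or to the `randAlphaNum`/`randAscii` branch and a fresh value is generated on every render. Since this chart lives under `argocd-helm-charts/`, any value the chart auto-generates through this helper rotates on each sync unless it is pinned in values or supplied through an existing secret name. I cannot see from this diff which external-dns values (if any) reach this helper, so treat this as a caveat to verify rather than a defect; a one-line comment above the `lookup`, such as `{{/* lookup returns {} without cluster access (helm template / Argo CD); generated passwords are then NOT stable across renders */}}`, would make the behaviour explicit.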
--- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_storage.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_storage.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -10,13 +10,7 @@ Return the proper Storage Class */}} {{- define "common.storage.class" -}} -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - +{{- $storageClass := default .persistence.storageClass ((.global).storageClass) -}} {{- if $storageClass -}} {{- if (eq "-" $storageClass) -}} {{- printf "storageClassName: \"\"" -}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_tplvalues.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_tplvalues.tpl index a8ed7637e..c84d72c80 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_tplvalues.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_tplvalues.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_utils.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_utils.tpl index bfbddf054..d53c74aa2 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_utils.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_utils.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_warnings.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_warnings.tpl index 66dffc1fe..e4dbecde2 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_warnings.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/_warnings.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
@@ -13,7 +13,97 @@ Usage: {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html {{- end }} +{{- end -}} + +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end -}} +{{/* +Warning about not setting the resource object in all deployments. 
+Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) 
-}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} {{- end -}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_cassandra.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_cassandra.tpl index eda9aada5..3f41ff8fc 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_cassandra.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_cassandra.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mariadb.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mariadb.tpl index 17d83a2fd..6ea8c0f45 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mariadb.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mariadb.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
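Review bot: In `common.warnings.modifiedImages` the image name is built as `printf (printf "%s/%s:%s" .registry .repository .tag)`, which feeds the already-formatted string back into `printf` as a format string; a `%` in any of the three values would be read as a verb and produce `%!(...)` noise in the warning, and the same expression is then rebuilt a second time inside the `append`. Build it once, `{{- $fullImageName := printf "%s/%s:%s" .registry .repository .tag -}}`, and pass `$fullImageName` to `append`. Note also that the comparison uses tag only, so an image pinned by `digest` while keeping the stock tag is not reported as substituted; if that is intended, a comment on the `contains` line saying so would save the next reader a question.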
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mongodb.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mongodb.tpl index bbb445b86..d4cd38cbb 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mongodb.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mongodb.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mysql.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mysql.tpl index ca3953f86..924812a93 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mysql.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_mysql.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_postgresql.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_postgresql.tpl index 8c9aa570e..0fa0b1467 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_postgresql.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_postgresql.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_redis.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_redis.tpl index fc0d208dd..f4778256d 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_redis.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_redis.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_validations.tpl b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_validations.tpl index 31ceda871..7cdee6170 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_validations.tpl +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/templates/validations/_validations.tpl @@ -1,5 +1,5 @@ {{/* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/values.yaml b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/values.yaml index 9abe0e154..de2cac57d 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/charts/common/values.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/charts/common/values.yaml @@ -1,4 +1,4 @@ -# Copyright VMware, Inc. +# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## bitnami/common diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/NOTES.txt b/argocd-helm-charts/external-dns/charts/external-dns/templates/NOTES.txt index 361657125..ac162a876 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/NOTES.txt 
+++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/NOTES.txt
@@ -10,3 +10,5 @@ To verify that external-dns has started, run:
 {{ include "external-dns.validateValues" . }}
 {{ include "external-dns.checkRollingTags" . }}
+{{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }}
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image) "context" $) }}
\ No newline at end of file
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/_helpers.tpl b/argocd-helm-charts/external-dns/charts/external-dns/templates/_helpers.tpl
index 5b6a71aa5..702368f76 100644
--- a/argocd-helm-charts/external-dns/charts/external-dns/templates/_helpers.tpl
+++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/_helpers.tpl
@@ -1,5 +1,5 @@
 {{/*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
@@ -130,7 +130,10 @@ Return true if a secret object should be created
 {{- true -}}
 {{- else if and (eq .Values.provider "civo") .Values.civo.apiToken (not .Values.civo.secretName) -}}
 {{- true -}}
-{{- else -}}
+{{- else if and (eq .Values.provider "pihole") .Values.pihole.secretName (not .Values.pihole.secretName) -}}
+ {{- true -}}
+{{- else if and .Values.txtEncrypt.enabled (not .Values.txtEncrypt.secretName) -}}
+ {{- true -}}
 {{- end -}}
 {{- end -}}
@@ -184,6 +187,8 @@ Return the name of the Secret used to store the passwords
 {{- .Values.ns1.secretName }}
 {{- else if and (eq .Values.provider "civo") .Values.civo.secretName }}
 {{- .Values.civo.secretName }}
+{{- else if and (eq .Values.provider "pihole") .Values.pihole.secretName }}
+{{- .Values.pihole.secretName }}
 {{- else -}}
 {{- template "external-dns.fullname" . }}
 {{- end -}}
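Review bot: The new pihole branch in the secret-creation helper, `and (eq .Values.provider "pihole") .Values.pihole.secretName (not .Values.pihole.secretName)`, requires `pihole.secretName` to be both set and unset, so it can never be true and the chart will never create a Secret for a Pi-hole password. The sibling civo branch tests the credential value against the absence of a user-supplied secret (`.Values.civo.apiToken (not .Values.civo.secretName)`), which is presumably what was meant here, e.g. `.Values.pihole.password (not .Values.pihole.secretName)` if such a value exists in values.yaml (not shown in this diff). Until that is fixed, users must create the Secret themselves and point `pihole.secretName` at it; the env-var wiring in deployment.yaml is gated on the same `pihole.secretName`, so a password-only configuration silently produces no credential at all.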
@@ -252,6 +257,12 @@ region = {{ .Values.aws.region }} } {{ end }} {{- define "external-dns.oci-credentials" -}} +{{- if .Values.oci.useWorkloadIdentity }} +auth: + region: {{ .Values.oci.region }} + useWorkloadIdentity: true +compartment: {{ .Values.oci.compartmentOCID }} +{{- else }} auth: region: {{ .Values.oci.region }} tenancy: {{ .Values.oci.tenancyOCID }} @@ -263,7 +274,8 @@ auth: passphrase: {{ .Values.oci.privateKeyPassphrase }} {{- end }} compartment: {{ .Values.oci.compartmentOCID }} -{{ end }} +{{- end }} +{{- end }} {{/* Compile all warnings into a single message, and call fail if the validation is enabled @@ -459,7 +471,7 @@ external-dns: pdns.apiKey {{- define "external-dns.checkRollingTags" -}} {{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ ++info https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/tutorials/GUID-understand-rolling-tags-containers-index.html {{- end }} {{- end -}} @@ -891,3 +903,14 @@ Return true if a TLS secret object should be created {{- true -}} {{- end -}} {{- end -}} + +{{/* +Returns the name of the default secret if the AES key is set via `.Values.txtEncrypt.aesKey` and the name of the custom secret when `.Values.txtEncrypt.secretName` is used. +*/}} +{{- define "external-dns.txtEncryptKeySecretName" -}} +{{- if and .Values.txtEncrypt.enabled .Values.txtEncrypt.secretName }} + {{- printf "%s" .Values.txtEncrypt.secretName -}} +{{- else if and .Values.txtEncrypt.enabled (not .Values.txtEncrypt.secretName) -}} + {{ template "external-dns.secretName" . }} +{{- end -}} +{{- end -}} 
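Review bot: `external-dns.txtEncryptKeySecretName` falls back to `external-dns.secretName` when `txtEncrypt.secretName` is unset, and `external-dns.secretName` returns the user's own provider secret (`civo.secretName`, `pihole.secretName`, ...) when one is configured. Combined with the new `createSecret` rule that returns true for `txtEncrypt.enabled` without `txtEncrypt.secretName`, a user who brings their own provider secret and enables TXT encryption gets a chart-managed Secret whose name collides with the one they supplied; whether that clobbers, conflicts, or is harmless depends on the secret template, which is not in this diff, so please verify. If the collision is real, the safer contract is to require `txtEncrypt.secretName` (or use a dedicated `<fullname>-txt-key` name) whenever a provider `secretName` is set, and to state in the helper comment that the key must be stored under `txt_aes_encryption_key`.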
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrole.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrole.yaml index 44d2318a2..500c97b13 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrole.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrole.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrolebinding.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrolebinding.yaml index 27539dbb7..880ef69bd 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrolebinding.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/configmap.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/configmap.yaml index f04e178db..b3666f10f 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/configmap.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/configmap.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/crds/crd.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/crds/crd.yaml index a50a1a997..8cc43d6bd 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/crds/crd.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/crds/crd.yaml 
@@ -1,11 +1,13 @@
+# Source: https://raw.githubusercontent.com/kubernetes-sigs/external-dns/v{version}/docs/contributing/crd-source/crd-manifest.yaml
+# Version: 0.14.2
+# Conditional: .Values.crd.create
 {{- if .Values.crd.create }}
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.5.0
- api-approved.kubernetes.io: "https://github.com/kubernetes-sigs/external-dns/pull/2007"
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: dnsendpoints.externaldns.k8s.io
 spec:
 group: externaldns.k8s.io
@@ -21,10 +23,19 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 metadata:
 type: object
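Review bot: The regenerated CRD drops the `api-approved.kubernetes.io` annotation; `externaldns.k8s.io` sits under the protected `*.k8s.io` group space, and the API server flags CRDs in those groups that lack the annotation with the `KubernetesAPIApprovalPolicyConformant=False` condition. To my knowledge that is a status condition rather than a rejection, so the CRD still serves, but it is a visible regression from the previous manifest and worth checking against upstream's `crd-manifest.yaml` for 0.14.2 before carrying it. The new `# Source:` comment also still contains the literal placeholder `v{version}`; write the resolved URL (`.../external-dns/v0.14.2/docs/contributing/crd-source/crd-manifest.yaml`) so the provenance line can actually be followed and diffed on the next bump.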
@@ -33,7 +44,8 @@ spec: properties: endpoints: items: - description: Endpoint is a high-level way of a connection between a service and an IP + description: Endpoint is a high-level way of a connection between + a service and an IP properties: dnsName: description: The hostname of the DNS record @@ -46,7 +58,8 @@ spec: providerSpecific: description: ProviderSpecific stores provider specific config items: - description: ProviderSpecificProperty holds the name and value of a configuration which is specific to individual DNS providers + description: ProviderSpecificProperty holds the name and value + of a configuration which is specific to individual DNS providers properties: name: type: string @@ -59,10 +72,13 @@ spec: format: int64 type: integer recordType: - description: RecordType type of record, e.g. CNAME, A, SRV, TXT etc + description: RecordType type of record, e.g. CNAME, A, AAAA, + SRV, TXT etc type: string setIdentifier: - description: Identifier to distinguish multiple records with the same name and type (e.g. Route53 records with routing policies other than 'simple') + description: Identifier to distinguish multiple records with + the same name and type (e.g. Route53 records with routing + policies other than 'simple') type: string targets: description: The targets the DNS record points to @@ -85,10 +101,4 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] {{- end }} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/dep-ds.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/deployment.yaml similarity index 91% rename from argocd-helm-charts/external-dns/charts/external-dns/templates/dep-ds.yaml rename to argocd-helm-charts/external-dns/charts/external-dns/templates/deployment.yaml index 0f7ae24cd..d36712ff7 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/dep-ds.yaml 
+++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/deployment.yaml
@@ -1,25 +1,19 @@
 {{- /*
-Copyright VMware, Inc.
+Copyright Broadcom, Inc. All Rights Reserved.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 apiVersion: apps/v1
-{{- if .Values.useDaemonset }}
-kind: DaemonSet
-{{- else }}
 kind: Deployment
-{{- end }}
 metadata:
 name: {{ template "external-dns.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
 {{- end }}
 spec:
- {{ if not .Values.useDaemonset -}}
- replicas: {{ coalesce .Values.replicas .Values.replicaCount }}
- {{- end }}
+ replicas: 1
 {{- if .Values.updateStrategy }}
 strategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
 {{- end }}
@@ -44,7 +38,7 @@ spec:
 spec:
 {{- include "external-dns.imagePullSecrets" . | nindent 6 }}
 {{- if .Values.podSecurityContext.enabled }}
- securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
 {{- end }}
 {{- if .Values.affinity }}
 affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
@@ -57,6 +51,7 @@ spec:
 {{- if .Values.schedulerName }}
 schedulerName: {{ .Values.schedulerName | quote }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
 {{- end }}
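Review bot: `replicas: 1` is now hard-coded where the previous template honoured `coalesce .Values.replicas .Values.replicaCount` and the `useDaemonset` switch, so any `replicas`, `replicaCount` or `useDaemonset` key in this repo's wrapper values is silently ignored after the bump; grep the parent chart's values for those keys before merging. A single replica is the sane default for external-dns (two controllers racing on one zone is worse than one), but a silently dead override is the kind of thing that surprises during an outage. The new `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` is a welcome hardening knob, yet external-dns needs the in-cluster token to list Services/Ingresses through the ClusterRole this chart binds, so confirm the default in values.yaml is `true` (or that a projected token is mounted some other way) or the pod will fail to authenticate. The Deployment spec this hunk edits continues beyond the hunk.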
@@ -73,6 +68,12 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} {{- if .Values.initContainers }} initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} @@ -123,16 +124,16 @@ spec: - --service-type-filter={{ . }} {{- end }} {{- range .Values.domainFilters }} - - --domain-filter={{ . }} + - --domain-filter={{- include "common.tplvalues.render" (dict "value" . "context" $) }} {{- end }} {{- range .Values.excludeDomains }} - - --exclude-domains={{ . }} + - --exclude-domains={{- include "common.tplvalues.render" (dict "value" . "context" $) }} {{- end }} {{- if .Values.regexDomainFilter }} - - --regex-domain-filter={{ .Values.regexDomainFilter }} + - --regex-domain-filter={{- include "common.tplvalues.render" (dict "value" .Values.regexDomainFilter "context" $) }} {{- end }} {{- if .Values.regexDomainExclusion }} - - --regex-domain-exclusion={{ .Values.regexDomainExclusion }} + - --regex-domain-exclusion={{- include "common.tplvalues.render" (dict "value" .Values.regexDomainExclusion "context" $) }} {{- end }} {{- range .Values.zoneNameFilters }} - --zone-name-filter={{ . }} @@ -220,6 +221,9 @@ spec: {{- if and (kindIs "bool" .Values.aws.evaluateTargetHealth) (not .Values.aws.evaluateTargetHealth) }} - --no-aws-evaluate-target-health {{- end }} + {{- if .Values.aws.zoneMatchParent }} + - --aws-zone-match-parent + {{- end }} {{- if or (and (eq .Values.provider "azure") (not .Values.azure.secretName)) (eq .Values.provider "azure-private-dns") }} # Azure Arguments {{- if .Values.azure.resourceGroup }} 
@@ -236,6 +240,9 @@ spec: {{- if .Values.cloudflare.proxied }} - --cloudflare-proxied {{- end }} + {{- if .Values.cloudflare.dnsRecordsPerPage }} + - --cloudflare-dns-records-per-page={{ .Values.cloudflare.dnsRecordsPerPage }} + {{- end }} {{- end }} {{- if eq .Values.provider "google" }} # Google Arguments @@ -274,10 +281,25 @@ spec: - --infoblox-max-results={{ .Values.infoblox.maxResults }} {{- end }} {{- end }} + {{- if and (eq .Values.provider "oci") .Values.oci.useInstancePrincipal }} + # OCI Arguments + - --oci-auth-instance-principal + {{- if .Values.oci.compartmentOCID }} + - --oci-compartment-ocid={{ .Values.oci.compartmentOCID }} + {{- end }} + {{- end }} {{- if eq .Values.provider "ns1" }} # ns1 arguments - --ns1-min-ttl={{ .Values.ns1.minTTL }} {{- end }} + {{- if eq .Values.provider "pihole" }} + {{- if .Values.pihole.server }} + - --pihole-server={{ .Values.pihole.server }} + {{- end }} + {{- if .Values.pihole.tlsSkipVerify }} + - --pihole-tls-skip-verify + {{- end }} + {{- end }} {{- if eq .Values.provider "rfc2136" }} # RFC 2136 arguments - --rfc2136-host={{ required "rfc2136.host must be supplied for provider 'rfc2136'" .Values.rfc2136.host }} @@ -309,6 +331,11 @@ spec: - --transip-account={{ .Values.transip.account }} - --transip-keyfile=/transip/transip-api-key {{- end }} + {{- if .Values.txtEncrypt.enabled }} + # TXT registry encryption + - --txt-encrypt-enabled + - --txt-encrypt-aes-key=$(TXT_AES_ENCRYPTION_KEY) + {{- end }} {{- range $key, $value := .Values.extraArgs }} # Extra arguments {{- if $value }} 
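Review bot: `{{- if .Values.pihole.tlsSkipVerify }}` emits `--pihole-tls-skip-verify` on plain Go-template truthiness, and the matching value in values.yaml (L92) defaults to the string `""` rather than a boolean, so a user who writes `tlsSkipVerify: "false"` (a non-empty string) switches TLS certificate verification off. For a flag that disables certificate checking the gate should accept only a real boolean, the way this file already does for `aws.evaluateTargetHealth`: `{{- if and (kindIs "bool" .Values.pihole.tlsSkipVerify) .Values.pihole.tlsSkipVerify }}`, with the values.yaml default changed to `tlsSkipVerify: false`. The `args:` list this sits in starts and ends outside the hunk.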
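Review bot: `- --txt-encrypt-aes-key=$(TXT_AES_ENCRYPTION_KEY)` places the AES key in the container's argv after kubelet expansion, where it is visible in the process listing to anyone who can exec into the pod or inspect processes on the node, unlike a value that stays in the environment. external-dns accepts every flag as an `EXTERNAL_DNS_`-prefixed environment variable, which is the mechanism this diff already relies on for `EXTERNAL_DNS_PIHOLE_PASSWORD` at L78, so the key can stay out of argv: drop the `--txt-encrypt-aes-key` line and rename the env var in the hunk at L78 to `EXTERNAL_DNS_TXT_ENCRYPT_AES_KEY` (the flag-to-variable mapping should be confirmed against the 0.14.2 docs). The `args:` list starts and ends outside the hunk.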
@@ -638,6 +665,13 @@ spec: {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} + {{- if .Values.pihole.secretName }} + - name: EXTERNAL_DNS_PIHOLE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "external-dns.secretName" . }} + key: pihole_password + {{- end }} {{- if eq .Values.provider "ns1" }} # NS1 environment variables {{- if or (.Values.ns1.apiKey) (.Values.ns1.secretName) }} @@ -648,6 +682,13 @@ spec: key: ns1-api-key {{- end }} {{- end }} + {{- if and .Values.txtEncrypt.enabled }} + - name: TXT_AES_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: {{ template "external-dns.txtEncryptKeySecretName" . }} + key: txt_aes_encryption_key + {{- end }} envFrom: {{- if .Values.extraEnvVarsCM }} - configMapRef: @@ -664,8 +705,7 @@ spec: livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} {{- else if .Values.livenessProbe.enabled }} livenessProbe: - httpGet: - path: /healthz + tcpSocket: port: http initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} 
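Review bot: The `EXTERNAL_DNS_PIHOLE_PASSWORD` env var is gated on `.Values.pihole.secretName` alone, while the secret.yaml hunk at L85 writes `pihole_password` whenever `.Values.pihole.password` is set, so a user who supplies `pihole.password` without `secretName` gets a Secret containing the password that the pod never reads. The ns1 block a few lines below shows the intended pattern: `{{- if or .Values.pihole.password .Values.pihole.secretName }}`. Whether `external-dns.secretName` resolves to `pihole.secretName` cannot be seen from this diff. The `env:` list starts outside the hunk.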
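Review bot: Replacing `httpGet: path: /healthz` with `tcpSocket:` on the liveness probe weakens it to "the port accepts connections", so a controller that is wedged but still has its listener open is no longer restarted; the readiness and startup probes are outside this hunk, so I cannot tell whether they kept the HTTP check. If the switch was deliberate, a one-line comment above `tcpSocket:` recording the reason would stop the next reviewer from flipping it back: `# tcpSocket rather than httpGet /healthz: <reason>`. The container spec continues outside the hunk.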
@@ -700,15 +740,20 @@ spec: failureThreshold: {{ .Values.startupProbe.failureThreshold }} {{- end }} {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} {{- end }} {{- if .Values.lifecycleHooks }} lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} {{- end }} {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir {{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }} # Alibaba Cloud mountPath(s) - name: alibabacloud-config-file @@ -742,7 +787,7 @@ spec: - name: google-service-account mountPath: /etc/secrets/service-account/ {{- end }} - {{- if eq .Values.provider "oci" }} + {{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }} - name: oci-config-file mountPath: /etc/kubernetes/ {{- end }} @@ -779,6 +824,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }} # Alibaba Cloud volume(s) - name: alibabacloud-config-file 
@@ -809,7 +856,7 @@ spec: type: File {{- end }} {{- end }} - {{- if (eq .Values.provider "oci")}} + {{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }} - name: oci-config-file secret: secretName: {{ template "external-dns.secretName" . }} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/extra-list.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/extra-list.yaml index 2d35a580e..329f5c653 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/extra-list.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/extra-list.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/networkpolicy.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/networkpolicy.yaml new file mode 100644 index 000000000..8b0ec356c --- /dev/null +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/networkpolicy.yaml 
@@ -0,0 +1,69 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: controller + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- range $port := .Values.networkPolicy.kubeAPIServerPorts }} + - port: {{ $port }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/pdb.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/pdb.yaml index a20d49043..b24aecdf5 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/pdb.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/pdb.yaml @@ -1,9 +1,9 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.podDisruptionBudget -}} +{{- if and .Values.pdb.create }} apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: 
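Review bot: With the defaults shipped in values.yaml (L94–L95: `enabled: true`, `allowExternal: true`, `allowExternalEgress: true`) the rendered policy is `egress: - {}` plus an ingress rule that has a port but no `from:`, i.e. a NetworkPolicy object that permits everything and only looks restrictive to a reader who does not check the values. Even in the restricted branch the egress rules are port-only — 53 UDP/TCP and each `kubeAPIServerPorts` entry to any destination — so `kubeAPIServerPorts` limits ports, not peers. A comment above the restricted `egress:` block saying so, and a values.yaml note that real restriction needs `allowExternalEgress: false` plus an `extraEgress` rule for the DNS provider's API endpoint, would keep operators from over-trusting the default.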
@@ -14,8 +14,13 @@ metadata: annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} -{{- include "common.tplvalues.render" (dict "value" .Values.podDisruptionBudget "context" $) | nindent 2 }} {{- end -}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/podmonitor.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/podmonitor.yaml index 3679f473c..7447a4007 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/podmonitor.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/podmonitor.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrole.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrole.yaml index 1674513f0..af04ae6e6 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrole.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrole.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrolebinding.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrolebinding.yaml index b77d2b1c7..4fc3abac9 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrolebinding.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp-clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp.yaml index 35f6d8d37..fa3c9597a 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/psp.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/psp.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/role.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/role.yaml index 6d57ec006..6697c58eb 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/role.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/role.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/rolebindings.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/rolebindings.yaml index 584d51cd2..d1a2b627f 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/rolebindings.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/rolebindings.yaml 
@@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/secret.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/secret.yaml index 32f83e67a..11a7b99bf 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/secret.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/secret.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} @@ -75,7 +75,7 @@ data: {{- if eq .Values.provider "linode" }} linode_api_token: {{ .Values.linode.apiToken | b64enc | quote }} {{- end }} - {{- if eq .Values.provider "oci" }} + {{- if and (eq .Values.provider "oci") (not .Values.useInstancePrincipal) }} oci.yaml: {{ include "external-dns.oci-credentials" . | b64enc | quote }} {{- end }} {{- if eq .Values.provider "pdns" }} @@ -105,4 +105,10 @@ data: {{- if eq .Values.provider "ns1" }} ns1-api-key: {{ .Values.ns1.apiKey | b64enc | quote }} {{- end }} + {{- if .Values.pihole.password }} + pihole_password: {{ .Values.pihole.password | b64enc | quote }} + {{- end }} + {{- if .Values.txtEncrypt.enabled }} + txt_aes_encryption_key: {{ .Values.txtEncrypt.aesKey | default (randAlphaNum 32 | replace "+" "-" | replace "/" "_") | b64enc | quote }} + {{- end }} {{- end }} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/service.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/service.yaml index 0539f3754..5b43f9d65 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/service.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/service.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
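Review bot: The new OCI guard in secret.yaml reads `.Values.useInstancePrincipal` at the top level, but the value added in values.yaml (L92) and the guards in deployment.yaml (L79, L80) are `.Values.oci.useInstancePrincipal`. The top-level key is never defined, so `not` of nil is always true and the `oci.yaml` credential entry keeps being rendered for instance-principal deployments; depending on what `external-dns.oci-credentials` does with empty credential fields that is either a dead Secret key or a `required` failure. The fix is the one-token change `{{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }}`. The `data:` block starts and ends outside the hunk.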
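Review bot: `txt_aes_encryption_key: {{ .Values.txtEncrypt.aesKey | default (randAlphaNum 32 | ...) }}` generates a fresh random key on every render, so each `helm upgrade` with `txtEncrypt.enabled` and no `aesKey` or `secretName` rotates the key, and the TXT registry records encrypted under the previous key can no longer be read by the controller. The values.yaml comment at L93 ("a default key will be generated") does not mention this. The common chart this version depends on ships `common.secrets.passwords.manage`, which looks up the existing Secret and reuses the stored value; that, or a `required` forcing the user to set `aesKey`/`secretName`, would make the default safe. The `replace "+" "-" | replace "/" "_"` steps are also no-ops on `randAlphaNum` output and can go.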
diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/serviceaccount.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/serviceaccount.yaml index cac87ba47..d441a7327 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/serviceaccount.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/servicemonitor.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/servicemonitor.yaml index 3790d0dcb..ab62f7c93 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/servicemonitor.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/servicemonitor.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} 
@@ -11,30 +11,28 @@ metadata: namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} - {{- if .Values.metrics.serviceMonitor.additionalLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- if or .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.metrics.serviceMonitor.annotations .Values.commonAnnotations) "context" .) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} {{- end }} spec: endpoints: - port: http path: /metrics - {{- with .Values.metrics.serviceMonitor.interval }} - interval: {{ . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} {{- end }} - {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ . 
}} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} {{- end }} {{- if .Values.metrics.serviceMonitor.honorLabels }} honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} {{- end }} {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} {{- end }} {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{ toYaml .Values.metrics.serviceMonitor.relabelings | nindent 6 }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} {{- end }} {{- if .Values.metrics.serviceMonitor.jobLabel }} jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/templates/tls-secret.yaml b/argocd-helm-charts/external-dns/charts/external-dns/templates/tls-secret.yaml index 2f6efb7a6..76299db23 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/templates/tls-secret.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/templates/tls-secret.yaml @@ -1,5 +1,5 @@ {{- /* -Copyright VMware, Inc. +Copyright Broadcom, Inc. All Rights Reserved. SPDX-License-Identifier: APACHE-2.0 */}} diff --git a/argocd-helm-charts/external-dns/charts/external-dns/values.yaml b/argocd-helm-charts/external-dns/charts/external-dns/values.yaml index 981d83d8f..6c16a51fa 100644 --- a/argocd-helm-charts/external-dns/charts/external-dns/values.yaml +++ b/argocd-helm-charts/external-dns/charts/external-dns/values.yaml @@ -1,4 +1,4 @@ -# Copyright VMware, Inc. +# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## @section Global parameters 
@@ -17,7 +17,15 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @@ -30,7 +38,6 @@ fullnameOverride: "" ## @param clusterDomain Kubernetes Cluster Domain ## clusterDomain: cluster.local - ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} @@ -47,11 +54,6 @@ kubeVersion: "" ## @param watchReleaseNamespace Watch only namepsace used for the release ## watchReleaseNamespace: false -## @param useDaemonset Use ExternalDNS in Daemonset mode -## If set to false, Deployment will be used. -## -useDaemonset: false - ## @section external-dns parameters ## @@ -67,11 +69,11 @@ useDaemonset: false image: registry: docker.io repository: bitnami/external-dns - tag: 0.14.0-debian-11-r1 + tag: 0.14.2-debian-12-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -82,24 +84,23 @@ image: ## - myRegistryKeySecretName ## pullSecrets: [] - +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: true ## @param hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] - ## @param updateStrategy update strategy type ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#update-strategies ## updateStrategy: {} - ## @param command Override kiam default command ## command: [] ## @param args Override kiam default args ## args: [] - ## @param sources [array] K8s resources type to be observed for new DNS entries by ExternalDNS ## sources: 
@@ -115,6 +116,28 @@ provider: aws ## @param initContainers Attach additional init containers to the pod (evaluated as a template) ## initContainers: [] +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the external-dns deployment +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} ## @param sidecars Attach additional containers to the pod (evaluated as a template) ## sidecars: [] @@ -265,6 +288,9 @@ aws: ## ref: https://github.com/kubernetes-sigs/external-dns/blob/0483ffde22e60436f16be154b9fe1a388a1400d0/docs/registry/dynamodb.md ## dynamodbRegion: "" + ## @param aws.zoneMatchParent When using the AWS provider, lets a domain filter match subdomains within the same zone by using their parent domain + ## + zoneMatchParent: false ## Azure configuration to be set via arguments/env. variables ## azure: 
@@ -328,6 +354,10 @@ cloudflare: ## @param cloudflare.proxied When using the Cloudflare provider, enable the proxy feature (DDOS protection, CDN...) (optional) ## proxied: true + ## @param cloudflare.dnsRecordsPerPage Number of DNS records to fetch per page. (optional) + ## When using the Cloudflare provider, specify how many DNS records listed per page, max possible 5,000 (default: 100) + ## + dnsRecordsPerPage: 100 ## CoreDNS configuration to be set via arguments/env variables ## coredns: @@ -527,7 +557,6 @@ linode: ## This ignores linode.apiToken ## secretName: "" - ## NS1 configuration to be set via arguments/env. variables ## ns1: @@ -541,7 +570,18 @@ ns1: ## This ignores ns1.apiToken ## secretName: "" - +## Pi-hole configuration to be set via arguments/env. variables +## +pihole: + ## @param pihole.server When using the Pi-hole provider, specify The address of the Pi-hole web server + ## + server: "" + ## @param pihole.tlsSkipVerify When using the Pi-hole provider, specify wheter to skip verification of any TLS certificates served by the Pi-hole web server + ## + tlsSkipVerify: "" + ## @param pihole.secretName Use an existing secret with key "pihole_password" defined. + ## + secretName: "" ## oci configuration to be set via arguments/env. variables ## oci: @@ -572,6 +612,12 @@ oci: ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#deploy-externaldns ## secretName: "" + ## @param oci.useInstancePrincipal When using the OCI provider, enable IAM Instance Principal + ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal + useInstancePrincipal: false + ## @param oci.useWorkloadIdentity When using the OCI provider, enable IAM Workload Identity + ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal + useWorkloadIdentity: false ## OVH configuration to be set via arguments/env. variables ## ovh: 
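Review bot: The `pihole:` block documents `server`, `tlsSkipVerify` and `secretName`, but secret.yaml (L85) also reads `.Values.pihole.password`, which is neither declared nor documented here, so the only way to get a password into the generated Secret is invisible to chart users. Add `## @param pihole.password When using the Pi-hole provider, the Pi-hole web UI password (ignored if pihole.secretName is set)` with `password: ""`. Also `tlsSkipVerify: ""` should be a boolean `false` to match how the flag is gated in deployment.yaml (L77), and "wheter" in its description is a typo. The `pihole:` mapping ends inside the hunk; the preceding `ns1:` block starts outside it.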
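Review bot: `oci.useWorkloadIdentity` is added and documented, but none of the templates touched in this diff consume it — the only OCI switch used in deployment.yaml (L77, L79, L80) and secret.yaml (L85) is `oci.useInstancePrincipal`; if `_helpers.tpl` or another file outside this view reads it, fine, otherwise the knob is a no-op that users will set expecting an effect. Its `## Ref:` also points at the `#oci-iam-instance-principal` anchor rather than a workload-identity section. The `oci:` block starts outside the hunk.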
@@ -646,7 +692,6 @@ rfc2136: ## @param rfc2136.kerberosRealm When using the rfc2136 provider with rfc3645Enabled, specify the realm to authenticate to (required when provider=rfc2136 and rfc2136.rfc3645Enabled=true) ## kerberosRealm: "" - ## PowerDNS configuration to be set via arguments/env. variables ## pdns: @@ -763,6 +808,22 @@ txtOwnerId: "" ## value passed as txtOwnerId when forceTxtOwnerId=true ## forceTxtOwnerId: false +## TXT registry record encryption +## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#encryption +## +txtEncrypt: + ## @param txtEncrypt.enabled Enable TXT record encrypencryption + ## + enabled: false + ## @param txtEncrypt.aesKey 32-byte AES-256-GCM encryption key. + ## ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#generating-the-txt-encryption-key + ## Note: If txtEncrypt.enabled is enabled and txtEncrypt.aesKey is not set a default key will be generated. + ## + aesKey: "" + ## @param txtEncrypt.secretName Use an existing secret with key "txt_aes_encryption_key" defined. + ## This ignores txtEncrypt.aesKey + ## + secretName: "" ## @param extraArgs Extra arguments to be passed to external-dns ## extraArgs: {} @@ -787,9 +848,6 @@ schedulerName: "" ## The value is evaluated as a template ## topologySpreadConstraints: [] -## @param replicaCount Desired number of ExternalDNS replicas -## -replicaCount: 1 ## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## @@ -824,7 +882,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment 
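Review bot: `## @param txtEncrypt.enabled Enable TXT record encrypencryption` has a doubled word; the chart README tables are typically generated from these `@param` lines, so the typo propagates. Proposed line: `## @param txtEncrypt.enabled Enable encryption of TXT registry records`. The note under `aesKey` ("a default key will be generated") should also say that the generated key is not persisted across renders, since secret.yaml (L85) regenerates it on every upgrade.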
@@ -917,6 +975,64 @@ service: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + 
ingressNSPodMatchLabels: {} ## ServiceAccount parameters ## https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @@ -932,7 +1048,7 @@ serviceAccount: annotations: {} ## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account. ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.labels [object] Additional labels to be included on the service account ## labels: {} @@ -953,7 +1069,9 @@ rbac: ## pspEnabled: false ## @param containerSecurityContext.enabled Enabled Apache Server containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set ExternalDNS containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set ExternalDNS containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set ExternalDNS container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set primary container's Security Context privileged ## @param containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation 
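Review bot: `## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` is a copy of the `extraIngress` description; it should read `Add extra egress rules to the NetworkPolicy`. The examples under both params also nest `- matchLabels:` and `- matchExpressions:` as list items beneath `podSelector`, which is not the Kubernetes schema (`podSelector` is a map, so `matchLabels:` and `matchExpressions:` are its keys), and an operator copying the example verbatim gets a rejected object. Finally, the three `true` defaults here render the policy at L81–L82 as allow-all in both directions, which is worth stating next to `enabled: true`. The `networkPolicy:` block ends inside the hunk.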
@@ -970,44 +1088,50 @@ rbac:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 capabilities:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
-
 ## @param podSecurityContext.enabled Enable pod security context
+## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Group ID for the container
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Container resource requests and limits
-## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
 ## We usually recommend not to specify default resources and to leave this as a conscious
 ## choice for the user. This also increases chances charts run on environments with little
 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
 ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-## @param resources.limits The resources limits for the container
-## @param resources.requests The requested resources for the container
-##
-resources:
- ## Example:
- ## limits:
- ## cpu: 50m
- ## memory: 50Mi
- ##
- limits: {}
- ## Examples:
- ## requests:
- ## cpu: 10m
- ## memory: 50Mi
- ##
- requests: {}
+## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
+## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+##
+resourcesPreset: "nano"
+## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+## Example:
+## resources:
+## requests:
+## cpu: 2
+## memory: 512Mi
+## limits:
+## cpu: 3
+## memory: 1024Mi
+##
+resources: {}
 ## Configure extra options for liveness probe
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
 ## @param livenessProbe.enabled Enable livenessProbe
@@ -1071,11 +1195,14 @@ extraVolumes: []
 ## @param extraVolumeMounts A list of volume mounts to be added to the pod
 ##
 extraVolumeMounts: []
-## @param podDisruptionBudget Configure PodDisruptionBudget
-## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+## @param pdb.create Enable/disable a Pod Disruption Budget creation
+## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
 ##
-
-podDisruptionBudget: {}
+pdb:
+ create: true
+ minAvailable: ""
+ maxUnavailable: ""
 ## Prometheus Exporter / Metrics
 ##
 metrics:
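Review bot: `readOnlyRootFilesystem: true` is the right hardening default, but it is a runtime behavior change for every consumer of this vendored chart: any path external-dns writes at runtime now needs a writable `emptyDir` added through `extraVolumes`/`extraVolumeMounts`, so a test install should confirm the pod does not crash-loop before this upgrade lands. The resource default also changes from empty `limits`/`requests` to `resourcesPreset: "nano"`, a sizing chosen upstream rather than measured for this cluster, and the new comment itself says presets are not for production; the wrapper chart should carry an explicit `resources:` block so requests and limits are deliberate rather than inherited. The `seLinuxOptions`, `sysctls` and `supplementalGroups` additions are empty and inert by default, so they need no action.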
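Review bot: Replacing `podDisruptionBudget: {}` with `pdb.create: true` is a breaking values rename: a `podDisruptionBudget:` override in the wrapper chart or in an Argo CD Application's values is silently ignored after this upgrade, and a PodDisruptionBudget is now created unconditionally. With both `minAvailable` and `maxUnavailable` empty the comment says `maxUnavailable` falls back to `1`, which is harmless for a single replica, but a `minAvailable` set equal to the replica count would block node drains; the old key and the replica settings in the wrapper values should be checked together when adopting this hunk.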
@@ -1119,11 +1246,13 @@ metrics:
 ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
 ##
 honorLabels: false
- ## DEPRECATED metrics.serviceMonitor.additionalLabels will be removed in a future release - Please use metrics.serviceMonitor.labels instead
 ## @param metrics.serviceMonitor.labels Used to pass Labels that are required by the installed Prometheus Operator
 ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
 ##
 labels: {}
+ ## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
+ ##
+ annotations: {}
 ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
 ##
 jobLabel: ""
@@ -1142,4 +1271,3 @@ metrics:
 ## @param metrics.googlePodMonitor.endpoint The endpoint for Google Managed Prometheus scraping the metrics
 ##
 endpoint: /metrics
-