External-dns and new clusterissuer dns01 Cloudflare (#374)

Overview

This pull request introduces the integration of External-DNS into the
full bundles and adds support for a dns01 ClusterIssuer using
Cloudflare. It enhances the DNS management capabilities for our
deployments by allowing dynamic DNS record management directly from
Kubernetes resources.

Changes Made

 1. **External-DNS Integration:**
 
   - Added External-DNS to the full deployment bundles.

- Configured External-DNS to automatically manage DNS records for
services within the Kubernetes cluster ( we must discuss how to
configure external-dns via configmap or create an application in tenant
`external-dns` where we can define values).

We must define some additional annotations for ingresses in order to
make external-dns work , so we must discuss this also which is best
method to configure it ( from configmap or dashboard ).

**2. dns01 ClusterIssuer for Cloudflare:**

- Implemented support for a dns01 ClusterIssuer using Cloudflare.
- This allows for automated certificate issuance via DNS challenge,
leveraging Cloudflare as the DNS provider.
- The configuration can be defined in the Cozystack ConfigMap

3. Default Ingress Configuration: 

- Updated the default Ingress resources to use Cloudflare for DNS
challenges.
- Ensured that if the Cloudflare issuer is defined in the Cozystack
ConfigMap, it will be utilized for all default Ingresses, streamlining
the deployment process and improving reliability.

**Benefits**

- Automated DNS Management: With External-DNS, DNS entries will be
created and updated automatically based on the state of Kubernetes
resources, reducing manual overhead.
- Seamless Certificate Management: The dns01 ClusterIssuer integration
allows for automated SSL/TLS certificate issuance, enhancing security
for deployed applications.
- Flexibility in Configuration: Users can easily switch between
different issuers by updating the Cozystack ConfigMap, providing
flexibility in the choice of DNS and certificate management solutions.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

- **New Features**
- Introduced a new `external-dns` release with support for managing DNS
records in Kubernetes.
- Added configuration options for DNS synchronization policies and
provider settings.
  - Implemented a new lookup for issuer types in Ingress configurations.
- Expanded configuration with new entries for `external-dns` in multiple
deployment files, enhancing deployment flexibility.

- **Documentation**
- Comprehensive README and configuration schema for the `external-dns`
Helm chart added, detailing installation and customization options.

- **Improvements**
  - Enhanced RBAC configuration for flexible permissions management.
- Updated annotations and health check configurations for better service
monitoring.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: Andrei Kvapil <kvapss@gmail.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

packages/core/platform/bundles/distro-full.yaml

@@ -142,8 +142,14 @@ releases:
   namespace: cozy-telepresence
   dependsOn: []
 
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  dependsOn: [cilium]
+
 - name: external-secrets-operator
   releaseName: external-secrets-operator
   chart: cozy-external-secrets-operator
   namespace: cozy-external-secrets-operator
-  dependsOn: [cilium]
+  dependsOn: [cilium]

packages/core/platform/bundles/distro-hosted.yaml

@@ -93,6 +93,12 @@ releases:
   namespace: cozy-telepresence
   dependsOn: []
 
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  dependsOn: [] 
+
 - name: external-secrets-operator
   releaseName: external-secrets-operator
   chart: cozy-external-secrets-operator

packages/core/platform/bundles/paas-full.yaml

@@ -217,8 +217,14 @@ releases:
   privileged: true
   dependsOn: [cilium,kubeovn,capi-operator]
 
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  dependsOn: [cilium,kubeovn]
+
 - name: external-secrets-operator
   releaseName: external-secrets-operator
   chart: cozy-external-secrets-operator
   namespace: cozy-external-secrets-operator
-  dependsOn: [cilium,kubeovn]
+  dependsOn: [cilium,kubeovn]

packages/core/platform/bundles/paas-hosted.yaml

@@ -99,6 +99,12 @@ releases:
   namespace: cozy-telepresence
   dependsOn: []
 
+- name: external-dns
+  releaseName: external-dns
+  chart: cozy-external-dns
+  namespace: cozy-external-dns
+  dependsOn: [cilium,kubeovn]
+
 - name: external-secrets-operator
   releaseName: external-secrets-operator
   chart: cozy-external-secrets-operator

packages/extra/ingress/templates/dashboard.yaml

@@ -1,29 +1,36 @@
-{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
-{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
-{{- if .Values.dashboard }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    acme.cert-manager.io/http01-ingress-class: tenant-root
-  name: dashboard-{{ .Release.Namespace }}
-  namespace: cozy-dashboard
-spec:
-  ingressClassName: {{ .Release.Namespace }}
-  rules:
-  - host: dashboard.{{ $host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: dashboard
-            port:
-              number: 80
-        path: /
-        pathType: Prefix
-  tls:
-  - hosts:
-    - dashboard.{{ $host }}
-    secretName: dashboard-{{ .Release.Namespace }}-tls
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}  
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}  
+
+{{- if .Values.dashboard }}  
+apiVersion: networking.k8s.io/v1  
+kind: Ingress  
+metadata:  
+  annotations:  
+    cert-manager.io/cluster-issuer: letsencrypt-prod  
+    {{- if eq $issuerType "cloudflare" }} 
+    {{- else }}  
+    acme.cert-manager.io/http01-ingress-class: {{ .Release.Namespace }}  
+    {{- end }}  
+  name: dashboard-{{ .Release.Namespace }}  
+  namespace: cozy-dashboard  
+spec:  
+  ingressClassName: {{ .Release.Namespace }}  
+  rules:  
+  - host: dashboard.{{ $host }}  
+    http:  
+      paths:  
+      - backend:  
+          service:  
+            name: dashboard  
+            port:  
+              number: 80  
+        path: /  
+        pathType: Prefix  
+  tls:  
+  - hosts:  
+    - dashboard.{{ $host }}  
+    secretName: dashboard-{{ .Release.Namespace }}-tls  
 {{- end }}

packages/extra/monitoring/templates/alerta/alerta.yaml

@@ -1,3 +1,6 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}
+
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -146,7 +149,9 @@ metadata:
     app: alerta
   annotations:
     acme.cert-manager.io/http01-ingress-class: {{ $ingress }}
-    cert-manager.io/cluster-issuer: letsencrypt-prod
+    {{- if ne $issuerType "cloudflare" }} 
+    acme.cert-manager.io/http01-ingress-class: {{ $ingress }}  
+    {{- end }} 
 spec:
   ingressClassName: {{ $ingress }}
   tls:

packages/extra/monitoring/templates/grafana/grafana.yaml

@@ -1,3 +1,6 @@
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }} 
+
 {{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
 {{- $ingress := index $myNS.metadata.annotations "namespace.cozystack.io/ingress" }}
 {{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
@@ -90,7 +93,9 @@ spec:
   ingress:
     metadata:
       annotations:
-        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"
+        {{- if ne $issuerType "cloudflare" }}
+        acme.cert-manager.io/http01-ingress-class: "{{ $ingress }}"  
+        {{- end }}
         cert-manager.io/cluster-issuer: letsencrypt-prod
     spec:
       ingressClassName: "{{ $ingress }}"

packages/system/cert-manager-issuers/templates/cluster-issuers.yaml

@@ -1,35 +1,56 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  annotations:
-  name: letsencrypt-prod
-spec:
-  acme:
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    server: https://acme-v02.api.letsencrypt.org/directory
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-stage
-spec:
-  acme:
-    privateKeySecretRef:
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}  
+{{- $issuerType := (index $cozyConfig.data "clusterissuer") | default "http01" }}  
+
+apiVersion: cert-manager.io/v1 
+kind: ClusterIssuer  
+metadata:  
+  name: letsencrypt-prod  
+spec:  
+  acme:  
+    privateKeySecretRef:  
+      name: letsencrypt-prod  
+    server: https://acme-v02.api.letsencrypt.org/directory  
+    solvers:  
+    - {{- if eq $issuerType "cloudflare" }}  
+        dns01:  
+          cloudflare:  
+            apiTokenSecretRef:  
+              name: cloudflare-api-token-secret  
+              key: api-token  
+      {{- else }}  
+        http01:  
+          ingress:  
+            class: nginx  
+      {{- end }}  
+
+---  
+
+apiVersion: cert-manager.io/v1  
+kind: ClusterIssuer  
+metadata:  
+  name: letsencrypt-stage  
+  acme:  
+    privateKeySecretRef:  
       name: letsencrypt-stage
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: selfsigned-cluster-issuer
-spec:
-  selfSigned: {}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory  
+    solvers:  
+    - {{- if eq $issuerType "cloudflare" }}  
+        dns01:  
+          cloudflare:  
+            apiTokenSecretRef:  
+              name: cloudflare-api-token-secret  
+              key: api-token  
+      {{- else }}  
+        http01:  
+          ingress:  
+            class: nginx  
+      {{- end }}  
+
+---  
+
+apiVersion: cert-manager.io/v1  
+kind: ClusterIssuer  
+metadata:  
+  name: selfsigned-cluster-issuer  
+spec:  
+  selfSigned: {}

packages/system/external-dns/.helmignore

@@ -0,0 +1,3 @@
+images
+hack
+.gitkeep

packages/system/external-dns/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-external-dns
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/external-dns/Makefile

@@ -0,0 +1,10 @@
+export NAME=external-dns
+export NAMESPACE=cozy-$(NAME)
+
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+	helm repo update external-dns
+	helm pull external-dns/external-dns --untar --untardir charts

packages/system/external-dns/charts/external-dns/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

packages/system/external-dns/charts/external-dns/CHANGELOG.md

@@ -0,0 +1,219 @@
+# ExternalDNS Helm Chart Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+<!--
+### Added - For new features.
+### Changed - For changes in existing functionality.
+### Deprecated - For soon-to-be removed features.
+### Removed - For now removed features.
+### Fixed - For any bug fixes.
+### Security - In case of vulnerabilities.
+-->
+
+## [UNRELEASED]
+
+## [v1.15.0] - 2023-09-10
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
+
+### Fixed
+
+- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
+- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_
+
+## [v1.14.5] - 2023-06-10
+
+### Added
+
+- Added support for `extraContainers` argument. ([#4432](https://github.com/kubernetes-sigs/external-dns/pull/4432)) _@omerap12_
+- Added support for setting `excludeDomains` argument.  ([#4380](https://github.com/kubernetes-sigs/external-dns/pull/4380)) _@bford-evs_
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.14.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.2). ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+- Updated `DNSEndpoint` CRD. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+- Changed the implementation for `revisionHistoryLimit` to be more generic. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+
+### Fixed
+
+- Fixed the `ServiceMonitor` job name to correctly use the instance label. ([#4541](https://github.com/kubernetes-sigs/external-dns/pull/4541)) _@stevehipwell_
+
+## [v1.14.4] - 2023-04-03
+
+### Added
+
+- Added support for setting `dnsConfig`. ([#4265](https://github.com/kubernetes-sigs/external-dns/pull/4265)) _@davhdavh_
+- Added support for `DNSEndpoint` CRD. ([#4322](https://github.com/kubernetes-sigs/external-dns/pull/4322)) _@onedr0p_
+
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.14.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.1). ([#4357](https://github.com/kubernetes-sigs/external-dns/pull/4357)) _@stevehipwell_
+
+## [v1.14.3] - 2023-01-26
+
+### Fixed
+
+- Fixed args for webhook deployment. ([#4202](https://github.com/kubernetes-sigs/external-dns/pull/4202)) [@webwurst](https://github.com/webwurst)
+- Fixed support for `gateway-grpcroute`, `gateway-tlsroute`, `gateway-tcproute` & `gateway-udproute`. ([#4205](https://github.com/kubernetes-sigs/external-dns/pull/4205)) [@orenlevi111](https://github.com/orenlevi111)
+- Fixed incorrect implementation for setting the `automountServiceAccountToken`. ([#4208](https://github.com/kubernetes-sigs/external-dns/pull/4208)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.14.2] - 2024-01-22
+
+### Fixed
+
+- Restore template support in `.Values.provider` and `.Values.provider.name`
+
+## [v1.14.1] - 2024-01-11
+
+### Fixed
+
+- Fixed webhook install failure: `"http-webhook-metrics": must be no more than 15 characters`. ([#4173](https://github.com/kubernetes-sigs/external-dns/pull/4173)) [@gabe565](https://github.com/gabe565)
+
+## [v1.14.0] - 2024-01-10
+
+### Added
+
+- Added the option to explicitly enable or disable service account token automounting. ([#3983](https://github.com/kubernetes-sigs/external-dns/pull/3983)) [@gilles-gosuin](https://github.com/gilles-gosuin)
+- Added the option to configure revisionHistoryLimit on the K8s Deployment resource. ([#4008](https://github.com/kubernetes-sigs/external-dns/pull/4008)) [@arnisoph](https://github.com/arnisoph)
+- Added support for webhook providers, as a sidecar. ([#4032](https://github.com/kubernetes-sigs/external-dns/pull/4032) [@mloiseleur](https://github.com/mloiseleur)
+- Added the option to configure ipFamilyPolicy and ipFamilies of external-dns Service.  ([#4153](https://github.com/kubernetes-sigs/external-dns/pull/4153)) [@dongjiang1989](https://github.com/dongjiang1989)
+
+### Changed
+
+- Avoid unnecessary pod restart on each helm chart version. ([#4103](https://github.com/kubernetes-sigs/external-dns/pull/4103)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ OCI image version to [v0.14.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.14.0). ([#4073](https://github.com/kubernetes-sigs/external-dns/pull/4073)) [@appkins](https://github.com/appkins)
+
+### Deprecated
+
+- The `secretConfiguration` value has been deprecated in favour of creating secrets external to the Helm chart and configuring their use via the `extraVolumes` & `extraVolumeMounts` values. ([#4161](https://github.com/kubernetes-sigs/external-dns/pull/4161)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.13.1] - 2023-09-07
+
+### Added
+
+- Added RBAC for Traefik to ClusterRole. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3325)) [@ThomasK33](https://github.com/thomask33)
+- Added support for init containers. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3838)) [@calvinbui](https://github.com/calvinbui)
+
+### Changed
+
+- Disallowed privilege escalation in container security context and set the seccomp profile type to `RuntimeDefault`. ([#3689](https://github.com/kubernetes-sigs/external-dns/pull/3689)) [@nrvnrvn](https://github.com/nrvnrvn)
+- Updated _ExternalDNS_ OCI image version to [v0.13.6](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.6). ([#3917](https://github.com/kubernetes-sigs/external-dns/pull/3917)) [@stevehipwell](https://github.com/stevehipwell)
+
+### Removed
+
+- Removed RBAC rule for already removed `contour-ingressroute` source. ([#3764](https://github.com/kubernetes-sigs/external-dns/pull/3764)) [@johngmyers](https://github.com/johngmyers)
+
+## [v1.13.0] - 2023-03-30
+
+### All Changes
+
+- Updated _ExternalDNS_ version to [v0.13.5](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.5). ([#3661](https://github.com/kubernetes-sigs/external-dns/pull/3661)) [@GMartinez-Sisti](https://github.com/GMartinez-Sisti)
+- Adding missing gateway-httproute cluster role permission. ([#3541](https://github.com/kubernetes-sigs/external-dns/pull/3541)) [@nicon89](https://github.com/nicon89)
+
+## [v1.12.2] - 2023-03-30
+
+### All Changes
+
+- Added support for ServiceMonitor relabelling. ([#3366](https://github.com/kubernetes-sigs/external-dns/pull/3366)) [@jkroepke](https://github.com/jkroepke)
+- Updated chart icon path. ([#3492](https://github.com/kubernetes-sigs/external-dns/pull/3494)) [kundan2707](https://github.com/kundan2707)
+- Added RBAC for Gateway-API resources to ClusterRole. ([#3499](https://github.com/kubernetes-sigs/external-dns/pull/3499)) [@michaelvl](https://github.com/MichaelVL)
+- Added RBAC for F5 VirtualServer to ClusterRole. ([#3503](https://github.com/kubernetes-sigs/external-dns/pull/3503)) [@mikejoh](https://github.com/mikejoh)
+- Added support for running ExternalDNS with namespaced scope. ([#3403](https://github.com/kubernetes-sigs/external-dns/pull/3403)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ version to [v0.13.4](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.4). ([#3516](https://github.com/kubernetes-sigs/external-dns/pull/3516)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.12.1] - 2023-02-06
+
+### All Changes
+
+- Updated _ExternalDNS_ version to [v0.13.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.2). ([#3371](https://github.com/kubernetes-sigs/external-dns/pull/3371)) [@stevehipwell](https://github.com/stevehipwell)
+- Added `secretConfiguration.subPath` to mount specific files from secret as a sub-path. ([#3227](https://github.com/kubernetes-sigs/external-dns/pull/3227)) [@jkroepke](https://github.com/jkroepke)
+- Changed to use `registry.k8s.io` instead of `k8s.gcr.io`. ([#3261](https://github.com/kubernetes-sigs/external-dns/pull/3261)) [@johngmyers](https://github.com/johngmyers)
+
+## [v1.12.0] - 2022-11-29
+
+### All Changes
+
+- Added ability to provide ExternalDNS with secret configuration via `secretConfiguration`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
+- Added the ability to template `provider` & `extraArgs`. ([#3144](https://github.com/kubernetes-sigs/external-dns/pull/3144)) [@jkroepke](https://github.com/jkroepke)
+- Added the ability to customise the service account labels. ([#3145](https://github.com/kubernetes-sigs/external-dns/pull/3145)) [@jkroepke](https://github.com/jkroepke)
+- Updated _ExternalDNS_ version to [v0.13.1](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.1). ([#3197](https://github.com/kubernetes-sigs/external-dns/pull/3197)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.11.0] - 2022-08-10
+
+### Added
+
+- Added support to configure `dnsPolicy` on the Helm chart deployment. [@michelzanini](https://github.com/michelzanini)
+- Added ability to customise the deployment strategy. [mac-chaffee](https://github.com/mac-chaffee)
+
+### Changed
+
+- Updated _ExternalDNS_ version to [v0.12.2](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.2). [@stevehipwell](https://github.com/stevehipwell)
+- Changed default deployment strategy to `Recreate`. [mac-chaffee](https://github.com/mac-chaffee)
+
+## [v1.10.1] - 2022-07-11
+
+### Fixed
+
+- Fixed incorrect addition of `namespace` to `ClusterRole` & `ClusterRoleBinding`. [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.10.0] - 2022-07-08
+
+### Added
+
+- Added `commonLabels` value to allow the addition of labels to all resources. [@stevehipwell](https://github.com/stevehipwell)
+- Added support for [Process Namespace Sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) via the `shareProcessNamespace`
+ value. ([#2715](https://github.com/kubernetes-sigs/external-dns/pull/2715)) [@wolffberg](https://github.com/wolffberg)
+
+### Changed
+
+- Update _ExternalDNS_ version to [v0.12.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.12.0). [@vojtechmares](https://github.com/vojtechmares)
+- Set resource namespaces to `{{ .Release.Namespace }}` in the templates instead of waiting until apply time for inference. [@stevehipwell](https://github.com/stevehipwell)
+- Fixed `rbac.additionalPermissions` default value.([#2796](https://github.com/kubernetes-sigs/external-dns/pull/2796)) [@tamalsaha](https://github.com/tamalsaha)
+
+## [v1.9.0] - 2022-04-19
+
+### Changed
+
+- Update _ExternalDNS_ version to [v0.11.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.11.0). ([#2690](https://github.com/kubernetes-sigs/external-dns/pull/2690)) [@stevehipwell](https://github.com/stevehipwell)
+
+## [v1.8.0] - 2022-04-13
+
+### Added
+
+- Add annotations to Deployment. ([#2477](https://github.com/kubernetes-sigs/external-dns/pull/2477)) [@beastob](https://github.com/beastob)
+
+### Changed
+
+- Fix RBAC for `istio-virtualservice` source when `istio-gateway` isn't also added. ([#2564](https://github.com/kubernetes-sigs/external-dns/pull/2564)) [@mcwarman](https://github.com/mcwarman)
+
+<!--
+RELEASE LINKS
+-->
+[UNRELEASED]: https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
+[v1.15.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.15.0
+[v1.14.5]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.5
+[v1.14.4]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.4
+[v1.14.3]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.3
+[v1.14.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.2
+[v1.14.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.1
+[v1.14.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.14.0
+[v1.13.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.1
+[v1.13.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.13.0
+[v1.12.2]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.2
+[v1.12.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.1
+[v1.12.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.12.0
+[v1.11.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.11.0
+[v1.10.1]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.1
+[v1.10.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.10.0
+[v1.9.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.9.0
+[v1.8.0]: https://github.com/kubernetes-sigs/external-dns/releases/tag/external-dns-helm-chart-1.8.0

packages/system/external-dns/charts/external-dns/Chart.yaml

@@ -0,0 +1,33 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: "Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0)."
+    - kind: fixed
+      description: "Fixed `provider.webhook.resources` behavior to correctly leverage resource limits."
+    - kind: fixed
+      description: "Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy."
+    - kind: fixed
+      description: "Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`."
+    - kind: fixed
+      description: "Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes."
+apiVersion: v2
+appVersion: 0.15.0
+description: ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with
+  DNS providers.
+home: https://github.com/kubernetes-sigs/external-dns/
+icon: https://github.com/kubernetes-sigs/external-dns/raw/master/docs/img/external-dns.png
+keywords:
+- kubernetes
+- externaldns
+- external-dns
+- dns
+- service
+- ingress
+maintainers:
+- email: steve.hipwell@gmail.com
+  name: stevehipwell
+name: external-dns
+sources:
+- https://github.com/kubernetes-sigs/external-dns/
+type: application
+version: 1.15.0

packages/system/external-dns/charts/external-dns/README.md

@@ -0,0 +1,182 @@
+# external-dns
+
+![Version: 1.15.0](https://img.shields.io/badge/Version-1.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+
+ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.
+
+**Homepage:** <https://github.com/kubernetes-sigs/external-dns/>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| stevehipwell | <steve.hipwell@gmail.com> |  |
+
+## Source Code
+
+* <https://github.com/kubernetes-sigs/external-dns/>
+
+## Installing the Chart
+
+Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
+
+```shell
+helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+```
+
+After you've installed the repo you can install the chart.
+
+```shell
+helm upgrade --install external-dns external-dns/external-dns --version 1.15.0
+```
+
+## Providers
+
+Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
+See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
+
+### Providers with Specific Configuration Support
+
+| Provider               | Supported  |
+|------------------------|------------|
+| `webhook`              | ✅         |
+
+### Other Providers
+
+For set up for a specific provider using the Helm chart, see the following links:
+
+- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
+- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
+- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
+- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
+- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
+- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
+- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
+
+## Namespaced Scoped Installation
+
+external-dns supports running on a namespaced only scope, too.
+If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
+
+### Limited Supported
+
+Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
+For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
+Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
+namespaces as `external-dns`.
+
+The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
+
+If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
+
+### Support Matrix
+
+| Source                 | Supported  | Infos                  |
+|------------------------|------------|------------------------|
+| `ingress`              | ✅         |                        |
+| `istio-gateway`        | ✅         |                        |
+| `istio-virtualservice` | ✅         |                        |
+| `crd`                  | ✅         |                        |
+| `kong-tcpingress`      | ✅         |                        |
+| `openshift-route`      | ✅         |                        |
+| `skipper-routegroup`   | ✅         |                        |
+| `gloo-proxy`           | ✅         |                        |
+| `contour-httpproxy`    | ✅         |                        |
+| `service`              | ⚠️️         | NodePort not supported |
+| `node`                 | ❌         |                        |
+| `pod`                  | ❌         |                        |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
+| automountServiceAccountToken | bool | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`. |
+| commonLabels | object | `{}` | Labels to add to all chart resources. |
+| deploymentAnnotations | object | `{}` | Annotations to add to the `Deployment`. |
+| deploymentStrategy | object | `{"type":"Recreate"}` | [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy). |
+| dnsConfig | object | `nil` | [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used. |
+| dnsPolicy | string | `nil` | [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used. |
+| domainFilters | list | `[]` |  |
+| env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container. |
+| excludeDomains | list | `[]` |  |
+| extraArgs | list | `[]` | Extra arguments to provide to _ExternalDNS_. |
+| extraContainers | object | `{}` | Extra containers to add to the `Deployment`. |
+| extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container. |
+| extraVolumes | list | `[]` | Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`. |
+| fullnameOverride | string | `nil` | Override the full name of the chart. |
+| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `external-dns` container. |
+| image.repository | string | `"registry.k8s.io/external-dns/external-dns"` | Image repository for the `external-dns` container. |
+| image.tag | string | `nil` | Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set. |
+| imagePullSecrets | list | `[]` | Image pull secrets. |
+| initContainers | list | `[]` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition. |
+| interval | string | `"1m"` | Interval for DNS updates. |
+| livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| logFormat | string | `"text"` | Log format. |
+| logLevel | string | `"info"` | Log level. |
+| nameOverride | string | `nil` | Override the name of the chart. |
+| namespaced | bool | `false` | if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too). |
+| nodeSelector | object | `{}` | Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
+| podAnnotations | object | `{}` | Annotations to add to the `Pod`. |
+| podLabels | object | `{}` | Labels to add to the `Pod`. |
+| podSecurityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation. |
+| policy | string | `"upsert-only"` | How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`. |
+| priorityClassName | string | `nil` | Priority class name for the `Pod`. |
+| provider.name | string | `"aws"` | _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers). |
+| provider.webhook.args | list | `[]` | Extra arguments to provide for the `webhook` container. |
+| provider.webhook.env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container. |
+| provider.webhook.extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container. |
+| provider.webhook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `webhook` container. |
+| provider.webhook.image.repository | string | `nil` | Image repository for the `webhook` container. |
+| provider.webhook.image.tag | string | `nil` | Image tag for the `webhook` container. |
+| provider.webhook.livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
+| provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
+| provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
+| provider.webhook.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
+| provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
+| rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. |
+| rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
+| readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| registry | string | `"txt"` | Specify the registry for storing ownership and labels. Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`. |
+| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container. |
+| revisionHistoryLimit | int | `nil` | Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``. |
+| secretConfiguration.data | object | `{}` | `Secret` data. |
+| secretConfiguration.enabled | bool | `false` | If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**). |
+| secretConfiguration.mountPath | string | `nil` | Mount path for the `Secret`, this can be templated. |
+| secretConfiguration.subPath | string | `nil` | Sub-path for mounting the `Secret`, this can be templated. |
+| securityContext | object | See _values.yaml_ | [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container. |
+| service.annotations | object | `{}` | Service annotations. |
+| service.ipFamilies | list | `[]` | Service IP families. |
+| service.ipFamilyPolicy | string | `nil` | Service IP family policy. |
+| service.port | int | `7979` | Service HTTP port. |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automountServiceAccountToken | string | `nil` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`. |
+| serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |
+| serviceAccount.labels | object | `{}` | Labels to add to the service account. |
+| serviceAccount.name | string | `nil` | If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels for the `ServiceMonitor`. |
+| serviceMonitor.annotations | object | `{}` | Annotations to add to the `ServiceMonitor`. |
+| serviceMonitor.bearerTokenFile | string | `nil` | Provide a bearer token file for the `ServiceMonitor`. |
+| serviceMonitor.enabled | bool | `false` | If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_. |
+| serviceMonitor.interval | string | `nil` | If set override the _Prometheus_ default interval. |
+| serviceMonitor.metricRelabelings | list | `[]` | [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion. |
+| serviceMonitor.namespace | string | `nil` | If set create the `ServiceMonitor` in an alternate namespace. |
+| serviceMonitor.relabelings | list | `[]` | [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion. |
+| serviceMonitor.scheme | string | `nil` | If set overrides the _Prometheus_ default scheme. |
+| serviceMonitor.scrapeTimeout | string | `nil` | If set override the _Prometheus_ default scrape timeout. |
+| serviceMonitor.targetLabels | list | `[]` | Provide target labels for the `ServiceMonitor`. |
+| serviceMonitor.tlsConfig | object | `{}` | Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig). |
+| shareProcessNamespace | bool | `false` | If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled. |
+| sources | list | `["service","ingress"]` | _Kubernetes_ resources to monitor for DNS entries. |
+| terminationGracePeriodSeconds | int | `nil` | Termination grace period for the `Pod` in seconds. |
+| tolerations | list | `[]` | Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). |
+| topologySpreadConstraints | list | `[]` | Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels. |
+| triggerLoopOnEvent | bool | `false` | If `true`, triggers run loop on create/update/delete events in addition of regular interval. |
+| txtOwnerId | string | `nil` | Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`. |
+| txtPrefix | string | `nil` | Specify a prefix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtSuffix`. |
+| txtSuffix | string | `nil` | Specify a suffix for the domain names of TXT records created for the `txt` registry. Mutually exclusive with `txtPrefix`. |
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).

packages/system/external-dns/charts/external-dns/README.md.gotmpl

@@ -0,0 +1,91 @@
+{{ template "chart.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+## Installing the Chart
+
+Before you can install the chart you will need to add the `external-dns` repo to [Helm](https://helm.sh/).
+
+```shell
+helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
+```
+
+After you've installed the repo you can install the chart.
+
+```shell
+helm upgrade --install {{ template "chart.name" . }} external-dns/{{ template "chart.name" . }} --version {{ template "chart.version" . }}
+```
+
+## Providers
+
+Configuring the _ExternalDNS_ provider should be done via the `provider.name` value with provider specific configuration being set via the `provider.<name>.<key>` values, where supported, and the `extraArgs` value. For legacy support `provider` can be set to the name of the provider with all additional configuration being set via the `extraArgs` value.
+See [documentation](https://kubernetes-sigs.github.io/external-dns/#new-providers) for more info on available providers and tutorials.
+
+### Providers with Specific Configuration Support
+
+| Provider               | Supported  |
+|------------------------|------------|
+| `webhook`              | ✅         |
+
+### Other Providers
+
+For set up for a specific provider using the Helm chart, see the following links:
+
+- [AWS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#using-helm-with-oidc)
+- [akamai-edgedns](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/akamai-edgedns.md#using-helm)
+- [cloudflare](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/cloudflare.md#using-helm)
+- [digitalocean](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/digitalocean.md#using-helm)
+- [godaddy](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/godaddy.md#using-helm)
+- [ns1](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/ns1.md#using-helm)
+- [plural](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/plural.md#using-helm)
+
+## Namespaced Scoped Installation
+
+external-dns supports running on a namespaced only scope, too.
+If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
+
+### Limited Supported
+
+Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
+For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
+Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
+namespaces as `external-dns`.
+
+The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
+
+If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`).
+
+### Support Matrix
+
+| Source                 | Supported  | Infos                  |
+|------------------------|------------|------------------------|
+| `ingress`              | ✅         |                        |
+| `istio-gateway`        | ✅         |                        |
+| `istio-virtualservice` | ✅         |                        |
+| `crd`                  | ✅         |                        |
+| `kong-tcpingress`      | ✅         |                        |
+| `openshift-route`      | ✅         |                        |
+| `skipper-routegroup`   | ✅         |                        |
+| `gloo-proxy`           | ✅         |                        |
+| `contour-httpproxy`    | ✅         |                        |
+| `service`              | ⚠️️         | NodePort not supported |
+| `node`                 | ❌         |                        |
+| `pod`                  | ❌         |                        |
+
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+----------------------------------------------
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs/).

packages/system/external-dns/charts/external-dns/RELEASE.md

@@ -0,0 +1,10 @@
+### Changed
+
+- Updated _ExternalDNS_ OCI image version to [v0.15.0](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.15.0). ([#xxxx](https://github.com/kubernetes-sigs/external-dns/pull/xxxx)) _@stevehipwell_
+
+### Fixed
+
+- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits. ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) _@crutonjohn_
+- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to add correct webhook metric port to `Service` and `ServiceMonitor`. ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
+- Fixed to no longer require the unauthenticated webhook provider port to be exposed for health probes. ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ & _@hatrx_

packages/system/external-dns/charts/external-dns/ci/ci-values.yaml

@@ -0,0 +1,2 @@
+provider:
+  name: inmemory

packages/system/external-dns/charts/external-dns/crds/dnsendpoint.yaml

@@ -0,0 +1,102 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: dnsendpoints.externaldns.k8s.io
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/external-dns/pull/2007
+spec:
+  group: externaldns.k8s.io
+  names:
+    kind: DNSEndpoint
+    listKind: DNSEndpointList
+    plural: dnsendpoints
+    singular: dnsendpoint
+  scope: Namespaced
+  versions:
+    - name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: DNSEndpointSpec defines the desired state of DNSEndpoint
+              properties:
+                endpoints:
+                  items:
+                    description:
+                      Endpoint is a high-level way of a connection between
+                      a service and an IP
+                    properties:
+                      dnsName:
+                        description: The hostname of the DNS record
+                        type: string
+                      labels:
+                        additionalProperties:
+                          type: string
+                        description: Labels stores labels defined for the Endpoint
+                        type: object
+                      providerSpecific:
+                        description: ProviderSpecific stores provider specific config
+                        items:
+                          description:
+                            ProviderSpecificProperty holds the name and value
+                            of a configuration which is specific to individual DNS providers
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      recordTTL:
+                        description: TTL for the record
+                        format: int64
+                        type: integer
+                      recordType:
+                        description:
+                          RecordType type of record, e.g. CNAME, A, AAAA,
+                          SRV, TXT etc
+                        type: string
+                      setIdentifier:
+                        description:
+                          Identifier to distinguish multiple records with
+                          the same name and type (e.g. Route53 records with routing
+                          policies other than 'simple')
+                        type: string
+                      targets:
+                        description: The targets the DNS record points to
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  type: array
+              type: object
+            status:
+              description: DNSEndpointStatus defines the observed state of DNSEndpoint
+              properties:
+                observedGeneration:
+                  description: The generation observed by the external-dns controller.
+                  format: int64
+                  type: integer
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

packages/system/external-dns/charts/external-dns/templates/NOTES.txt

@@ -0,0 +1,7 @@
+***********************************************************************
+* External DNS                                                        *
+***********************************************************************
+  Chart version: {{ .Chart.Version }}
+  App version:   {{ .Chart.AppVersion }}
+  Image tag:     {{ include "external-dns.image" . }}
+***********************************************************************

packages/system/external-dns/charts/external-dns/templates/_helpers.tpl

@@ -0,0 +1,95 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "external-dns.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "external-dns.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "external-dns.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "external-dns.labels" -}}
+helm.sh/chart: {{ include "external-dns.chart" . }}
+{{ include "external-dns.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "external-dns.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-dns.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-dns.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "external-dns.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The image to use
+*/}}
+{{- define "external-dns.image" -}}
+{{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }}
+{{- end }}
+
+{{/*
+Provider name, Keeps backward compatibility on provider
+*/}}
+{{- define "external-dns.providerName" -}}
+{{- if eq (typeOf .Values.provider) "string" }}
+{{- .Values.provider }}
+{{- else }}
+{{- .Values.provider.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The image to use for optional webhook sidecar
+*/}}
+{{- define "external-dns.webhookImage" -}}
+{{- with .image }}
+{{- if or (empty .repository) (empty .tag) }}
+{{- fail "ERROR: webhook provider needs an image repository and a tag" }}
+{{- end }}
+{{- printf "%s:%s" .repository .tag }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/clusterrole.yaml

@@ -0,0 +1,127 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
+metadata:
+  name: {{ template "external-dns.fullname" . }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+rules:
+{{- if and (not .Values.namespaced) (or (has "node" .Values.sources) (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources)) }}
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list","watch"]
+{{- end }}
+{{- if or (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: [""]
+    resources: ["services","endpoints"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "ingress" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+  - apiGroups: ["extensions","networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if or (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) }}
+  - apiGroups: ["networking.istio.io"]
+    resources: ["gateways"]
+    verbs: ["get","watch","list"]
+{{- end }}
+
+{{- if has "istio-virtualservice" .Values.sources }}
+  - apiGroups: ["networking.istio.io"]
+    resources: ["virtualservices"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "ambassador-host" .Values.sources }}
+  - apiGroups: ["getambassador.io"]
+    resources: ["hosts","ingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "contour-httpproxy" .Values.sources }}
+  - apiGroups: ["projectcontour.io"]
+    resources: ["httpproxies"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "crd" .Values.sources }}
+  - apiGroups: ["externaldns.k8s.io"]
+    resources: ["dnsendpoints"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["externaldns.k8s.io"]
+    resources: ["dnsendpoints/status"]
+    verbs: ["*"]
+{{- end }}
+{{- if or (has "gateway-httproute" .Values.sources) (has "gateway-grpcroute" .Values.sources) (has "gateway-tlsroute" .Values.sources) (has "gateway-tcproute" .Values.sources) (has "gateway-udproute" .Values.sources) }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways"]
+    verbs: ["get","watch","list"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get","watch","list"]    
+{{- end }}
+{{- if has "gateway-httproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-grpcroute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["grpcroutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-tlsroute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["tlsroutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-tcproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["tcproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gateway-udproute" .Values.sources }}
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["udproutes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "gloo-proxy" .Values.sources }}
+  - apiGroups: ["gloo.solo.io","gateway.solo.io"]
+    resources: ["proxies","virtualservices"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "kong-tcpingress" .Values.sources }}
+  - apiGroups: ["configuration.konghq.com"]
+    resources: ["tcpingresses"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "traefik-proxy" .Values.sources }}
+  - apiGroups: ["traefik.containo.us", "traefik.io"]
+    resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "openshift-route" .Values.sources }}
+  - apiGroups: ["route.openshift.io"]
+    resources: ["routes"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- if has "skipper-routegroup" .Values.sources }}
+  - apiGroups: ["zalando.org"]
+    resources: ["routegroups"]
+    verbs: ["get","watch","list"]
+  - apiGroups: ["zalando.org"]
+    resources: ["routegroups/status"]
+    verbs: ["patch","update"]
+{{- end }}
+{{- if has "f5-virtualserver" .Values.sources }}
+  - apiGroups: ["cis.f5.com"]
+    resources: ["virtualservers"]
+    verbs: ["get","watch","list"]
+{{- end }}
+{{- with .Values.rbac.additionalPermissions }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+metadata:
+  name: {{ printf "%s-viewer" (include "external-dns.fullname" .) }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ template "external-dns.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "external-dns.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/deployment.yaml

@@ -0,0 +1,209 @@
+{{- $providerName := tpl (include "external-dns.providerName" .) $ }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "external-dns.selectorLabels" . | nindent 6 }}
+  strategy:
+    {{- toYaml .Values.deploymentStrategy | nindent 4 }}
+  {{- if not (has (quote .Values.revisionHistoryLimit) (list "" (quote ""))) }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit | int64 }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        {{- include "external-dns.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.secretConfiguration.enabled .Values.podAnnotations }}
+      annotations:
+        {{- if .Values.secretConfiguration.enabled }}
+        checksum/secret: {{ tpl (toYaml .Values.secretConfiguration.data) . | sha256sum }}
+        {{- end }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+    spec:
+    {{- if not (quote .Values.automountServiceAccountToken | empty) }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+    {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-dns.serviceAccountName" . }}
+      {{- with .Values.shareProcessNamespace }}
+      shareProcessNamespace: {{ . }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.priorityClassName }}
+      priorityClassName: {{ . | quote }}
+      {{- end }}
+      {{- with .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
+      {{- with .Values.dnsPolicy }}
+      dnsPolicy: {{ . }}
+      {{- end }}
+      {{- with .Values.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      {{- with .Values.extraContainers }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+        - name: external-dns
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: {{ include "external-dns.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          args:
+            - --log-level={{ .Values.logLevel }}
+            - --log-format={{ .Values.logFormat }}
+            - --interval={{ .Values.interval }}
+            {{- if .Values.triggerLoopOnEvent }}
+            - --events
+            {{- end }}
+            {{- range .Values.sources }}
+            - --source={{ . }}
+            {{- end }}
+            - --policy={{ .Values.policy }}
+            - --registry={{ .Values.registry }}
+            {{- if .Values.txtOwnerId }}
+            - --txt-owner-id={{ .Values.txtOwnerId }}
+            {{- end }}
+            {{- if .Values.txtPrefix }}
+            - --txt-prefix={{ .Values.txtPrefix }}
+            {{- end }}
+            {{- if and (eq .Values.txtPrefix "") (ne .Values.txtSuffix "") }}
+            - --txt-suffix={{ .Values.txtSuffix }}
+            {{- end }}
+            {{- if .Values.namespaced }}
+            - --namespace={{ .Release.Namespace }}
+            {{- end }}
+            {{- range .Values.domainFilters }}
+            - --domain-filter={{ . }}
+            {{- end }}
+            {{- range .Values.excludeDomains }}
+            - --exclude-domains={{ . }}
+            {{- end }}
+            - --provider={{ $providerName }}
+          {{- range .Values.extraArgs }}
+            - {{ tpl . $ }}
+          {{- end }}
+          ports:
+            - name: http
+              protocol: TCP
+              containerPort: 7979
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          {{- if or .Values.secretConfiguration.enabled .Values.extraVolumeMounts }}
+          volumeMounts:
+            {{- if .Values.secretConfiguration.enabled }}
+            - name: secrets
+              mountPath: {{ tpl .Values.secretConfiguration.mountPath $ }}
+            {{- with .Values.secretConfiguration.subPath }}
+              subPath: {{ tpl . $ }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- if eq $providerName "webhook" }}
+        {{- with .Values.provider.webhook }}
+        - name: webhook
+          image: {{ include "external-dns.webhookImage" . }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http-webhook
+              protocol: TCP
+              containerPort: 8080
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          {{- if .extraVolumeMounts }}
+          volumeMounts:
+            {{- with .extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- with .resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- end }}
+      {{- if or .Values.secretConfiguration.enabled .Values.extraVolumes }}
+      volumes:
+        {{- if .Values.secretConfiguration.enabled }}
+        - name: secrets
+          secret:
+            secretName: {{ include "external-dns.fullname" . }}
+        {{- end }}
+        {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

packages/system/external-dns/charts/external-dns/templates/secret.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.secretConfiguration.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+data:
+{{- range $key, $value := .Values.secretConfiguration.data }}
+  {{ $key }}: {{ tpl $value $ | b64enc | quote }}
+{{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/service.yaml

@@ -0,0 +1,36 @@
+{{- $providerName := include "external-dns.providerName" . }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- with .Values.service.ipFamilies }}
+  ipFamilies:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.service.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ . }}
+{{- end }}
+  type: ClusterIP
+  selector:
+    {{- include "external-dns.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: http
+      port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+    {{- if eq $providerName "webhook" }}
+    {{- with .Values.provider.webhook.service }}
+    - name: http-webhook
+      port: {{ .port }}
+      targetPort: http-webhook
+      protocol: TCP
+    {{- end }}
+    {{- end }}

packages/system/external-dns/charts/external-dns/templates/serviceaccount.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-dns.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}

packages/system/external-dns/charts/external-dns/templates/servicemonitor.yaml

@@ -0,0 +1,86 @@
+{{- if .Values.serviceMonitor.enabled -}}
+{{- $providerName := include "external-dns.providerName" . }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "external-dns.fullname" . }}
+  namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
+  {{- with .Values.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "external-dns.labels" . | nindent 4 }}
+  {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  jobLabel: app.kubernetes.io/instance
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "external-dns.selectorLabels" . | nindent 6 }}
+  endpoints:
+    - port: http
+      path: /metrics
+      {{- with .Values.serviceMonitor.interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.tlsConfig }}
+      tlsConfig:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- if eq $providerName "webhook" }}
+    {{- with .Values.provider.webhook.serviceMonitor }}
+    - port: http-webhook
+      path: /metrics
+      {{- with .interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+      {{- end }}
+      {{- with .tlsConfig }}
+      tlsConfig:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
+      {{- with .scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- end }}
+  {{- with .Values.serviceMonitor.targetLabels }}
+  targetLabels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

packages/system/external-dns/charts/external-dns/values.schema.json

@@ -0,0 +1,91 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "type": "object",
+  "properties": {
+    "provider": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "object",
+          "properties": {
+            "name": {
+              "type": "string"
+            }
+          }
+        }
+      ]
+    },
+    "extraArgs": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "secretConfiguration": {
+      "$comment": "This value is DEPRECATED as secrets should be configured external to the chart and exposed to the container via extraVolumes & extraVolumeMounts.",
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "mountPath": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "subPath": {
+          "type": [
+            "string",
+            "null"
+          ]
+        },
+        "data": {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    },
+    "service": {
+      "type": "object",
+      "properties": {
+        "annotations": {
+          "type": "object"
+        },
+        "ipFamilies": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": [
+              "IPv6",
+              "IPv4"
+            ]
+          }
+        },
+        "ipFamilyPolicy": {
+          "type": [
+            "string",
+            "null"
+          ],
+          "items": {
+            "type": "string",
+            "enum": [
+              "SingleStack",
+              "PreferDualStack",
+              "RequireDualStack"
+            ]
+          }
+        },
+        "port": {
+          "type": "integer"
+        }
+      }
+    }
+  }
+}

packages/system/external-dns/charts/external-dns/values.yaml

@@ -0,0 +1,297 @@
+# Default values for external-dns.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  # -- Image repository for the `external-dns` container.
+  repository: registry.k8s.io/external-dns/external-dns
+  # -- (string) Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set.
+  tag:
+  # -- Image pull policy for the `external-dns` container.
+  pullPolicy: IfNotPresent
+
+# -- Image pull secrets.
+imagePullSecrets: []
+
+# -- (string) Override the name of the chart.
+nameOverride:
+
+# -- (string) Override the full name of the chart.
+fullnameOverride:
+
+# -- Labels to add to all chart resources.
+commonLabels: {}
+
+serviceAccount:
+  # -- If `true`, create a new `ServiceAccount`.
+  create: true
+  # -- Labels to add to the service account.
+  labels: {}
+  # -- Annotations to add to the service account.
+  annotations: {}
+  # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
+  name:
+  # -- Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`.
+  automountServiceAccountToken:
+
+service:
+  # -- Service annotations.
+  annotations: {}
+  # -- Service HTTP port.
+  port: 7979
+  # -- Service IP families.
+  ipFamilies: []
+  # -- (string) Service IP family policy.
+  ipFamilyPolicy:
+
+rbac:
+  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
+  create: true
+  # -- Additional rules to add to the `ClusterRole`.
+  additionalPermissions: []
+
+# -- Annotations to add to the `Deployment`.
+deploymentAnnotations: {}
+
+# -- Extra containers to add to the `Deployment`.
+extraContainers: {}
+
+# -- [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
+deploymentStrategy:
+  type: Recreate
+
+# -- (int) Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment``.
+revisionHistoryLimit:
+
+# -- Labels to add to the `Pod`.
+podLabels: {}
+
+# -- Annotations to add to the `Pod`.
+podAnnotations: {}
+
+# -- (bool) Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`.
+automountServiceAccountToken:
+
+# -- If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled.
+shareProcessNamespace: false
+
+# -- [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation.
+# @default -- See _values.yaml_
+podSecurityContext:
+  runAsNonRoot: true
+  fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- (string) Priority class name for the `Pod`.
+priorityClassName:
+
+# -- (int) Termination grace period for the `Pod` in seconds.
+terminationGracePeriodSeconds:
+
+# -- (string) [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used.
+dnsPolicy:
+
+# -- (object) [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used.
+dnsConfig:
+
+# -- [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition.
+initContainers: []
+
+# -- [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container.
+# @default -- See _values.yaml_
+securityContext:
+  privileged: false
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  capabilities:
+    drop: ["ALL"]
+
+# -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container.
+env: []
+
+# -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+# @default -- See _values.yaml_
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 2
+  successThreshold: 1
+
+# -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+# @default -- See _values.yaml_
+readinessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 5
+  failureThreshold: 6
+  successThreshold: 1
+
+# -- Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`.
+extraVolumes: []
+
+# -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container.
+extraVolumeMounts: []
+
+# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container.
+resources: {}
+
+# -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+nodeSelector: {}
+
+# -- Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels.
+affinity: {}
+
+# -- Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels.
+topologySpreadConstraints: []
+
+# -- Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+tolerations: []
+
+serviceMonitor:
+  # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_.
+  enabled: false
+  # -- Additional labels for the `ServiceMonitor`.
+  additionalLabels: {}
+  # -- Annotations to add to the `ServiceMonitor`.
+  annotations: {}
+  # -- (string) If set create the `ServiceMonitor` in an alternate namespace.
+  namespace:
+  # -- (string) If set override the _Prometheus_ default interval.
+  interval:
+  # -- (string) If set override the _Prometheus_ default scrape timeout.
+  scrapeTimeout:
+  # -- (string) If set overrides the _Prometheus_ default scheme.
+  scheme:
+  # -- Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig).
+  tlsConfig: {}
+  # -- (string) Provide a bearer token file for the `ServiceMonitor`.
+  bearerTokenFile:
+  # -- [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion.
+  relabelings: []
+  # -- [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion.
+  metricRelabelings: []
+  # -- Provide target labels for the `ServiceMonitor`.
+  targetLabels: []
+
+# -- Log level.
+logLevel: info
+
+# -- Log format.
+logFormat: text
+
+# -- Interval for DNS updates.
+interval: 1m
+
+# -- If `true`, triggers run loop on create/update/delete events in addition of regular interval.
+triggerLoopOnEvent: false
+
+# -- if `true`, _ExternalDNS_ will run in a namespaced scope (`Role`` and `Rolebinding`` will be namespaced too).
+namespaced: false
+
+# -- _Kubernetes_ resources to monitor for DNS entries.
+sources:
+  - service
+  - ingress
+
+# -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
+policy: upsert-only
+
+# -- Specify the registry for storing ownership and labels.
+# Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
+registry: txt
+# -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
+txtOwnerId:
+# -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
+# Mutually exclusive with `txtSuffix`.
+txtPrefix:
+# -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
+# Mutually exclusive with `txtPrefix`.
+txtSuffix:
+
+## - Limit possible target zones by domain suffixes.
+domainFilters: []
+
+## -- Intentionally exclude domains from being managed.
+excludeDomains: []
+
+provider:
+  # -- _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers).
+  name: aws
+  webhook:
+    image:
+      # -- (string) Image repository for the `webhook` container.
+      repository:
+      # -- (string) Image tag for the `webhook` container.
+      tag:
+      # -- Image pull policy for the `webhook` container.
+      pullPolicy: IfNotPresent
+    # -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container.
+    env: []
+    # -- Extra arguments to provide for the `webhook` container.
+    args: []
+    # -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container.
+    extraVolumeMounts: []
+    # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container.
+    resources: {}
+    # -- [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container.
+    # @default -- See _values.yaml_
+    securityContext: {}
+    # -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
+    # @default -- See _values.yaml_
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: http-webhook
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 2
+      successThreshold: 1
+    # -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container.
+    # @default -- See _values.yaml_
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: http-webhook
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 6
+      successThreshold: 1
+    service:
+      # -- Webhook exposed HTTP port for the service.
+      port: 8080
+    # -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container.
+    # @default -- See _values.yaml_
+    serviceMonitor:
+      interval:
+      scheme:
+      tlsConfig: {}
+      bearerTokenFile:
+      scrapeTimeout:
+      metricRelabelings: []
+      relabelings: []
+
+# -- Extra arguments to provide to _ExternalDNS_.
+extraArgs: []
+
+secretConfiguration:
+  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
+  enabled: false
+  # -- Mount path for the `Secret`, this can be templated.
+  mountPath:
+  # -- Sub-path for mounting the `Secret`, this can be templated.
+  subPath:
+  # -- `Secret` data.
+  data: {}

packages/system/external-dns/values.yaml

@@ -0,0 +1,23 @@
+external-dns:
+    # -- How DNS records are synchronized between sources and providers; available values are `sync` & `upsert-only`.
+  policy: upsert-only
+  # -- Specify the registry for storing ownership and labels.
+  # Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
+  registry: txt
+  # -- (string) Specify an identifier for this instance of _ExternalDNS_ wWhen using a registry other than `noop`.
+  txtOwnerId:
+  # -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
+  # Mutually exclusive with `txtSuffix`.
+  txtPrefix:
+  # -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
+  # Mutually exclusive with `txtPrefix`.
+  txtSuffix:
+
+    ## - Limit possible target zones by domain suffixes.
+  domainFilters: []
+  ## -- Intentionally exclude domains from being managed.
+  excludeDomains: []
+
+  # -- Specify the DNS provider (e.g., "aws", "google", "azure", etc.)
+  provider:
+    name: ""