From 8de0c392482d7e4f54f9db37609fcfa00ea0fcb2 Mon Sep 17 00:00:00 2001
From: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Date: Mon, 30 Dec 2024 13:21:54 +0000
Subject: [PATCH] chore(docs): docs/flags.md generation

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
---
 docs/flags.md                 | 170 ++++++++++++++++++++++++++++++++++
 internal/gen/main.go          | 100 ++++++++++++++++++++
 internal/gen/main_test.go     |  74 +++++++++++++++
 pkg/apis/externaldns/types.go |  18 ++--
 4 files changed, 356 insertions(+), 6 deletions(-)
 create mode 100644 docs/flags.md
 create mode 100644 internal/gen/main.go
 create mode 100644 internal/gen/main_test.go

diff --git a/docs/flags.md b/docs/flags.md
new file mode 100644
index 000000000..514a78172
--- /dev/null
+++ b/docs/flags.md
@@ -0,0 +1,170 @@
+
+# Flags
+
+<!-- THIS FILE MUST NOT BE EDITED BY HAND -->
+<!-- ON NEW FLAG ADDED PLEASE RUN go .... -->
+
+| Flag | Description  |
+| :------ | :----------- |
+| `--[no-]version` | Show application version. |
+| `--server=""` | The Kubernetes API server to connect to (default: auto-detect) |
+| `--kubeconfig=""` | Retrieve target cluster configuration from a Kubernetes configuration file (default: auto-detect) |
+| `--request-timeout=30s` | Request timeout when calling Kubernetes APIs. 0s means no timeout |
+| `--[no-]resolve-service-load-balancer-hostname` | Resolve the hostname of LoadBalancer-type Service object to IP addresses in order to create DNS A/AAAA records instead of CNAMEs |
+| `--cf-api-endpoint=""` | The fully-qualified domain name of the cloud foundry instance you are targeting |
+| `--cf-username=""` | The username to log into the cloud foundry API |
+| `--cf-password=""` | The password to log into the cloud foundry API |
+| `--gloo-namespace=gloo-system` | The Gloo Proxy namespace; specify multiple times for multiple namespaces. (default: gloo-system) |
+| `--skipper-routegroup-groupversion="zalando.org/v1"` | The resource version for skipper routegroup |
+| `--source=source` | The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, traefik-proxy) |
+| `--openshift-router-name=OPENSHIFT-ROUTER-NAME` | if source is openshift-route then you can pass the ingress controller name. Based on this name external-dns will select the respective router from the route status and map that routerCanonicalHostname to the route host while creating a CNAME record. |
+| `--namespace=""` | Limit resources queried for endpoints to a specific namespace (default: all namespaces) |
+| `--annotation-filter=""` | Filter resources queried for endpoints by annotation, using label selector semantics |
+| `--label-filter=""` | Filter resources queried for endpoints by label selector; currently supported by source types crd, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, ingress, node, openshift-route, service and ambassador-host |
+| `--ingress-class=INGRESS-CLASS` | Require an Ingress to have this class name (defaults to any class; specify multiple times to allow more than one class) |
+| `--fqdn-template=""` | A templated string that's used to generate DNS names from sources that don't define a hostname themselves, or to add a hostname suffix when paired with the fake source (optional). Accepts comma separated list for multiple global FQDN. |
+| `--[no-]combine-fqdn-annotation` | Combine FQDN template and Annotations instead of overwriting |
+| `--[no-]ignore-hostname-annotation` | Ignore hostname annotation when generating DNS names, valid only when --fqdn-template is set (default: false) |
+| `--[no-]ignore-ingress-tls-spec` | Ignore the spec.tls section in Ingress resources (default: false) |
+| `--gateway-namespace=GATEWAY-NAMESPACE` | Limit Gateways of Route endpoints to a specific namespace (default: all namespaces) |
+| `--gateway-label-filter=GATEWAY-LABEL-FILTER` | Filter Gateways of Route endpoints via label selector (default: all gateways) |
+| `--compatibility=` | Process annotation semantics from legacy implementations (optional, options: mate, molecule, kops-dns-controller) |
+| `--[no-]ignore-ingress-rules-spec` | Ignore the spec.rules section in Ingress resources (default: false) |
+| `--[no-]publish-internal-services` | Allow external-dns to publish DNS records for ClusterIP services (optional) |
+| `--[no-]publish-host-ip` | Allow external-dns to publish host-ip for headless services (optional) |
+| `--[no-]always-publish-not-ready-addresses` | Always publish also not ready addresses for headless services (optional) |
+| `--connector-source-server="localhost:8080"` | The server to connect for connector source, valid only when using connector source |
+| `--crd-source-apiversion="externaldns.k8s.io/v1alpha1"` | API version of the CRD for crd source, e.g. `externaldns.k8s.io/v1alpha1`, valid only when using crd source |
+| `--crd-source-kind="DNSEndpoint"` | Kind of the CRD for the crd source in API group and version specified by crd-source-apiversion |
+| `--service-type-filter=SERVICE-TYPE-FILTER` | The service types to take care about (default: all, expected: ClusterIP, NodePort, LoadBalancer or ExternalName) |
+| `--managed-record-types=A...` | Record types to manage; specify multiple times to include many; (default: A, AAAA, CNAME) (supported records: A, AAAA, CNAME, NS, SRV, TXT) |
+| `--exclude-record-types=EXCLUDE-RECORD-TYPES` | Record types to exclude from management; specify multiple times to exclude many; (optional) |
+| `--default-targets=DEFAULT-TARGETS` | Set globally default host/IP that will apply as a target instead of source addresses. Specify multiple times for multiple targets (optional) |
+| `--target-net-filter=TARGET-NET-FILTER` | Limit possible targets by a net filter; specify multiple times for multiple possible nets (optional) |
+| `--exclude-target-net=EXCLUDE-TARGET-NET` | Exclude target nets (optional) |
+| `--[no-]traefik-disable-legacy` | Disable listeners on Resources under the traefik.containo.us API Group |
+| `--[no-]traefik-disable-new` | Disable listeners on Resources under the traefik.io API Group |
+| `--nat64-networks=NAT64-NETWORKS` | Adding an A record for each AAAA record in NAT64-enabled networks; specify multiple times for multiple possible nets (optional) |
+| `--provider=provider` | The DNS provider where the DNS records will be created (required, options: akamai, alibabacloud, aws, aws-sd, azure, azure-dns, azure-private-dns, civo, cloudflare, coredns, designate, digitalocean, dnsimple, exoscale, gandi, godaddy, google, ibmcloud, inmemory, linode, ns1, oci, ovh, pdns, pihole, plural, rfc2136, scaleway, skydns, tencentcloud, transip, ultradns, webhook) |
+| `--provider-cache-time=0s` | The time to cache the DNS provider record list requests. |
+| `--domain-filter=` | Limit possible target zones by a domain suffix; specify multiple times for multiple domains (optional) |
+| `--exclude-domains=` | Exclude subdomains (optional) |
+| `--regex-domain-filter=` | Limit possible domains and target zones by a Regex filter; Overrides domain-filter (optional) |
+| `--regex-domain-exclusion=` | Regex filter that excludes domains and target zones matched by regex-domain-filter (optional) |
+| `--zone-name-filter=` | Filter target zones by zone domain (For now, only AzureDNS provider is using this flag); specify multiple times for multiple zones (optional) |
+| `--zone-id-filter=` | Filter target zones by hosted zone id; specify multiple times for multiple zones (optional) |
+| `--google-project=""` | When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP. |
+| `--google-batch-change-size=1000` | When using the Google provider, set the maximum number of changes that will be applied in each batch. |
+| `--google-batch-change-interval=1s` | When using the Google provider, set the interval between batch changes. |
+| `--google-zone-visibility=` | When using the Google provider, filter for zones with this visibility (optional, options: public, private) |
+| `--alibaba-cloud-config-file="/etc/kubernetes/alibaba-cloud.json"` | When using the Alibaba Cloud provider, specify the Alibaba Cloud configuration file (required when --provider=alibabacloud) |
+| `--alibaba-cloud-zone-type=` | When using the Alibaba Cloud provider, filter for zones of this type (optional, options: public, private) |
+| `--aws-zone-type=` | When using the AWS provider, filter for zones of this type (optional, options: public, private) |
+| `--aws-zone-tags=` | When using the AWS provider, filter for zones with these tags |
+| `--aws-profile=` | When using the AWS provider, name of the profile to use |
+| `--aws-assume-role=""` | When using the AWS API, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. `arn:aws:iam::123455567:role/external-dns` (optional) |
+| `--aws-assume-role-external-id=""` | When using the AWS API and assuming a role then specify this external ID` (optional) |
+| `--aws-batch-change-size=1000` | When using the AWS provider, set the maximum number of changes that will be applied in each batch. |
+| `--aws-batch-change-size-bytes=32000` | When using the AWS provider, set the maximum byte size that will be applied in each batch. |
+| `--aws-batch-change-size-values=1000` | When using the AWS provider, set the maximum total record values that will be applied in each batch. |
+| `--aws-batch-change-interval=1s` | When using the AWS provider, set the interval between batch changes. |
+| `--[no-]aws-evaluate-target-health` | When using the AWS provider, set whether to evaluate the health of a DNS target (default: enabled, disable with --no-aws-evaluate-target-health) |
+| `--aws-api-retries=3` | When using the AWS API, set the maximum number of retries before giving up. |
+| `--[no-]aws-prefer-cname` | When using the AWS provider, prefer using CNAME instead of ALIAS (default: disabled) |
+| `--aws-zones-cache-duration=0s` | When using the AWS provider, set the zones list cache TTL (0s to disable). |
+| `--[no-]aws-zone-match-parent` | Expand limit possible target by sub-domains (default: disabled) |
+| `--[no-]aws-sd-service-cleanup` | When using the AWS CloudMap provider, delete empty Services without endpoints (default: disabled) |
+| `--aws-sd-create-tag=AWS-SD-CREATE-TAG` | When using the AWS CloudMap provider, add tag to created services. The flag can be used multiple times |
+| `--azure-config-file="/etc/kubernetes/azure.json"` | When using the Azure provider, specify the Azure configuration file (required when --provider=azure) |
+| `--azure-resource-group=""` | When using the Azure provider, override the Azure resource group to use (optional) |
+| `--azure-subscription-id=""` | When using the Azure provider, override the Azure subscription to use (optional) |
+| `--azure-user-assigned-identity-client-id=""` | When using the Azure provider, override the client id of user assigned identity in config file (optional) |
+| `--azure-zones-cache-duration=0s` | When using the Azure provider, set the zones list cache TTL (0s to disable). |
+| `--tencent-cloud-config-file="/etc/kubernetes/tencent-cloud.json"` | When using the Tencent Cloud provider, specify the Tencent Cloud configuration file (required when --provider=tencentcloud) |
+| `--tencent-cloud-zone-type=` | When using the Tencent Cloud provider, filter for zones with visibility (optional, options: public, private) |
+| `--[no-]cloudflare-proxied` | When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled) |
+| `--cloudflare-dns-records-per-page=100` | When using the Cloudflare provider, specify how many DNS records listed per page, max possible 5,000 (default: 100) |
+| `--cloudflare-region-key=CLOUDFLARE-REGION-KEY` | When using the Cloudflare provider, specify the region (default: earth) |
+| `--coredns-prefix="/skydns/"` | When using the CoreDNS provider, specify the prefix name |
+| `--akamai-serviceconsumerdomain=""` | When using the Akamai provider, specify the base URL (required when --provider=akamai and edgerc-path not specified) |
+| `--akamai-client-token=""` | When using the Akamai provider, specify the client token (required when --provider=akamai and edgerc-path not specified) |
+| `--akamai-client-secret=""` | When using the Akamai provider, specify the client secret (required when --provider=akamai and edgerc-path not specified) |
+| `--akamai-access-token=""` | When using the Akamai provider, specify the access token (required when --provider=akamai and edgerc-path not specified) |
+| `--akamai-edgerc-path=""` | When using the Akamai provider, specify the .edgerc file path. Path must be reachable form invocation environment. (required when --provider=akamai and *-token, secret serviceconsumerdomain not specified) |
+| `--akamai-edgerc-section=""` | When using the Akamai provider, specify the .edgerc file path (Optional when edgerc-path is specified) |
+| `--oci-config-file="/etc/kubernetes/oci.yaml"` | When using the OCI provider, specify the OCI configuration file (required when --provider=oci |
+| `--oci-compartment-ocid=OCI-COMPARTMENT-OCID` | When using the OCI provider, specify the OCID of the OCI compartment containing all managed zones and records.  Required when using OCI IAM instance principal authentication. |
+| `--oci-zone-scope=GLOBAL` | When using OCI provider, filter for zones with this scope (optional, options: GLOBAL, PRIVATE). Defaults to GLOBAL, setting to empty value will target both. |
+| `--[no-]oci-auth-instance-principal` | When using the OCI provider, specify whether OCI IAM instance principal authentication should be used (instead of key-based auth via the OCI config file). |
+| `--oci-zones-cache-duration=0s` | When using the OCI provider, set the zones list cache TTL (0s to disable). |
+| `--inmemory-zone=` | Provide a list of pre-configured zones for the inmemory provider; specify multiple times for multiple zones (optional) |
+| `--ovh-endpoint="ovh-eu"` | When using the OVH provider, specify the endpoint (default: ovh-eu) |
+| `--ovh-api-rate-limit=20` | When using the OVH provider, specify the API request rate limit, X operations by seconds (default: 20) |
+| `--pdns-server="http://localhost:8081"` | When using the PowerDNS/PDNS provider, specify the URL to the pdns server (required when --provider=pdns) |
+| `--pdns-server-id="localhost"` | When using the PowerDNS/PDNS provider, specify the id of the server to retrieve. Should be `localhost` except when the server is behind a proxy (optional when --provider=pdns) (default: localhost) |
+| `--pdns-api-key=""` | When using the PowerDNS/PDNS provider, specify the API key to use to authorize requests (required when --provider=pdns) |
+| `--[no-]pdns-skip-tls-verify` | When using the PowerDNS/PDNS provider, disable verification of any TLS certificates (optional when --provider=pdns) (default: false) |
+| `--ns1-endpoint=""` | When using the NS1 provider, specify the URL of the API endpoint to target (default: https://api.nsone.net/v1/) |
+| `--[no-]ns1-ignoressl` | When using the NS1 provider, specify whether to verify the SSL certificate (default: false) |
+| `--ns1-min-ttl=NS1-MIN-TTL` | Minimal TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is lower than this. |
+| `--digitalocean-api-page-size=50` | Configure the page size used when querying the DigitalOcean API. |
+| `--ibmcloud-config-file="/etc/kubernetes/ibmcloud.json"` | When using the IBM Cloud provider, specify the IBM Cloud configuration file (required when --provider=ibmcloud |
+| `--[no-]ibmcloud-proxied` | When using the IBM provider, specify if the proxy mode must be enabled (default: disabled) |
+| `--godaddy-api-key=""` | When using the GoDaddy provider, specify the API Key (required when --provider=godaddy) |
+| `--godaddy-api-secret=""` | When using the GoDaddy provider, specify the API secret (required when --provider=godaddy) |
+| `--godaddy-api-ttl=GODADDY-API-TTL` | TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is not provided. |
+| `--[no-]godaddy-api-ote` | When using the GoDaddy provider, use OTE api (optional, default: false, when --provider=godaddy) |
+| `--tls-ca=""` | When using TLS communication, the path to the certificate authority to verify server communications (optionally specify --tls-client-cert for two-way TLS) |
+| `--tls-client-cert=""` | When using TLS communication, the path to the certificate to present as a client (not required for TLS) |
+| `--tls-client-cert-key=""` | When using TLS communication, the path to the certificate key to use with the client certificate (not required for TLS) |
+| `--exoscale-apienv="api"` | When using Exoscale provider, specify the API environment (optional) |
+| `--exoscale-apizone="ch-gva-2"` | When using Exoscale provider, specify the API Zone (optional) |
+| `--exoscale-apikey=""` | Provide your API Key for the Exoscale provider |
+| `--exoscale-apisecret=""` | Provide your API Secret for the Exoscale provider |
+| `--rfc2136-host=""` | When using the RFC2136 provider, specify the host of the DNS server |
+| `--rfc2136-port=0` | When using the RFC2136 provider, specify the port of the DNS server |
+| `--rfc2136-zone=RFC2136-ZONE` | When using the RFC2136 provider, specify zone entries of the DNS server to use |
+| `--[no-]rfc2136-create-ptr` | When using the RFC2136 provider, enable PTR management |
+| `--[no-]rfc2136-insecure` | When using the RFC2136 provider, specify whether to attach TSIG or not (default: false, requires --rfc2136-tsig-keyname and rfc2136-tsig-secret) |
+| `--rfc2136-tsig-keyname=""` | When using the RFC2136 provider, specify the TSIG key to attached to DNS messages (required when --rfc2136-insecure=false) |
+| `--rfc2136-tsig-secret=""` | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
+| `--rfc2136-tsig-secret-alg=""` | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
+| `--[no-]rfc2136-tsig-axfr` | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
+| `--rfc2136-min-ttl=0s` | When using the RFC2136 provider, specify minimal TTL (in duration format) for records. This value will be used if the provided TTL for a service/ingress is lower than this |
+| `--[no-]rfc2136-gss-tsig` | When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password) |
+| `--rfc2136-kerberos-username=""` | When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
+| `--rfc2136-kerberos-password=""` | When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
+| `--rfc2136-kerberos-realm=""` | When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
+| `--rfc2136-batch-change-size=50` | When using the RFC2136 provider, set the maximum number of changes that will be applied in each batch. |
+| `--[no-]rfc2136-use-tls` | When using the RFC2136 provider, communicate with name server over tls |
+| `--[no-]rfc2136-skip-tls-verify` | When using TLS with the RFC2136 provider, disable verification of any TLS certificates |
+| `--transip-account=""` | When using the TransIP provider, specify the account name (required when --provider=transip) |
+| `--transip-keyfile=""` | When using the TransIP provider, specify the path to the private key file (required when --provider=transip) |
+| `--pihole-server=""` | When using the Pihole provider, the base URL of the Pihole web server (required when --provider=pihole) |
+| `--pihole-password=""` | When using the Pihole provider, the password to the server if it is protected |
+| `--[no-]pihole-tls-skip-verify` | When using the Pihole provider, disable verification of any TLS certificates |
+| `--plural-cluster=""` | When using the plural provider, specify the cluster name you're running with |
+| `--plural-provider=""` | When using the plural provider, specify the provider name you're running with |
+| `--policy=sync` | Modify how DNS records are synchronized between sources and providers (default: sync, options: sync, upsert-only, create-only) |
+| `--registry=txt` | The registry implementation to use to keep track of DNS record ownership (default: txt, options: txt, noop, dynamodb, aws-sd) |
+| `--txt-owner-id="default"` | When using the TXT or DynamoDB registry, a name that identifies this instance of ExternalDNS (default: default) |
+| `--txt-prefix=""` | When using the TXT registry, a custom string that's prefixed to each ownership DNS record (optional). Could contain record type template like '%{record_type}-prefix-'. Mutual exclusive with txt-suffix! |
+| `--txt-suffix=""` | When using the TXT registry, a custom string that's suffixed to the host portion of each ownership DNS record (optional). Could contain record type template like '-%{record_type}-suffix'. Mutual exclusive with txt-prefix! |
+| `--txt-wildcard-replacement=""` | When using the TXT registry, a custom string that's used instead of an asterisk for TXT records corresponding to wildcard DNS records (optional) |
+| `--[no-]txt-encrypt-enabled` | When using the TXT registry, set if TXT records should be encrypted before stored (default: disabled) |
+| `--txt-encrypt-aes-key=""` | When using the TXT registry, set TXT record decryption and encryption 32 byte aes key (required when --txt-encrypt=true) |
+| `--dynamodb-region=""` | When using the DynamoDB registry, the AWS region of the DynamoDB table (optional) |
+| `--dynamodb-table="external-dns"` | When using the DynamoDB registry, the name of the DynamoDB table (default: "external-dns") |
+| `--txt-cache-interval=0s` | The interval between cache synchronizations in duration format (default: disabled) |
+| `--interval=1m0s` | The interval between two consecutive synchronizations in duration format (default: 1m) |
+| `--min-event-sync-interval=5s` | The minimum interval between two consecutive synchronizations triggered from kubernetes events in duration format (default: 5s) |
+| `--[no-]once` | When enabled, exits the synchronization loop after the first iteration (default: disabled) |
+| `--[no-]dry-run` | When enabled, prints DNS record changes rather than actually performing them (default: disabled) |
+| `--[no-]events` | When enabled, in addition to running every interval, the reconciliation loop will get triggered when supported sources change (default: disabled) |
+| `--log-format=text` | The format in which log messages are printed (default: text, options: text, json) |
+| `--metrics-address=":7979"` | Specify where to serve the metrics and health check endpoint (default: :7979) |
+| `--log-level=info` | Set the level of logging. (default: info, options: panic, debug, info, warning, error, fatal) |
+| `--webhook-provider-url="http://localhost:8888"` | The URL of the remote endpoint to call for the webhook provider (default: http://localhost:8888) |
+| `--webhook-provider-read-timeout=5s` | The read timeout for the webhook provider in duration format (default: 5s) |
+| `--webhook-provider-write-timeout=10s` | The write timeout for the webhook provider in duration format (default: 10s) |
+| `--[no-]webhook-server` | When enabled, runs as a webhook server instead of a controller. (default: false). |
\ No newline at end of file
diff --git a/internal/gen/main.go b/internal/gen/main.go
new file mode 100644
index 000000000..0a2b20758
--- /dev/null
+++ b/internal/gen/main.go
@@ -0,0 +1,100 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"strings"
+	"text/template"
+
+	cfg "sigs.k8s.io/external-dns/pkg/apis/externaldns"
+)
+
+type Flag struct {
+	Name        string
+	Description string
+}
+type Flags []Flag
+
+// AddFlag adds a new flag to the Flags struct
+func (f *Flags) AddFlag(name, description string) {
+	*f = append(*f, Flag{Name: name, Description: description})
+}
+
+const markdownTemplate = `
+# Flags
+
+<!-- THIS FILE MUST NOT BE EDITED BY HAND -->
+<!-- ON NEW FLAG ADDED PLEASE RUN go .... -->
+
+| Flag | Description  |
+| :------ | :----------- |
+{{- range . }}
+| {{ .Name }} | {{ .Description }} | {{- end -}}
+`
+
+// It generates a markdown file
+// with the supported flags and writes it to the 'docs/flags.md' file.
+// to re-generate `docs/flags.md` execute 'go run internal/gen/main.go'
+func main() {
+	testPath, _ := os.Getwd()
+	path := fmt.Sprintf("%s/docs/flags.md", testPath)
+	fmt.Println(fmt.Sprintf("generate file '%s' with supported flags", path))
+
+	flags := computeFlags()
+	content, err := flags.generateMarkdownTable()
+	if err != nil {
+		_ = fmt.Errorf("failed to generate markdown file '%s': %v", path, err.Error())
+	}
+	_ = writeToFile(path, content)
+}
+
+func computeFlags() Flags {
+	app := cfg.App(&cfg.Config{})
+	modelFlags := app.Model().Flags
+
+	flags := Flags{}
+
+	for _, flag := range modelFlags {
+		// do not include helpers and completion flags
+		if strings.Contains(flag.Name, "help") || strings.Contains(flag.Name, "completion-") {
+			continue
+		}
+		flagString := ""
+		flagName := flag.Name
+		if flag.IsBoolFlag() {
+			flagName = "[no-]" + flagName
+		}
+		flagString += fmt.Sprintf("--%s", flagName)
+
+		if !flag.IsBoolFlag() {
+			flagString += fmt.Sprintf("=%s", flag.FormatPlaceHolder())
+		}
+		flags.AddFlag(fmt.Sprintf("`%s`", flagString), flag.HelpWithEnvar())
+	}
+	return flags
+}
+
+func (f *Flags) generateMarkdownTable() (string, error) {
+	tmpl := template.Must(template.New("flags.md.tpl").Parse(markdownTemplate))
+
+	var b bytes.Buffer
+	err := tmpl.Execute(&b, f)
+	if err != nil {
+		return "", err
+	}
+	return b.String(), nil
+}
+
+func writeToFile(filename string, content string) error {
+	file, fileErr := os.Create(filename)
+	if fileErr != nil {
+		_ = fmt.Errorf("failed to create file: %v", fileErr)
+	}
+	defer file.Close()
+	_, writeErr := file.WriteString(content)
+	if writeErr != nil {
+		_ = fmt.Errorf("failed to write to file: %s", filename)
+	}
+	return nil
+}
diff --git a/internal/gen/main_test.go b/internal/gen/main_test.go
new file mode 100644
index 000000000..b38d87f9e
--- /dev/null
+++ b/internal/gen/main_test.go
@@ -0,0 +1,74 @@
+package main
+
+import (
+	"fmt"
+	"io/fs"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestComputeFlags(t *testing.T) {
+	flags := computeFlags()
+
+	if len(flags) == 0 {
+		t.Errorf("Expected non-zero flags, got %d", len(flags))
+	}
+
+	for _, flag := range flags {
+		if strings.Contains(flag.Name, "help") || strings.Contains(flag.Name, "completion-") {
+			t.Errorf("Unexpected flag: %s", flag.Name)
+		}
+	}
+}
+
+func TestGenerateMarkdownTableRenderer(t *testing.T) {
+	flags := Flags{
+		{Name: "flag1", Description: "description1"},
+	}
+
+	got, err := flags.generateMarkdownTable()
+	assert.NoError(t, err)
+
+	assert.Contains(t, got, "<!-- THIS FILE MUST NOT BE EDITED BY HAND -->")
+	assert.Contains(t, got, "| flag1 | description1 |")
+}
+
+func TestFlagsMdExists(t *testing.T) {
+	testPath, _ := os.Getwd()
+	fsys := os.DirFS(fmt.Sprintf("%s/../../docs", testPath))
+	filePath := "flags.md"
+	_, err := fs.Stat(fsys, filePath)
+	assert.NoError(t, err, "expected file %s to exist", filePath)
+}
+
+func TestFlagsMdUpToDate(t *testing.T) {
+	testPath, _ := os.Getwd()
+	fsys := os.DirFS(fmt.Sprintf("%s/../../docs", testPath))
+	filePath := "flags.md"
+	expected, err := fs.ReadFile(fsys, filePath)
+	assert.NoError(t, err, "expected file %s to exist", filePath)
+
+	flags := computeFlags()
+	actual, err := flags.generateMarkdownTable()
+	assert.NoError(t, err)
+
+	assert.True(t, len(expected) == len(actual), "expected file '%s' to be up to date. execute 'go run internal/gen/main.g", filePath)
+}
+
+func TestFlagsMdExtraFlagAdded(t *testing.T) {
+	testPath, _ := os.Getwd()
+	fsys := os.DirFS(fmt.Sprintf("%s/../../docs", testPath))
+	filePath := "flags.md"
+	expected, err := fs.ReadFile(fsys, filePath)
+	assert.NoError(t, err, "expected file %s to exist", filePath)
+
+	flags := computeFlags()
+	flags.AddFlag("new-flag", "description2")
+	actual, err := flags.generateMarkdownTable()
+
+	assert.NoError(t, err)
+	assert.NotEqual(t, string(expected), actual)
+}
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 6cd78ee59..393f97d2a 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -400,6 +400,17 @@ func allLogLevelsAsStrings() []string {
 
 // ParseFlags adds and parses flags from command line
 func (cfg *Config) ParseFlags(args []string) error {
+	app := App(cfg)
+
+	_, err := app.Parse(args)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func App(cfg *Config) *kingpin.Application {
 	app := kingpin.New("external-dns", "ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.\n\nNote that all flags may be replaced with env vars - `--flag` -> `EXTERNAL_DNS_FLAG=1` or `--flag value` -> `EXTERNAL_DNS_FLAG=value`")
 	app.Version(Version)
 	app.DefaultEnvars()
@@ -603,10 +614,5 @@ func (cfg *Config) ParseFlags(args []string) error {
 
 	app.Flag("webhook-server", "When enabled, runs as a webhook server instead of a controller. (default: false).").BoolVar(&cfg.WebhookServer)
 
-	_, err := app.Parse(args)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return app
 }