diff --git a/charts/external-dns/README.md b/charts/external-dns/README.md
index 67ab1f5df..bfdb56deb 100644
--- a/charts/external-dns/README.md
+++ b/charts/external-dns/README.md
@@ -69,6 +69,7 @@ The following table lists the configurable parameters of the _ExternalDNS_ chart
 | `logFormat` | Formats of the logs, available values are: `text`, `json`. | `text` |
 | `interval` | The interval for DNS updates. | `1m` |
 | `triggerLoopOnEvent` | When enabled, triggers run loop on create/update/delete events in addition of regular interval. | `false` |
+| `namespaced` | When enabled, external-dns runs on namespace scope. Additionally, Role and Rolebinding will be namespaced, too. | `false` |
 | `sources` | K8s resources type to be observed for new DNS entries. | See _values.yaml_ |
 | `policy` | How DNS records are synchronized between sources and providers, available values are: `sync`, `upsert-only`. | `upsert-only` |
 | `registry` | Registry Type, available types are: `txt`, `noop`. | `txt` |
@@ -82,3 +83,36 @@ The following table lists the configurable parameters of the _ExternalDNS_ chart
 | `secretConfiguration.mountPath` | Mount path of secret configuration secret (this can be templated). | `""` |
 | `secretConfiguration.data` | Secret configuration secret data. Could be used to store DNS provider credentials. | `{}` |
 | `secretConfiguration.subPath` | Sub-path of secret configuration secret (this can be templated). | `""` |
+
+## Namespaced scoped installation
+
+external-dns supports running on a namespaced only scope, too.
+If `namespaced=true` is defined, the helm chart will setup `Roles` and `RoleBindings` instead `ClusterRoles` and `ClusterRoleBindings`.
+
+### Limited supported
+Not all sources are supported in namespaced scope, since some sources depends on cluster-wide resources.
+For example: Source `node` isn't supported, since `kind: Node` has scope `Cluster`.
+Sources like `istio-virtualservice` only work, if all resources like `Gateway` and `VirtualService` are present in the same
+namespaces as `external-dns`.
+
+The annotation `external-dns.alpha.kubernetes.io/endpoints-type: NodeExternalIP` is not supported.
+
+If `namespaced` is set to `true`, please ensure that `sources` my only contains supported sources (Default: `service,ingress`.
+
+### Support matrix
+
+| Source | Supported | Infos |
+|------------------------|-----------|------------------------|
+| `ingress` | ✅ | |
+| `istio-gateway` | ✅ | |
+| `istio-virtualservice` | ✅ | |
+| `contour-ingressroute` | ✅ | |
+| `crd` | ✅ | |
+| `kong-tcpingress` | ✅ | |
+| `openshift-route` | ✅ | |
+| `skipper-routegroup` | ✅ | |
+| `gloo-proxy` | ✅ | |
+| `contour-httpproxy` | ✅ | |
+| `service` | ⚠️️ | NodePort not supported |
+| `node` | ❌ | |
+| `pod` | ❌ | |
diff --git a/charts/external-dns/templates/clusterrole.yaml b/charts/external-dns/templates/clusterrole.yaml
index 6a7db92e9..9cab6a6eb 100644
--- a/charts/external-dns/templates/clusterrole.yaml
+++ b/charts/external-dns/templates/clusterrole.yaml
@@ -1,12 +1,12 @@
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
 metadata:
 name: {{ template "external-dns.fullname" . }}
 labels:
 {{- include "external-dns.labels" . | nindent 4 }}
 rules:
-{{- if or (has "node" .Values.sources) (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+{{- if and (not .Values.namespaced) (or (has "node" .Values.sources) (has "pod" .Values.sources) (has "service" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "gloo-proxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources)) }}
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["list","watch"]
diff --git a/charts/external-dns/templates/clusterrolebinding.yaml b/charts/external-dns/templates/clusterrolebinding.yaml
index 9028c6f96..74a51476f 100644
--- a/charts/external-dns/templates/clusterrolebinding.yaml
+++ b/charts/external-dns/templates/clusterrolebinding.yaml
@@ -1,13 +1,13 @@
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{ .Values.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
 metadata:
 name: {{ printf "%s-viewer" (include "external-dns.fullname" .) }}
 labels:
 {{- include "external-dns.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: {{ .Values.namespaced | ternary "Role" "ClusterRole" }}
 name: {{ template "external-dns.fullname" . }}
 subjects:
 - kind: ServiceAccount
diff --git a/charts/external-dns/templates/deployment.yaml b/charts/external-dns/templates/deployment.yaml
index 70952675d..5c3e1128f 100644
--- a/charts/external-dns/templates/deployment.yaml
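Review bot: In templates/clusterrole.yaml the new `and (not .Values.namespaced) ...` condition drops the `nodes` rule when `namespaced` is true, but nothing rejects a `sources` list that still contains `node` or `pod`, which the README added in this commit marks as unsupported in namespaced mode. Such a release would still render and install, and external-dns would presumably fail only at runtime on the missing permissions, since a Role cannot grant access to cluster-scoped `nodes` anyway. A template-time guard makes the misconfiguration visible, e.g. `{{- if and .Values.namespaced (or (has "node" .Values.sources) (has "pod" .Values.sources)) }}{{ fail "sources node and pod are not supported when namespaced=true" }}{{- end }}`. The `rules:` list continues outside the hunk, so the remaining rules should be checked for other cluster-scoped resources as well.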
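Review bot: In templates/clusterrolebinding.yaml (and likewise the Role in templates/clusterrole.yaml) the visible `metadata:` sets no `namespace:` once the kind becomes `RoleBinding`/`Role`, so where the grant lands depends on how the manifest is applied. Under `helm install` that is the release namespace, but `helm template` output applied with kubectl goes to the client's current namespace, which can differ from the `--namespace={{ .Release.Namespace }}` argument the deployment receives. Consider adding `{{- if .Values.namespaced }}`, `namespace: {{ .Release.Namespace }}`, `{{- end }}` under `metadata:` in both templates so the binding is pinned to the namespace external-dns actually watches. The `subjects:` entry continues outside the hunk, so whether the ServiceAccount subject names its namespace is not visible here.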
+++ b/charts/external-dns/templates/deployment.yaml
@@ -89,6 +89,9 @@ spec:
 - --txt-suffix={{ .Values.txtSuffix }}
 {{- end }}
 {{- end }}
+ {{- if .Values.namespaced }}
+ - --namespace={{ .Release.Namespace }}
+ {{- end }}
 {{- range .Values.domainFilters }}
 - --domain-filter={{ . }}
 {{- end }}
diff --git a/charts/external-dns/values.yaml b/charts/external-dns/values.yaml
index 5b30a9c0e..6e0f80265 100644
--- a/charts/external-dns/values.yaml
+++ b/charts/external-dns/values.yaml
@@ -151,6 +151,8 @@ logFormat: text interval: 1m triggerLoopOnEvent: false +namespaced: false + sources: - service - ingress
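Review bot: In templates/deployment.yaml the `--namespace` argument is emitted whenever `namespaced` is true, independent of `rbac.create`, which gates the Role/RoleBinding templates in this commit. With `rbac.create: false` the chart renders no RBAC at all, so the operator has to supply namespace-scoped permissions for the service account themselves, and nothing in the hunk states that dependency. A template comment above the block would record it, e.g. `{{- /* namespaced: watch only the release namespace; must match the namespace of the Role/RoleBinding bound to the service account */}}`. The surrounding `args:` list starts and ends outside the hunk.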