The extensions/v1beta1 API is deprecated for Deployment and with 1.16 is
not served by default anymore. This breaks the examples on k8s 1.16.
See this blog post for details on the deprecations:
https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
Amazon EKS supports IAM Roles for Service Accounts. It mounts token
files to `/var/run/secrets/eks.amazonaws.com/serviceaccount/token`.
Unfortunately, external-dns runs as 'nobody' so it cannot access this
file. External DNS is then unable to make any AWS API calls:
```
time="2019-09-11T07:31:53Z" level=error msg="WebIdentityErr: unable to read file at /var/run/secrets/eks.amazonaws.com/serviceaccount/token\ncaused by: open /var/run/secrets/eks.amazonaws.com/serviceaccount/token: permission denied"
```
See: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
Below are the file permissions as mounted in the External DNS pod:
```
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/
total 0
drwxrwxrwt 3 root root 100 Sep 11 06:40 .
drwxr-xr-x 3 root root 28 Sep 11 06:40 ..
drwxr-xr-x 2 root root 60 Sep 11 06:40 ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root 31 Sep 11 06:40 ..data -> ..2019_09_11_06_40_49.865776187
lrwxrwxrwx 1 root root 12 Sep 11 06:40 token -> ..data/token
~ $ ls -al /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
-rw------- 1 root root 1028 Sep 11 06:40 /var/run/secrets/eks.amazonaws.com/serviceaccount/..data/token
```
This commit fixes this problem by specifying a securityContext so that
mounted volumes get 65534 (nobody) group ownership.
Tutorial specifies version >0.4 which also removed the requirement for a trailing period. New users could misunderstand the trailing dot as significant syntax. Removing the dot simplifies the configuration of the annotation.
Introducing support for NodePort services might break clusters which
are using RBAC
* allow external-dns to list nodes
Signed-off-by: Nick Jüttner <nick@zalando.de>
* update RBAC rules in docs
* update docs with split between rbac and non
* make deployment use new sa
* docs: correctly reference service account in CRB
* docs: correctly reference service account in CRB in other docs
* [aws-doc-update] docker image version and new arg aws-zone-type
* changes after review
* remove annotation for ingress
* docs: modify docs according to suggestions
* Add RecordTTL
* Route53: test for custom TTL
* Fix tests
* Fix remaining tests
* Add ttl when endpoint is created from ingress
* Missed a word
* Fix bad refactoring
* Add ingress custom TTL test
* gofmt
* Satisfy go-lint
* Unshadow `endpoint` in azure provider
* Fix and add an output test
* Add TTL for endpoints generated from service templates
* Take TTL into account when generating update plan
* Tests for TTL change impact on the plan
* Refactor factory method name
* Refactoring
* Run gofmt
* Make endpoint string format look like BIND config
* Update plan and plan_test
* Replace NewEndpointWithTTLValue with NewEndpointWithTTL in aws
* Remove NewEndpointWithTTLValue func
* Update references to TTL
* Remove getTTLValue func
* Handle merge conflict
* Update tests
* Update README, CHANGELOG and documentation
* Run gofmt
* Move getTTLFromAnnotations to a common file
* Refactor getTTLFromAnnotations
* Gofmt
* Add tests for getTTLFromAnnotations
* Trigger build
* Add boilerplate header
* Update README/CHANGELOG according to code review
* Add ttl.md and link it from README
* change CNAME string to endpoint.RecordTypeCNAME
* fix test cases with AWS ALIAS records, these do not behave differently in these tests
* Support for multiple domains within --domain-filter
The parameter accepts a comma-separated list of domains with or without trailing dot. Example: --domain-filter="example.org, company.test.,staging.com". Closes #247 and #229
* Add boilerplate header
* Add documentation for methods and structs
* use StringsVar for the domain-filter flag
* go fmt
* Remove camel case from tests
* Revert changes in README.md
* Move DomainFilter to provider package
* Make a new slice and copy elements to it
* Update CHANGELOG.md
* docs: change minor spelling mistake
* adjust docs before the v0.3.0 release
* minor fixes
* docs: add missing dot
* docs: add missing dot
* docs: drop line
* docs: drop another line
* adjust documentation
* update main readme
* checkbox for releases, add --txt-owner-id flag in description
* docs: minor weird character fixes [ci skip]
* feat(aws): support hostnames as endpoint targets
* docs: describe how to run ExternalDNS on AWS
* docs: update changelog with CNAME feature
* docs: update changelog to include AWS documentation
* fix(aws): test that updating records removes the old value
* feat(google): add CNAME support to Google provider
* fix(source): sanitize source and target hostnames
* docs: update changelog to include latest changes
* docs(aws): mention that ExternalDNS takes full ownership of a hosted zone
* fix(aws): switch route53 tests to use endpoint pointers
* docs: add TODO to remove record filtering once ownership is in place