From 0bf6e80d6fe55931a13e35cf2b3e02cd8436372d Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Thu, 19 Mar 2026 01:22:39 +1100 Subject: [PATCH] feat: migrate externaldns from Terraform to ArgoCD (#43) - Add externaldns base ArgoCD application with namespace and Vault integration - Create externaldns overlay for au-syd1 with Helm chart configuration - Update platform ApplicationSet to include externaldns deployment - Configure external-dns v1.19.0 with RFC2136 provider for DNS updates - Maintain one-to-one migration from Terraform configuration including TSIG secrets Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/43 --- apps/base/externaldns/kustomization.yaml | 8 +++ apps/base/externaldns/namespace.yaml | 5 ++ apps/base/externaldns/vaultauth.yaml | 18 +++++++ apps/base/externaldns/vaultstaticsecret.yaml | 18 +++++++ .../au-syd1/externaldns/kustomization.yaml | 14 +++++ apps/overlays/au-syd1/externaldns/values.yaml | 51 +++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 3 ++ 8 files changed, 118 insertions(+) create mode 100644 apps/base/externaldns/kustomization.yaml create mode 100644 apps/base/externaldns/namespace.yaml create mode 100644 apps/base/externaldns/vaultauth.yaml create mode 100644 apps/base/externaldns/vaultstaticsecret.yaml create mode 100644 apps/overlays/au-syd1/externaldns/kustomization.yaml create mode 100644 apps/overlays/au-syd1/externaldns/values.yaml
diff --git a/apps/base/externaldns/kustomization.yaml b/apps/base/externaldns/kustomization.yaml
new file mode 100644
index 0000000..cc622a0
--- /dev/null
+++ b/apps/base/externaldns/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - vaultauth.yaml
+ - vaultstaticsecret.yaml
diff --git a/apps/base/externaldns/namespace.yaml b/apps/base/externaldns/namespace.yaml
new file mode 100644
index 0000000..2084fb4
--- /dev/null
+++ b/apps/base/externaldns/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: externaldns
diff --git a/apps/base/externaldns/vaultauth.yaml b/apps/base/externaldns/vaultauth.yaml
new file mode 100644
index 0000000..e75f8d3
--- /dev/null
+++ b/apps/base/externaldns/vaultauth.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: default
+ namespace: externaldns
+spec:
+ method: kubernetes
+ mount: k8s/au/syd1
+ vaultConnectionRef: vso-system/default
+ allowedNamespaces:
+ - externaldns
+ kubernetes:
+ role: externaldns
+ serviceAccount: externaldns
+ audiences:
+ - vault
+ tokenExpirationSeconds: 600
diff --git a/apps/base/externaldns/vaultstaticsecret.yaml b/apps/base/externaldns/vaultstaticsecret.yaml
new file mode 100644
index 0000000..5714441
--- /dev/null
+++ b/apps/base/externaldns/vaultstaticsecret.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: externaldns-tsig
+ namespace: externaldns
+spec:
+ vaultAuthRef: default
+ mount: kv
+ type: kv-v2
+ path: service/kubernetes/au/syd1/externaldns/tsig
+ refreshAfter: 5m
+ destination:
+ name: externaldns-tsig
+ create: true
+ rolloutRestartTargets:
+ - kind: Deployment
+ name: externaldns
diff --git a/apps/overlays/au-syd1/externaldns/kustomization.yaml b/apps/overlays/au-syd1/externaldns/kustomization.yaml
new file mode 100644
index 0000000..faff20f
--- /dev/null
+++ b/apps/overlays/au-syd1/externaldns/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/externaldns
+
+helmCharts:
+ - name: external-dns
+ repo: https://kubernetes-sigs.github.io/external-dns/
+ version: "1.19.0"
+ releaseName: externaldns
+ namespace: externaldns
+ valuesFile: values.yaml
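Review bot: The Vault auth mount `k8s/au/syd1` in this VaultAuth, and the KV path `service/kubernetes/au/syd1/externaldns/tsig` in the VaultStaticSecret hunk below, are cluster-specific yet live under `apps/base/externaldns`, which any overlay reusing the base pulls in via `../../../base/externaldns`. A second cluster built from the same base would, unless it patches both fields, authenticate against the syd1 auth mount and read syd1's TSIG key, so these two values belong in the overlay (a kustomize patch, or per-overlay copies of the two resources) with the base holding only the namespace and the cluster-neutral parts. Until that move happens, a comment on each line such as `# cluster-specific: override per overlay` would flag it for the next overlay author.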
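Review bot: `rolloutRestartTargets` names the Deployment `externaldns`, but the overlay kustomization in the last hunk installs the chart with `releaseName: externaldns` and values.yaml sets no `fullnameOverride`; the upstream chart's standard fullname helper appends the chart name when the release name does not contain it, which would make the Deployment `externaldns-external-dns`. If that is the case the restart target never matches, and a rotated TSIG key only reaches the pod on its next unrelated restart while the old key keeps signing updates. Either set `fullnameOverride: externaldns` in values.yaml or point the target at the generated name, and confirm with `kubectl get deploy -n externaldns` after the first sync. The VaultAuth `serviceAccount: externaldns` is unaffected, since values.yaml sets `serviceAccount.name: externaldns` explicitly.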
diff --git a/apps/overlays/au-syd1/externaldns/values.yaml b/apps/overlays/au-syd1/externaldns/values.yaml
new file mode 100644
index 0000000..97c3417
--- /dev/null
+++ b/apps/overlays/au-syd1/externaldns/values.yaml
@@ -0,0 +1,51 @@
+# Service account configuration
+serviceAccount:
+ create: true
+ name: externaldns
+ annotations: {}
+
+# Provider configuration - using new format
+provider:
+ name: rfc2136
+
+# Domain filtering
+domainFilters:
+ - "k8s.syd1.au.unkin.net"
+ - "200.18.198.in-addr.arpa"
+
+# TXT registry configuration
+txtOwnerId: "k8s"
+registry: "txt"
+
+# Enable deletion of records for dedicated DNS server
+policy: "sync"
+
+# Keep default sources
+sources:
+ - service
+ - ingress
+
+# Environment variables for TSIG secret and algorithm from Vault
+env:
+ - name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: externaldns-tsig
+ key: secret
+ - name: EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM
+ valueFrom:
+ secretKeyRef:
+ name: externaldns-tsig
+ key: algorithm
+
+# RFC2136 configuration as arguments
+extraArgs:
+ - --rfc2136-host=ausyd1nxvm2127.main.unkin.net
+ - --rfc2136-port=53
+ - --rfc2136-zone=k8s.syd1.au.unkin.net
+ - --rfc2136-zone=200.18.198.in-addr.arpa
+ - --rfc2136-tsig-keyname=externaldns-key
+ - --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)
+ - --rfc2136-tsig-axfr
+ - --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)
+ - --ingress-class=nginx
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 5553b4f..ac5cce9 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -14,6 +14,7 @@ spec:
 - path: apps/overlays/*/cattle-system
 - path: apps/overlays/*/certificates
 - path: apps/overlays/*/cert-manager
+ - path: apps/overlays/*/externaldns
 - path: apps/overlays/*/reflector-system
 - path: apps/overlays/*/reloader-system
 - path: apps/overlays/*/jfrog
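Review bot: The TSIG key is handed to the container twice: as the `EXTERNAL_DNS_RFC2136_TSIG_SECRET` env var and again expanded into argv by `--rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)` under `extraArgs`. Once Kubernetes expands the `$(…)` reference, the plaintext secret sits in the process command line, readable via `/proc/<pid>/cmdline` by anything that can inspect the container or the node, whereas the env var on its own stays out of the process list. external-dns accepts every flag as an `EXTERNAL_DNS_<FLAG>` environment variable, so the two `env` entries already configure both the secret and the algorithm and the `--rfc2136-tsig-secret=…` and `--rfc2136-tsig-secret-alg=…` lines can be dropped. If the explicit args are kept for the one-to-one migration, a comment above `extraArgs` such as `# NOTE: $(…) expansion puts the TSIG secret in argv; the EXTERNAL_DNS_* env vars alone suffice` would document the trade-off.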
diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml
index 830e9eb..7cb83f6 100644
--- a/argocd/projects/platform.yaml
+++ b/argocd/projects/platform.yaml
@@ -12,6 +12,7 @@ spec:
 - oci://ghcr.io/woodpecker-ci/helm/woodpecker
 - https://releases.rancher.com/server-charts/stable
 - https://charts.jetstack.io
+ - https://kubernetes-sigs.github.io/external-dns/
 destinations:
 - namespace: '*-system'
 server: https://kubernetes.default.svc
@@ -21,6 +22,8 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: 'certificates'
 server: https://kubernetes.default.svc
+ - namespace: 'externaldns'
+ server: https://kubernetes.default.svc
 - namespace: 'jfrog'
 server: https://kubernetes.default.svc
 - namespace: 'puppet'