feat: migrate externaldns from Terraform to ArgoCD (#43)

- Add externaldns base ArgoCD application with namespace and Vault integration
- Create externaldns overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include externaldns deployment
- Configure external-dns v1.19.0 with RFC2136 provider for DNS updates
- Maintain one-to-one migration from Terraform configuration including TSIG secrets

Reviewed-on: #43
This commit was merged in pull request #43.
2026-03-19 01:22:39 +11:00
parent ed300fabed
commit 0bf6e80d6f
8 changed files with 118 additions and 0 deletions
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/externaldns
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns/
version: "1.19.0"
releaseName: externaldns
namespace: externaldns
valuesFile: values.yaml
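Review bot: The pinned `version: "1.19.0"` under `helmCharts` is the Helm chart version, while the commit message describes it as external-dns v1.19.0. In the kubernetes-sigs chart the application image version is tracked separately as the chart's appVersion, and the values file in this commit does not pin an image tag. A comment above the version line would keep the two from being confused at upgrade time, for example `# chart version; the external-dns image version follows the chart's appVersion`. If reproducible rollouts matter for a component that can write to DNS, pinning the image tag explicitly in the values file is worth considering.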
@@ -0,0 +1,51 @@
# Service account configuration
serviceAccount:
create: true
name: externaldns
annotations: {}
# Provider configuration - using new format
provider:
name: rfc2136
# Domain filtering
domainFilters:
- "k8s.syd1.au.unkin.net"
- "200.18.198.in-addr.arpa"
# TXT registry configuration
txtOwnerId: "k8s"
registry: "txt"
# Enable deletion of records for dedicated DNS server
policy: "sync"
# Keep default sources
sources:
- service
- ingress
# Environment variables for TSIG secret and algorithm from Vault
env:
- name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: secret
- name: EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: algorithm
# RFC2136 configuration as arguments
extraArgs:
- --rfc2136-host=ausyd1nxvm2127.main.unkin.net
- --rfc2136-port=53
- --rfc2136-zone=k8s.syd1.au.unkin.net
- --rfc2136-zone=200.18.198.in-addr.arpa
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)
- --rfc2136-tsig-axfr
- --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)
- --ingress-class=nginx
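Review bot: The TSIG key ends up on the container command line, because `--rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)` in `extraArgs` is expanded into the process arguments when the container starts. There it is readable from the process listing on the node and by any tooling that records runtime container arguments. external-dns binds its flags to `EXTERNAL_DNS_`-prefixed environment variables, so the `env` entry sourced from the `externaldns-tsig` Secret should be enough by itself. I would remove that `extraArgs` line, and the matching `--rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)` line for consistency, after confirming the behaviour on this chart version. With `policy: "sync"` this key authorises record deletion in both zones, so keeping it out of argv is worth the small change.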