feat: migrate externaldns from Terraform to ArgoCD
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful

- Add externaldns base ArgoCD application with namespace and Vault integration
- Create externaldns overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include externaldns deployment
- Configure external-dns v1.19.0 with RFC2136 provider for DNS updates
- Maintain one-to-one migration from Terraform configuration including TSIG secrets
This commit is contained in:
2026-03-18 21:43:16 +11:00
parent ed300fabed
commit c7ff6f0ab5
8 changed files with 118 additions and 0 deletions
+8
View File
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
+5
View File
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: externaldns
+18
View File
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: externaldns
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- externaldns
kubernetes:
role: externaldns
serviceAccount: externaldns
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: externaldns-tsig
namespace: externaldns
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/externaldns/tsig
refreshAfter: 5m
destination:
name: externaldns-tsig
create: true
rolloutRestartTargets:
- kind: Deployment
name: externaldns
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/externaldns
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns/
version: "1.19.0"
releaseName: externaldns
namespace: externaldns
valuesFile: values.yaml
@@ -0,0 +1,51 @@
# Service account configuration
serviceAccount:
create: true
name: externaldns
annotations: {}
# Provider configuration - using new format
provider:
name: rfc2136
# Domain filtering
domainFilters:
- "k8s.syd1.au.unkin.net"
- "200.18.198.in-addr.arpa"
# TXT registry configuration
txtOwnerId: "k8s"
registry: "txt"
# Enable deletion of records for dedicated DNS server
policy: "sync"
# Keep default sources
sources:
- service
- ingress
# Environment variables for TSIG secret and algorithm from Vault
env:
- name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: secret
- name: EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: algorithm
# RFC2136 configuration as arguments
extraArgs:
- --rfc2136-host=ausyd1nxvm2127.main.unkin.net
- --rfc2136-port=53
- --rfc2136-zone=k8s.syd1.au.unkin.net
- --rfc2136-zone=200.18.198.in-addr.arpa
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)
- --rfc2136-tsig-axfr
- --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)
- --ingress-class=nginx