feat: migrate externaldns from Terraform to ArgoCD #43

Merged
unkinben merged 1 commits from benvin/externaldns into main 2026-03-19 01:22:40 +11:00
8 changed files with 118 additions and 0 deletions
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: externaldns
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: externaldns
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- externaldns
kubernetes:
role: externaldns
serviceAccount: externaldns
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: externaldns-tsig
namespace: externaldns
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/externaldns/tsig
refreshAfter: 5m
destination:
name: externaldns-tsig
create: true
rolloutRestartTargets:
- kind: Deployment
name: externaldns
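Review bot: `rolloutRestartTargets[0].name: externaldns` may not name the Deployment the chart actually renders: the external-dns chart's default fullname is `<release>-external-dns` whenever the release name does not contain the chart name, so `releaseName: externaldns` in the overlay would likely produce `externaldns-external-dns` unless `fullnameOverride` is set in values.yaml. If so the restart target is silently wrong and a rotated TSIG key is not picked up until the pod restarts for some other reason. Either add `fullnameOverride: externaldns` to values.yaml or point the target at the rendered name, and confirm with `kubectl get deploy -n externaldns` after the first sync. A short comment on this line naming which chart setting the target depends on would keep the two files from drifting.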
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/externaldns
helmCharts:
- name: external-dns
repo: https://kubernetes-sigs.github.io/external-dns/
version: "1.19.0"
releaseName: externaldns
namespace: externaldns
valuesFile: values.yaml
@@ -0,0 +1,51 @@
# Service account configuration
serviceAccount:
create: true
name: externaldns
annotations: {}
# Provider configuration - using new format
provider:
name: rfc2136
# Domain filtering
domainFilters:
- "k8s.syd1.au.unkin.net"
- "200.18.198.in-addr.arpa"
# TXT registry configuration
txtOwnerId: "k8s"
registry: "txt"
# Enable deletion of records for dedicated DNS server
policy: "sync"
# Keep default sources
sources:
- service
- ingress
# Environment variables for TSIG secret and algorithm from Vault
env:
- name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: secret
- name: EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM
valueFrom:
secretKeyRef:
name: externaldns-tsig
key: algorithm
# RFC2136 configuration as arguments
extraArgs:
- --rfc2136-host=ausyd1nxvm2127.main.unkin.net
- --rfc2136-port=53
- --rfc2136-zone=k8s.syd1.au.unkin.net
- --rfc2136-zone=200.18.198.in-addr.arpa
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)
- --rfc2136-tsig-axfr
- --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)
- --ingress-class=nginx
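Review bot: `--rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)` in `extraArgs` places the TSIG key material in the container's argv, where it is readable by anything that can see the process list on the node and by any log or debug tooling that captures command lines, whereas the `env` injection keeps it out of the process table. external-dns reads every flag from the matching `EXTERNAL_DNS_`-prefixed environment variable, so the `env` entries above should already configure the secret and algorithm and the two `$(...)` arguments duplicate them. Drop `- --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)` and `- --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)` and keep the env-based injection. The section header reports 51 lines but fewer are shown here, so part of the file may lie outside this view.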
@@ -14,6 +14,7 @@ spec:
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/certificates
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/externaldns
- path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system
- path: apps/overlays/*/jfrog
@@ -12,6 +12,7 @@ spec:
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
- https://releases.rancher.com/server-charts/stable
- https://charts.jetstack.io
- https://kubernetes-sigs.github.io/external-dns/
destinations:
- namespace: '*-system'
server: https://kubernetes.default.svc
@@ -21,6 +22,8 @@ spec:
server: https://kubernetes.default.svc
- namespace: 'certificates'
server: https://kubernetes.default.svc
- namespace: 'externaldns'
server: https://kubernetes.default.svc
- namespace: 'jfrog'
server: https://kubernetes.default.svc
- namespace: 'puppet'