Helm supports extra env, volumes and volume mounts for externaldns (#…

…1548) * Helm supports extra env variables, volumes and volume mounts for externaldns Signed-off-by: abaguas <andre.aguas@protonmail.com> * add external dns proxy docs Signed-off-by: abaguas <andre.aguas@protonmail.com> * fix title Signed-off-by: abaguas <andre.aguas@protonmail.com> * fix Signed-off-by: abaguas <andre.aguas@protonmail.com> --------- Signed-off-by: abaguas <andre.aguas@protonmail.com>
k8gb-io · May 14, 2024 · 27d87ce · 27d87ce
1 parent 6e33872
commit 27d87ce
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 3 deletions.
diff --git a/chart/k8gb/README.md b/chart/k8gb/README.md
@@ -59,6 +59,9 @@ For Kubernetes `< 1.19` use this chart and k8gb in version `0.8.8` or lower.
 | coredns.isClusterService | bool | `false` | service: refer to https://www.k8gb.io/docs/service_upgrade.html for upgrading CoreDNS service steps |
 | coredns.serviceAccount | object | `{"create":true,"name":"coredns"}` | Creates serviceAccount for coredns |
 | externaldns.dnsPolicy | string | `"ClusterFirst"` | `.spec.template.spec.dnsPolicy` for ExternalDNS deployment |
+| externaldns.extraEnv | list | `[]` | extra environment variables |
+| externaldns.extraVolumeMounts | list | `[]` | extra volume mounts |
+| externaldns.extraVolumes | list | `[]` | extra volumes |
 | externaldns.image | string | `"ghcr.io/k8gb-io/external-dns:v0.13.4-azure-ns"` | external-dns image repo:tag It is important to use the image from k8gb external-dns fork to get the full functionality. See links below https://github.com/k8gb-io/external-dns https://github.com/k8gb-io/external-dns/pkgs/container/external-dns |
 | externaldns.interval | string | `"20s"` | external-dns sync interval |
 | externaldns.securityContext.fsGroup | int | `65534` | For ExternalDNS to be able to read Kubernetes and AWS token files |

diff --git a/chart/k8gb/templates/external-dns/external-dns.yaml b/chart/k8gb/templates/external-dns/external-dns.yaml
@@ -45,30 +45,48 @@ spec:
             cpu: "500m"
         securityContext:
           readOnlyRootFilesystem: true
+        {{- with .Values.externaldns.extraEnv }}
+        env:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       {{- if .Values.route53.secret }}
+        {{- if not .Values.externaldns.extraEnv }}
         env:
+        {{- end }}
           - name: AWS_SHARED_CREDENTIALS_FILE
             value: /.aws/credentials
         volumeMounts:
           - name: aws-credentials
             mountPath: /.aws
             readOnly: true
+          {{- with .Values.externaldns.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
       volumes:
         - name: aws-credentials
           secret:
             secretName: {{ .Values.route53.secret }}
+        {{- with .Values.externaldns.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
       {{- if .Values.rfc2136.rfc2136auth.gssTsig.enabled }}
         volumeMounts:
           - mountPath: /etc/krb5.conf
             name: kerberos-config-volume
             subPath: krb5.conf
+          {{- with .Values.externaldns.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
       dnsPolicy: {{ .Values.externaldns.dnsPolicy }}
       volumes:
         - name: kerberos-config-volume
           configMap:
             name: {{ .Values.rfc2136.rfc2136auth.gssTsig.kerberosConfigmap }}
             defaultMode: 420
+        {{- with .Values.externaldns.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- end }}
-        
+
 {{- end }}
diff --git a/chart/k8gb/values.schema.json b/chart/k8gb/values.schema.json
@@ -114,6 +114,15 @@
                     "type": "string",
                     "minLength": 1
                 },
+                "extraEnv": {
+                    "type": "array"
+                },
+                "extraVolumes": {
+                    "type": "array"
+                },
+                "extraVolumeMounts": {
+                    "type": "array"
+                },
                 "image": {
                     "type": "string",
                     "minLength": 1
@@ -616,7 +625,7 @@
             },
             "required": [
                 "enabled",
-		"zoneID"
+                "zoneID"
             ],
             "title": "Cloudflare"
         },

diff --git a/chart/k8gb/values.yaml b/chart/k8gb/values.yaml
@@ -56,6 +56,12 @@ k8gb:
 externaldns:
   # -- `.spec.template.spec.dnsPolicy` for ExternalDNS deployment
   dnsPolicy: "ClusterFirst"
+  # -- extra environment variables
+  extraEnv: []
+  # -- extra volumes
+  extraVolumes: []
+  # -- extra volume mounts
+  extraVolumeMounts: []
   # -- external-dns image repo:tag
   # It is important to use the image from k8gb external-dns fork to get the full
   # functionality. See links below
@@ -130,7 +136,7 @@ rfc2136:
     - host: host.k3d.internal
     - port: 1053
   rfc2136auth:
-    insecure: 
+    insecure:
       enabled: false
     tsig:
       enabled: true

diff --git a/docs/proxy_externaldns.md b/docs/proxy_externaldns.md
@@ -0,0 +1,20 @@
+# External DNS behind a proxy
+
+External DNS needs to communicate with a DNS server outside of the kubernetes cluster to update records. If a proxy is used for egress from the Kubernetes cluster the following should be configured:
+```
+externaldns:
+  extraEnv:
+  - name: HTTPS_PROXY
+    value: http://proxy.example.com:8080
+  extraVolumes:
+  - name: ca-bundle
+    secret:
+      secretName: ca-proxy
+  extraVolumeMounts:
+  - name: ca-bundle
+    mountPath: /etc/ssl/certs
+    readOnly: true
+```
+
+The `HTTPS_PROXY` environment variable should contain the address of the proxy.
+The volume mount should contain the proxy CA certificate so that the container can trust the proxy.