Add external-dns

deploy/base/deploy-external-dns.yaml

@@ -0,0 +1,20 @@
+# Patch external-dns with AWS credentials because helm chart inflation happens
+# too early.
+---
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts
+  value:
+  - name: aws-credentials
+    mountPath: /.aws
+    readOnly: true
+- op: replace
+  path: /spec/template/spec/volumes
+  value:
+  - name: aws-credentials
+    secret:
+      secretName: aws-do-external-dns-credentials
+- op: add
+  path: /spec/template/spec/containers/0/env
+  value:
+    - name: AWS_SHARED_CREDENTIALS_FILE
+      value: /.aws/credentials

deploy/base/inflated/external-dns/templates/clusterrole.yaml

@@ -0,0 +1,92 @@
+---
+# Source: external-dns/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+  labels: 
+    app.kubernetes.io/name: external-dns
+    helm.sh/chart: external-dns-6.3.0
+    app.kubernetes.io/instance: external-dns
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - pods
+      - nodes
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - "networking.k8s.io"
+      - getambassador.io
+    resources:
+      - ingresses
+      - hosts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - gateways
+      - virtualservices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - zalando.org
+    resources:
+      - routegroups
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - zalando.org
+    resources:
+      - routegroups/status
+    verbs:
+      - patch
+      - update
+  - apiGroups:
+      - projectcontour.io
+    resources:
+      - httpproxies
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - gloo.solo.io
+      - gateway.solo.io
+    resources:
+      - proxies
+      - virtualservices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - configuration.konghq.com
+    resources:
+      - tcpingresses
+    verbs:
+      - get
+      - list
+      - watch

deploy/base/inflated/external-dns/templates/clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+---
+# Source: external-dns/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns
+  labels: 
+    app.kubernetes.io/name: external-dns
+    helm.sh/chart: external-dns-6.3.0
+    app.kubernetes.io/instance: external-dns
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: external-dns
+    namespace: default

deploy/base/inflated/external-dns/templates/deployment.yaml

@@ -0,0 +1,106 @@
+---
+# Source: external-dns/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: default
+  labels: 
+    app.kubernetes.io/name: external-dns
+    helm.sh/chart: external-dns-6.3.0
+    app.kubernetes.io/instance: external-dns
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels: 
+      app.kubernetes.io/name: external-dns
+      app.kubernetes.io/instance: external-dns
+  template:
+    metadata:
+      labels: 
+        app.kubernetes.io/name: external-dns
+        helm.sh/chart: external-dns-6.3.0
+        app.kubernetes.io/instance: external-dns
+        app.kubernetes.io/managed-by: Helm
+      annotations:
+    spec:
+      
+      securityContext:
+        fsGroup: 1001
+        runAsUser: 1001
+      affinity:
+        podAffinity:
+          
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: external-dns
+                    app.kubernetes.io/instance: external-dns
+                namespaces:
+                  - "default"
+                topologyKey: kubernetes.io/hostname
+              weight: 1
+        nodeAffinity:
+          
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: "docker.io/bitnami/external-dns:0.11.1-debian-10-r1"
+          imagePullPolicy: "IfNotPresent"
+          args:
+            # Generic arguments
+            - --metrics-address=:7979
+            - --log-level=info
+            - --log-format=text
+            - --policy=upsert-only
+            - --provider=aws
+            - --registry=txt
+            - --interval=1m
+            - --source=service
+            - --source=ingress
+            # AWS arguments
+            - --aws-api-retries=3
+            - --aws-zone-type=
+            - --aws-batch-change-size=1000
+          env:
+            # AWS environment variables
+            - name: AWS_DEFAULT_REGION
+              value: us-east-1
+          envFrom:
+          ports:
+            - name: http
+              containerPort: 7979
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 2
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          resources:
+            limits: {}
+            requests: {}
+          volumeMounts:
+            # AWS mountPath(s)
+            - name: aws-credentials
+              mountPath: /.aws
+              readOnly: true
+      volumes:
+        # AWS volume(s)
+        - name: aws-credentials
+          secret:
+            secretName: foo

deploy/base/inflated/external-dns/templates/service.yaml

@@ -0,0 +1,22 @@
+---
+# Source: external-dns/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-dns
+  namespace: default
+  labels: 
+    app.kubernetes.io/name: external-dns
+    helm.sh/chart: external-dns-6.3.0
+    app.kubernetes.io/instance: external-dns
+    app.kubernetes.io/managed-by: Helm
+spec:
+  ports:
+    - name: http
+      port: 7979
+      protocol: TCP
+      targetPort: http
+  selector: 
+    app.kubernetes.io/name: external-dns
+    app.kubernetes.io/instance: external-dns
+  type: ClusterIP

deploy/base/inflated/external-dns/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+---
+# Source: external-dns/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+  namespace: default
+  labels: 
+    app.kubernetes.io/name: external-dns
+    helm.sh/chart: external-dns-6.3.0
+    app.kubernetes.io/instance: external-dns
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: true

deploy/base/inflated/kubernetes-replicator/templates/deployment.yaml

@@ -0,0 +1,59 @@
+---
+# Source: kubernetes-replicator/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubernetes-replicator
+  labels:
+    helm.sh/chart: kubernetes-replicator-2.7.3
+    app.kubernetes.io/name: kubernetes-replicator
+    app.kubernetes.io/instance: kubernetes-replicator
+    app.kubernetes.io/version: "v2.7.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-replicator
+      app.kubernetes.io/instance: kubernetes-replicator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kubernetes-replicator
+        app.kubernetes.io/instance: kubernetes-replicator
+    spec:
+      serviceAccountName: kubernetes-replicator
+      securityContext:
+        {}
+      containers:
+        - name: kubernetes-replicator
+          securityContext:
+            {}
+          image: "quay.io/mittwald/kubernetes-replicator:v2.7.3"
+          imagePullPolicy: Always
+          args:
+            []
+          ports:
+            - name: health
+              containerPort: 9102
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: health
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          resources:
+            {}

deploy/base/inflated/kubernetes-replicator/templates/rbac.yaml

@@ -0,0 +1,54 @@
+---
+# Source: kubernetes-replicator/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubernetes-replicator
+  labels:
+    helm.sh/chart: kubernetes-replicator-2.7.3
+    app.kubernetes.io/name: kubernetes-replicator
+    app.kubernetes.io/instance: kubernetes-replicator
+    app.kubernetes.io/version: "v2.7.3"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: kubernetes-replicator/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-replicator
+  labels:
+    helm.sh/chart: kubernetes-replicator-2.7.3
+    app.kubernetes.io/name: kubernetes-replicator
+    app.kubernetes.io/instance: kubernetes-replicator
+    app.kubernetes.io/version: "v2.7.3"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
+---
+# Source: kubernetes-replicator/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-replicator
+  labels:
+    helm.sh/chart: kubernetes-replicator-2.7.3
+    app.kubernetes.io/name: kubernetes-replicator
+    app.kubernetes.io/instance: kubernetes-replicator
+    app.kubernetes.io/version: "v2.7.3"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  kind: ClusterRole
+  name: kubernetes-replicator
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-replicator
+    namespace: "default"

deploy/base/kustomization.yaml

@@ -69,6 +69,15 @@ resources:
 - inflated/grafana/templates/podsecuritypolicy.yaml
 - inflated/grafana/templates/configmap.yaml
 - inflated/grafana/templates/clusterrolebinding.yaml
+# kubernetes-replicator
+- inflated/kubernetes-replicator/templates/deployment.yaml
+- inflated/kubernetes-replicator/templates/rbac.yaml
+# external-dns
+- inflated/external-dns/templates/serviceaccount.yaml
+- inflated/external-dns/templates/deployment.yaml
+- inflated/external-dns/templates/service.yaml
+- inflated/external-dns/templates/clusterrole.yaml
+- inflated/external-dns/templates/clusterrolebinding.yaml
 
 - ingress.yaml
 
@@ -105,6 +114,11 @@ configMapGenerator:
   - init-directory-structure.sh=gitea-init-directory-structure.sh
   - setup.sh=gitea-setup.sh
 
+secretGenerator:
+- name: aws-do-external-dns-credentials
+  files:
+  - credentials=secrets/aws-do-external-dns-credentials
+
 patches:
 # Patch the ingress-nginx service to expose port 22 for Gitea SSH access.
 - target:
@@ -116,3 +130,8 @@ patches:
     kind: Deployment
     name: ingress-nginx-controller
   path: deploy-ingress-nginx.yaml
+
+- target:
+    kind: Deployment
+    name: external-dns
+  path: deploy-external-dns.yaml