Commit

Merge remote-tracking branch 'upstream/master' into fix/txt-encrypt-s…
…table-nonce
Sewci0 committed Oct 5, 2023
2 parents f6861b8 + 4eb7e75 commit 4976722
Showing 58 changed files with 2,281 additions and 742 deletions.
4 changes: 4 additions & 0 deletions OWNERS
@@ -1,6 +1,10 @@
# See the OWNERS file documentation:
# https://github.com/kubernetes/community/blob/HEAD/contributors/guide/owners.md

# These OWNERS files should stay in sync:
# https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes-sigs/external-dns/OWNERS
# https://github.com/kubernetes/k8s.io/blob/master/registry.k8s.io/images/k8s-staging-external-dns/OWNERS

approvers:
- johngmyers
- raffo
5 changes: 4 additions & 1 deletion controller/controller.go
Expand Up @@ -181,8 +181,10 @@ type Controller struct {
nextRunAt time.Time
// The nextRunAtMux is for atomic updating of nextRunAt
nextRunAtMux sync.Mutex
// DNS record types that will be considered for management
// MangedRecordTypes are DNS record types that will be considered for management.
ManagedRecordTypes []string
// ExcludeRecordTypes are DNS record types that will be excluded from management.
ExcludeRecordTypes []string
// MinEventSyncInterval is used as window for batching events
MinEventSyncInterval time.Duration
}
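Review bot: the renamed field comment on `ManagedRecordTypes` in this hunk has a typo, "MangedRecordTypes"; since the line was touched anyway, change it to "ManagedRecordTypes are DNS record types that will be considered for management." so the doc comment matches the identifier (and godoc tooling picks it up).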
Expand Down Expand Up @@ -227,6 +229,7 @@ func (c *Controller) RunOnce(ctx context.Context) error {
Desired: endpoints,
DomainFilter: endpoint.MatchAllDomainFilters{&c.DomainFilter, &registryFilter},
ManagedRecords: c.ManagedRecordTypes,
ExcludeRecords: c.ExcludeRecordTypes,
OwnerID: c.Registry.OwnerID(),
}

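Review bot: `ExcludeRecords: c.ExcludeRecordTypes` is now passed to the plan alongside `ManagedRecords: c.ManagedRecordTypes`, but nothing in this hunk states which list wins when a record type appears in both. Either validate at startup that the two flags are disjoint, or document on the plan struct that exclusion takes precedence, so that an operator cannot accidentally manage a type they meant to exclude.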
43 changes: 22 additions & 21 deletions docs/annotations/annotations.md
Expand Up @@ -4,30 +4,31 @@ ExternalDNS sources support a number of annotations on the Kubernetes resources

The following table documents which sources support which annotations:

| Source | controller | hostname | internal-hostname | target | ttl | (provider-specific) |
|--------------|------------|----------|-------------------|---------|-----|---------------------|
| Ambassador | | | | | Yes | |
| Connector | | | | | | |
| Contour | Yes | Yes[^1] | | Yes | Yes | Yes |
| CloudFoundry | | | | | | |
| CRD | | | | | | |
| F5 | | | | | Yes | |
| Gateway | Yes | Yes[^1] | | Yes[^4] | Yes | Yes |
| Gloo | | | | | Yes | Yes |
| Ingress | Yes | Yes[^1] | | Yes | Yes | Yes |
| Istio | Yes | Yes[^1] | | Yes | Yes | Yes |
| Kong | | Yes | | | Yes | Yes |
| Node | Yes | | | | Yes | |
| OpenShift | Yes | Yes[^1] | | Yes | Yes | Yes |
| Pod | | Yes | Yes | | | |
| Service | Yes | Yes[^1] | Yes[^1][^2] | Yes[^3] | Yes | Yes |
| Skipper | Yes | Yes[^1] | | Yes | Yes | Yes |
| Traefik | | Yes | | Yes | Yes | Yes |
| Source | controller | hostname | internal-hostname | target | ttl | (provider-specific) |
|--------------|------------|----------|-------------------|---------|---------|---------------------|
| Ambassador | | | | Yes | Yes | |
| Connector | | | | | | |
| Contour | Yes | Yes[^1] | | Yes | Yes | Yes |
| CloudFoundry | | | | | | |
| CRD | | | | | | |
| F5 | | | | Yes | Yes | |
| Gateway | Yes | Yes[^1] | | Yes[^4] | Yes | Yes |
| Gloo | | | | Yes | Yes[^5] | Yes[^5] |
| Ingress | Yes | Yes[^1] | | Yes | Yes | Yes |
| Istio | Yes | Yes[^1] | | Yes | Yes | Yes |
| Kong | | Yes | | Yes | Yes | Yes |
| Node | Yes | | | Yes | Yes | |
| OpenShift | Yes | Yes[^1] | | Yes | Yes | Yes |
| Pod | | Yes | Yes | Yes | | |
| Service | Yes | Yes[^1] | Yes[^1][^2] | Yes[^3] | Yes | Yes |
| Skipper | Yes | Yes[^1] | | Yes | Yes | Yes |
| Traefik | | Yes | | Yes | Yes | Yes |

[^1]: Unless the `--ignore-hostname-annotation` flag is specified.
[^2]: Only behaves differently than `hostname` for `Service`s of type `LoadBalancer`.
[^2]: Only behaves differently than `hostname` for `Service`s of type `ClusterIP` or `LoadBalancer`.
[^3]: Also supported on `Pods` referenced from a headless `Service`'s `Endpoints`.
[^4]: The annotation should be on the `Gateway`
[^4]: The annotation must be on the `Gateway`.
[^5]: The annotation must be on the listener's `VirtualService`.

## external-dns.alpha.kubernetes.io/access

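Review bot: the Pod row now marks `target` as supported while footnote [^3] on the Service row already says the target annotation is honoured on Pods referenced from a headless Service's Endpoints; add a footnote to the Pod row (or extend [^3]) stating whether the `pod` source reads `external-dns.alpha.kubernetes.io/target` from the Pod directly, so the two rows cannot be read as contradicting each other. Minor: the new [^5] footnote for Gloo is attached to both `ttl` and `(provider-specific)`, which is fine, but the Gloo `target` cell gained a plain "Yes" with no footnote, so it reads as if `target` is taken from the Proxy rather than the VirtualService; confirm that is intended.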
Binary file added docs/img/webhook-provider.png
82 changes: 82 additions & 0 deletions docs/sources/gateway.md
@@ -0,0 +1,82 @@
# Gateway sources

The gateway-grcproute, gateway-httproute, gateway-tcproute, gateway-tlsroute, and gateway-udproute
sources create DNS entries based on their respective `gateway.networking.k8s.io` resources.

## Filtering the Routes considered

These sources support the `--label-filter` flag, which filters *Route resources
by a set of labels.

## Domain names

To calculate the Domain names created from a *Route, this source first collects a set
of [domain names from the *Route](#domain-names-from-route).

It then iterates over each of the `status.parents` with
a [matching Gateway](#matching-gateways) and at least one [matching listener](#matching-listeners).
For each matching listener, if the
listener has a `hostname`, it narrows the set of domain names from the *Route to the portion
that overlaps the `hostname`. If a matching listener does not have a `hostname`, it uses
the un-narrowed set of domain names.

### Domain names from Route

The set of domain names from a *Route is sourced from the following places:

* If the *Route is a GRPCRoute, HTTPRoute, or TLSRoute, adds each of the`spec.hostnames`.

* Adds the hostnames from any `external-dns.alpha.kubernetes.io/hostname` annotation on the *Route.
This behavior is suppressed if the `--ignore-hostname-annotation` flag was specified.

* If no endpoints were produced by the previous steps
or the `--combine-fqdn-annotation` flag was specified, then adds hostnames
generated from any`--fqdn-template` flag.

* If no endpoints were produced by the previous steps, each
attached Gateway listener will use its `hostname`, if present.

### Matching Gateways

Matching Gateways are discovered by iterating over the *Route's `status.parents`:

* Ignores parents with a `parentRef.group` other than
`gateway.networking.k8s.io` or a `parentRef.kind` other than `Gateway`.

* If the `--gateway-namespace` flag was specified, ignores parents with a `parentRef.namespace` other
than the specified value.

* If the `--gateway-label-filter` flag was specified, ignores parents whose Gateway does not match the
specified label filter.

* Ignores parents whose Gateway either does not exist or has not accepted the route.

### Matching listeners

Iterates over all listeners for the parent's `parentRef.sectionName`:

* Ignores listeners whose `protocol` field does not match the kind of the *Route per the following table:

| kind | protocols |
|------------|-------------|
| GRPCRoute | HTTP, HTTPS |
| HTTPRoute | HTTP, HTTPS |
| TCPRoute | TCP |
| TLSRoute | TLS |
| UDPRoute | UDP |

* If the parent's `parentRef.port` port is specified, ignores listeners without a matching `port`.

* Ignores listeners which specify an `allowedRoutes` which does not allow the route.

## Targets

The targets of the DNS entries created from a *Route are sourced from the following places:

1. If a matching parent Gateway has an `external-dns.alpha.kubernetes.io/target` annotation, uses
the values from that.

2. Otherwise, iterates over that parent Gateway's `status.addresses`,
adding each address's `value`.

The targets from each parent Gateway matching the *Route are then combined and de-duplicated.
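Review bot: the first sentence of the new `docs/sources/gateway.md` names the source "gateway-grcproute", but the flag value documented in `docs/sources/sources.md` in this same commit is `gateway-grpcroute`; fix the spelling so a reader copying the name into `--source` gets a value ExternalDNS accepts. Two spacing slips in the "Domain names from Route" list also merit a fix while the file is new: "each of the`spec.hostnames`" and "generated from any`--fqdn-template` flag" are missing the space before the backtick. Finally, the "Matching Gateways" bullet "Ignores parents whose Gateway either does not exist or has not accepted the route" is the security-relevant filter here (it is what stops a Route from publishing DNS for a Gateway that rejected it), so consider stating explicitly that acceptance is read from the `status.parents` conditions rather than leaving it implied.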
3 changes: 2 additions & 1 deletion docs/sources/service.md
Expand Up @@ -75,7 +75,8 @@ or the `--publish-host-ip` flag was specified, uses the Pod's `status.hostIP` fi

### ClusterIP (not headless)

1. If the `--publish-internal-services` flag is specified, uses the `spec.ServiceIP`.
1. If the hostname came from an `external-dns.alpha.kubernetes.io/internal-hostname` annotation
or the `--publish-internal-services` flag was specified, uses the `spec.ServiceIP`.

2. Otherwise, does not create any targets.

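Review bot: the rewritten ClusterIP step still says "uses the `spec.ServiceIP`", which is not a field on a Kubernetes `Service`; the address of a ClusterIP service is `spec.clusterIP`. Since this line is being rewritten anyway to add the `internal-hostname` annotation case, correct the field name at the same time.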
48 changes: 24 additions & 24 deletions docs/sources/sources.md
@@ -1,26 +1,26 @@
# Sources

| Source | Resources | annotation-filter | label-filter |
|-----------------------|-------------------------------------------------------------------------------|-------------------|--------------|
| ambassador-host | Host.getambassador.io | | |
| connector | | | |
| contour-httpproxy | HttpProxy.projectcontour.io | Yes | |
| cloudfoundry | | | |
| crd | DNSEndpoint.externaldns.k8s.io | Yes | Yes |
| f5-virtualserver | VirtualServer.cis.f5.com | Yes | |
| gateway-grpcroute | GRPCRoute.gateway.networking.k8s.io | Yes | Yes |
| gateway-httproute | HTTPRoute.gateway.networking.k8s.io | Yes | Yes |
| gateway-tcproute | TCPRoute.gateway.networking.k8s.io | Yes | Yes |
| gateway-tlsroute | TLSRoute.gateway.networking.k8s.io | Yes | Yes |
| gateway-udproute | UDPRoute.gateway.networking.k8s.io | Yes | Yes |
| gloo-proxy | Proxy.gloo.solo.io | | |
| [ingress](ingress.md) | Ingress.networking.k8s.io | Yes | Yes |
| istio-gateway | Gateway.networking.istio.io | Yes | |
| istio-virtualservice | VirtualService.networking.istio.io | Yes | |
| kong-tcpingress | TCPIngress.configuration.konghq.com | Yes | |
| node | Node | Yes | |
| openshift-route | Route.route.openshift.io | Yes | Yes |
| pod | Pod | | |
| [service](service.md) | Service | Yes | Yes |
| skipper-routegroup | RouteGroup.zalando.org | Yes | |
| traefik-proxy | IngressRoute.traefik.io IngressRouteTCP.traefik.io IngressRouteUDP.traefik.io | Yes | |
| Source | Resources | annotation-filter | label-filter |
|---------------------------------|-------------------------------------------------------------------------------|-------------------|--------------|
| ambassador-host | Host.getambassador.io | | |
| connector | | | |
| contour-httpproxy | HttpProxy.projectcontour.io | Yes | |
| cloudfoundry | | | |
| crd | DNSEndpoint.externaldns.k8s.io | Yes | Yes |
| f5-virtualserver | VirtualServer.cis.f5.com | Yes | |
| [gateway-grpcroute](gateway.md) | GRPCRoute.gateway.networking.k8s.io | Yes | Yes |
| [gateway-httproute](gateway.md) | HTTPRoute.gateway.networking.k8s.io | Yes | Yes |
| [gateway-tcproute](gateway.md) | TCPRoute.gateway.networking.k8s.io | Yes | Yes |
| [gateway-tlsroute](gateway.md) | TLSRoute.gateway.networking.k8s.io | Yes | Yes |
| [gateway-udproute](gateway.md) | UDPRoute.gateway.networking.k8s.io | Yes | Yes |
| gloo-proxy | Proxy.gloo.solo.io | | |
| [ingress](ingress.md) | Ingress.networking.k8s.io | Yes | Yes |
| istio-gateway | Gateway.networking.istio.io | Yes | |
| istio-virtualservice | VirtualService.networking.istio.io | Yes | |
| kong-tcpingress | TCPIngress.configuration.konghq.com | Yes | |
| node | Node | Yes | Yes |
| openshift-route | Route.route.openshift.io | Yes | Yes |
| pod | Pod | | |
| [service](service.md) | Service | Yes | Yes |
| skipper-routegroup | RouteGroup.zalando.org | Yes | |
| traefik-proxy | IngressRoute.traefik.io IngressRouteTCP.traefik.io IngressRouteUDP.traefik.io | Yes | |
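Review bot: the `node` row flips `label-filter` from blank to "Yes", but none of the files shown in this commit touch the node source; confirm that the node source actually wires `--label-filter` before documenting it, or reference the commit that added it, since operators rely on this table to decide whether a label filter will actually restrict which Nodes publish records.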
3 changes: 3 additions & 0 deletions docs/tutorials/pihole.md
Expand Up @@ -4,6 +4,9 @@ This tutorial describes how to setup ExternalDNS to sync records with Pi-hole's
Pi-hole has an internal list it checks last when resolving requests. This list can contain any number of arbitrary A or CNAME records.
There is a pseudo-API exposed that ExternalDNS is able to use to manage these records.

__NOTE:__ Your Pi-hole must be running [version 5.9 or newer](https://pi-hole.net/blog/2022/02/12/pi-hole-ftl-v5-14-web-v5-11-and-core-v5-9-released).


## Deploy ExternalDNS

You can skip to the [manifest](#externaldns-manifest) if authentication is disabled on your Pi-hole instance or you don't want to use secrets.
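Review bot: the new `__NOTE:__` block is followed by two blank lines before `## Deploy ExternalDNS`; drop one so the spacing matches the single blank line used between the other paragraphs in this file. The note itself is useful, but it would help to say what fails on older Pi-hole versions (for example, which call of the pseudo-API is missing), so an operator hitting an error can recognise the version mismatch.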