From 20f1337ef0d3de4cd3f7e20ef13dc71d1436f299 Mon Sep 17 00:00:00 2001 From: akrieg-ionos Date: Mon, 30 Sep 2024 12:16:58 +0200 Subject: [PATCH] feat(README): document namespaced mode --- README.md | 24 +++++++++++++++++- deployments/rbac-for-namespaced.yaml | 37 ++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 deployments/rbac-for-namespaced.yaml diff --git a/README.md b/README.md index 3edda66..77d81f6 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,13 @@ image: logLevel: debug # reduce in production # -- if true, _ExternalDNS_ will run in a namespaced scope (Role and Rolebinding will be namespaced too). -namespaced: true +namespaced: false # -- _Kubernetes_ resources to monitor for DNS entries. sources: - ingress + - service + - crd extraArgs: ## must override the default value with port 8888 with port 8080 because this is hard-coded in the helm chart @@ -81,6 +83,26 @@ EOF helm upgrade external-dns-ionos external-dns/external-dns --version 1.15.0 -f external-dns-ionos-values.yaml --install ``` +### namespaced mode + +Currently, the rbac created for a namespaced deployment is not sufficient for the ExternalDNS to work. +In order to get ExternalDNS running in a namespaced mode, you need to create the necessary cluster-role-(binding) resources manually: + +```shell +# don't forget to adjust the namespace for the service account in the rbac-for-namespaced.yaml file, if you are using a different namespace than 'default' +kubectl apply -f deployments/rbac-for-namespaced.yaml +``` + +In the helm chart configuration you then can skip the rbac configuration, so in the helm values file you set: + +```yaml +namespaced: true + +rbac: + create: false +``` + + See [here](./cmd/webhook/init/configuration/configuration.go) for all available configuration options of the ionos webhook. ## Verify the image resource integrity 
diff --git a/deployments/rbac-for-namespaced.yaml b/deployments/rbac-for-namespaced.yaml
new file mode 100644
index 0000000..d8fc8b4
--- /dev/null
+++ b/deployments/rbac-for-namespaced.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-dns-ionos
+ labels:
+ app.kubernetes.io/name: external-dns
+ app.kubernetes.io/instance: external-dns-ionos
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list","watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get","watch","list"]
+ - apiGroups: [""]
+ resources: ["services","endpoints"]
+ verbs: ["get","watch","list"]
+ - apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+---
+# Source: external-dns/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-ionos-viewer
+ labels:
+ app.kubernetes.io/name: external-dns
+ app.kubernetes.io/instance: external-dns-ionos
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns-ionos
+subjects:
+ - kind: ServiceAccount
+ name: external-dns-ionos
+ namespace: default
\ No newline at end of file
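Review bot: The ClusterRoleBinding `external-dns-ionos-viewer` grants the service account get/watch/list on pods, services, endpoints and ingresses in every namespace, which gives up the isolation that `namespaced: true` is meant to provide. Of the listed resources only `nodes` is cluster-scoped, so the ClusterRole could be reduced to the `nodes` rule and the other rules moved into a Role and RoleBinding in the deployment namespace, as sketched below; this assumes `nodes` is the permission the chart's namespaced Role cannot supply, which should be confirmed against the chart. The subject namespace is hard-coded to `default`, so in the sketch the Role namespace, the RoleBinding namespace and the subject namespace all have to be changed together. If the `crd` source from the README example is kept in namespaced mode, no rule in this file covers it, so it is worth checking whether one is needed.

```yaml
# ClusterRole external-dns-ionos: keep only the cluster-scoped rule
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "watch"]
---
# Namespaced read access, effective only in the namespace ExternalDNS runs in
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-dns-ionos
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: external-dns-ionos
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-dns-ionos
subjects:
  - kind: ServiceAccount
    name: external-dns-ionos
    namespace: default
# … unchanged: ClusterRoleBinding external-dns-ionos-viewer …
```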