Merge branch 'master' into feature/infoblox-zone-view-query-parameters

.github/dependabot.yml

@@ -9,11 +9,26 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*"
+    ignore:
+      - dependency-name: "github.com/openshift/api"
+      - dependency-name: "github.com/openshift/client-go"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*" 
   - package-ecosystem: "docker" # Keep Docker dependencies up to date
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      dev-dependencies:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v4
       with:
-        go-version: 1.19
+        go-version: '1.20'
       id: go
 
     - name: Check out code into the Go module directory
@@ -38,7 +38,7 @@ jobs:
             apt update
             apt install -y make gcc libc-dev git
       if: github.actor == 'nektos/act'
-  
+
     - name: Test
       run: make test
 

.github/workflows/codeql-analysis.yml

@@ -28,9 +28,9 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v3
     - name: Install go version
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
-        go-version: '^1.19'
+        go-version: '^1.20'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/docs.yml

@@ -26,7 +26,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: ^1.19
+          go-version: '^1.20'
 
       - run: |
           pip install -r docs/scripts/requirements.txt

.github/workflows/gh-workflow-approve.yaml

@@ -17,11 +17,11 @@ jobs:
       actions: write
     steps:
       - name: Update PR
-        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         continue-on-error: true
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          debug: ${{ secrets.ACTIONS_RUNNER_DEBUG }}
+          debug: ${{ secrets.ACTIONS_RUNNER_DEBUG == 'true' }}
           script: |
             const result = await github.rest.actions.listWorkflowRunsForRepo({
               owner: context.repo.owner,

.github/workflows/json-yaml-validate.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: json-yaml-validate
-        uses: GrantBirki/json-yaml-validate@v1.2.0
+        uses: GrantBirki/json-yaml-validate@v1.5.0
         with:
           comment: "true" # enable comment mode
           yaml_exclude_regex: "(charts/external-dns/templates.*|mkdocs.yml)"

.github/workflows/lint-test-chart.yaml

@@ -38,21 +38,21 @@ jobs:
           python-version: "3.x"
 
       - name: Set-up chart-testing
-        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76
 
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
           changed=$(ct list-changed)
           if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
+            echo "changed=true" >> $GITHUB_OUTPUT
           fi
 
       - name: Run chart-testing (lint)
         run: ct lint --check-version-increment=false
 
       - name: Set-up Kind cluster
-        uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00
+        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67
         with:
           wait: 120s
         if: steps.list-changed.outputs.changed == 'true'

.github/workflows/lint.yaml

@@ -23,13 +23,13 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v4
       with:
-        go-version: 1.19
+        go-version: '1.20'
       id: go
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v3
 
     - name: Lint
       run: |
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.50.1
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.3
         make lint

.github/workflows/release-chart.yaml

@@ -29,7 +29,7 @@ jobs:
         run: |
           set -euo pipefail
           chart_version="$(grep -Po "(?<=^version: ).+" charts/external-dns/Chart.yaml)"
-          echo "::set-output name=version::${chart_version}"
+          echo "version=${chart_version}" >> $GITHUB_OUTPUT
 
       - name: Get changelog entry
         id: changelog_reader

.golangci.yml

@@ -19,7 +19,6 @@ linters:
   # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
   disable-all: true
   enable:
-    - depguard
     - dogsled
     - gofmt
     - goimports
@@ -61,6 +60,14 @@ issues:
         - unused
         - varcheck
         - whitespace
+    - path: source/ambassador_host.go
+      linters: [ typecheck ]
+    - path: source/contour_httpproxy.go
+      linters: [ typecheck ]
+    - path: source/f5_virtualserver.go
+      linters: [ typecheck ]
+    - path: source/kong_tcpingress.go
+      linters: [ typecheck ]
 
 run:
   skip-files:

Dockerfile

@@ -14,7 +14,7 @@
 
 # builder image
 ARG ARCH
-FROM golang:1.19 as builder
+FROM golang:1.20 as builder
 ARG ARCH
 
 WORKDIR /sigs.k8s.io/external-dns
@@ -25,9 +25,9 @@ RUN go mod download
 
 COPY . .
 
-FROM alpine:3.17
+FROM alpine:3.18
 
-RUN apk update && apk add "libcrypto3>=3.0.8-r1" "libssl3>=3.0.8-r1" && rm -rf /var/cache/apt/*
+RUN apk update && apk add "libcrypto3>=3.0.8-r4" "libssl3>=3.0.8-r4" && rm -rf /var/cache/apt/*
 
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /sigs.k8s.io/external-dns/build/external-dns /bin/external-dns

Dockerfile.mini

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.19 as builder
+FROM golang:1.20 as builder
 
 WORKDIR /sigs.k8s.io/external-dns
 

OWNERS

@@ -8,6 +8,7 @@ approvers:
   - szuecs
 
 reviewers:
+  - johngmyers
   - njuettner
   - raffo
   - seanmalloy

README.md

@@ -63,11 +63,10 @@ ExternalDNS allows you to keep selected zones (via `--domain-filter`) synchroniz
 * [Plural](https://www.plural.sh/)
 * [Pi-hole](https://pi-hole.net/)
 
-From this release, ExternalDNS can become aware of the records it is managing (enabled via `--registry=txt`), therefore ExternalDNS can safely manage non-empty hosted zones. We strongly encourage you to use `v0.5` (or greater) with `--registry=txt` enabled and `--txt-owner-id` set to a unique value that doesn't change for the lifetime of your cluster. You might also want to run ExternalDNS in a dry run mode (`--dry-run` flag) to see the changes to be submitted to your DNS Provider API.
+ExternalDNS is, by default, aware of the records it is managing, therefore it can safely manage non-empty hosted zones. We strongly encourage you to set `--txt-owner-id` to a unique value that doesn't change for the lifetime of your cluster. You might also want to run ExternalDNS in a dry run mode (`--dry-run` flag) to see the changes to be submitted to your DNS Provider API.
 
 Note that all flags can be replaced with environment variables; for instance,
-`--dry-run` could be replaced with `EXTERNAL_DNS_DRY_RUN=1`, or
-`--registry txt` could be replaced with `EXTERNAL_DNS_REGISTRY=txt`.
+`--dry-run` could be replaced with `EXTERNAL_DNS_DRY_RUN=1`.
 
 ## Status of providers
 
@@ -176,6 +175,7 @@ The following tutorials are provided:
 * [Nginx Ingress Controller](docs/tutorials/nginx-ingress.md)
 * [NS1](docs/tutorials/ns1.md)
 * [NS Record Creation with CRD Source](docs/tutorials/ns-record.md)
+* [MX Record Creation with CRD Source](docs/tutorials/mx-record.md)
 * [OpenStack Designate](docs/tutorials/designate.md)
 * [Oracle Cloud Infrastructure (OCI) DNS](docs/tutorials/oracle.md)
 * [PowerDNS](docs/tutorials/pdns.md)
@@ -236,17 +236,17 @@ If the service is not of type Loadbalancer you need the --publish-internal-servi
 Locally run a single sync loop of ExternalDNS.
 
 ```console
-external-dns --registry txt --txt-owner-id my-cluster-id --provider google --google-project example-project --source service --once --dry-run
+external-dns --txt-owner-id my-cluster-id --provider google --google-project example-project --source service --once --dry-run
 ```
 
 This should output the DNS records it will modify to match the managed zone with the DNS records you desire. It also assumes you are running in the `default` namespace. See the [FAQ](docs/faq.md) for more information regarding namespaces.
 
-Note: TXT records will have `my-cluster-id` value embedded. Those are used to ensure that ExternalDNS is aware of the records it manages.
+Note: TXT records will have the `my-cluster-id` value embedded. Those are used to ensure that ExternalDNS is aware of the records it manages.
 
 Once you're satisfied with the result, you can run ExternalDNS like you would run it in your cluster: as a control loop, and **not in dry-run** mode:
 
 ```console
-external-dns --registry txt --txt-owner-id my-cluster-id --provider google --google-project example-project --source service
+external-dns --txt-owner-id my-cluster-id --provider google --google-project example-project --source service
 ```
 
 Check that ExternalDNS has created the desired DNS record for your Service and that it points to its load balancer's IP. Then try to resolve it:
@@ -270,71 +270,6 @@ If using a txt registry and attempting to use a CNAME the `--txt-prefix` must be
 
 If `externalIPs` list is defined for a `LoadBalancer` service, this list will be used instead of an assigned load balancer IP to create a DNS record. It's useful when you run bare metal Kubernetes clusters behind NAT or in a similar setup, where a load balancer IP differs from a public IP (e.g. with [MetalLB](https://metallb.universe.tf)).
 
-# Roadmap
-
-ExternalDNS was built with extensibility in mind. Adding and experimenting with new DNS providers and sources of desired DNS records should be as easy as possible. It should also be possible to modify how ExternalDNS behaves—e.g. whether it should add records but never delete them.
-
-Here's a rough outline on what is to come (subject to change):
-
-### v0.1
-
-- [x] Support for Google CloudDNS
-- [x] Support for Kubernetes Services
-
-### v0.2
-
-- [x] Support for AWS Route 53
-- [x] Support for Kubernetes Ingresses
-
-### v0.3
-
-- [x] Support for AWS Route 53 via ALIAS
-- [x] Support for multiple zones
-- [x] Ownership System
-
-### v0.4
-
-- [x] Support for AzureDNS
-- [x] Support for CloudFlare
-- [x] Support for DigitalOcean
-- [x] Multiple DNS names per Service
-
-### v0.5
-
-- [x] Support for creating DNS records to multiple targets (for Google and AWS)
-- [x] Support for OpenStack Designate
-- [x] Support for PowerDNS
-- [x] Support for Linode
-- [x] Support for RcodeZero
-- [x] Support for NS1
-- [x] Support for TransIP
-- [x] Support for Azure Private DNS
-
-### v0.6
-
-- [ ] Ability to replace kOps' [DNS Controller](https://github.com/kubernetes/kops/tree/HEAD/dns-controller) (This could also directly become `v1.0`)
-- [x] Support for OVH
-
-### v1.0
-
-- [ ] Ability to replace kOps' [DNS Controller](https://github.com/kubernetes/kops/tree/HEAD/dns-controller)
-	- [x] Add support for pod source
-	- [x] Add support for DNS Controller annotations for pod and service sources
-	- [ ] Add support for kOps gossip provider
-- [x] Ability to replace Zalando's [Mate](https://github.com/linki/mate)
-- [x] Ability to replace Molecule Software's [route53-kubernetes](https://github.com/wearemolecule/route53-kubernetes)
-
-### Yet to be defined
-
-* Support for CoreDNS
-* Support for record weights
-* Support for different behavioral policies
-* Support for Services with `type=NodePort`
-* Support for CRDs
-* Support for more advanced DNS record configurations
-
-Have a look at [the milestones](https://github.com/kubernetes-sigs/external-dns/milestones) to get an idea of where we currently stand.
-
 ## Contributing
 
 Are you interested in contributing to external-dns? We, the maintainers and community, would love your

charts/external-dns/CHANGELOG.md

@@ -11,7 +11,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### All Changes
 
-## [v1.12.2] - UNRELEASED
+- Disallowed privilege escalation in container security context and set the seccomp profile type to `RuntimeDefault`. ([#3689](https://github.com/kubernetes-sigs/external-dns/pull/3689)) [@nrvnrvn](https://github.com/nrvnrvn)
+- Added RBAC for Traefik to ClusterRole. ([#3325](https://github.com/kubernetes-sigs/external-dns/pull/3325)) [@ThomasK33](https://github.com/thomask33)
+
+## [v1.13.0] - 2023-03-30
+
+### All Changes
+
+- Updated _ExternalDNS_ version to [v0.13.5](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.5). ([#3661](https://github.com/kubernetes-sigs/external-dns/pull/3661)) [@GMartinez-Sisti](https://github.com/GMartinez-Sisti)
+- Adding missing gateway-httproute cluster role permission. ([#3541](https://github.com/kubernetes-sigs/external-dns/pull/3541)) [@nicon89](https://github.com/nicon89)
+
+## [v1.12.2] - 2023-03-30
 
 ### All Changes
 

charts/external-dns/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: external-dns
 description: ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.
 type: application
-version: 1.12.2
-appVersion: 0.13.4
+version: 1.13.0
+appVersion: 0.13.5
 keywords:
   - kubernetes
   - externaldns
@@ -20,15 +20,7 @@ maintainers:
     email: [email protected]
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: "Added support for ServiceMonitor relabelling."
     - kind: changed
-      description: "Updated chart icon path."
-    - kind: added
-      description: "Added RBAC for Gateway-API resources to ClusterRole."
-    - kind: added
-      description: "Added RBAC for F5 VirtualServer to ClusterRole."
-    - kind: added
-      description: "Added support for running ExternalDNS with namespaced scope."
+      description: "Updated _ExternalDNS_ version to [v0.13.5](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.5)."
     - kind: changed
-      description: "Updated _ExternalDNS_ version to [v0.13.4](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.13.4)."
+      description: "Adding missing gateway-httproute cluster role permission."

charts/external-dns/ci/ci-values.yaml

@@ -0,0 +1 @@
+provider: inmemory

charts/external-dns/templates/clusterrole.yaml

@@ -105,6 +105,11 @@ rules:
     resources: ["tcpingresses"]
     verbs: ["get","watch","list"]
 {{- end }}
+{{- if has "traefik-proxy" .Values.sources }}
+  - apiGroups: ["traefik.containo.us", "traefik.io"]
+    resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
+    verbs: ["get","watch","list"]
+{{- end }}
 {{- if has "openshift-route" .Values.sources }}
   - apiGroups: ["route.openshift.io"]
     resources: ["routes"]

charts/external-dns/values.yaml

@@ -43,8 +43,11 @@ shareProcessNamespace: false
 
 podSecurityContext:
   fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
 
 securityContext:
+  allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 65534
   readOnlyRootFilesystem: true