chore(cloudflare): migrate customhostname to v5

.github/workflows/dependency-update.yaml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/[email protected]
       # https://github.com/renovatebot/github-action
       - name: self-hosted renovate
-        uses: renovatebot/[email protected].1
+        uses: renovatebot/[email protected].2
         with:
           # https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/end-to-end-tests.yml

@@ -0,0 +1,19 @@
+name: end to end test
+
+on:
+  push:
+    branches:
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  e2e-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: e2e
+      run: |
+        ./scripts/e2e-test.sh

.github/workflows/lint.yaml

@@ -6,13 +6,11 @@ on:
 
 jobs:
   lint:
-    name: Markdown, Go and OAS
+    name: Markdown and Go
     runs-on: ubuntu-latest
     permissions:
       # Required: allow read access to the content for analysis.
       contents: read
-      # For OAS check
-      checks: write
       # For go lang linter
       pull-requests: read
     steps:
@@ -50,13 +48,6 @@ jobs:
         args: --timeout=30m
         version: v2.5
 
-      # https://github.com/daveshanley/vacuum
-    - name: Lint OpenAPI spec
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Increases rate limit from 60 to 5000 requests
-      run: |
-        go tool vacuum lint -d --fail-severity warn --show-rules api/*.yaml
-
     - uses: actions/setup-python@v6
     # https://github.com/pre-commit/action
     - name: Verify with pre-commit

Makefile

@@ -57,14 +57,9 @@ licensecheck:
 			exit 1; \
 		fi
 
-#? oas-lint: Execute OpenAPI Specification (OAS) linting https://quobix.com/vacuum/
-.PHONY: go-lint
-oas-lint:
-	go tool -modfile=go.tool.mod vacuum lint -d --fail-severity warn api/*.yaml
-
 #? lint: Run all the linters
 .PHONY: lint
-lint: licensecheck go-lint oas-lint
+lint: licensecheck go-lint
 
 #? crd: Generates CRD using controller-gen and copy it into chart
 .PHONY: crd

README.md

@@ -115,6 +115,7 @@ from the usage of any externally developed webhook.
 | STACKIT               | https://github.com/stackitcloud/external-dns-stackit-webhook         |
 | Unbound               | https://github.com/guillomep/external-dns-unbound-webhook            |
 | Unifi                 | https://github.com/kashalls/external-dns-unifi-webhook               |
+| UniFi                 | https://github.com/lexfrei/external-dns-unifios-webhook              |
 | Volcengine Cloud      | https://github.com/volcengine/external-dns-volcengine-webhook        |
 | Vultr                 | https://github.com/vultr/external-dns-vultr-webhook                  |
 | Yandex Cloud          | https://github.com/ismailbaskin/external-dns-yandex-webhook/         |
@@ -168,7 +169,7 @@ Breaking changes were introduced in external-dns in the following versions:
 
 - [`v0.10.0`](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.10.0): use of `networking.k8s.io/ingresses` instead of `extensions/ingresses` (see [#2281](https://github.com/kubernetes-sigs/external-dns/pull/2281))
 - [`v0.18.0`](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.18.0): use of `discovery.k8s.io/endpointslices` instead of `endpoints` (see [#5493](https://github.com/kubernetes-sigs/external-dns/pull/5493))
-- [`v0.19.0`](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.19.0): expose external ipv6 by default (see [#5575](https://github.com/kubernetes-sigs/external-dns/pull/5575) and disable legacy listeners on traefik.containo.us API Group (see [#5565](https://github.com/kubernetes-sigs/external-dns/pull/5565))
+- [`v0.20.0`](https://github.com/kubernetes-sigs/external-dns/releases/tag/v0.20.0): expose external ipv6 by default (see [#5575](https://github.com/kubernetes-sigs/external-dns/pull/5575) and disable legacy listeners on traefik.containo.us API Group (see [#5565](https://github.com/kubernetes-sigs/external-dns/pull/5565))
 
 | ExternalDNS                  |      ≤ 0.9.x       | ≥ 0.10.x and ≤ 0.17.x |      ≥ 0.18.x      |
 | ---------------------------- | :----------------: | :-------------------: | :----------------: |

charts/external-dns/CHANGELOG.md

@@ -22,6 +22,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Add option to set `annotationPrefix` ([#5889](https://github.com/kubernetes-sigs/external-dns/pull/5889)) _@lexfrei_
 
+### Changed
+
+- Grant `networking.k8s.io/ingresses` and `gateway.solo.io/gateways` permissions when using `gloo-proxy` source. ([#5909](https://github.com/kubernetes-sigs/external-dns/pull/5909)) _@cucxabong_
+
 ## [v1.19.0] - 2025-09-08
 
 ### Added

charts/external-dns/templates/clusterrole.yaml

@@ -26,7 +26,7 @@ rules:
     resources: ["endpointslices"]
     verbs: ["get","watch","list"]
 {{- end }}
-{{- if or (has "ingress" .Values.sources) (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) }}
+{{- if or (has "ingress" .Values.sources) (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) (has "contour-httpproxy" .Values.sources) (has "openshift-route" .Values.sources) (has "skipper-routegroup" .Values.sources) (has "gloo-proxy" .Values.sources) }}
   - apiGroups: ["extensions","networking.k8s.io"]
     resources: ["ingresses"]
     verbs: ["get","watch","list"]
@@ -99,7 +99,7 @@ rules:
 {{- end }}
 {{- if has "gloo-proxy" .Values.sources }}
   - apiGroups: ["gloo.solo.io","gateway.solo.io"]
-    resources: ["proxies","virtualservices"]
+    resources: ["proxies","virtualservices","gateways"]
     verbs: ["get","watch","list"]
 {{- end }}
 {{- if has "kong-tcpingress" .Values.sources }}

charts/external-dns/tests/rbac_test.yaml

@@ -520,3 +520,27 @@ tests:
               resources: ["virtualservices"]
               verbs: ["get","watch","list"]
         template: clusterrole.yaml
+  - it: should create default RBAC rules for 'GlooEdge' when 'gloo-proxy' is set
+    set:
+      sources:
+        - gloo-proxy
+    asserts:
+      - template: clusterrole.yaml
+        equal:
+          path: rules
+          value:
+            - apiGroups: [""]
+              resources: ["nodes"]
+              verbs: ["list","watch"]
+            - apiGroups: [""]
+              resources: ["pods"]
+              verbs: ["get","watch","list"]
+            - apiGroups: [""]
+              resources: ["services"]
+              verbs: ["get","watch","list"]
+            - apiGroups: ["extensions","networking.k8s.io"]
+              resources: ["ingresses"]
+              verbs: ["get","watch","list"]
+            - apiGroups: ["gloo.solo.io","gateway.solo.io"]
+              resources: ["proxies","virtualservices","gateways"]
+              verbs: ["get","watch","list"]

docs/advanced/import-records.md

@@ -84,7 +84,7 @@ spec:
         env:
         - name: AWS_DEFAULT_REGION
           value: us-west-2
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         imagePullPolicy: IfNotPresent
         name: external-dns
       securityContext:

docs/annotations/annotations.md

@@ -151,14 +151,108 @@ If the annotation is not present, use the domains from both the spec and annotat
 
 ## external-dns.alpha.kubernetes.io/ingress
 
-This annotation allows ExternalDNS to work with Istio Gateways that don't have a public IP.
+This annotation allows ExternalDNS to work with Istio & GlooEdge Gateways that don't have a public IP.
 
-It can be used to address a specific architectural pattern, when a Kubernetes Ingress directs all public traffic to the Istio Gateway:
+It can be used to address a specific architectural pattern, when a Kubernetes Ingress directs all public traffic to an Istio or GlooEdge Gateway:
 
 - **The Challenge**: By default, ExternalDNS sources the public IP address for a DNS record from a Service of type LoadBalancer.
-However, in some service mesh setups, the Istio Gateway's Service is of type ClusterIP, with all public traffic routed to it via a separate Kubernetes Ingress object. This setup leaves the Gateway without a public IP that ExternalDNS can discover.
+However, in some setups, the Gateway's Service is of type ClusterIP, with all public traffic routed to it via a separate Kubernetes Ingress object. This setup leaves the Gateway without a public IP that ExternalDNS can discover.
 
-- **The Solution**: The annotation on the Istio Gateway tells ExternalDNS to ignore the Gateway's Service IP. Instead, it directs ExternalDNS to a specified Ingress resource to find the target LoadBalancer IP address.
+- **The Solution**: The annotation on the Istio/GlooEdge Gateway tells ExternalDNS to ignore the Gateway's Service IP. Instead, it directs ExternalDNS to a specified Ingress resource to find the target LoadBalancer IP address.
+
+### Use Cases for `external-dns.alpha.kubernetes.io/ingress` annotation
+
+#### Getting target from Ingress backed Gloo Gateway
+
+```yml
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/ingress: gateway-proxy
+  labels:
+    app: gloo
+  name: gateway-proxy
+  namespace: gloo-system
+spec:
+  bindAddress: '::'
+  bindPort: 8080
+  options: {}
+  proxyNames:
+  - gateway-proxy
+  ssl: false
+  useProxyProto: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gateway-proxy
+  namespace: gloo-system
+spec:
+  ingressClassName: alb
+  rules:
+  - host: cool-service.example.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: gateway-proxy
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+status:
+  loadBalancer:
+    ingress:
+    - hostname: k8s-alb-c4aa37c880-740590208.us-east-1.elb.amazonaws.com
+---
+# This object is generated by GlooEdge Control Plane from Gateway and VirtualService.
+# We have no direct control on this resource
+apiVersion: gloo.solo.io/v1
+kind: Proxy
+metadata:
+  labels:
+    created_by: gloo-gateway
+  name: gateway-proxy
+  namespace: gloo-system
+spec:
+  listeners:
+  - bindAddress: '::'
+    bindPort: 8080
+    httpListener:
+      virtualHosts:
+      - domains:
+        - cool-service.example.com
+        metadataStatic:
+          sources:
+          - observedGeneration: "6652"
+            resourceKind: '*v1.VirtualService'
+            resourceRef:
+              name: cool-service
+              namespace: gloo-system
+        name: cool-service
+        routes:
+        - matchers:
+          - prefix: /
+          metadataStatic:
+            sources:
+            - observedGeneration: "6652"
+              resourceKind: '*v1.VirtualService'
+              resourceRef:
+                name: cool-service
+                namespace: gloo-system
+            upgrades:
+            - websocket: {}
+    metadataStatic:
+      sources:
+      - observedGeneration: "6111"
+        resourceKind: '*v1.Gateway'
+        resourceRef:
+          name: gateway-proxy
+          namespace: gloo-system
+    name: listener-::-8080
+    useProxyProto: false
+```
 
 ## external-dns.alpha.kubernetes.io/internal-hostname
 

docs/faq.md

@@ -193,7 +193,7 @@ $ docker run \
   -e EXTERNAL_DNS_SOURCE=$'service\ningress' \
   -e EXTERNAL_DNS_PROVIDER=google \
   -e EXTERNAL_DNS_DOMAIN_FILTER=$'foo.com\nbar.com' \
-  registry.k8s.io/external-dns/external-dns:v0.19.0
+  registry.k8s.io/external-dns/external-dns:v0.20.0
 time="2017-08-08T14:10:26Z" level=info msg="config: &{APIServerURL: KubeConfig: Sources:[service ingress] Namespace: ...
 ```
 

docs/registry/dynamodb.md

@@ -81,7 +81,7 @@ spec:
     spec:
       containers:
         - name: external-dns
-          image: registry.k8s.io/external-dns/external-dns:v0.19.0
+          image: registry.k8s.io/external-dns/external-dns:v0.20.0
           args:
             - --source=service
             - --source=ingress

docs/registry/txt.md

@@ -238,7 +238,7 @@ spec:
       serviceAccountName: external-dns
       containers:
       - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         imagePullPolicy: Always
         args:
         - "--txt-prefix=%{record_type}-"
@@ -276,7 +276,7 @@ spec:
       containers:
       - name: external-dns
         imagePullPolicy: Always
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         args:
         - "--txt-prefix=%{record_type}-"
         - "--txt-cache-interval=2m"

docs/release.md

@@ -14,7 +14,7 @@ A new staging image is released weekly and can be found at [gcr.io/k8s-staging-e
 Example command to fetch `10` most recent staging images:
 
 ```sh
-export EXT_DNS_VERSION="v0.19.0"
+export EXT_DNS_VERSION="v0.20.0"
 curl -sLk https://gcr.io/v2/k8s-staging-external-dns/external-dns/tags/list | jq | grep "$EXT_DNS_VERSION" | tail -n 10
 ```
 

docs/sources/gateway-api.md

@@ -194,7 +194,7 @@ spec:
       serviceAccountName: external-dns
       containers:
       - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         args:
         # Add desired Gateway API Route sources.
         - --source=gateway-httproute

docs/sources/gloo-proxy.md

@@ -24,7 +24,7 @@ spec:
       containers:
       - name: external-dns
         # update this to the desired external-dns version
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         args:
         - --source=gloo-proxy
         - --gloo-namespace=custom-gloo-system # gloo system namespace. Specify multiple times for multiple namespaces. Omit to use the default (gloo-system)
@@ -96,11 +96,60 @@ spec:
       containers:
       - name: external-dns
         # update this to the desired external-dns version
-        image: registry.k8s.io/external-dns/external-dns:v0.19.0
+        image: registry.k8s.io/external-dns/external-dns:v0.20.0
         args:
         - --source=gloo-proxy
         - --gloo-namespace=custom-gloo-system # gloo system namespace. Specify multiple times for multiple namespaces. Omit to use the default (gloo-system)
         - --provider=aws
         - --registry=txt
         - --txt-owner-id=my-identifier
 ```
+
+## Gateway Annotation
+
+To support setups where an Ingress resource is used to provision an external LB you can add the following annotation to your Gateway
+
+**Note:** The Ingress namespace can be omitted if its in the same namespace as the gateway
+
+```bash
+$ cat <<EOF | kubectl apply -f -
+apiVersion: gloo.solo.io/v1
+kind: Proxy
+metadata:
+  labels:
+    created_by: gloo-gateway
+  name: gateway-proxy
+  namespace: gloo-system
+spec:
+  listeners:
+  - bindAddress: '::'
+    metadataStatic:
+      sources:
+      - resourceKind: '*v1.Gateway'
+        resourceRef:
+          name: gateway-proxy
+          namespace: gloo-system
+---
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/ingress: "$ingressNamespace/$ingressName"
+  labels:
+    app: gloo
+  name: gateway-proxy
+  namespace: gloo-system
+spec: {}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    gateway-proxy-id: gateway-proxy
+    gloo: gateway-proxy
+  name: gateway-proxy
+  namespace: gloo-system
+spec:
+  ingressClassName: alb
+EOF
+```