
external-dns

Helm chart

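# Default values for external-dns.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

global:
  # -- Global image pull secrets.
  imagePullSecrets: [] # @schema item: object

image: # @schema additionalProperties: false
  # -- Image repository for the `external-dns` container.
  repository: cgr.dev/chainguard-private/external-dns-fips
  # NOTE(review): the `@sha256:` digest is what pins the image content; container
  # runtimes resolve a reference by its digest when one is present, so `latest`
  # here is informational only. Change the digest deliberately when upgrading.
  # -- Image tag for the `external-dns` container, this will default to `.Chart.AppVersion` if not set.
  tag: latest@sha256:cb861cf01d5be75026d3b0cb9514743cc1793554993775a7335845d9b0ef657b # @schema type:[string, null]
  # -- Image pull policy for the `external-dns` container.
  pullPolicy: IfNotPresent # @schema enum:[IfNotPresent, Always]

# -- Image pull secrets.
imagePullSecrets: [] # @schema item: object

# -- (string) Override the name of the chart.
nameOverride: # @schema type:[string, null]; default: null

# -- (string) Override the full name of the chart.
fullnameOverride: # @schema type:[string, null]; default: null

# -- (string) Override the namespace that chart resources are rendered into.
# Defaults to the release namespace. Useful when installing the chart as a
# subchart that should live in its own namespace, separate from the umbrella
# release namespace.
namespaceOverride: # @schema type:[string, null]; default: null

# -- Labels to add to all chart resources.
commonLabels: {}

serviceAccount:
  # -- If `true`, create a new `ServiceAccount`.
  create: true
  # -- Labels to add to the service account.
  labels: {}
  # -- Annotations to add to the service account. Templates are allowed in both the key and the value. Example: `example.com/annotation/{{ .Values.nameOverride }}: {{ .Values.nameOverride }}`
  annotations: {}
  # -- (string) If this is set and `serviceAccount.create` is `true` this will be used for the created `ServiceAccount` name, if set and `serviceAccount.create` is `false` then this will define an existing `ServiceAccount` to use.
  name: # @schema type:[string, null]; default: null
  # -- Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `ServiceAccount`.
  automountServiceAccountToken: true

service:
  # -- Service annotations.
  annotations: {}
  # -- Service HTTP port.
  port: 7979 # @schema minimum:0; default:7979
  # -- Service IP families (e.g. IPv4 and/or IPv6).
  ipFamilies: [] # @schema type: [array, null]; item: string; itemEnum: ["IPv4", "IPv6"]; minItems:0; maxItems:2; uniqueItems: true
    # - IPv4
    # - IPv6
  # -- Service IP family policy.
  ipFamilyPolicy: # @schema type: [string, null]; enum:[SingleStack, PreferDualStack, RequireDualStack, null]

rbac: # @schema additionalProperties: true
  # -- If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API.
  create: true
  # NOTE(review): every rule added here widens what the controller's
  # ServiceAccount token can do; keep additions to the verbs and resources a
  # configured source actually needs.
  # -- Additional rules to add to the `ClusterRole`.
  additionalPermissions: []

# -- Annotations to add to the `Deployment`.
deploymentAnnotations: {}

# -- Extra containers to add to the `Deployment`.
extraContainers: []

# -- [Deployment Strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
deploymentStrategy: # @schema additionalProperties: true
  type: Recreate # @schema enum:[Recreate, RollingUpdate]; type:string; default: Recreate

# -- (int) Specify the number of old `ReplicaSets` to retain to allow rollback of the `Deployment`.
revisionHistoryLimit: # @schema type:[integer, null];minimum:0

# -- Labels to add to the `Pod`.
podLabels: {}

# -- Annotations to add to the `Pod`.
podAnnotations: {}

# -- (bool) Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`.
automountServiceAccountToken: true

# -- If `true`, the `Pod` will have [process namespace sharing](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) enabled.
shareProcessNamespace: false

# -- [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation.
# @default -- See _values.yaml_
podSecurityContext:
  runAsNonRoot: true
  fsGroup: 65534
  seccompProfile:
    type: RuntimeDefault

# -- (string) Priority class name for the `Pod`.
priorityClassName: # @schema type:[string, null]; default: null

# -- (int) Termination grace period for the `Pod` in seconds.
terminationGracePeriodSeconds: # @schema type:[integer, null]

# -- (string) [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for the pod, if not set the default will be used.
dnsPolicy: # @schema type:[string, null]; default: null

# -- (object) [DNS config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) for the pod, if not set the default will be used.
dnsConfig: # @schema type:[object, null]; default: null

# -- [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to add to the `Pod` definition.
initContainers: []

# NOTE(review): hardened defaults (non-root UID/GID, read-only root filesystem,
# no privilege escalation, all capabilities dropped). This block is set for the
# `external-dns` container only; `provider.webhook.securityContext` below is
# configured separately and is empty by default.
# -- [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `external-dns` container.
# @default -- See _values.yaml_
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  capabilities:
    drop: ["ALL"]

# -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `external-dns` container.
env: []

# -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
# @default -- See _values.yaml_
livenessProbe:
  httpGet:
    path: /healthz
    port: http
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 2
  successThreshold: 1

# -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container.
# @default -- See _values.yaml_
readinessProbe:
  httpGet:
    path: /healthz
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1

# -- Extra [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the `Pod`.
extraVolumes: []

# -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `external-dns` container.
extraVolumeMounts: []

# NOTE(review): no CPU/memory requests or limits are set by default; set them
# per cluster policy so the controller cannot starve, or be starved by,
# neighbouring workloads.
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `external-dns` container.
resources: {}

# -- Node labels to match for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
nodeSelector: {}

# -- Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels.
affinity: {}

# -- Topology spread constraints for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided one will be created from the pod selector labels.
topologySpreadConstraints: []

# -- Node taints which will be tolerated for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
tolerations: []

serviceMonitor:
  # -- If `true`, create a `ServiceMonitor` resource to support the _Prometheus Operator_.
  enabled: false
  # -- Additional labels for the `ServiceMonitor`.
  additionalLabels: {}
  # -- Annotations to add to the `ServiceMonitor`.
  annotations: {}
  # -- (string) If set create the `ServiceMonitor` in an alternate namespace.
  namespace: # @schema type:[string, null]; default: null
  # -- (string) If set override the _Prometheus_ default interval.
  interval: # @schema type:[string, null]; default: null
  # -- (string) If set override the _Prometheus_ default scrape timeout.
  scrapeTimeout: # @schema type:[string, null]; default: null
  # -- (string) If set overrides the _Prometheus_ default scheme.
  scheme: # @schema type:[string, null]; default: null
  # -- Configure the `ServiceMonitor` [TLS config](https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig).
  tlsConfig: {}
  # -- (string) Provide a bearer token file for the `ServiceMonitor`.
  bearerTokenFile: # @schema type:[string, null]; default: null
  # -- [Relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) to apply to samples before ingestion.
  relabelings: []
  # -- [Metric relabel configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) to apply to samples before ingestion.
  metricRelabelings: []
  # -- Provide target labels for the `ServiceMonitor`.
  targetLabels: []

# -- Log level.
logLevel: info # @schema enum:[panic, debug, info, warning, error, fatal]; type:string; default: "info"

# -- Log format.
logFormat: text # @schema enum:["text", "json"]; type:string; default: "text"

# -- Interval for DNS updates.
interval: 1m

# -- If `true`, triggers run loop on create/update/delete events in addition to the regular interval.
triggerLoopOnEvent: false

# NOTE(review): with `false` the controller is cluster-scoped (see `rbac.create`
# above), so resources of the configured `sources` in every namespace can
# request DNS records. Bound what it acts on with `namespaced`, `domainFilters`,
# `labelFilter` or `annotationFilter` where namespaces are not equally trusted.
# -- if `true`, _ExternalDNS_ will run in a namespaced scope (`Role` and `RoleBinding` will be namespaced too).
namespaced: false

# -- if `true`, the Gateway API ListenerSet flag will be enabled.
enableGatewayListenerSets: false

# -- _Gateway API_ gateway namespace to watch.
# When `namespaced=true`, setting this value avoids creating any cluster-scoped RBAC
# (no ClusterRole/ClusterRoleBinding) for Gateway sources.
gatewayNamespace: # @schema type:[string, null]; default: null

# -- Source namespace to watch for Kubernetes resources other than Gateway API gateways.
# Used only when `namespaced=true`. Defaults to Release.Namespace
sourceNamespace: # @schema type:[string, null]; default: null

# -- _Kubernetes_ resources to monitor for DNS entries.
sources:
  - service
  - ingress

# NOTE(review): `upsert-only` creates and updates records but does not delete
# them; `sync` also deletes. Review the blast radius before switching to `sync`.
# -- How DNS records are synchronized between sources and providers; available values are `create-only`, `sync`, & `upsert-only`.
policy: upsert-only # @schema enum:[create-only, sync, upsert-only]; type:string; default: "upsert-only"

# -- Specify the registry for storing ownership and labels.
# Valid values are `txt`, `aws-sd`, `dynamodb` & `noop`.
registry: txt # @schema enum:[txt, aws-sd, dynamodb, noop]; default: "txt"

# NOTE(review): unset by default. When more than one ExternalDNS instance writes
# to the same zone, give each a distinct owner id so that one instance does not
# treat another's records as its own.
# -- (string) Specify an identifier for this instance of _ExternalDNS_ when using a registry other than `noop`.
txtOwnerId: # @schema type:[string, null]; default: null

# -- (string) Specify a prefix for the domain names of TXT records created for the `txt` registry.
# Mutually exclusive with `txtSuffix`.
txtPrefix: # @schema type:[string, null]; default: null

# -- (string) Specify a suffix for the domain names of TXT records created for the `txt` registry.
# Mutually exclusive with `txtPrefix`.
txtSuffix: # @schema type:[string, null]; default: null

# NOTE(review): empty means this setting imposes no zone restriction, so the
# reachable zones are bounded only by the provider credentials. List the
# intended zones here and scope the credentials to the same set.
# -- Limit possible target zones by domain suffixes.
domainFilters: []

# -- Intentionally exclude domains from being managed.
excludeDomains: []

# -- Filter resources queried for endpoints by label selector.
labelFilter: # @schema type: [string,null]; default: null

# -- Filter resources queried for endpoints by annotation selector.
annotationFilter: # @schema type: [string,null]; default: null

# -- Annotation prefix for external-dns annotations (useful for split horizon DNS with multiple instances).
annotationPrefix: # @schema type: [string,null]; default: null

# -- Record types to manage (default: A, AAAA, CNAME)
managedRecordTypes: [] # @schema type: [array, null]; item: string; uniqueItems: true

provider: # @schema type: [object, string]
  # -- _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers).
  name: aws
  webhook:
    image:
      # NOTE(review): repository and digest are identical to the main
      # `external-dns` image above, while the schema annotations give `null` as
      # the default. Presumably a packaging placeholder - set the image of the
      # actual webhook provider, pinned by digest, before enabling one.
      # -- (string) Image repository for the `webhook` container.
      repository: cgr.dev/chainguard-private/external-dns-fips # @schema type:[string, null]; default: null
      # -- (string) Image tag for the `webhook` container.
      tag: latest@sha256:cb861cf01d5be75026d3b0cb9514743cc1793554993775a7335845d9b0ef657b # @schema type:[string, null]; default: null
      # -- Image pull policy for the `webhook` container.
      pullPolicy: IfNotPresent
    # -- [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container.
    env: []
    # -- Extra arguments to provide for the `webhook` container.
    args: []
    # -- Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container.
    extraVolumeMounts: []
    # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container.
    resources: {}
    # NOTE(review): empty by default, unlike the top-level `securityContext`.
    # Pod-level `podSecurityContext` still applies to every container, but the
    # container-level settings (capability drop, read-only root filesystem,
    # `allowPrivilegeEscalation: false`) should be repeated here when a webhook
    # provider is enabled - TODO confirm the chart template adds none of its own.
    # -- [Security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container.
    # @default -- See _values.yaml_
    securityContext: {}
    # -- [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container.
    # @default -- See _values.yaml_
    livenessProbe:
      httpGet:
        path: /healthz # @schema type:[string, null]; default: null
        port: http-webhook # @schema type:[integer,string]; default: string
      initialDelaySeconds: 10 # @schema type:[integer, null]; default: null
      periodSeconds: 10 # @schema type:[integer, null]; default: null
      timeoutSeconds: 5 # @schema type:[integer, null]; default: null
      failureThreshold: 2 # @schema type:[integer, null]; default: null
      successThreshold: 1 # @schema type:[integer, null]; default: null
    # -- [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container.
    # @default -- See _values.yaml_
    readinessProbe:
      httpGet:
        path: /healthz # @schema type:[string, null]; default: null
        port: http-webhook # @schema type:[integer,string]; default: string
      initialDelaySeconds: 5 # @schema type:[integer, null]; default: null
      periodSeconds: 10 # @schema type:[integer, null]; default: null
      timeoutSeconds: 5 # @schema type:[integer, null]; default: null
      failureThreshold: 6 # @schema type:[integer, null]; default: null
      successThreshold: 1 # @schema type:[integer, null]; default: null
    service:
      # -- Webhook exposed HTTP port for the service.
      port: 8080
    # -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container.
    # @default -- See _values.yaml_
    serviceMonitor:
      interval: # @schema type:[string, null]; default: null
      scheme: # @schema type:[string, null]; default: null
      tlsConfig: {}
      bearerTokenFile: # @schema type:[string, null]; default: null
      scrapeTimeout: # @schema type:[string, null]; default: null
      metricRelabelings: []
      relabelings: []

# -- Extra arguments to provide to _ExternalDNS_.
# An array or map can be used, with maps allowing for value overrides; maps also support slice values to use the same arg multiple times.
extraArgs: {} # @schema type: [array, null, object]; item: string; uniqueItems: true

# NOTE(review): deprecated. Anything placed in `data` is supplied through Helm
# values, so it is also kept wherever those values are stored (values files,
# CI variables, Helm release history). Prefer a `Secret` managed outside the
# chart and referenced through `env` or `extraVolumes`.
secretConfiguration:
  # -- If `true`, create a `Secret` to store sensitive provider configuration (**DEPRECATED**).
  enabled: false
  # -- Mount path for the `Secret`, this can be templated.
  mountPath: # @schema type:[string, null]; default: null
  # -- Sub-path for mounting the `Secret`, this can be templated.
  subPath: # @schema type:[string, null]; default: null
  # -- `Secret` data.
  data: {}

# -- (bool) No effect - reserved for use in sub-charting.
enabled: # @schema type: [boolean, null]; description: No effect - reserved for use in sub-charting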
