From e852136e24d99ed9e0da9121e033c64925ac7342 Mon Sep 17 00:00:00 2001 From: David Fernandez Date: Wed, 1 Jul 2026 15:39:35 -0300 Subject: [PATCH] fix(commons/external_dns): use only the crd source, drop unused gateway-httproute external-dns is configured to consume only the crd source by default. The gateway-httproute source and its associated RBAC (gateway.networking.k8s.io gateways/httproutes) are removed, since they only served that source and no consumer uses it. This reverts the default introduced in #282; the dnsendpoints RBAC is kept because it is the CRD the crd source relies on. - variables.tf: sources default ["crd", "gateway-httproute"] -> ["crd"] - locals.tf: drop the gateway.networking.k8s.io RBAC additionalPermissions - tests: lock in the crd-only default and the absence of gateway RBAC - README.md: update documented default No functional impact: no consumer relies on the gateway-httproute source, so existing deployments are unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) --- infrastructure/commons/external_dns/README.md | 2 +- infrastructure/commons/external_dns/locals.tf | 5 --- .../tests/external_dns_aws.tftest.hcl | 31 +++++++++++++++++++ .../commons/external_dns/variables.tf | 2 +- 4 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/infrastructure/commons/external_dns/README.md b/infrastructure/commons/external_dns/README.md
index 70106213..80b36cf9 100644
--- a/infrastructure/commons/external_dns/README.md
+++ b/infrastructure/commons/external_dns/README.md
@@ -171,7 +171,7 @@ resource "example_resource" "this" {
 | [oci\_zone\_scope](#input\_oci\_zone\_scope) | The scope of the DNS zones in OCI (GLOBAL or PRIVATE) | `string` | `"GLOBAL"` | no |
 | [oci\_zones\_cache\_duration](#input\_oci\_zones\_cache\_duration) | The duration to cache OCI DNS zones (e.g., '30s', '1m'). Set to '0s' to disable caching. | `string` | `"30s"` | no |
 | [policy](#input\_policy) | The policy to external dns manage the DNS records | `string` | `"sync"` | no |
-| [sources](#input\_sources) | Array contents the sources to external dns work | `list(string)` |
[
"crd",
"gateway-httproute"
]
| no |
+| [sources](#input\_sources) | Array contents the sources to external dns work | `list(string)` |
[
"crd"
]
| no |
 | [txt\_owner\_id](#input\_txt\_owner\_id) | The TXT owner ID used by ExternalDNS to identify DNS records it manages | `string` | `"external_dns"` | no |
 | [type](#input\_type) | Determines whether the external-dns deployment is public or private | `string` | `"public"` | no |
 | [zone\_id\_filter](#input\_zone\_id\_filter) | The Route53 public or private hosted zone ID for ExternalDNS to manage (required when dns\_provider\_name is 'aws') | `string` | `""` | no |
diff --git a/infrastructure/commons/external_dns/locals.tf b/infrastructure/commons/external_dns/locals.tf
index bcc0bb71..0bd7d99c 100644
--- a/infrastructure/commons/external_dns/locals.tf
+++ b/infrastructure/commons/external_dns/locals.tf
@@ -46,11 +46,6 @@ locals {
 apiGroups = ["externaldns.k8s.io"]
 resources = ["dnsendpoints"]
 verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
- },
- {
- apiGroups = ["gateway.networking.k8s.io"]
- resources = ["gateways", "httproutes"]
- verbs = ["get", "list", "watch"]
 }
 ]
 }
diff --git a/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl b/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
index 1ce114f2..ed1b1ff5 100644
--- a/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
+++ b/infrastructure/commons/external_dns/tests/external_dns_aws.tftest.hcl
@@ -43,6 +43,37 @@ run "aws_zone_filtering_args" {
 }
 }
+run "default_sources_is_crd_only" {
+ command = plan
+
+ assert {
+ condition = length(local.base_config.sources) == 1 && local.base_config.sources[0] == "crd"
+ error_message = "Default sources should be crd-only (no gateway-httproute)"
+ }
+}
+
+run "rbac_has_no_gateway_permissions" {
+ command = plan
+
+ assert {
+ condition = length(local.route53_config.rbac.additionalPermissions) == 1
+ error_message = "RBAC should only grant the crd (dnsendpoints) permission"
+ }
+
+ assert {
+ condition = local.route53_config.rbac.additionalPermissions[0].apiGroups == ["externaldns.k8s.io"]
+ error_message = "The only additional RBAC permission should be for externaldns.k8s.io/dnsendpoints"
+ }
+
+ assert {
+ condition = !contains(
+ [for p in local.route53_config.rbac.additionalPermissions : p.apiGroups[0]],
+ "gateway.networking.k8s.io"
+ )
+ error_message = "RBAC must not include gateway.networking.k8s.io permissions after removing the gateway-httproute source"
+ }
+}
+
 run "no_cloudflare_secret_for_aws" {
 command = plan
diff --git a/infrastructure/commons/external_dns/variables.tf b/infrastructure/commons/external_dns/variables.tf
index 919a7aee..159e40d7 100644
--- a/infrastructure/commons/external_dns/variables.tf
+++ b/infrastructure/commons/external_dns/variables.tf
@@ -44,7 +44,7 @@ variable "policy" {
 variable "sources" {
 description = "Array contents the sources to external dns work"
 type = list(string)
- default = ["crd", "gateway-httproute"]
+ default = ["crd"]
 }
 variable "type" {
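Review bot: The third assertion in `rbac_has_no_gateway_permissions` only inspects `p.apiGroups[0]`, so a permission entry that lists `gateway.networking.k8s.io` as its second apiGroup would still pass; checking every group in every entry is `condition = !anytrue([for p in local.route53_config.rbac.additionalPermissions : contains(p.apiGroups, "gateway.networking.k8s.io")])`. The first two assertions already pin the list to exactly one `externaldns.k8s.io` entry, so the third is the regression guard for a future re-addition and should be the strict form. The RBAC assertions read `local.route53_config` only; if the module derives equivalent config for the other providers the README documents inputs for (OCI, Cloudflare), those locals are not covered by this file and presumably need the same check in their own tftest. Both new `run` blocks begin and end inside the hunk; the two leading `}` lines are the tail of `aws_zone_filtering_args`.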
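Review bot: `variable "sources"` still accepts `"gateway-httproute"` while this commit drops the `gateways`/`httproutes` RBAC from locals.tf, so a caller that overrides the default now gets a ServiceAccount that presumably cannot list Gateway API objects and the controller fails at runtime rather than at plan time. Either reject the value with a `validation` block on the variable, e.g. `condition = !contains(var.sources, "gateway-httproute")` with an `error_message` saying the module no longer grants the matching RBAC, or gate the gateway permission entry in locals.tf on `contains(var.sources, "gateway-httproute")` so the granted RBAC always tracks the configured sources (least privilege in both directions). The description would also read better as `description = "external-dns source types to watch (e.g. \"crd\"); each entry must have matching RBAC in locals.tf"`. The `variable "sources"` block is entirely inside the hunk.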