From c33beb42dd6ec93acd1dd0211e70b59520a68857 Mon Sep 17 00:00:00 2001
From: Ibrahim Mkusa
Date: Fri, 30 May 2025 18:38:55 -0400
Subject: [PATCH] externaldns upgrade v0.15.0 to v0.17.0 + multi-pihole ops
---
manifests/TIPS.md | 8 ++++
manifests/external-dns/install.yaml | 62 +++++++++++++++++++++++++----
2 files changed, 62 insertions(+), 8 deletions(-)
diff --git a/manifests/TIPS.md b/manifests/TIPS.md
index 961cc5c..9fa00fa 100644
--- a/manifests/TIPS.md
+++ b/manifests/TIPS.md
@@ -15,3 +15,11 @@ actual encryption at rest is enabled for your passwords. Make sure to update your main LAN dns servers to point to pihole. 2 instances for redundancy are highly encouraged
+Installing externaldns via manifests, it will look for its password in a secret named
+`pihole-externaldns-password` in the same namespace. You can create it like so
+```
+kubectl create secret generic pihole-dashboard-password
+--from-literal=EXTERNAL_DNS_PIHOLE_PASSWORD=XXXXXXXXX
+
+```
+
diff --git a/manifests/external-dns/install.yaml b/manifests/external-dns/install.yaml
index 959876e..78bb619 100644
--- a/manifests/external-dns/install.yaml
+++ b/manifests/external-dns/install.yaml
@@ -35,7 +35,7 @@ subjects:
apiVersion: apps/v1
kind: Deployment
metadata:
- name: external-dns
+ name: external-dns-0
spec:
strategy:
type: Recreate
@@ -49,17 +49,17 @@ spec:
spec:
serviceAccountName: external-dns
containers:
- - name: external-dns
- image: registry.k8s.io/external-dns/external-dns:v0.15.0
+ - name: external-dns-0
+ image: registry.k8s.io/external-dns/external-dns:v0.17.0
# If authentication is disabled and/or you didn't create
# a secret, you can remove this block.
envFrom:
- secretRef:
# Change this if you gave the secret a different name
- name: pihole-password
+ name: pihole-externaldns-password
args:
- --source=service
- - --source=ingress
+ - --source=ingress # other sources 'traefik-proxy' check documentation
# Pihole only supports A/AAAA/CNAME records so there is no mechanism to track ownership.
# You don't need to set this flag, but if you leave it unset, you will receive warning
# logs when ExternalDNS attempts to create TXT records.
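Review bot: The new `secretRef` name `pihole-externaldns-password` does not match the `kubectl create secret generic pihole-dashboard-password` command this same patch adds to TIPS.md, so a user following the tip gets a Deployment whose pod never starts because the referenced secret does not exist; one of the two names should change, e.g. `kubectl create secret generic pihole-externaldns-password`, and the TIPS command also needs a `\` continuation where it wraps onto the `--from-literal=...` line. The image is pinned only by the mutable tag `registry.k8s.io/external-dns/external-dns:v0.17.0`; pinning by digest, `image: registry.k8s.io/external-dns/external-dns:v0.17.0@sha256:<DIGEST_PLACEHOLDER>`, makes the upgrade reproducible and tamper-evident. The same tag line is repeated in the second Deployment added in the next hunk, so both should be pinned together.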
@@ -67,9 +67,55 @@ spec:
# IMPORTANT: If you have records that you manage manually in Pi-hole, set
# the policy to upsert-only so they do not get deleted.
- --policy=upsert-only
- - --provider=pihole
- - --pihole-tls-skip-verify
+ - --provider=pihole # lots of other providers
+ #- --pihole-tls-skip-verify
+ - --pihole-api-version=6
# Change this to the actual address of your Pi-hole web server
- - --pihole-server=http://pihole-web.default.svc.cluster.local
+ #- --pihole-server=http://pihole-web.default.svc.cluster.local
+ - --pihole-server=http://192.168.0.239
+ securityContext:
+ fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns-1
+spec:
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: external-dns
+ template:
+ metadata:
+ labels:
+ app: external-dns
+ spec:
+ serviceAccountName: external-dns
+ containers:
+ - name: external-dns-1
+ image: registry.k8s.io/external-dns/external-dns:v0.17.0
+ # If authentication is disabled and/or you didn't create
+ # a secret, you can remove this block.
+ envFrom:
+ - secretRef:
+ # Change this if you gave the secret a different name
+ name: pihole-externaldns-password
+ args:
+ - --source=service
+ - --source=ingress # other sources 'traefik-proxy' check documentation
+ # Pihole only supports A/AAAA/CNAME records so there is no mechanism to track ownership.
+ # You don't need to set this flag, but if you leave it unset, you will receive warning
+ # logs when ExternalDNS attempts to create TXT records.
+ - --registry=noop
+ # IMPORTANT: If you have records that you manage manually in Pi-hole, set
+ # the policy to upsert-only so they do not get deleted.
+ - --policy=upsert-only
+ - --provider=pihole # lots of other providers
+ #- --pihole-tls-skip-verify
+ - --pihole-api-version=6
+ # Change this to the actual address of your Pi-hole web server
+ #- --pihole-server=http://pihole-web.default.svc.cluster.local
+ - --pihole-server=http://192.168.0.238
securityContext:
fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files
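Review bot: The new `external-dns-1` Deployment copies `selector.matchLabels: app: external-dns` and the identical pod template labels from `external-dns-0`, so the two Deployments have overlapping selectors, which Kubernetes documents as a configuration where the controllers can interfere with each other; give each its own label, e.g. `app: external-dns-1` in both `matchLabels` and `template.metadata.labels`. Both containers now reach Pi-hole over plain `http://192.168.0.239` / `http://192.168.0.238` outside the cluster, and since the new `--pihole-api-version=6` login uses the password from `pihole-externaldns-password`, that password presumably travels across the LAN in cleartext; pointing `--pihole-server` at an `https://` endpoint with a trusted certificate, while keeping `--pihole-tls-skip-verify` commented out as it is here, closes that. Replacing the previous `pihole-web.default.svc.cluster.local` default with committed site-specific addresses also makes the manifest non-portable, so a comment such as `# site-specific: replace with your Pi-hole address` on each `--pihole-server` line would help the next reader. The two Deployments differ only in name, container name and `--pihole-server`, so a Kustomize overlay or patch would keep the ~40 duplicated lines from drifting apart. The first Deployment's definition begins outside the hunk.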