bitnami/external-dns Add support for OCI IAM instance principle and workload identity (#24708)

* Add support for OCI IAM

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* bump minor chart version

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* revert readme

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* update readme

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* Add if statement

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* Add compartment id flag for instance principle

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

* Update helpers and values

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

---------

Signed-off-by: cloudoutloud <39462069+cloudoutloud@users.noreply.github.com>

Author: cloudoutloud

bitnami/external-dns/Chart.yaml

@@ -28,4 +28,4 @@ maintainers:
 name: external-dns
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/external-dns
-version: 7.1.2
+version: 7.2.0

bitnami/external-dns/README.md

@@ -262,6 +262,8 @@ helm install my-release \
 | `oci.privateKeyFingerprint`                         | When using the OCI provider, put in the fingerprint of your privateKey                                                                                                                                            | `""`                           |
 | `oci.privateKeyPassphrase`                          | When using the OCI provider and your privateKey has a passphrase, put it in here. (optional)                                                                                                                      | `""`                           |
 | `oci.secretName`                                    | When using the OCI provider, it's the name of the secret containing `oci.yaml` file.                                                                                                                              | `""`                           |
+| `oci.useInstancePrincipal`                          | When using the OCI provider, enable IAM Instance Principal                                                                                                                                                        | `false`                        |
+| `oci.useWorkloadIdentity`                           | When using the OCI provider, enable IAM Workload Identity                                                                                                                                                         | `false`                        |
 | `ovh.consumerKey`                                   | When using the OVH provider, specify the existing consumer key. (required when provider=ovh and `ovh.secretName` is not provided.)                                                                                | `""`                           |
 | `ovh.applicationKey`                                | When using the OVH provider with an existing application, specify the application key. (required when provider=ovh and `ovh.secretName` is not provided.)                                                         | `""`                           |
 | `ovh.applicationSecret`                             | When using the OVH provider with an existing application, specify the application secret. (required when provider=ovh and `ovh.secretName` is not provided.)                                                      | `""`                           |

bitnami/external-dns/templates/_helpers.tpl

@@ -257,6 +257,12 @@ region = {{ .Values.aws.region }}
 }
 {{ end }}
 {{- define "external-dns.oci-credentials" -}}
+{{- if .Values.oci.useWorkloadIdentity }}
+auth:
+  region: {{ .Values.oci.region }}
+  useWorkloadIdentity: true
+compartment: {{ .Values.oci.compartmentOCID }}
+{{- else }}
 auth:
   region: {{ .Values.oci.region }}
   tenancy: {{ .Values.oci.tenancyOCID }}
@@ -268,7 +274,8 @@ auth:
   passphrase: {{ .Values.oci.privateKeyPassphrase }}
   {{- end }}
 compartment: {{ .Values.oci.compartmentOCID }}
-{{ end }}
+{{- end }}
+{{- end }}
 
 {{/*
 Compile all warnings into a single message, and call fail if the validation is enabled

bitnami/external-dns/templates/dep-ds.yaml

@@ -282,6 +282,13 @@ spec:
             - --infoblox-max-results={{ .Values.infoblox.maxResults }}
               {{- end }}
             {{- end }}
+            {{- if and (eq .Values.provider "oci") .Values.oci.useInstancePrincipal }}
+            # OCI Arguments
+            - --oci-auth-instance-principal
+              {{- if .Values.oci.compartmentOCID }}
+            - --oci-compartment-ocid={{ .Values.oci.compartmentOCID }}
+              {{- end }}
+            {{- end }}
             {{- if eq .Values.provider "ns1" }}
             # ns1 arguments
             - --ns1-min-ttl={{ .Values.ns1.minTTL }}
@@ -782,7 +789,7 @@ spec:
             - name: google-service-account
               mountPath: /etc/secrets/service-account/
             {{- end }}
-            {{- if eq .Values.provider "oci" }}
+            {{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }}
             - name: oci-config-file
               mountPath: /etc/kubernetes/
             {{- end }}
@@ -851,7 +858,7 @@ spec:
             type: File
           {{- end }}
         {{- end }}
-        {{- if (eq .Values.provider "oci")}}
+        {{- if and (eq .Values.provider "oci") (not .Values.oci.useInstancePrincipal) }}
         - name: oci-config-file
           secret:
             secretName: {{ template "external-dns.secretName" . }}

bitnami/external-dns/templates/secret.yaml

@@ -75,7 +75,7 @@ data:
   {{- if eq .Values.provider "linode" }}
   linode_api_token: {{ .Values.linode.apiToken | b64enc | quote }}
   {{- end }}
-  {{- if eq .Values.provider "oci" }}
+  {{- if and (eq .Values.provider "oci") (not .Values.useInstancePrincipal) }}
   oci.yaml: {{ include "external-dns.oci-credentials" . | b64enc | quote }}
   {{- end }}
   {{- if eq .Values.provider "pdns" }}

bitnami/external-dns/values.yaml

@@ -612,6 +612,12 @@ oci:
   ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#deploy-externaldns
   ##
   secretName: ""
+  ## @param oci.useInstancePrincipal When using the OCI provider, enable IAM Instance Principal
+  ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal
+  useInstancePrincipal: false
+  ## @param oci.useWorkloadIdentity When using the OCI provider, enable IAM Workload Identity
+  ## Ref: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/oracle.md#oci-iam-instance-principal
+  useWorkloadIdentity: false
 ## OVH configuration to be set via arguments/env. variables
 ##
 ovh: