kubernetes-sigs · aceeric · Jun 29, 2025 · Aug 23, 2025 · Aug 23, 2025
diff --git a/charts/external-dns/README.md b/charts/external-dns/README.md
@@ -94,7 +94,6 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
-| annotationFilter | string | `nil` | Filter resources queried for endpoints by annotation selector. |
 | automountServiceAccountToken | bool | `true` | Set this to `false` to [opt out of API credential automounting](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the `Pod`. |
 | commonLabels | object | `{}` | Labels to add to all chart resources. |
 | deploymentAnnotations | object | `{}` | Annotations to add to the `Deployment`. |
@@ -131,19 +130,38 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
 | podSecurityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#podsecuritycontext-v1-core), this supports full customisation. |
 | policy | string | `"upsert-only"` | How DNS records are synchronized between sources and providers; available values are `create-only`, `sync`, & `upsert-only`. |
 | priorityClassName | string | `nil` | Priority class name for the `Pod`. |
+| provider | object | See _values.yaml_ | Provider configuration |
 | provider.name | string | `"aws"` | _ExternalDNS_ provider name; for the available providers and how to configure them see [README](https://github.com/kubernetes-sigs/external-dns/blob/master/charts/external-dns/README.md#providers). |
+| provider.webhook | object | See _values.yaml_ | Webhook configuration |
 | provider.webhook.args | list | `[]` | Extra arguments to provide for the `webhook` container. |
 | provider.webhook.env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container. |
 | provider.webhook.extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container. |
 | provider.webhook.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `webhook` container. |
 | provider.webhook.image.repository | string | `nil` | Image repository for the `webhook` container. |
 | provider.webhook.image.tag | string | `nil` | Image tag for the `webhook` container. |
 | provider.webhook.livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| provider.webhook.readTimeout | integer | `nil` | Webhook read timeout |
 | provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
 | provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
 | provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
 | provider.webhook.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
 | provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
+| provider.webhook.sidecar | object | See _values.yaml_ | Webhook sidecar container configuration |
+| provider.webhook.sidecar.args | list | `[]` | Extra arguments to provide for the `webhook` container. |
+| provider.webhook.sidecar.enabled | boolean | `false` | Whether or not to include a webhook sidecar in the external dns deployment |
+| provider.webhook.sidecar.env | list | `[]` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `webhook` container. |
+| provider.webhook.sidecar.extraVolumeMounts | list | `[]` | Extra [volume mounts](https://kubernetes.io/docs/concepts/storage/volumes/) for the `webhook` container. |
+| provider.webhook.sidecar.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the `webhook` container. |
+| provider.webhook.sidecar.image.repository | string | `nil` | Image repository for the `webhook` container. |
+| provider.webhook.sidecar.image.tag | string | `nil` | Image tag for the `webhook` container. |
+| provider.webhook.sidecar.livenessProbe | object | See _values.yaml_ | [Liveness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |
+| provider.webhook.sidecar.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
+| provider.webhook.sidecar.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
+| provider.webhook.sidecar.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
+| provider.webhook.sidecar.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
+| provider.webhook.sidecar.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
+| provider.webhook.url | string | `nil` | Webhook URL |
+| provider.webhook.writeTimeout | integer | `nil` | Webhook write timeout |
 | rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. |
 | rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
 | readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `external-dns` container. |

diff --git a/charts/external-dns/schema/values.yaml b/charts/external-dns/schema/values.yaml
@@ -11,6 +11,15 @@ resources:
 
 provider:
   webhook:
+    sidecar:
+      requests:
+        cpu: 200m
+        memory: 128Mi
+      limits:
+        cpu: 300m
+        memory: 200Mi
+
+    # deprecated:
     requests:
       cpu: 200m
       memory: 128Mi

diff --git a/charts/external-dns/templates/deployment.yaml b/charts/external-dns/templates/deployment.yaml
@@ -130,6 +130,17 @@ spec:
             - --managed-record-types={{ . }}
             {{- end }}
             - --provider={{ $providerName }}
+            {{- if kindIs "map" .Values.provider }}
+            {{- if .Values.provider.webhook.readTimeout  }}
+            - --webhook-provider-read-timeout={{ .Values.provider.webhook.readTimeout }}
+            {{- end }}
+            {{- if .Values.provider.webhook.writeTimeout }}
+            - --webhook-provider-write-timeout={{ .Values.provider.webhook.writeTimeout }}
+            {{- end }}
+            {{- if .Values.provider.webhook.url }}
+            - --webhook-provider-url={{ .Values.provider.webhook.url }}
+            {{- end }}
+            {{- end }}
             {{- if kindIs "map" .Values.extraArgs }}
             {{- range $key, $value := .Values.extraArgs }}
             {{- if not (kindIs "invalid" $value) }}
@@ -175,7 +186,44 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-        {{- if eq $providerName "webhook" }}
+        {{- if eq $providerName "webhook"  }}
+        {{- if and .Values.provider.webhook.sidecar .Values.provider.webhook.sidecar.enabled }}
+        {{- with .Values.provider.webhook.sidecar }}
+        - name: webhook
+          image: {{ include "external-dns.webhookImage" . }}
+          imagePullPolicy: {{ .image.pullPolicy }}
+          {{- with .env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .args }}
+          args:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          ports:
+            - name: http-webhook
+              protocol: TCP
+              containerPort: 8080
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          {{- if .extraVolumeMounts }}
+          volumeMounts:
+            {{- with .extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          {{- with .resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- else if not .Values.provider.webhook.sidecar }}
         {{- with .Values.provider.webhook }}
         - name: webhook
           image: {{ include "external-dns.webhookImage" . }}
@@ -212,6 +260,7 @@ spec:
           {{- end }}
         {{- end }}
         {{- end }}
+        {{- end }}
       {{- if or .Values.secretConfiguration.enabled .Values.extraVolumes }}
       volumes:
         {{- if .Values.secretConfiguration.enabled }}

diff --git a/charts/external-dns/templates/service.yaml b/charts/external-dns/templates/service.yaml
@@ -27,10 +27,19 @@ spec:
       targetPort: http
       protocol: TCP
     {{- if eq $providerName "webhook" }}
+    {{- if and .Values.provider.webhook.sidecar .Values.provider.webhook.sidecar.enabled }}
+    {{- with .Values.provider.webhook.sidecar.service }}
+    - name: http-webhook
+      port: {{ .port }}
+      targetPort: http-webhook
+      protocol: TCP
+    {{- end }}
+    {{- else }}
     {{- with .Values.provider.webhook.service }}
     - name: http-webhook
       port: {{ .port }}
       targetPort: http-webhook
       protocol: TCP
     {{- end }}
     {{- end }}
+    {{- end }}
diff --git a/charts/external-dns/templates/servicemonitor.yaml b/charts/external-dns/templates/servicemonitor.yaml
@@ -50,6 +50,36 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     {{- if eq $providerName "webhook" }}
+    {{- if and .Values.provider.webhook.sidecar .Values.provider.webhook.sidecar.enabled }}
+    {{- with .Values.provider.webhook.sidecar.serviceMonitor }}
+    - port: http-webhook
+      path: /metrics
+      {{- with .interval }}
+      interval: {{ . }}
+      {{- end }}
+      {{- with .scheme }}
+      scheme: {{ . }}
+      {{- end }}
+      {{- with .bearerTokenFile }}
+      bearerTokenFile: {{ . }}
+      {{- end }}
+      {{- with .tlsConfig }}
+      tlsConfig:
+        {{- toYaml .| nindent 8 }}
+      {{- end }}
+      {{- with .scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
+      {{- with .metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .relabelings }}
+      relabelings:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}
+    {{- else }}
     {{- with .Values.provider.webhook.serviceMonitor }}
     - port: http-webhook
       path: /metrics
@@ -79,6 +109,7 @@ spec:
       {{- end }}
     {{- end }}
     {{- end }}
+    {{- end }}
   {{- with .Values.serviceMonitor.targetLabels }}
   targetLabels:
     {{- toYaml . | nindent 4 }}

diff --git a/charts/external-dns/tests/webhook_test.yaml b/charts/external-dns/tests/webhook_test.yaml
@@ -0,0 +1,89 @@
+suite: Webhook configuration
+templates:
+  - deployment.yaml
+release:
+  namespace: default
+tests:
+  - it: should use the new sidecar values for the webhook container if enabled
+    set:
+      provider.name: webhook
+      provider.webhook.sidecar.enabled: true
+      provider.webhook.sidecar.image.repository: docker.io/new/webhook-container
+      provider.webhook.sidecar.image.tag: v0
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name == "webhook")].image
+          value: docker.io/new/webhook-container:v0
+
+  - it: should omit the webhook container if new sidecar is disabled
+    set:
+      provider.name: webhook
+      provider.webhook.sidecar.enabled: false
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[?(@.name == "webhook")]
+
+  - it: should use the deprecated values for the webhook container if new sidecar values are empty
+    set:
+      provider.name: webhook
+      provider.webhook.sidecar:
+      provider.webhook.image.repository: docker.io/deprecated/webhook-container
+      provider.webhook.image.tag: v0
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name == "webhook")].image
+          value: docker.io/deprecated/webhook-container:v0
+
+  - it: should use the common webhook fields if set and legecy sidecar enabled
+    set:
+      provider.name: webhook
+      provider.webhook.sidecar:
+      provider.webhook.image.repository: docker.io/deprecated/webhook-container
+      provider.webhook.image.tag: v1.1.1
+      provider.webhook.url: https://webhook:8080
+      provider.webhook.readTimeout: 111
+      provider.webhook.writeTimeout: 222
+    asserts:
+      - exists :
+          path: spec.template.spec.containers[?(@.name == "external-dns")]
+      - equal :
+          path: spec.template.spec.containers[?(@.name == "external-dns")].args
+          value:
+            - --log-level=info
+            - --log-format=text
+            - --interval=1m
+            - --source=service
+            - --source=ingress
+            - --policy=upsert-only
+            - --registry=txt
+            - --provider=webhook
+            - --webhook-provider-read-timeout=111
+            - --webhook-provider-write-timeout=222
+            - --webhook-provider-url=https://webhook:8080
+
+  - it: should use the common webhook fields if set and new sidecar enabled
+    set:
+      provider.name: webhook
+      provider.webhook.sidecar.enabled: true
+      provider.webhook.sidecar.image.repository: docker.io/new/webhook-container
+      provider.webhook.sidecar.image.tag: v0
+      provider.webhook.url: https://webhook:8888
+      provider.webhook.readTimeout: 222
+      provider.webhook.writeTimeout: 333
+    asserts:
+      - exists :
+          path: spec.template.spec.containers[?(@.name == "external-dns")]
+      - equal :
+          path: spec.template.spec.containers[?(@.name == "external-dns")].args
+          value:
+            - --log-level=info
+            - --log-format=text
+            - --interval=1m
+            - --source=service
+            - --source=ingress
+            - --policy=upsert-only
+            - --registry=txt
+            - --provider=webhook
+            - --webhook-provider-read-timeout=222
+            - --webhook-provider-write-timeout=333
+            - --webhook-provider-url=https://webhook:8888