kubernetes-sigs / external-dns

Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
Apache License 2.0

Documentation for supported flags and environment variables #4260

Open luckury opened 9 months ago

luckury commented 9 months ago

What would you like to be added: Documentation for the supported flags for external-dns.

Why is this needed: Really struggling to understand what all the features of external-dns are and how to configure the app. In the source code there are all the flags specified here: https://github.com/kubernetes-sigs/external-dns/blob/master/pkg/apis/externaldns/types.go. I think we should extract them and put them on a dedicated doc page.

Here is a table for other people looking for this in the meantime:

| Flag name | Description |
|---|---|
| **Flags related to Kubernetes** | |
| server | The Kubernetes API server to connect to (default: auto-detect) |
| kubeconfig | Retrieve target cluster configuration from a Kubernetes configuration file (default: auto-detect) |
| request-timeout | Request timeout when calling Kubernetes APIs. 0s means no timeout |
| resolve-service-load-balancer-hostname | Resolve the hostname of LoadBalancer-type Service object to IP addresses in order to create DNS A/AAAA records instead of CNAMEs |
| **Flags related to cloud foundry** | |
| cf-api-endpoint | The fully-qualified domain name of the cloud foundry instance you are targeting |
| cf-username | The username to log into the cloud foundry API |
| cf-password | The password to log into the cloud foundry API |
| **Flags related to Gloo** | |
| gloo-namespace | The Gloo Proxy namespace; specify multiple times for multiple namespaces. (default: gloo-system) |
| **Flags related to Skipper RouteGroup** | |
| skipper-routegroup-groupversion | The resource version for skipper routegroup |
| **Flags related to processing source** | |
| source | The resource types that are queried for endpoints; specify multiple times for multiple sources (required, options: service, ingress, node, pod, fake, connector, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, istio-gateway, istio-virtualservice, cloudfoundry, contour-httpproxy, gloo-proxy, crd, empty, skipper-routegroup, openshift-route, ambassador-host, kong-tcpingress, f5-virtualserver, traefik-proxy) |
| openshift-router-name | if source is openshift-route then you can pass the ingress controller name. Based on this name external-dns will select the respective router from the route status and map that routerCanonicalHostname to the route host while creating a CNAME record. |
| namespace | Limit resources queried for endpoints to a specific namespace (default: all namespaces) |
| annotation-filter | Filter resources queried for endpoints by annotation, using label selector semantics |
| label-filter | Filter resources queried for endpoints by label selector; currently supported by source types crd, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, ingress, node, openshift-route, and service |
| ingress-class | Require an Ingress to have this class name (defaults to any class; specify multiple times to allow more than one class) |
| fqdn-template | A templated string that's used to generate DNS names from sources that don't define a hostname themselves, or to add a hostname suffix when paired with the fake source (optional). Accepts comma separated list for multiple global FQDN. |
| combine-fqdn-annotation | Combine FQDN template and Annotations instead of overwriting |
| ignore-hostname-annotation | Ignore hostname annotation when generating DNS names, valid only when --fqdn-template is set (default: false) |
| ignore-ingress-tls-spec | Ignore the spec.tls section in Ingress resources (default: false) |
| gateway-namespace | Limit Gateways of Route endpoints to a specific namespace (default: all namespaces) |
| gateway-label-filter | Filter Gateways of Route endpoints via label selector (default: all gateways) |
| compatibility | Process annotation semantics from legacy implementations (optional, options: mate, molecule, kops-dns-controller) |
| ignore-ingress-rules-spec | Ignore the spec.rules section in Ingress resources (default: false) |
| publish-internal-services | Allow external-dns to publish DNS records for ClusterIP services (optional) |
| publish-host-ip | Allow external-dns to publish host-ip for headless services (optional) |
| always-publish-not-ready-addresses | Always publish also not ready addresses for headless services (optional) |
| connector-source-server | The server to connect for connector source, valid only when using connector source |
| crd-source-apiversion | API version of the CRD for crd source, e.g. externaldns.k8s.io/v1alpha1, valid only when using crd source |
| crd-source-kind | Kind of the CRD for the crd source in API group and version specified by crd-source-apiversion |
| service-type-filter | The service types to take care about (default: all, expected: ClusterIP, NodePort, LoadBalancer or ExternalName) |
| managed-record-types | Record types to manage; specify multiple times to include many; (default: A, AAAA, CNAME) (supported records: A, AAAA, CNAME, NS, SRV, TXT) |
| exclude-record-types | Record types to exclude from management; specify multiple times to exclude many; (optional) |
| default-targets | Set globally default host/IP that will apply as a target instead of source addresses. Specify multiple times for multiple targets (optional) |
| target-net-filter | Limit possible targets by a net filter; specify multiple times for multiple possible nets (optional) |
| exclude-target-net | Exclude target nets (optional) |
| traefik-disable-legacy | Disable listeners on Resources under the traefik.containo.us API Group |
| traefik-disable-new | Disable listeners on Resources under the traefik.io API Group |
| **Flags related to providers** | |
| providers := []string{"akamai alibabacloud aws aws-sd azure azure-dns azure-private-dns bluecat civo cloudflare coredns designate digitalocean dnsimple dyn exoscale gandi godaddy google ibmcloud infoblox inmemory linode ns1 oci ovh pdns pihole plural rcodezero rdns rfc2136 safedns scaleway skydns tencentcloud transip ultradns vinyldns vultr webhook"} | |
| provider | The DNS provider where the DNS records will be created (required, options: "+strings.Join(providers, )+") |
| domain-filter | Limit possible target zones by a domain suffix; specify multiple times for multiple domains (optional) |
| exclude-domains | Exclude subdomains (optional) |
| regex-domain-filter | Limit possible domains and target zones by a Regex filter; Overrides domain-filter (optional) |
| regex-domain-exclusion | Regex filter that excludes domains and target zones matched by regex-domain-filter (optional) |
| zone-name-filter | Filter target zones by zone domain (For now, only AzureDNS provider is using this flag); specify multiple times for multiple zones (optional) |
| zone-id-filter | Filter target zones by hosted zone id; specify multiple times for multiple zones (optional) |
| google-project | When using the Google provider, current project is auto-detected, when running on GCP. Specify other project with this. Must be specified when running outside GCP. |
| google-batch-change-size | When using the Google provider, set the maximum number of changes that will be applied in each batch. |
| google-batch-change-interval | When using the Google provider, set the interval between batch changes. |
| google-zone-visibility | When using the Google provider, filter for zones with this visibility (optional, options: public, private) |
| alibaba-cloud-config-file | When using the Alibaba Cloud provider, specify the Alibaba Cloud configuration file (required when --provider=alibabacloud) |
| alibaba-cloud-zone-type | When using the Alibaba Cloud provider, filter for zones of this type (optional, options: public, private) |
| aws-zone-type | When using the AWS provider, filter for zones of this type (optional, options: public, private) |
| aws-zone-tags | When using the AWS provider, filter for zones with these tags |
| aws-assume-role | When using the AWS API, assume this IAM role. Useful for hosted zones in another AWS account. Specify the full ARN, e.g. arn:aws:iam::123455567:role/external-dns (optional) |
| aws-assume-role-external-id | When using the AWS API and assuming a role then specify this external ID` (optional) |
| aws-batch-change-size | When using the AWS provider, set the maximum number of changes that will be applied in each batch. |
| aws-batch-change-size-bytes | When using the AWS provider, set the maximum byte size that will be applied in each batch. |
| aws-batch-change-size-values | When using the AWS provider, set the maximum total record values that will be applied in each batch. |
| aws-batch-change-interval | When using the AWS provider, set the interval between batch changes. |
| aws-evaluate-target-health | When using the AWS provider, set whether to evaluate the health of a DNS target (default: enabled, disable with --no-aws-evaluate-target-health) |
| aws-api-retries | When using the AWS API, set the maximum number of retries before giving up. |
| aws-prefer-cname | When using the AWS provider, prefer using CNAME instead of ALIAS (default: disabled) |
| aws-zones-cache-duration | When using the AWS provider, set the zones list cache TTL (0s to disable). |
| aws-zone-match-parent | Expand limit possible target by sub-domains (default: disabled) |
| aws-sd-service-cleanup | When using the AWS CloudMap provider, delete empty Services without endpoints (default: disabled) |
| azure-config-file | When using the Azure provider, specify the Azure configuration file (required when --provider=azure) |
| azure-resource-group | When using the Azure provider, override the Azure resource group to use (required when --provider=azure-private-dns) |
| azure-subscription-id | When using the Azure provider, specify the Azure configuration file (required when --provider=azure-private-dns) |
| azure-user-assigned-identity-client-id | When using the Azure provider, override the client id of user assigned identity in config file (optional) |
| tencent-cloud-config-file | When using the Tencent Cloud provider, specify the Tencent Cloud configuration file (required when --provider=tencentcloud) |
| tencent-cloud-zone-type | When using the Tencent Cloud provider, filter for zones with visibility (optional, options: public, private) |
| **Flags related to BlueCat provider** | |
| bluecat-dns-configuration | When using the Bluecat provider, specify the Bluecat DNS configuration string (optional when --provider=bluecat) |
| bluecat-config-file | When using the Bluecat provider, specify the Bluecat configuration file (optional when --provider=bluecat) |
| bluecat-dns-view | When using the Bluecat provider, specify the Bluecat DNS view string (optional when --provider=bluecat) |
| bluecat-gateway-host | When using the Bluecat provider, specify the Bluecat Gateway Host (optional when --provider=bluecat) |
| bluecat-root-zone | When using the Bluecat provider, specify the Bluecat root zone (optional when --provider=bluecat) |
| bluecat-skip-tls-verify | When using the Bluecat provider, specify to skip TLS verification (optional when --provider=bluecat) (default: false) |
| bluecat-dns-server-name | When using the Bluecat provider, specify the Bluecat DNS Server to initiate deploys against. This is only used if --bluecat-dns-deploy-type is not 'no-deploy' (optional when --provider=bluecat) |
| bluecat-dns-deploy-type | When using the Bluecat provider, specify the type of DNS deployment to initiate after records are updated. Valid options are 'full-deploy' and 'no-deploy'. Deploy will only execute if --bluecat-dns-server-name is set (optional when --provider=bluecat) |
| cloudflare-proxied | When using the Cloudflare provider, specify if the proxy mode must be enabled (default: disabled) |
| cloudflare-dns-records-per-page | When using the Cloudflare provider, specify how many DNS records listed per page, max possible 5,000 (default: 100) |
| coredns-prefix | When using the CoreDNS provider, specify the prefix name |
| akamai-serviceconsumerdomain | When using the Akamai provider, specify the base URL (required when --provider=akamai and edgerc-path not specified) |
| akamai-client-token | When using the Akamai provider, specify the client token (required when --provider=akamai and edgerc-path not specified) |
| akamai-client-secret | When using the Akamai provider, specify the client secret (required when --provider=akamai and edgerc-path not specified) |
| akamai-access-token | When using the Akamai provider, specify the access token (required when --provider=akamai and edgerc-path not specified) |
| akamai-edgerc-path | When using the Akamai provider, specify the .edgerc file path. Path must be reachable form invocation environment. (required when --provider=akamai and *-token, secret serviceconsumerdomain not specified) |
| akamai-edgerc-section | When using the Akamai provider, specify the .edgerc file path (Optional when edgerc-path is specified) |
| infoblox-grid-host | When using the Infoblox provider, specify the Grid Manager host (required when --provider=infoblox) |
| infoblox-wapi-port | When using the Infoblox provider, specify the WAPI port (default: 443) |
| infoblox-wapi-username | When using the Infoblox provider, specify the WAPI username (default: admin) |
| infoblox-wapi-password | When using the Infoblox provider, specify the WAPI password (required when --provider=infoblox) |
| infoblox-wapi-version | When using the Infoblox provider, specify the WAPI version (default: 2.3.1) |
| infoblox-ssl-verify | When using the Infoblox provider, specify whether to verify the SSL certificate (default: true, disable with --no-infoblox-ssl-verify) |
| infoblox-view | DNS view (default: \"\") |
| infoblox-max-results | Add _max_results as query parameter to the URL on all API requests. The default is 0 which means _max_results is not set and the default of the server is used. |
| infoblox-fqdn-regex | Apply this regular expression as a filter for obtaining zone_auth objects. This is disabled by default. |
| infoblox-name-regex | Apply this regular expression as a filter on the name field for obtaining infoblox records. This is disabled by default. |
| infoblox-create-ptr | When using the Infoblox provider, create a ptr entry in addition to an entry |
| infoblox-cache-duration | When using the Infoblox provider, set the record TTL (0s to disable). |
| dyn-customer-name | When using the Dyn provider, specify the Customer Name |
| dyn-username | When using the Dyn provider, specify the Username |
| dyn-password | When using the Dyn provider, specify the password |
| dyn-min-ttl | Minimal TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is lower than this. |
| oci-config-file | When using the OCI provider, specify the OCI configuration file (required when --provider=oci |
| oci-compartment-ocid | When using the OCI provider, specify the OCID of the OCI compartment containing all managed zones and records. Required when using OCI IAM instance principal authentication. |
| oci-zone-scope | When using OCI provider, filter for zones with this scope (optional, options: GLOBAL, PRIVATE). Defaults to GLOBAL, setting to empty value will target both. |
| oci-auth-instance-principal | When using the OCI provider, specify whether OCI IAM instance principal authentication should be used (instead of key-based auth via the OCI config file). |
| oci-zones-cache-duration | When using the OCI provider, set the zones list cache TTL (0s to disable). |
| rcodezero-txt-encrypt | When using the Rcodezero provider with txt registry option, set if TXT rrs are encrypted (default: false) |
| inmemory-zone | Provide a list of pre-configured zones for the inmemory provider; specify multiple times for multiple zones (optional) |
| ovh-endpoint | When using the OVH provider, specify the endpoint (default: ovh-eu) |
| ovh-api-rate-limit | When using the OVH provider, specify the API request rate limit, X operations by seconds (default: 20) |
| pdns-server | When using the PowerDNS/PDNS provider, specify the URL to the pdns server (required when --provider=pdns) |
| pdns-api-key | When using the PowerDNS/PDNS provider, specify the API key to use to authorize requests (required when --provider=pdns) |
| pdns-skip-tls-verify | When using the PowerDNS/PDNS provider, disable verification of any TLS certificates (optional when --provider=pdns) (default: false) |
| ns1-endpoint | When using the NS1 provider, specify the URL of the API endpoint to target (default: https://api.nsone.net/v1/) |
| ns1-ignoressl | When using the NS1 provider, specify whether to verify the SSL certificate (default: false) |
| ns1-min-ttl | Minimal TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is lower than this. |
| digitalocean-api-page-size | Configure the page size used when querying the DigitalOcean API. |
| ibmcloud-config-file | When using the IBM Cloud provider, specify the IBM Cloud configuration file (required when --provider=ibmcloud |
| ibmcloud-proxied | When using the IBM provider, specify if the proxy mode must be enabled (default: disabled) |
| **GoDaddy flags** | |
| godaddy-api-key | When using the GoDaddy provider, specify the API Key (required when --provider=godaddy) |
| godaddy-api-secret | When using the GoDaddy provider, specify the API secret (required when --provider=godaddy) |
| godaddy-api-ttl | TTL (in seconds) for records. This value will be used if the provided TTL for a service/ingress is not provided. |
| godaddy-api-ote | When using the GoDaddy provider, use OTE api (optional, default: false, when --provider=godaddy) |
| **Flags related to TLS communication** | |
| tls-ca | When using TLS communication, the path to the certificate authority to verify server communications (optionally specify --tls-client-cert for two-way TLS) |
| tls-client-cert | When using TLS communication, the path to the certificate to present as a client (not required for TLS) |
| tls-client-cert-key | When using TLS communication, the path to the certificate key to use with the client certificate (not required for TLS) |
| **Flags related to Exoscale provider** | |
| exoscale-apienv | When using Exoscale provider, specify the API environment (optional) |
| exoscale-apizone | When using Exoscale provider, specify the API Zone (optional) |
| exoscale-apikey | Provide your API Key for the Exoscale provider |
| exoscale-apisecret | Provide your API Secret for the Exoscale provider |
| **Flags related to RFC2136 provider** | |
| rfc2136-host | When using the RFC2136 provider, specify the host of the DNS server |
| rfc2136-port | When using the RFC2136 provider, specify the port of the DNS server |
| rfc2136-zone | When using the RFC2136 provider, specify zone entries of the DNS server to use |
| rfc2136-insecure | When using the RFC2136 provider, specify whether to attach TSIG or not (default: false, requires --rfc2136-tsig-keyname and rfc2136-tsig-secret) |
| rfc2136-tsig-keyname | When using the RFC2136 provider, specify the TSIG key to attached to DNS messages (required when --rfc2136-insecure=false) |
| rfc2136-tsig-secret | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
| rfc2136-tsig-secret-alg | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
| rfc2136-tsig-axfr | When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false) |
| rfc2136-min-ttl | When using the RFC2136 provider, specify minimal TTL (in duration format) for records. This value will be used if the provided TTL for a service/ingress is lower than this |
| rfc2136-gss-tsig | When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password) |
| rfc2136-kerberos-username | When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
| rfc2136-kerberos-password | When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
| rfc2136-kerberos-realm | When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true) |
| rfc2136-batch-change-size | When using the RFC2136 provider, set the maximum number of changes that will be applied in each batch. |
| **Flags related to TransIP provider** | |
| transip-account | When using the TransIP provider, specify the account name (required when --provider=transip) |
| transip-keyfile | When using the TransIP provider, specify the path to the private key file (required when --provider=transip) |
| **Flags related to Pihole provider** | |
| pihole-server | When using the Pihole provider, the base URL of the Pihole web server (required when --provider=pihole) |
| pihole-password | When using the Pihole provider, the password to the server if it is protected |
| pihole-tls-skip-verify | When using the Pihole provider, disable verification of any TLS certificates |
| **Flags related to the Plural provider** | |
| plural-cluster | When using the plural provider, specify the cluster name you're running with |
| plural-provider | When using the plural provider, specify the provider name you're running with |
| **Flags related to policies** | |
| policy | Modify how DNS records are synchronized between sources and providers (default: sync, options: sync, upsert-only, create-only) |
| **Flags related to the registry** | |
| registry | The registry implementation to use to keep track of DNS record ownership (default: txt, options: txt, noop, dynamodb, aws-sd) |
| txt-owner-id | When using the TXT or DynamoDB registry, a name that identifies this instance of ExternalDNS (default: default) |
| txt-prefix | When using the TXT registry, a custom string that's prefixed to each ownership DNS record (optional). Could contain record type template like '%{record_type}-prefix-'. Mutual exclusive with txt-suffix! |
| txt-suffix | When using the TXT registry, a custom string that's suffixed to the host portion of each ownership DNS record (optional). Could contain record type template like '-%{record_type}-suffix'. Mutual exclusive with txt-prefix! |
| txt-wildcard-replacement | When using the TXT registry, a custom string that's used instead of an asterisk for TXT records corresponding to wildcard DNS records (optional) |
| txt-encrypt-enabled | When using the TXT registry, set if TXT records should be encrypted before stored (default: disabled) |
| txt-encrypt-aes-key | When using the TXT registry, set TXT record decryption and encryption 32 byte aes key (required when --txt-encrypt=true) |
| dynamodb-region | When using the DynamoDB registry, the AWS region of the DynamoDB table (optional) |
| dynamodb-table | When using the DynamoDB registry, the name of the DynamoDB table (default: \"external-dns\") |
| **Flags related to the main control loop** | |
| txt-cache-interval | The interval between cache synchronizations in duration format (default: disabled) |
| interval | The interval between two consecutive synchronizations in duration format (default: 1m) |
| min-event-sync-interval | The minimum interval between two consecutive synchronizations triggered from kubernetes events in duration format (default: 5s) |
| once | When enabled, exits the synchronization loop after the first iteration (default: disabled) |
| dry-run | When enabled, prints DNS record changes rather than actually performing them (default: disabled) |
| events | When enabled, in addition to running every interval, the reconciliation loop will get triggered when supported sources change (default: disabled) |
| **Miscellaneous flags** | |
| log-format | The format in which log messages are printed (default: text, options: text, json) |
| metrics-address | Specify where to serve the metrics and health check endpoint (default: :7979) |
| log-level | Set the level of logging. (default: info, options: panic, debug, info, warning, error, fatal) |
| **Webhook provider** | |
| webhook-provider-url | [EXPERIMENTAL] The URL of the remote endpoint to call for the webhook provider (default: http://localhost:8888) |
| webhook-provider-read-timeout | [EXPERIMENTAL] The read timeout for the webhook provider in duration format (default: 5s) |
| webhook-provider-write-timeout | [EXPERIMENTAL] The write timeout for the webhook provider in duration format (default: 10s) |
| webhook-server | [EXPERIMENTAL] When enabled, runs as a webhook server instead of a controller. (default: false). |

Flag defaults

```go
APIServerURL: "",
KubeConfig: "",
RequestTimeout: time.Second * 30,
DefaultTargets: []string{},
GlooNamespaces: []string{"gloo-system"},
SkipperRouteGroupVersion: "zalando.org/v1",
Sources: nil,
Namespace: "",
AnnotationFilter: "",
LabelFilter: labels.Everything().String(),
IngressClassNames: nil,
FQDNTemplate: "",
CombineFQDNAndAnnotation: false,
IgnoreHostnameAnnotation: false,
IgnoreIngressTLSSpec: false,
IgnoreIngressRulesSpec: false,
GatewayNamespace: "",
GatewayLabelFilter: "",
Compatibility: "",
PublishInternal: false,
PublishHostIP: false,
ConnectorSourceServer: "localhost:8080",
Provider: "",
GoogleProject: "",
GoogleBatchChangeSize: 1000,
GoogleBatchChangeInterval: time.Second,
GoogleZoneVisibility: "",
DomainFilter: []string{},
ZoneIDFilter: []string{},
ExcludeDomains: []string{},
RegexDomainFilter: regexp.MustCompile(""),
RegexDomainExclusion: regexp.MustCompile(""),
TargetNetFilter: []string{},
ExcludeTargetNets: []string{},
AlibabaCloudConfigFile: "/etc/kubernetes/alibaba-cloud.json",
AWSZoneType: "",
AWSZoneTagFilter: []string{},
AWSZoneMatchParent: false,
AWSAssumeRole: "",
AWSAssumeRoleExternalID: "",
AWSBatchChangeSize: 1000,
AWSBatchChangeSizeBytes: 32000,
AWSBatchChangeSizeValues: 1000,
AWSBatchChangeInterval: time.Second,
AWSEvaluateTargetHealth: true,
AWSAPIRetries: 3,
AWSPreferCNAME: false,
AWSZoneCacheDuration: 0 * time.Second,
AWSSDServiceCleanup: false,
AWSDynamoDBRegion: "",
AWSDynamoDBTable: "external-dns",
AzureConfigFile: "/etc/kubernetes/azure.json",
AzureResourceGroup: "",
AzureSubscriptionID: "",
BluecatConfigFile: "/etc/kubernetes/bluecat.json",
BluecatDNSDeployType: "no-deploy",
CloudflareProxied: false,
CloudflareDNSRecordsPerPage: 100,
CoreDNSPrefix: "/skydns/",
RcodezeroTXTEncrypt: false,
AkamaiServiceConsumerDomain: "",
AkamaiClientToken: "",
AkamaiClientSecret: "",
AkamaiAccessToken: "",
AkamaiEdgercSection: "",
AkamaiEdgercPath: "",
InfobloxGridHost: "",
InfobloxWapiPort: 443,
InfobloxWapiUsername: "admin",
InfobloxWapiPassword: "",
InfobloxWapiVersion: "2.3.1",
InfobloxSSLVerify: true,
InfobloxView: "",
InfobloxMaxResults: 0,
InfobloxFQDNRegEx: "",
InfobloxCreatePTR: false,
InfobloxCacheDuration: 0,
OCIConfigFile: "/etc/kubernetes/oci.yaml",
OCIZoneScope: "GLOBAL",
OCIZoneCacheDuration: 0 * time.Second,
InMemoryZones: []string{},
OVHEndpoint: "ovh-eu",
OVHApiRateLimit: 20,
PDNSServer: "http://localhost:8081",
PDNSAPIKey: "",
PDNSSkipTLSVerify: false,
TLSCA: "",
TLSClientCert: "",
TLSClientCertKey: "",
Policy: "sync",
Registry: "txt",
TXTOwnerID: "default",
TXTPrefix: "",
TXTSuffix: "",
TXTCacheInterval: 0,
TXTWildcardReplacement: "",
MinEventSyncInterval: 5 * time.Second,
TXTEncryptEnabled: false,
TXTEncryptAESKey: "",
Interval: time.Minute,
Once: false,
DryRun: false,
UpdateEvents: false,
LogFormat: "text",
MetricsAddress: ":7979",
LogLevel: logrus.InfoLevel.String(),
ExoscaleAPIEnvironment: "api",
ExoscaleAPIZone: "ch-gva-2",
ExoscaleAPIKey: "",
ExoscaleAPISecret: "",
CRDSourceAPIVersion: "externaldns.k8s.io/v1alpha1",
CRDSourceKind: "DNSEndpoint",
ServiceTypeFilter: []string{},
CFAPIEndpoint: "",
CFUsername: "",
CFPassword: "",
RFC2136Host: "",
RFC2136Port: 0,
RFC2136Zone: []string{},
RFC2136Insecure: false,
RFC2136GSSTSIG: false,
RFC2136KerberosRealm: "",
RFC2136KerberosUsername: "",
RFC2136KerberosPassword: "",
RFC2136TSIGKeyName: "",
RFC2136TSIGSecret: "",
RFC2136TSIGSecretAlg: "",
RFC2136TAXFR: true,
RFC2136MinTTL: 0,
RFC2136BatchChangeSize: 50,
NS1Endpoint: "",
NS1IgnoreSSL: false,
TransIPAccountName: "",
TransIPPrivateKeyFile: "",
DigitalOceanAPIPageSize: 50,
ManagedDNSRecordTypes: []string{endpoint.RecordTypeA, endpoint.RecordTypeAAAA, endpoint.RecordTypeCNAME},
ExcludeDNSRecordTypes: []string{},
GoDaddyAPIKey: "",
GoDaddySecretKey: "",
GoDaddyTTL: 600,
GoDaddyOTE: false,
IBMCloudProxied: false,
IBMCloudConfigFile: "/etc/kubernetes/ibmcloud.json",
TencentCloudConfigFile: "/etc/kubernetes/tencent-cloud.json",
TencentCloudZoneType: "",
PiholeServer: "",
PiholePassword: "",
PiholeTLSInsecureSkipVerify: false,
PluralCluster: "",
PluralProvider: "",
WebhookProviderURL: "http://localhost:8888",
WebhookProviderReadTimeout: 5 * time.Second,
WebhookProviderWriteTimeout: 10 * time.Second,
WebhookServer: false,
TraefikDisableLegacy: false,
TraefikDisableNew: false,
```

Flag types

```go
APIServerURL string
KubeConfig string
RequestTimeout time.Duration
DefaultTargets []string
GlooNamespaces []string
SkipperRouteGroupVersion string
Sources []string
Namespace string
AnnotationFilter string
LabelFilter string
IngressClassNames []string
FQDNTemplate string
CombineFQDNAndAnnotation bool
IgnoreHostnameAnnotation bool
IgnoreIngressTLSSpec bool
IgnoreIngressRulesSpec bool
GatewayNamespace string
GatewayLabelFilter string
Compatibility string
PublishInternal bool
PublishHostIP bool
AlwaysPublishNotReadyAddresses bool
ConnectorSourceServer string
Provider string
GoogleProject string
GoogleBatchChangeSize int
GoogleBatchChangeInterval time.Duration
GoogleZoneVisibility string
DomainFilter []string
ExcludeDomains []string
RegexDomainFilter *regexp.Regexp
RegexDomainExclusion *regexp.Regexp
ZoneNameFilter []string
ZoneIDFilter []string
TargetNetFilter []string
ExcludeTargetNets []string
AlibabaCloudConfigFile string
AlibabaCloudZoneType string
AWSZoneType string
AWSZoneTagFilter []string
AWSAssumeRole string
AWSAssumeRoleExternalID string
AWSBatchChangeSize int
AWSBatchChangeSizeBytes int
AWSBatchChangeSizeValues int
AWSBatchChangeInterval time.Duration
AWSEvaluateTargetHealth bool
AWSAPIRetries int
AWSPreferCNAME bool
AWSZoneCacheDuration time.Duration
AWSSDServiceCleanup bool
AWSZoneMatchParent bool
AWSDynamoDBRegion string
AWSDynamoDBTable string
AzureConfigFile string
AzureResourceGroup string
AzureSubscriptionID string
AzureUserAssignedIdentityClientID string
BluecatDNSConfiguration string
BluecatConfigFile string
BluecatDNSView string
BluecatGatewayHost string
BluecatRootZone string
BluecatDNSServerName string
BluecatDNSDeployType string
BluecatSkipTLSVerify bool
CloudflareProxied bool
CloudflareDNSRecordsPerPage int
CoreDNSPrefix string
RcodezeroTXTEncrypt bool
AkamaiServiceConsumerDomain string
AkamaiClientToken string
AkamaiClientSecret string
AkamaiAccessToken string
AkamaiEdgercPath string
AkamaiEdgercSection string
InfobloxGridHost string
InfobloxWapiPort int
InfobloxWapiUsername string
InfobloxWapiPassword string `secure:"yes"`
InfobloxWapiVersion string
InfobloxSSLVerify bool
InfobloxView string
InfobloxMaxResults int
InfobloxFQDNRegEx string
InfobloxNameRegEx string
InfobloxCreatePTR bool
InfobloxCacheDuration int
DynCustomerName string
DynUsername string
DynPassword string `secure:"yes"`
DynMinTTLSeconds int
OCIConfigFile string
OCICompartmentOCID string
OCIAuthInstancePrincipal bool
OCIZoneScope string
OCIZoneCacheDuration time.Duration
InMemoryZones []string
OVHEndpoint string
OVHApiRateLimit int
PDNSServer string
PDNSAPIKey string `secure:"yes"`
PDNSSkipTLSVerify bool
TLSCA string
TLSClientCert string
TLSClientCertKey string
Policy string
Registry string
TXTOwnerID string
TXTPrefix string
TXTSuffix string
TXTEncryptEnabled bool
TXTEncryptAESKey string `secure:"yes"`
Interval time.Duration
MinEventSyncInterval time.Duration
Once bool
DryRun bool
UpdateEvents bool
LogFormat string
MetricsAddress string
LogLevel string
TXTCacheInterval time.Duration
TXTWildcardReplacement string
ExoscaleEndpoint string
ExoscaleAPIKey string `secure:"yes"`
ExoscaleAPISecret string `secure:"yes"`
ExoscaleAPIEnvironment string
ExoscaleAPIZone string
CRDSourceAPIVersion string
CRDSourceKind string
ServiceTypeFilter []string
CFAPIEndpoint string
CFUsername string
CFPassword string
ResolveServiceLoadBalancerHostname bool
RFC2136Host string
RFC2136Port int
RFC2136Zone []string
RFC2136Insecure bool
RFC2136GSSTSIG bool
RFC2136KerberosRealm string
RFC2136KerberosUsername string
RFC2136KerberosPassword string `secure:"yes"`
RFC2136TSIGKeyName string
RFC2136TSIGSecret string `secure:"yes"`
RFC2136TSIGSecretAlg string
RFC2136TAXFR bool
RFC2136MinTTL time.Duration
RFC2136BatchChangeSize int
NS1Endpoint string
NS1IgnoreSSL bool
NS1MinTTLSeconds int
TransIPAccountName string
TransIPPrivateKeyFile string
DigitalOceanAPIPageSize int
ManagedDNSRecordTypes []string
ExcludeDNSRecordTypes []string
GoDaddyAPIKey string `secure:"yes"`
GoDaddySecretKey string `secure:"yes"`
GoDaddyTTL int64
GoDaddyOTE bool
OCPRouterName string
IBMCloudProxied bool
IBMCloudConfigFile string
TencentCloudConfigFile string
TencentCloudZoneType string
PiholeServer string
PiholePassword string `secure:"yes"`
PiholeTLSInsecureSkipVerify bool
PluralCluster string
PluralProvider string
WebhookProviderURL string
WebhookProviderReadTimeout time.Duration
WebhookProviderWriteTimeout time.Duration
WebhookServer bool
TraefikDisableLegacy bool
TraefikDisableNew bool
```

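
Added example, not part of the issue or of the external-dns code base: a small linter that reads an external-dns argument list and reports three things the table and type listing in the post above make checkable, namely verification-weakening booleans, secrets passed as arguments, and a missing zone filter. The choice of flags, the mapping from `secure:"yes"` fields to flag names, the accepted boolean spellings (`--name`, `--no-name`, `--name=true|false`) and the sample arguments are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one lint result for an external-dns argument list.
type Finding struct{ Flag, Reason string }

// Boolean flags from the table and the state in which each one weakens
// verification. The selection is this example's own, not a project list.
var riskyBools = map[string]struct {
	riskyWhen bool
	reason    string
}{
	"bluecat-skip-tls-verify": {true, "TLS verification is skipped for the Bluecat gateway"},
	"pdns-skip-tls-verify":    {true, "TLS certificates of the PowerDNS API are not verified"},
	"pihole-tls-skip-verify":  {true, "TLS certificates of the Pihole server are not verified"},
	"rfc2136-insecure":        {true, "RFC2136 updates are sent without TSIG"},
	"infoblox-ssl-verify":     {false, "the Infoblox SSL certificate is not verified"},
}

// Flags assumed to populate the Config fields tagged `secure:"yes"`.
var secretFlags = []string{
	"infoblox-wapi-password", "dyn-password", "pdns-api-key", "txt-encrypt-aes-key",
	"exoscale-apikey", "exoscale-apisecret", "rfc2136-kerberos-password",
	"rfc2136-tsig-secret", "godaddy-api-key", "godaddy-api-secret", "pihole-password",
}

// Any one of these narrows the zones external-dns may change.
var scopeFlags = []string{"domain-filter", "regex-domain-filter", "zone-id-filter", "zone-name-filter"}

// parseArgs maps flag name -> last value given.
func parseArgs(args []string) map[string]string {
	out := map[string]string{}
	for i := 0; i < len(args); i++ {
		if !strings.HasPrefix(args[i], "--") {
			continue
		}
		name, val, hasVal := strings.Cut(args[i][2:], "=")
		base := strings.TrimPrefix(name, "no-")
		_, isBool := riskyBools[base]
		switch {
		case hasVal: // --name=value
		case isBool && base != name: // --no-name
			name, val = base, "false"
		case isBool: // bare --name
			val = "true"
		case i+1 < len(args) && !strings.HasPrefix(args[i+1], "--"): // --name value
			i++
			val = args[i]
		default: // a boolean this example does not track
			val = "true"
		}
		out[name] = val
	}
	return out
}

// Lint returns the findings for one argument list, sorted by flag name.
func Lint(args []string) []Finding {
	set := parseArgs(args)
	var out []Finding
	for name, rb := range riskyBools {
		if v, ok := set[name]; ok && (v == "true") == rb.riskyWhen {
			out = append(out, Finding{name, rb.reason})
		}
	}
	for _, name := range secretFlags {
		if set[name] != "" {
			out = append(out, Finding{name, "secret value is passed as a command-line argument"})
		}
	}
	scoped := false
	for _, name := range scopeFlags {
		if _, ok := set[name]; ok {
			scoped = true
		}
	}
	if !scoped {
		out = append(out, Finding{"domain-filter", "no domain or zone filter limits which zones may be changed"})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Flag < out[j].Flag })
	return out
}

// Constructed sample argument lists; host names and the key are placeholders.
var sampleArgs = []string{
	"--source=ingress", "--provider=pdns",
	"--pdns-server=https://pdns.example.internal:8081",
	"--pdns-api-key=constructed-not-a-real-key",
	"--pdns-skip-tls-verify",
	"--txt-owner-id", "cluster-a",
}

var hardenedArgs = []string{
	"--source=ingress", "--provider=pdns",
	"--pdns-server=https://pdns.example.internal:8081",
	"--domain-filter=example.org",
	"--txt-owner-id=cluster-a",
}

func main() {
	for _, f := range Lint(sampleArgs) {
		fmt.Printf("%-22s %s\n", f.Flag, f.Reason)
	}
}
```
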
luckury commented 9 months ago

This probably needs the label "missing docs"

kOstovic commented 8 months ago

Thanks, without this I was getting lost, this definitely needs to go into official docs

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

luckury commented 5 months ago

/remove-lifecycle stale

lucasfcnunes commented 2 months ago

--txt-encrypt-enabled or --txt-encrypt=true?