Merge branch 'master' into fix-crash-loop

* master: (78 commits)
  Update README.md with Efficient IP Provider
  feat(chart): Updated image to v0.15.0
  fix(chart): Don't use unauthenticated webhook port for health probe
  Remove unused session logic after move to aws-sdk-go-v2
  Refactor AWS provider to aws-sdk-go-v2
  Refactor AWS Cloud Map provider to aws-sdk-go-v2
  Refactor DynamoDB registry to aws-sdk-go-v2
  Update docs/release.md
  update the docs to v0.15.0
  bump kustomize version to v0.15.0
  add deprecation notice on coredns tutorial
  docs: refactor title and organisation
  review with Raffo
  chore: remove unmaintained providers
  chore(deps): bump actions/setup-python in the dev-dependencies group
  Add RouterOS provider to README.md
  feat: add annotation and label filters to Ambassador Host Source (kubernetes-sigs#2633)
  chore(deps): bump GrantBirki/json-yaml-validate
  fix linter
  fix ordering
  ...

.github/workflows/ci.yaml

@@ -20,15 +20,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
     - name: Set up Go 1.x
       uses: actions/setup-go@v5
       with:
-        go-version: '1.22.4'
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
     - name: Install CI
       run: |
         go get -v -t -d ./...

.github/workflows/codeql-analysis.yaml

@@ -30,7 +30,7 @@ jobs:
     - name: Install go version
       uses: actions/setup-go@v5
       with:
-        go-version: '^1.22.4'
+        go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/docs.yaml

@@ -19,16 +19,12 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.12"
           cache: "pip"
           cache-dependency-path: "./docs/scripts/requirements.txt"
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-        with:
-          go-version-file: 'go.mod'
-
       - run: |
           pip install -r docs/scripts/requirements.txt
 

.github/workflows/json-yaml-validate.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: json-yaml-validate
-        uses: GrantBirki/json-yaml-validate@v3.0.0
+        uses: GrantBirki/json-yaml-validate@v3.2.1
         with:
           comment: "true" # enable comment mode
           yaml_exclude_regex: "(charts/external-dns/templates.*|mkdocs.yml)"

.github/workflows/lint-test-chart.yaml

@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install Helm Docs
-        uses: action-stars/install-tool-from-github-release@243ac555111a84756285bf7dc55df821a55d32d9 # v0.2.3
+        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           owner: norwoodj
@@ -40,7 +40,7 @@ jobs:
           fi
 
       - name: Install Artifact Hub CLI
-        uses: action-stars/install-tool-from-github-release@243ac555111a84756285bf7dc55df821a55d32d9 # v0.2.3
+        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
         with:
           github_token: ${{ github.token }}
           owner: artifacthub
@@ -59,7 +59,7 @@ jobs:
           version: latest
 
       - name: Install Python
-        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           token: ${{ github.token }}
           python-version: "3.x"

.github/workflows/lint.yaml

@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
+  checks: write
 
 jobs:
 
@@ -20,16 +21,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
     - name: Set up Go 1.x
       uses: actions/setup-go@v5
       with:
-        go-version: '1.22.4'
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        go-version-file: go.mod
 
     - name: Lint
-      run: |
-        curl -sSfL https://raw.github.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.57.2
-        make lint
+      uses: golangci/golangci-lint-action@v6
+      with:
+        args: --timeout=30m
+        version: v1.60

.github/workflows/scorecards.yml

@@ -0,0 +1,70 @@
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '25 7 * * 0'
+  push:
+    branches: [ "main" , "issue-4673"]
+  workflow_dispatch:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/staging-image-tester.yaml

@@ -20,15 +20,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
     - name: Set up Go 1.x
       uses: actions/setup-go@v5
       with:
-        go-version: '1.22.4'
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
     - name: Install CI
       run: |
         go get -v -t -d ./...

Makefile

@@ -41,7 +41,7 @@ CONTROLLER_GEN=$(shell which controller-gen)
 endif
 
 golangci-lint:
-	@command -v golangci-lint > /dev/null || curl -sSfL https://raw.github.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.57.2
+	@command -v golangci-lint > /dev/null || curl -sSfL https://raw.github.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.3
 
 # Run the golangci-lint tool
 .PHONY: go-lint

OWNERS

@@ -6,19 +6,18 @@
 # https://github.com/kubernetes/k8s.io/blob/master/registry.k8s.io/images/k8s-staging-external-dns/OWNERS
 
 approvers:
-  - johngmyers
   - mloiseleur
   - raffo
   - szuecs
 
 reviewers:
-  - johngmyers
   - mloiseleur
   - raffo
   - szuecs
 
 emeritus_approvers:
   - hjacobs
+  - johngmyers
   - linki
   - njuettner
   - seanmalloy

README.md

@@ -36,13 +36,10 @@ ExternalDNS allows you to keep selected zones (via `--domain-filter`) synchroniz
 * [AWS Route 53](https://aws.amazon.com/route53/)
 * [AWS Cloud Map](https://docs.aws.amazon.com/cloud-map/)
 * [AzureDNS](https://azure.microsoft.com/en-us/services/dns)
-* [BlueCat](https://bluecatnetworks.com)
 * [Civo](https://www.civo.com)
 * [CloudFlare](https://www.cloudflare.com/dns)
-* [RcodeZero](https://www.rcodezero.at/)
 * [DigitalOcean](https://www.digitalocean.com/products/networking)
 * [DNSimple](https://dnsimple.com/)
-* [Dyn](https://dyn.com/dns/)
 * [OpenStack Designate](https://docs.openstack.org/designate/latest/)
 * [PowerDNS](https://www.powerdns.com/)
 * [CoreDNS](https://coredns.io/)
@@ -52,14 +49,11 @@ ExternalDNS allows you to keep selected zones (via `--domain-filter`) synchroniz
 * [RFC2136](https://tools.ietf.org/html/rfc2136)
 * [NS1](https://ns1.com/)
 * [TransIP](https://www.transip.eu/domain-name/)
-* [VinylDNS](https://www.vinyldns.io)
-* [Vultr](https://www.vultr.com)
 * [OVH](https://www.ovh.com)
 * [Scaleway](https://www.scaleway.com)
 * [Akamai Edge DNS](https://learn.akamai.com/en-us/products/cloud_security/edge_dns.html)
 * [GoDaddy](https://www.godaddy.com)
 * [Gandi](https://www.gandi.net)
-* [ANS Group SafeDNS](https://portal.ans.co.uk/safedns/)
 * [IBM Cloud DNS](https://www.ibm.com/cloud/dns)
 * [TencentCloud PrivateDNS](https://cloud.tencent.com/product/privatedns)
 * [TencentCloud DNSPod](https://cloud.tencent.com/product/cns)
@@ -85,12 +79,14 @@ Known providers using webhooks:
 | Adguard Home Provider | https://github.com/muhlba91/external-dns-provider-adguard |
 | Anexia | https://github.com/ProbstenHias/external-dns-anexia-webhook |
 | Bizfly Cloud | https://github.com/bizflycloud/external-dns-bizflycloud-webhook |
+| Efficient IP | https://github.com/EfficientIP-Labs/external-dns-efficientip-webhook |
 | Gcore | https://github.com/G-Core/external-dns-gcore-webhook |
 | GleSYS | https://github.com/glesys/external-dns-glesys |
 | Hetzner | https://github.com/mconfalonieri/external-dns-hetzner-webhook |
 | IONOS | https://github.com/ionos-cloud/external-dns-ionos-webhook |
 | Infoblox | https://github.com/AbsaOSS/external-dns-infoblox-webhook |
 | Netcup | https://github.com/mrueg/external-dns-netcup-webhook |
+| RouterOS | https://github.com/benfiola/external-dns-routeros-provider |
 | STACKIT | https://github.com/stackitcloud/external-dns-stackit-webhook |
 | Unifi | https://github.com/kashalls/external-dns-unifi-webhook |
 
@@ -115,13 +111,10 @@ The following table clarifies the current status of the providers according to t
 | AWS Cloud Map | Beta | |
 | Akamai Edge DNS | Beta | |
 | AzureDNS | Stable | |
-| BlueCat | Alpha | @seanmalloy  @vinny-sabatini |
 | Civo | Alpha | @alejandrojnm |
 | CloudFlare | Beta | |
-| RcodeZero | Alpha | |
 | DigitalOcean | Alpha | |
 | DNSimple | Alpha | |
-| Dyn | Alpha | |
 | OpenStack Designate | Alpha | |
 | PowerDNS | Alpha | |
 | CoreDNS | Alpha | |
@@ -131,15 +124,12 @@ The following table clarifies the current status of the providers according to t
 | RFC2136 | Alpha | |
 | NS1 | Alpha | |
 | TransIP | Alpha | |
-| VinylDNS | Alpha | |
 | RancherDNS | Alpha | |
 | OVH | Alpha | |
 | Scaleway DNS | Alpha | @Sh4d1 |
-| Vultr | Alpha | |
 | UltraDNS | Alpha | |
 | GoDaddy | Alpha | |
 | Gandi | Alpha | @packi |
-| SafeDNS | Alpha | @assureddt |
 | IBMCloud | Alpha | @hughhuangzh |
 | TencentCloud | Alpha | @Hyzhou |
 | Plural | Alpha | @michaeljguarino |
@@ -171,48 +161,40 @@ The following tutorials are provided:
 * AWS
 	* [AWS Load Balancer Controller](docs/tutorials/aws-load-balancer-controller.md)
 	* [Route53](docs/tutorials/aws.md)
-		* [Same domain for public and private Route53 zones](docs/tutorials/public-private-route53.md)
+		* [Same domain for public and private Route53 zones](docs/tutorials/aws-public-private-route53.md)
 	* [Cloud Map](docs/tutorials/aws-sd.md)
 	* [Kube Ingress AWS Controller](docs/tutorials/kube-ingress-aws.md)
 * [Azure DNS](docs/tutorials/azure.md)
 * [Azure Private DNS](docs/tutorials/azure-private-dns.md)
 * [Civo](docs/tutorials/civo.md)
 * [Cloudflare](docs/tutorials/cloudflare.md)
-* [BlueCat](docs/tutorials/bluecat.md)
 * [CoreDNS](docs/tutorials/coredns.md)
 * [DigitalOcean](docs/tutorials/digitalocean.md)
 * [DNSimple](docs/tutorials/dnsimple.md)
-* [Dyn](docs/tutorials/dyn.md)
 * [Exoscale](docs/tutorials/exoscale.md)
 * [ExternalName Services](docs/tutorials/externalname.md)
 * Google Kubernetes Engine
 	* [Using Google's Default Ingress Controller](docs/tutorials/gke.md)
-	* [Using the Nginx Ingress Controller](docs/tutorials/nginx-ingress.md)
+	* [Using the Nginx Ingress Controller](docs/tutorials/gke-nginx.md)
 * [Headless Services](docs/tutorials/hostport.md)
-* [Istio Gateway Source](docs/tutorials/istio.md)
-* [Kubernetes Security Context](docs/tutorials/security-context.md)
+* [Istio Gateway Source](docs/sources/istio.md)
 * [Linode](docs/tutorials/linode.md)
-* [Nginx Ingress Controller](docs/tutorials/nginx-ingress.md)
 * [NS1](docs/tutorials/ns1.md)
-* [NS Record Creation with CRD Source](docs/tutorials/ns-record.md)
-* [MX Record Creation with CRD Source](docs/tutorials/mx-record.md)
+* [NS Record Creation with CRD Source](docs/sources/ns-record.md)
+* [MX Record Creation with CRD Source](docs/sources/mx-record.md)
 * [OpenStack Designate](docs/tutorials/designate.md)
 * [Oracle Cloud Infrastructure (OCI) DNS](docs/tutorials/oracle.md)
 * [PowerDNS](docs/tutorials/pdns.md)
-* [RcodeZero](docs/tutorials/rcodezero.md)
 * [RancherDNS (RDNS)](docs/tutorials/rdns.md)
 * [RFC2136](docs/tutorials/rfc2136.md)
 * [TransIP](docs/tutorials/transip.md)
-* [VinylDNS](docs/tutorials/vinyldns.md)
 * [OVH](docs/tutorials/ovh.md)
 * [Scaleway](docs/tutorials/scaleway.md)
-* [Vultr](docs/tutorials/vultr.md)
 * [UltraDNS](docs/tutorials/ultradns.md)
 * [GoDaddy](docs/tutorials/godaddy.md)
 * [Gandi](docs/tutorials/gandi.md)
-* [SafeDNS](docs/tutorials/ANS_Group_SafeDNS.md)
 * [IBM Cloud](docs/tutorials/ibmcloud.md)
-* [Nodes as source](docs/tutorials/nodes.md)
+* [Nodes as source](docs/sources/nodes.md)
 * [TencentCloud](docs/tutorials/tencentcloud.md)
 * [Plural](docs/tutorials/plural.md)
 * [Pi-hole](docs/tutorials/pihole.md)
@@ -304,7 +286,7 @@ show us what you can do!
 
 The external-dns project is currently in need of maintainers for specific DNS providers. Ideally each provider
 would have at least two maintainers. It would be nice if the maintainers run the provider in production, but it
-is not strictly required. Provider listed [here](https://github.com/kubernetes-sigs/external-dns#status-of-providers)
+is not strictly required. Provider listed [here](https://github.com/kubernetes-sigs/external-dns#status-of-in-tree-providers)
 that do not have a maintainer listed are in need of assistance.
 
 Read the [contributing guidelines](CONTRIBUTING.md) and have a look at [the contributing docs](docs/contributing/getting-started.md) to learn about building the project, the project structure, and the purpose of each package.