diff --git a/kubernetes/apps/networking/external-dns/app/externalsecret.yaml b/kubernetes/apps/networking/external-dns/app/externalsecret.yaml index fc6df9b584..a1e778ea4e 100644 --- a/kubernetes/apps/networking/external-dns/app/externalsecret.yaml +++ b/kubernetes/apps/networking/external-dns/app/externalsecret.yaml @@ -10,12 +10,11 @@ spec: target: name: external-dns-secret creationPolicy: Owner - data: - - secretKey: zone-id - remoteRef: + template: + engineVersion: v2 + data: + CF_ZONE_ID: "{{ .CLOUDFLARE_ZONE_ID }}" + CF_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}" + dataFrom: + - extract: key: cloudflare - property: CLOUDFLARE_ZONE_ID - - secretKey: api-token - remoteRef: - key: cloudflare - property: CLOUDFLARE_API_TOKEN diff --git a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml index 7d29697c42..7932c74fc6 100644 --- a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml +++ b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml @@ -2,16 +2,16 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: - name: external-dns + name: &app external-dns spec: interval: 30m chart: spec: - chart: external-dns - version: 1.13.1 + chart: app-template + version: 2.4.0 sourceRef: kind: HelmRepository - name: external-dns-charts + name: bjw-s-charts namespace: flux-system install: remediation: 
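Review bot: With `dataFrom: extract` every property of the `cloudflare` item is now fetched into template scope, and the HelmRelease's `envFrom: secretRef` hands every key of `external-dns-secret` to the process environment, so the only thing keeping that Secret down to `CF_ZONE_ID` and `CF_API_TOKEN` is the template's default merge policy (Replace, as I read ESO's template semantics). I would state it explicitly under `template:` with `mergePolicy: Replace` so a later switch to `Merge` does not silently push the whole Cloudflare item into the pod. The old per-key `remoteRef` form failed the sync when a property was missing; with the templated form, confirm what ESO renders for an absent `.CLOUDFLARE_API_TOKEN` before relying on it. Separately, `--zone-id-filter` on the external-dns side is a client filter, not a credential scope: the token stored under `CLOUDFLARE_API_TOKEN` should itself be restricted to DNS edit on that single zone, which this diff cannot show.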
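Review bot: The new `sourceRef` points at a `bjw-s-charts` HelmRepository that this diff does not create, while the helm-repositories kustomization only removes `external-dns-charts`; presumably it already exists in `flux-system` (the k8s-gateway release in this diff uses the same app-template layout), but the release will sit in a failed reconcile if it does not. Moving off the upstream `external-dns` chart also moves the controller's RBAC from chart-rendered to hand-maintained, so a comment on this HelmRelease such as `# RBAC for this controller lives in ./rbac.yaml; review it when bumping the image tag` would save the next maintainer a hunt. The chart version `2.4.0` is a plain HTTP Helm repository reference, which as far as I know Flux cannot verify by signature, so the trust boundary here is the repository itself; the image digest pin on the container side is the stronger control.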
@@ -23,31 +23,74 @@ spec: uninstall: keepHistory: false values: - provider: cloudflare - env: - - name: CF_API_TOKEN - valueFrom: - secretKeyRef: - name: external-dns-secret - key: api-token - - name: CF_ZONE_ID - valueFrom: - secretKeyRef: - name: external-dns-secret - key: zone-id - extraArgs: - - --cloudflare-proxied - - --zone-id-filter=$(CF_ZONE_ID) - - --annotation-filter=external-dns.alpha.kubernetes.io/target - policy: sync - sources: - - service - - ingress - txtOwnerId: k8s - txtPrefix: k8s. - domainFilters: - - ${PUBLIC_DOMAIN} + controllers: + main: + strategy: Recreate + annotations: + reloader.stakater.com/auto: "true" + containers: + main: + image: + repository: registry.k8s.io/external-dns/external-dns + tag: v0.14.0@sha256:474077b3dfccb3021db0a6638274967d0f64ce60dd9730a6f464bee2f78b046f + args: + - --cloudflare-proxied + - --zone-id-filter=$(CF_ZONE_ID) + - --annotation-filter=external-dns.alpha.kubernetes.io/target + - --ingress-class=external + - --interval=1m + - --log-format=text + - --log-level=info + - --metrics-address=:7979 + - --policy=sync + - --provider=cloudflare + - --registry=txt + - --source=ingress + - --txt-owner-id=k8s + - --txt-prefix=k8s. + envFrom: + - secretRef: + name: external-dns-secret + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /healthz + port: &port 7979 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + startup: + enabled: false + resources: + requests: + cpu: 5m + memory: 128M + limits: + memory: 256M + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + pod: + securityContext: + runAsUser: 568 + runAsGroup: 568 + runAsNonRoot: true + service: + main: + ports: + http: + port: *port + serviceAccount: + create: true + name: *app serviceMonitor: - enabled: true - podAnnotations: - reloader.stakater.com/auto: "true" + main: + enabled: true 
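Review bot: The container drops all capabilities, runs as 568 and with a read-only root filesystem, but neither securityContext sets a seccomp profile, so the pod will not satisfy the Pod Security `restricted` level; add `seccompProfile:` / `type: RuntimeDefault` under `pod.securityContext` (app-template should pass it through unchanged). Two behavioural changes ride along with the chart swap and deserve a line in the commit description: the `service` source and the `domainFilters: ${PUBLIC_DOMAIN}` restriction are gone, leaving `--zone-id-filter` and the `external-dns.alpha.kubernetes.io/target` annotation filter as the only fences around what `--policy=sync` may create or delete in the zone. `$(CF_ZONE_ID)` in `args` is, as far as I know, expanded by the kubelet from `envFrom` as well as `env`, so that part works, but if the key is absent the literal `$(CF_ZONE_ID)` is passed through unchanged and the filter silently matches no zone rather than failing loudly. `strategy: Recreate` is the right choice for a sync-policy controller that owns TXT registry records, since two replicas racing would fight over the same entries.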
diff --git a/kubernetes/apps/networking/external-dns/app/kustomization.yaml b/kubernetes/apps/networking/external-dns/app/kustomization.yaml index 2708f09eed..b711e25438 100644 --- a/kubernetes/apps/networking/external-dns/app/kustomization.yaml +++ b/kubernetes/apps/networking/external-dns/app/kustomization.yaml @@ -4,3 +4,4 @@ kind: Kustomization resources: - ./externalsecret.yaml - ./helmrelease.yaml + - ./rbac.yaml diff --git a/kubernetes/apps/networking/external-dns/app/rbac.yaml b/kubernetes/apps/networking/external-dns/app/rbac.yaml new file mode 100644 index 0000000000..7d355b81a1 --- /dev/null +++ b/kubernetes/apps/networking/external-dns/app/rbac.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-dns + labels: + app.kubernetes.io/instance: external-dns + app.kubernetes.io/name: external-dns +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-dns-viewer + labels: + app.kubernetes.io/instance: external-dns + app.kubernetes.io/name: external-dns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-dns +subjects: + - kind: ServiceAccount + name: external-dns + namespace: networking diff --git a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml index a75f3b3e81..c90936db71 100644 --- a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml +++ b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml 
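Review bot: The ClusterRole grants cluster-wide read on nodes, pods, services and endpoints, but the HelmRelease runs external-dns with `--source=ingress` only, so as far as I can tell the ingress source needs nothing beyond `get`/`list`/`watch` on `ingresses` in `networking.k8s.io`; I would drop the three core-group rules and the long-removed `extensions` API group, and re-add them only when a `service` or `node` source is actually enabled. That least-privilege trim is worth doing now that the rules are hand-maintained instead of rendered by the upstream chart, because nobody will prune them later. A one-line comment above `rules:` such as `# minimal set for --source=ingress; extend if more sources are added in helmrelease.yaml` would keep the two files in step. The binding hard-codes `namespace: networking` for the `external-dns` ServiceAccount that the HelmRelease creates, which matches the app path but is a second place to update if the release ever moves namespace.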
@@ -109,9 +109,9 @@ spec: enabled: true port: 53 protocol: UDP - serviceMonitor: - main: - enabled: true serviceAccount: create: true name: *app + serviceMonitor: + main: + enabled: true diff --git a/kubernetes/flux/repositories/helm/external-dns-charts.yaml b/kubernetes/flux/repositories/helm/external-dns-charts.yaml deleted file mode 100644 index 60a9d90093..0000000000 --- a/kubernetes/flux/repositories/helm/external-dns-charts.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: external-dns-charts - namespace: flux-system -spec: - interval: 2h - url: https://kubernetes-sigs.github.io/external-dns diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 5d072a5e52..78d8629232 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -12,7 +12,6 @@ resources: - ./coredns-charts.yaml - ./deliveryhero-charts.yaml - ./democratic-csi-charts.yaml - - ./external-dns-charts.yaml - ./external-secrets-charts.yaml - ./fairwinds-charts.yaml - ./grafana-charts.yaml