use octodns

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "infrastructure/external-dns/octodns"]
+	path = infrastructure/external-dns/octodns
+	url = ssh://git@git.kluster.moll.re:2222/remoll/dns.git

infrastructure/external-dns/cloudflare-api.sealedsecret.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: cloudflare-api
+  namespace: external-dns
+spec:
+  encryptedData:
+    CLOUDFLARE_ACCOUNT_ID: AgCq4cWeBKbpqC4MgM2qkDgThjpmuOBMAA76SrOQqV7xW7KQaqkcVgwpdSWpcI3nhkx+5bdrm4RrwU4T5+svWN7TGu9BK003b0aHEkJwi0R5EQhVqCrmc9544rUrUHbfO5zgQtzU05zxs2jigs8YRJ1xEL0RzQ5scYUj385kzasdCqaHLNx5SLE0eCDBOcoOaqdorrZN3JpvM9ObNtGAUVb+zLNac3CAtQnG4ZxcClcr6t23ybwXdq1h2q6JPauet6kW+SViaE99AbqW7UPTZ5JfQ+KRl3Sz4JiqwO17qWc8gSLrU/V2fOrjqszxcRPC8u0N9YDZQeKCcSTIq/iMG9Jjuqwpr6G9D6rfNFuXzMCWgG/u80TTbnKVF+OKjUvX9jMyQjp6C3MyL14qLWTCkLsB1gfvg9nddC+AWmR1tV9rxNDQp8RS0aPHzuICNx6BfRIT/IGk7RpSppZyYYzdhtPjpcZICp2YpXFX0djFQmnTs1H56TNek9NVsx8A73jUGp0yq7d4WNY9zWPz1sV6qZYIiStwq1gD/pAZ7UE3aRjfdY4T+AgaUvUhHNSgjazkA3cty7xj80gHe9/ys8xrUAZB2ang2bvk9/UuwuqUZQdbLrWboI2phoUp48ZA2GEOvDa0mysFI8+inTBSXR0nQTO5j3FVp2tbYytQhN9w7ND3gvvHXc1iobL6IsqygWfnoyCTlH5lpnVTJY8ZRJiojxMUVsL1alut3LcOJc5bv2FBcA==
+    CLOUDFLARE_API_TOKEN: AgCiMDrPuEmucL5ZWMP6iA5VYQ+GRu7lJwyKgleitrNeFuiFOYcUg3zC+q3zot9xTTcZSTknzvT97lbvO8pIuN0HqSoL5DOi+b06Tl8vQ+LDPbjMRonULzt69EaRuU0XZIW0cPd5LxLVrRmKkNoV2y0z7BHZuR0GGGd5esfSLmUx9AJj27MQC+ucAV3QtyXaAoNtgK+E4h6ZlhIzUWGijtrBKc+A5oCtg3TunXvJ7EhiFDaWCvlNQAakrxrffT7GEmJcMN2j2ZMzChlMB6dpvH9xy7aj59JaQJHdzr8J5LU3n5aTDTZbRYAQNiYe6M/nmiiVWdob3XeZNXSdjskrw/sb6EIZbTeckVxQK0lbSoQ9ER5ihgL/WpKNRJytksm/7c0FD7NI4rBdyn7YrIllVUnQX/g7MOfNRdrveW47mNl2m2/y8jHBguYXn21YLTqKaZvRydtsJ1h+UnFyMmM7h5vH3iJ4WGdE7UHNitvZU5FuvcaZU79Xmd7KzG/Bo1NoPQFZ8bBteHoDYy7M9ROXXjVsXq60pLL8MO7nHz2XWKTu8QxgoehxW+xksN4HUZw1u4mcVo0vHAdoAn747MrEL0E58c1a7L9XMOlgofFshFbgOC6ieI2hbge5huVFTIlevxSzAGMYIZ6QcUPnKBdyayC2Njmgpeh5xGl8NV5Mt6v92wI5mzLVH9UblmbcfMuf4FJx2UprUSXdC6dc6XeaghXGJDHK2hEyoIwuqb4nRp2nlrYCfUYs8UbU
+    CLOUDFLARE_EMAIL: AgCuaYGqT6kY2bMazYHkzFe09btYA6NT3GpX7ZOyJceplv3IKGxl4b9FRuGI22qtzV2B7y/g2lRpeLMsFobk8sIRsk76wBE5LzQ6WdM3rXQ1QvIIodrzwlcwNreafh7vad85zcVb5RDMcTJGmkNAwGkThfmUIlUpuUBEgbc6q1KHUxVCjKFRUMvhhHMT3sQQBwwbfg2uQLP5AivC9VJXiKIw0JXc5VAWw9HbMjtagD+dW2VEwauTi3DHHTaTYfl2Jbuhcr3HtVj4cskWMkR5R8A7KugizBxfU0Gr2ac+DGG7MxN681GtmtgGymjzCdJBDrnu5B2xh12XHbl3/U5WBGb5m9OghtkbWJVpEKmypLqYpYfbWx+Kv9ryNOH8NnKoWruNTNx0bGSIeU9ZYgg3dnvT/7P7cMLJurWry8TfWcs+Q6n4P9Rhml5tYAx3Pgqew1GZgnq37ZxjSSrr8oAMoDMIOvX55Ip1MQZEeTLGTvaU47Tuc/nNqB7whTu9cskYafGIK8dKk/f33RnXWiy8JMRMjVIbj4MMbQHkxXhrvfjwDj+h00nARbSToc+7Vs7IFKbGSrss8YvyfDsKMnu8C3YU2Bj0D44IK8pxI7Onrme6SO9tUd7+rdojZFKONQZpQlRfeUNEReHwe8rFqfnkWgCN9M8xga3u4jDsFXyURXbfD9kHHkjeeoqr35gwyjOVR93iyheB/HldmH5J9LD0myLabTg5
+  template:
+    metadata:
+      creationTimestamp: null
+      name: cloudflare-api
+      namespace: external-dns
+    type: Opaque

infrastructure/external-dns/cloudflare.sealedsecret.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: cloudflare-api
-  namespace: external-dns
-spec:
-  encryptedData:
-    api-token: AgCk1ymW3g9a6kIqpZtjeaeVYB/gGw06bs7E8u2MWX0wJlegoYW5uRJ52QhKZJrD7Omh609WdfXaJlZFByteNWWUEpUO+AkpFXvUd0y8qazEzdRkhDuJBCcRS0Gi9p/FgmqOQ7q0ot3vKMPA0sqmNFeKrG1b8wCyLVbuoYSX2WD4LE1ibVUyeTBXuLTVQy+XnEI2CnQ/sq7tAHGpHxOrLqGdcW5CzVPxva1TBtBrYG9DxFpX08IaG1dIXNCm4tpCSAoceSfgTRtbWZEg2Y0MovxYS79t7NTqx7odLeZnTeqAcM0hE+fCHUwMk03MKtGhe88K9xsCKqZBe/qrY/t+1LNug0p26HoO4tjqGgXjKNEkk1Fpp2UuNq0GEJOgitIoo/TGAR4mefBZZ6KinHYTw3D3nQKphU7pDy9a5ivH+aFO+Bm7vlRvyAtjK4SHbPQOZDmbE/jkkgVZ6yP4koPMTibyLeY2gTPs3Dvviq6BhanUaAQSgjujU0T+9FagC2wKQdppzJCx0wcD9vWSn1Dikhb9SfpicTnztAKH3Ww7fA/siZvuJmMRB40e7rGXZqG3esMNtptlnt8mGlfWG4MzJ4dyRT7M67lfJVC8yDxHlGWyJic6eDEFxfzvBmiZg9kwA0GwkBFf0w/iIgXlkHlKCg8WBMa9U2gTPxcOiMJMlDi1m/NkwhrOL39++WThcP9ahJNoSkhV8feWJ632vP21ldd15TiOcr+hTOxTPj2u252X/i7OOJTgzmf5
-  template:
-    metadata:
-      creationTimestamp: null
-      name: cloudflare-api
-      namespace: external-dns
-    type: Opaque

infrastructure/external-dns/cronjob.yaml

@@ -0,0 +1,52 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: octodns-deployment
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: git
+              image: alpine/git
+              command: ["git"]
+              args:
+                - clone
+                - https://git.kluster.moll.re/remoll/dns.git
+                - /etc/octodns/dns
+              volumeMounts:
+                - name: octodns-config
+                  mountPath: /etc/octodns
+
+            - name: octodns
+              image: octodns
+              env:
+                - name: CLOUDFLARE_ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: cloudflare-api
+                      key: CLOUDFLARE_ACCOUNT_ID
+                - name: CLOUDFLARE_API_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: cloudflare-api
+                      key: CLOUDFLARE_API_TOKEN
+                - name: CLOUDFLARE_EMAIL
+                  valueFrom:
+                    secretKeyRef:
+                      name: cloudflare-api
+                      key: CLOUDFLARE_EMAIL
+
+              command: ["octodns-sync"]
+              args:
+                - octodns-sync --config-file /etc/octodns/config.yaml # --doit
+              volumeMounts:
+                - name: octodns-config
+                  mountPath: /etc/octodns
+
+          volumes:
+          - name: octodns-config
+            emptyDir: {}
+          restartPolicy: Never

infrastructure/external-dns/deployment.yaml

@@ -1,29 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        image: external-dns
-        args:
-        - --source=traefik-proxy
-        - --domain-filter=moll.re
-        - --provider=cloudflare
-        env:
-        - name: CF_API_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: cloudflare-api
-              key: api-token

infrastructure/external-dns/kustomization.yaml

@@ -5,11 +5,10 @@ namespace: external-dns
 
 resources:
   - namespace.yaml
-  - cloudflare.sealedsecret.yaml
+  - cloudflare-api.sealedsecret.yaml
-  - deployment.yaml
+  - cronjob.yaml
-  - rbac.yaml
 
 images:
-  - name: external-dns
+  - name: octodns
-    newName: registry.k8s.io/external-dns/external-dns
+    newName: octodns/octodns # has all plugins
-    newTag: v0.14.0
+    newTag: "2023.12"

infrastructure/external-dns/rbac.yaml

@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-rules:
-- apiGroups: [""]
-  resources: ["services","endpoints","pods"]
-  verbs: ["get","watch","list"]
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["list","watch"]
-- apiGroups: ["traefik.containo.us","traefik.io"]
-  resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
-  verbs: ["get","watch","list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns-viewer
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: external-dns