CronJob (*/5 мин) reconcile ConfigMap → Yandex 360 DNS API.
Safe mode: управляет только записями с managed: true.
Никогда не удаляет неуправляемые записи (MX, DKIM, SPF и т.д.).
Удаление только при двух условиях одновременно:
1. Запись была создана контроллером (есть в state ConfigMap)
2. Запись полностью удалена из ConfigMap (не просто managed: false)
Переключение managed: true → false = release без удаления из DNS.
API: /directory/v1/org/{org_id}/domains/{domain}/dns
Fields: A→content, CNAME→target, TXT→text, MX→exchange+preference
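---
# Deploy the yandex-dns-controller CronJob to k3s from the role's bundled
# Helm chart.
#
# Inputs expected from the caller (group_vars / vault):
#   yandex_dns.org_id, yandex_dns.token       - Yandex 360 API credentials
#   yandex_dns_controller_zones.domains       - zones the controller reconciles
#   yandex_dns_controller_namespace
#   yandex_dns_controller_release_name
#   yandex_dns_controller_schedule, yandex_dns_controller_dry_run  (summary only)
# Registered facts: _helm_lint, _helm_result, _cronjob_status.
#
# The rendered values file carries the OAuth token: it is written 0600, never
# logged, and removed in an `always:` section so a failed lint or deploy
# cannot leave it behind in /tmp.

# ── Validate inputs ───────────────────────────────────────────────────────────

- name: Validate yandex_dns credentials
  ansible.builtin.assert:
    that:
      - yandex_dns is defined
      - yandex_dns.org_id is defined and yandex_dns.org_id | length > 0
      - yandex_dns.token is defined and yandex_dns.token | length > 0
    fail_msg: >
      yandex_dns.org_id and yandex_dns.token must be set in vault.yml.
      Get org_id from https://admin.yandex.ru/company-profile
      Get token from https://oauth.yandex.ru/

- name: Validate yandex_dns_controller_zones has at least one domain
  ansible.builtin.assert:
    that:
      - yandex_dns_controller_zones.domains is defined
      - yandex_dns_controller_zones.domains | length > 0
    fail_msg: >
      yandex_dns_controller_zones.domains is empty.
      Define at least one domain in group_vars/all/addons.yml.

# ── Create namespace ──────────────────────────────────────────────────────────

- name: Create yandex-dns-controller namespace
  # The pipe needs a real shell: `ansible.builtin.command` passes `|` and the
  # trailing words as literal arguments to kubectl. pipefail keeps a failed
  # dry-run from being masked by the apply step.
  ansible.builtin.shell: >
    set -o pipefail &&
    k3s kubectl create namespace {{ yandex_dns_controller_namespace }}
    --dry-run=client -o yaml | k3s kubectl apply -f -
  args:
    executable: /bin/bash
  become: true
  changed_when: false

# ── Copy Helm chart to master node ───────────────────────────────────────────

- name: Ensure chart temp directory is clean
  ansible.builtin.file:
    path: /tmp/yandex-dns-controller-chart
    state: absent
  become: true

- name: Create chart temp directory
  ansible.builtin.file:
    path: /tmp/yandex-dns-controller-chart
    state: directory
    mode: "0755"
  become: true

- name: Copy Helm chart to master
  ansible.builtin.copy:
    src: "{{ role_path }}/chart/"
    dest: /tmp/yandex-dns-controller-chart/
    mode: preserve
  become: true

# ── Template values, lint and deploy ──────────────────────────────────────────
# Grouped in a block so the token-bearing values file is removed on every
# exit path, not only after a successful deploy.

- name: Template, lint and deploy yandex-dns-controller
  block:
    - name: Template Helm values
      ansible.builtin.template:
        src: values.yaml.j2
        dest: /tmp/yandex-dns-controller-values.yaml
        mode: "0600"
      become: true
      no_log: true  # contains OAuth token

    - name: Lint Helm chart
      # A non-zero rc fails the task by default; no explicit failed_when needed.
      ansible.builtin.command: >
        helm lint /tmp/yandex-dns-controller-chart
        --values /tmp/yandex-dns-controller-values.yaml
      become: true
      changed_when: false
      register: _helm_lint

    - name: Deploy yandex-dns-controller via Helm
      # --atomic rolls the release back if --wait times out, so a broken
      # chart never leaves a half-applied release behind.
      ansible.builtin.command: >
        helm upgrade --install {{ yandex_dns_controller_release_name }}
        /tmp/yandex-dns-controller-chart
        --namespace {{ yandex_dns_controller_namespace }}
        --values /tmp/yandex-dns-controller-values.yaml
        --atomic
        --wait
        --timeout 120s
      become: true
      register: _helm_result
      changed_when: true

  # ── Cleanup temp values file (contains token) ─────────────────────────────
  always:
    - name: Remove temp values file
      ansible.builtin.file:
        path: /tmp/yandex-dns-controller-values.yaml
        state: absent
      become: true

# ── Verify ────────────────────────────────────────────────────────────────────

- name: Get CronJob status
  ansible.builtin.command: >
    k3s kubectl -n {{ yandex_dns_controller_namespace }} get cronjob -o wide
  become: true
  changed_when: false
  register: _cronjob_status

# ── Summary ───────────────────────────────────────────────────────────────────

- name: "=== yandex-dns-controller Ready ==="
  ansible.builtin.debug:
    msg:
      - "╔══════════════════════════════════════════════════════════════╗"
      - "║ Yandex 360 DNS Controller — Deployed ║"
      - "╚══════════════════════════════════════════════════════════════╝"
      - ""
      - " Namespace : {{ yandex_dns_controller_namespace }}"
      - " Schedule : {{ yandex_dns_controller_schedule }}"
      - " Dry-run : {{ yandex_dns_controller_dry_run }}"
      - " Domains : {{ yandex_dns_controller_zones.domains | map(attribute='name') | list | join(', ') }}"
      - ""
      - " CronJob:"
      - "{{ _cronjob_status.stdout_lines | to_yaml }}"
      - ""
      - " Manual trigger:"
      - " kubectl create job --from=cronjob/yandex-dns-controller dns-manual-1 \\"
      - " -n {{ yandex_dns_controller_namespace }}"
      - ""
      - " Logs:"
      - " kubectl -n {{ yandex_dns_controller_namespace }} logs \\"
      - " -l app.kubernetes.io/name=yandex-dns-controller --tail=100 -f"
      - ""
      - " State:"
      - " kubectl -n {{ yandex_dns_controller_namespace }} get cm yandex-dns-controller-state \\"
      - " -o jsonpath='{.data.state\\.json}' | jq ."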