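---
# Playbook: Cloudflare DNS Management
# Description: Configures DNS records for container.mom zone
# Usage: ansible-playbook -i ansible/inventories/hub_cluster.yml ansible/playbooks/dns.yaml
# Note: API credentials are stored in secrets.yml. Keep that file
#       ansible-vault encrypted; the token is only referenced as
#       global.cloudflare and never written into any record.
#
# Record flow: global_records (zone-wide) -> OpenShift A records from
# dns_templates -> router CNAMEs for dns.custom_domains ->
# dns.additional_records, all concatenated into dns_records and then
# applied by community.general.cloudflare_dns in a single loop.
- name: Configure Cloudflare DNS entries
  hosts: localhost
  connection: local
  # Nothing here depends on host facts; plain boolean instead of `no`
  # so YAML 1.1/1.2 parsers and yamllint agree on the value.
  gather_facts: false
  vars_files:
    - ../secrets.yml
  vars:
    # Zone configuration (fixed to container.mom)
    zone: "container.mom"

    # Common record templates that can be reused across clusters.
    # The {{ cluster_name }} / {{ cluster_region }} / {{ dns.display_name }}
    # placeholders are rendered when the vars are resolved; the replace()
    # filters in the tasks below are kept as a fallback should a literal
    # placeholder survive unrendered.
    dns_templates:
      openshift_cluster:
        a_records:
          - name: "api.{{ cluster_name }}.{{ cluster_region }}"
            content: "{{ dns.cluster_ip }}"
            ttl: 1  # Cloudflare "automatic" TTL
            proxied: false
            comment: "Managed by Ansible - {{ dns.display_name }} API"
          - name: "api-int.{{ cluster_name }}.{{ cluster_region }}"
            content: "{{ dns.cluster_ip }}"
            ttl: 1
            proxied: false
            comment: "Managed by Ansible - {{ dns.display_name }} Internal API"
          - name: "*.apps.{{ cluster_name }}.{{ cluster_region }}"
            content: "{{ dns.cluster_ip }}"
            ttl: 1
            proxied: false
            comment: "Managed by Ansible - {{ dns.display_name }} Apps Wildcard"
          - name: "master-0.{{ cluster_name }}.{{ cluster_region }}"
            content: "{{ dns.cluster_ip }}"
            ttl: 1
            proxied: false
            comment: "Managed by Ansible - {{ dns.display_name }} Master Node"

    # Global DNS records (apply to the entire zone)
    global_records:
      # MX Records
      - type: MX
        name: "@"
        content: "witcher.mxrouting.net"
        priority: 10
        ttl: 1
        proxied: false
        comment: "Managed by Ansible - Primary MX"
      - type: MX
        name: "@"
        content: "witcher-relay.mxrouting.net"
        priority: 20
        ttl: 1
        proxied: false
        comment: "Managed by Ansible - Secondary MX"
      # Global TXT Records (SPF / DKIM / site verification are public data,
      # not secrets, so they are safe to keep in the playbook)
      - type: TXT
        name: "@"
        content: "v=spf1 include:mxlogin.com -all"
        ttl: 1
        proxied: false
        comment: "Managed by Ansible - SPF Record"
      - type: TXT
        name: "x._domainkey"
        content: "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3fpg1ITFGcPMLR4hQNJDfaUbswvy0z1OWec07SvLVTqw9g+ghDsvjUIc8DpcSApC9G47HVNjFjPrHfaGTUe7M6Rdiy+EdNyW9RsoLMZr78bJAeLpXecZhTHePjCQBLPyRjv7lBQkW4NxwDHJoG+Le8gAXg9hJ3MD3cuP4gbWGhFFaWfRvIlVUfcFqTNrwy+D24m+o3zCEYcP6bXoF4Fnk1NUqHb399Kssn73cY4Ibw2QdivqMup4LLVvQ1ilk+8I7W1stQ+JLoBtOQ9WPoAD/MkYI4+OJUnn9nz6r1UIeAMTWZ5rIySbdYZFeKHDWZjwdc5eZOg6PSzY8GXE5x1cvQIDAQAB"
        ttl: 3600
        proxied: false
        comment: "Managed by Ansible - DKIM Record"
      - type: TXT
        name: "@"
        content: "google-site-verification=WvCHGBq2aVDGDNY8Gw8qB9PUToxVtc6ijxmb42jw1aY"
        ttl: 1
        proxied: false
        comment: "Managed by Ansible - Google Site Verification"

  tasks:
    # Fail early with a readable message instead of an undefined-variable
    # error deep inside the set_fact chain.
    - name: Ensure required variables are defined
      ansible.builtin.assert:
        that:
          - global.cloudflare is defined
          - dns is defined
          - cluster_name is defined
          - cluster_region is defined
        fail_msg: "Please ensure global.cloudflare is defined in secrets.yml and cluster configuration is in inventory"

    # Start with global records
    - name: Prepare DNS records list with global records
      ansible.builtin.set_fact:
        dns_records: "{{ global_records }}"

    # Add OpenShift cluster A records. Every template entry points at
    # dns.cluster_ip; only name and comment are cluster-specific.
    - name: Add OpenShift cluster A records
      ansible.builtin.set_fact:
        dns_records: >-
          {{ dns_records + [
               {
                 'type': 'A',
                 'name': record.name
                           | replace('{{ cluster_name }}', cluster_name)
                           | replace('{{ cluster_region }}', cluster_region),
                 'content': dns.cluster_ip,
                 'ttl': record.ttl,
                 'proxied': record.proxied,
                 'comment': record.comment
                              | replace('{{ dns.display_name }}', dns.display_name)
               }
             ] }}
      loop: "{{ dns_templates.openshift_cluster.a_records }}"
      loop_control:
        loop_var: record
        label: "A: {{ record.name | replace('{{ cluster_name }}', cluster_name) | replace('{{ cluster_region }}', cluster_region) }}"

    # Add OpenShift router CNAME records for custom domains. Fixed TTL and
    # never proxied so the cluster router terminates TLS itself.
    - name: Add OpenShift router CNAME records for custom domains
      ansible.builtin.set_fact:
        dns_records: >-
          {{ dns_records + [
               {
                 'type': 'CNAME',
                 'name': domain,
                 'content': dns.router,
                 'ttl': 3600,
                 'proxied': false,
                 'comment': 'Managed by Ansible - OpenShift Router for ' + domain + ' (' + dns.display_name + ')'
               }
             ] }}
      loop: "{{ dns.custom_domains | default([]) }}"
      loop_control:
        loop_var: domain
        label: "CNAME: {{ domain }}"

    # Add additional cluster-specific records. The record is passed through
    # as given and only its comment is rewritten, so optional keys the
    # apply task reads (priority for MX, state: absent for removals) are
    # preserved instead of being dropped by an explicit field list.
    - name: Add additional cluster-specific records
      ansible.builtin.set_fact:
        dns_records: >-
          {{ dns_records + [
               record | combine({
                 'comment': record.comment
                              | replace('{{ cluster_name }}', cluster_name)
                              | replace('{{ cluster_region }}', cluster_region)
               })
             ] }}
      loop: "{{ dns.additional_records | default([]) }}"
      loop_control:
        loop_var: record
        label: "{{ record.type }}: {{ record.name }}"

    # Configure all DNS records.
    # - This play is additive: a record removed from the lists above is NOT
    #   deleted from Cloudflare; add it with `state: absent` to remove it.
    # - The per-record `comment` built above is not sent to the module here
    #   (no `comment` argument is passed); wire it through only after
    #   confirming the installed collection version supports that option.
    # - NOTE(review): dns_result is dumped at -v below and carries the module
    #   invocation; confirm the installed collection masks api_token there,
    #   or add `no_log: true` to this task.
    - name: Configure DNS records for {{ zone }}
      community.general.cloudflare_dns:
        zone: "{{ zone }}"
        api_token: "{{ global.cloudflare }}"
        type: "{{ item.type }}"
        name: "{{ item.name }}"
        content: "{{ item.content }}"
        ttl: "{{ item.ttl | default(3600) }}"
        proxied: "{{ item.proxied | default(false) }}"
        state: "{{ item.state | default('present') }}"
        priority: "{{ item.priority | default(omit) }}"
      loop: "{{ dns_records }}"
      loop_control:
        label: "{{ item.type }}: {{ item.name }}.{{ zone }}"
      register: dns_result

    # Full per-record result, only at -v or higher
    - name: Show DNS configuration results
      ansible.builtin.debug:
        var: dns_result
        verbosity: 1

    # `is changed` on a loop result is true when any iteration changed
    - name: Report successful DNS changes
      ansible.builtin.debug:
        msg: "Successfully updated DNS records for zone {{ zone }}"
      when: dns_result is changed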