Adds platform/external-dns/policies/dynadot-multi-domain.yaml — the
canonical external-dns + dynadot webhook deployment that ships in every
Sovereign on an OpenOva pool domain.
Why a webhook: external-dns has no upstream Dynadot provider; the
canonical pattern is the webhook RPC contract, with a sidecar that
implements the provider in our preferred language. We reuse the same
internal/dynadot/ package the catalyst-api uses, so the never-wipe rule,
record encoding, and managed-domain allowlist are identical on both
write paths (per docs/INVIOLABLE-PRINCIPLES.md #2 — no duplicate
implementations of the same concern).
Multi-domain:
- One --domain-filter per zone in the external-dns args; adding a third
pool domain (e.g. acme.io) is a one-line edit here PLUS a one-key edit
on dynadot-api-credentials' `domains` field. No webhook rebuild.
- Webhook reads DYNADOT_MANAGED_DOMAINS from the same secret with
optional=true, preserving backward compatibility with the legacy
single-`domain` secret shape (pre-#108).
TXT registry:
- --txt-owner-id=$(SOVEREIGN_FQDN), --txt-prefix=_externaldns.<sub>.
- Cluster overlays substitute SOVEREIGN_FQDN via the bp-catalyst-platform
umbrella so two clusters sharing a parent zone (alpha.omani.works,
beta.omani.works) cannot collide.
Closes #109.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
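The shape of the Deployment the commit message describes, as an added illustration rather than the repository's own dynadot-multi-domain.yaml: the external-dns container carries one `--domain-filter` per pool domain and the TXT-registry flags, and the Dynadot webhook sidecar reads the managed-domain list from the `dynadot-api-credentials` secret with `optional: true` so a legacy single-`domain` secret still mounts. The image names and tags, the `DYNADOT_API_KEY`/`DYNADOT_DOMAIN` variable names, the secret key `api-key`, the second pool domain `pool-two.example`, and the literal `SOVEREIGN_FQDN` value (normally substituted by the cluster overlay) are assumptions; `domains` and `domain` are the key names the commit message names.

```yaml
# Added illustration, not the repository's manifest. Flag names are real
# external-dns flags; names marked "assumption" are not from the commit.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.15.0   # tag is an assumption
          env:
            # Overlays substitute this per cluster; literal value is an assumption.
            - name: SOVEREIGN_FQDN
              value: alpha.omani.works
          args:
            - --source=ingress
            - --source=service
            - --provider=webhook
            - --webhook-provider-url=http://localhost:8888   # sidecar in the same pod
            - --registry=txt
            # Owner id differs per cluster, so alpha.* and beta.* under one
            # parent zone never claim each other's records.
            - --txt-owner-id=$(SOVEREIGN_FQDN)
            - --txt-prefix=_externaldns.
            # upsert-only is an assumption: a second guard in front of the
            # provider's own never-wipe rule.
            - --policy=upsert-only
            # One filter per pool domain; a third zone is one more line here.
            - --domain-filter=omani.works
            - --domain-filter=pool-two.example   # constructed second pool domain
        - name: dynadot-webhook
          image: ghcr.io/example/dynadot-webhook:latest   # placeholder image
          ports:
            - containerPort: 8888
          env:
            - name: DYNADOT_API_KEY   # variable name is an assumption
              valueFrom:
                secretKeyRef:
                  name: dynadot-api-credentials
                  key: api-key        # key name is an assumption
            # Multi-domain allowlist; optional so the legacy secret shape
            # (single `domain` key, pre-#108) still schedules the pod.
            - name: DYNADOT_MANAGED_DOMAINS
              valueFrom:
                secretKeyRef:
                  name: dynadot-api-credentials
                  key: domains
                  optional: true
            - name: DYNADOT_DOMAIN    # legacy single-domain fallback; name is an assumption
              valueFrom:
                secretKeyRef:
                  name: dynadot-api-credentials
                  key: domain
                  optional: true
```

A practical check after applying such a manifest is that `kubectl get pods` shows both containers ready even when the secret lacks the `domains` key; a missing `optional: true` on that reference would instead leave the pod stuck in `CreateContainerConfigError`, which is exactly the backward-compatibility failure the commit message says it avoids.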