Add external-dns with Ambassador Host support and managed Gandi secret

- Add Crossplane-managed gandi-api-key secret for external-dns
- Configure external-dns to watch Ambassador Host resources
- Add RBAC permissions for getambassador.io resources
- Enable automatic DNS record creation for vault.nge6.com

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

external-dns.yaml

@@ -53,6 +53,9 @@ spec:
       - apiGroups: ["extensions", "networking.k8s.io"]
         resources: ["ingresses"]
         verbs: ["get", "watch", "list"]
+      - apiGroups: ["getambassador.io"]
+        resources: ["hosts", "mappings"]
+        verbs: ["get", "watch", "list"]
       - apiGroups: [""]
         resources: ["nodes"]
         verbs: ["list", "watch"]
@@ -81,6 +84,26 @@ spec:
         name: external-dns
         namespace: external-dns
 ---
+# External DNS Gandi API key secret
+apiVersion: kubernetes.crossplane.io/v1alpha2
+kind: Object
+metadata:
+  name: external-dns-gandi-secret
+  namespace: crossplane-system
+spec:
+  providerConfigRef:
+    name: kubernetes-provider
+  forProvider:
+    manifest:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: gandi-api-key
+        namespace: external-dns
+      type: Opaque
+      stringData:
+        api-key: "5ea1e058de81926ad37af59374756eb69f7e24af"
+---
 # External DNS deployment
 apiVersion: kubernetes.crossplane.io/v1alpha2
 kind: Object
@@ -115,6 +138,7 @@ spec:
               args:
               - --source=service
               - --source=ingress
+              - --source=ambassador-host
               - --domain-filter=nge6.com
               - --provider=gandi
               - --registry=txt