Cert-manager: Support scoped-API token based authentication with Cloudflare

Created on 5 Sep 2019 · 10 Comments · Source: jetstack/cert-manager

Is your feature request related to a problem? Please describe.
Cloudflare recently released scoped api tokens here. And I would like to use that instead of the previous API Key

Just to be crystal clear, I will state here:

  1. api key - currently supported but does not allow scoping/permissions on cloudflare. uses X-Auth-Key header
  2. api token - currently not supported but allows scoping/permissions. uses Authorization: Bearer xxx header

An example of the error when api token is passed to the .apiKeySecretRef

0905 04:51:24.366740       1 base_controller.go:189]
cert-manager/controller/challenges "msg"="re-queuing item  due to error processing"
"error"="Cloudflare API Error
  Error:
    6003: Invalid request headers <-
    6103: Invalid format for X-Auth-Key header" "key"="xxxxxx"

Describe the solution you'd like
Requesting for apiToken to be supported in ClusterIssuer and Issuer. Perhaps a spec like .dns01.cloudflare.apiTokenSecretRef since cloudflare will continue to support both token and keys to allow customers to migrate.

Describe alternatives you've considered
na

Additional context
a scoped token is better from a security standpoint

Environment details (if applicable):

  • Kubernetes version (e.g. v1.10.2):
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc):
  • cert-manager version (e.g. v0.4.0):
  • Install method (e.g. helm or static manifests):

/kind feature

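As an added illustration, not code from this issue or from cert-manager itself, the Go snippet below shows how a DNS01 solver would pick the request headers for the two Cloudflare credential styles described above: the legacy global API key (sent as X-Auth-Key, which Cloudflare pairs with X-Auth-Email) and the scoped API token (sent as Authorization: Bearer). Feeding a token through the X-Auth-Key path is what produces the 6103 "Invalid format for X-Auth-Key header" error quoted in the report. The CloudflareAuth struct, the sentinel errors and the AuthHeaders function are assumptions for this example; the field comments refer to the apiKeySecretRef / apiTokenSecretRef names proposed in the issue, and the sample credential strings are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// CloudflareAuth holds whichever credential the Issuer references.
// The struct is assumed for this example; the field comments point at the
// Issuer fields proposed in the issue.
type CloudflareAuth struct {
	Email    string // required only with the legacy global API key
	APIKey   string // value resolved from .dns01.cloudflare.apiKeySecretRef
	APIToken string // value resolved from .dns01.cloudflare.apiTokenSecretRef (proposed)
}

var (
	ErrNoCredential   = errors.New("cloudflare: neither apiKey nor apiToken is set")
	ErrBothCredential = errors.New("cloudflare: apiKey and apiToken are mutually exclusive")
	ErrMissingEmail   = errors.New("cloudflare: email is required with the legacy apiKey")
)

// AuthHeaders returns the HTTP headers to send for the configured credential:
//   - legacy global key -> X-Auth-Key + X-Auth-Email
//   - scoped API token  -> Authorization: Bearer <token>
// Exactly one credential must be set, so a token can never be sent in the
// X-Auth-Key header (Cloudflare rejects that with error 6103).
func AuthHeaders(a CloudflareAuth) (http.Header, error) {
	// Secret values mounted from Kubernetes often carry a trailing newline;
	// trimming avoids sending it to the API.
	key := strings.TrimSpace(a.APIKey)
	tok := strings.TrimSpace(a.APIToken)
	email := strings.TrimSpace(a.Email)

	switch {
	case key == "" && tok == "":
		return nil, ErrNoCredential
	case key != "" && tok != "":
		return nil, ErrBothCredential
	case tok != "":
		h := http.Header{}
		h.Set("Authorization", "Bearer "+tok)
		return h, nil
	default:
		if email == "" {
			return nil, ErrMissingEmail
		}
		h := http.Header{}
		h.Set("X-Auth-Key", key)
		h.Set("X-Auth-Email", email)
		return h, nil
	}
}

// HeaderNames lists the header names that would be sent, for logging
// without writing the secret values themselves to the log.
func HeaderNames(h http.Header) []string {
	names := make([]string, 0, len(h))
	for k := range h {
		names = append(names, k)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample configurations, one of each kind plus an invalid one.
	samples := []CloudflareAuth{
		{APIToken: "constructed-scoped-token\n"},
		{Email: "dns-admin@example.com", APIKey: "constructed-global-key"},
		{APIKey: "constructed-global-key", APIToken: "constructed-scoped-token"},
	}
	for _, a := range samples {
		h, err := AuthHeaders(a)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("sending headers:", HeaderNames(h))
	}
}
```

Keeping the two credentials as separate, mutually exclusive fields is what lets the solver choose the right header unambiguously; a single shared field would force it to guess from the secret's format.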

All 10 comments

This sounds reasonable, and as you say I think it's best we implement this as a distinct field 😄

Cool! Let me take a stab at it.

recently added to external-dns too. would be great to have here as well 👍

Hey @madsonic

Are you still looking at implementing this?

I still am interested but haven't gotten the time away from work to do it. Let me know your plan forward

Would be a huge asset to include this limitation in the documentation.

@munnerz I take it #2170 resolves this issue. Is there a timeline for the 0.12 release?

I also spent a while chasing my tail on this one - how hard is it to build the cert-manager image myself, in case 0.12 is delayed?

The v0.12 betas are already available, and there won’t be code changes
between the beta and final release (only updates to our documentation site
to come now). I’d recommend using the beta 🙂

On Sun, 24 Nov 2019 at 10:15, Daniel Staudigel notifications@github.com
wrote:

I also spent a while chasing my tail on this one - how hard is it to build
the cert-manager image myself, in case 0.12 is delayed more?


My bad - I thought 0.12 was pending the merge of #2170 - I'll wait until it's merged and hit up canary; I tried to build it myself and made it all the way to the last step, my updated clusterissuers get rejected by some webhook validation thing which I haven't managed to update.
