docs: support for api tokens

Documents support for using scoped API Tokens alongside the existing support for Origin CA service keys. Bug: #135
cloudflare · Oct 2, 2024 · c94a25a · c94a25a
1 parent 1531b86
commit c94a25a
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 8 deletions.
diff --git a/README.org b/README.org
@@ -33,13 +33,57 @@ pod/origin-ca-issuer-1234568-abcdw  1/1     Running     0           1m
 #+END_EXAMPLE
 
 *** Adding an OriginIssuer
-With running the controller out of the way, we can now setup an issuer that's connected to our Cloudflare account via the Cloudflare API.
+**** API Token
+Origin CA Issuer can use an [[https://dash.cloudflare.com/profile/api-tokens][API Token]] that contains the "SSL and Certificates" permission, which can be scoped to specific accounts or zones.
 
-We need to fetch our API service key for Origin CA. This key can be found by navigating to the [[https://dash.cloudflare.com/profile/api-tokens][API Tokens]] section of the Cloudflare Dashboard and viewing the "Origin CA Key" API key. This key will begin with "v1.0-" and is different than your normal API key. It is not currently possible to use an API Token with the Origin CA API at this time.
+#+BEGIN_SRC sh :file ./deploy/example/api-token.secret.yaml :results silent file :exports code
+kubectl create secret generic \
+    --dry-run \
+    -n default cfapi-token \
+    --from-literal key=cfapi-token -oyaml
+#+END_SRC
+
+Then create an OriginIssuer referencing the secret created above.
+
+#+BEGIN_SRC yaml :tangle ./deploy/example/api-token.issuer.yaml :comments link
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+  name: prod-issuer
+  namespace: default
+spec:
+  requestType: OriginECC
+  auth:
+    tokenRef:
+      name: cfapi-token
+      key: key
+#+END_SRC
+
+#+BEGIN_EXAMPLE
+$ kubectl apply -f api-token.secret.yaml -f issuer.yaml
+originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created
+secret/cfapi-token created
+#+END_EXAMPLE
+
+The status conditions of the OriginIssuer resource will be updated once the Origin CA Issuer is ready.
+
+#+BEGIN_EXAMPLE
+$ kubectl get originissuer.cert-manager.k8s.cloudflare.com prod-issuer -o json | jq .status.conditions
+[
+  {
+    "lastTransitionTime": "2020-10-07T00:05:00Z",
+    "message": "OriginIssuer verified an ready to sign certificates",
+    "reason": "Verified",
+    "status": "True",
+    "type": "Ready"
+  }
+]
+#+END_EXAMPLE
 
-Once you've copied your Origin CA Key, you can use this to create the Secret used by the OriginIssuer.
+**** Origin CA Service Key
+Alternatively, the "Origin CA Key" can be used, also found on the API Tokens page. This key will begin with "v1.0-" and is different from the "Global API Key".
 
-#+BEGIN_SRC sh :file ./deploy/example/secret.issuer.yaml :results silent file :exports code
+#+BEGIN_SRC sh :file ./deploy/example/service-key.secret.yaml :results silent file :exports code
 kubectl create secret generic \
     --dry-run \
     -n default service-key \
@@ -48,7 +92,7 @@ kubectl create secret generic \
 
 Then create an OriginIssuer referencing the secret created above.
 
-#+BEGIN_SRC yaml :tangle ./deploy/example/issuer.yaml :comments link
+#+BEGIN_SRC yaml :tangle ./deploy/example/service-key.issuer.yaml :comments link
 apiVersion: cert-manager.k8s.cloudflare.com/v1
 kind: OriginIssuer
 metadata:
@@ -63,7 +107,7 @@ spec:
 #+END_SRC
 
 #+BEGIN_EXAMPLE
-$ kubectl apply -f service-key.yaml -f issuer.yaml
+$ kubectl apply -f service-key.secret.yaml -f issuer.yaml
 originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created
 secret/service-key created
 #+END_EXAMPLE

diff --git a/deploy/example/api-token.issuer.yaml b/deploy/example/api-token.issuer.yaml
@@ -0,0 +1,13 @@
+# [[file:../../README.org::*API Token][API Token:2]]
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+  name: prod-issuer
+  namespace: default
+spec:
+  requestType: OriginECC
+  auth:
+    tokenRef:
+      name: cfapi-token
+      key: key
+# API Token:2 ends here
diff --git a/deploy/example/api-token.secret.yaml b/deploy/example/api-token.secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  key: Y2ZhcGktdG9rZW4=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: api-token
+  namespace: default
diff --git a/deploy/example/secret.issuer.yaml → deploy/example/secvice-key.secret.yaml b/deploy/example/secret.issuer.yaml → deploy/example/secvice-key.secret.yaml
diff --git a/deploy/example/issuer.yaml → deploy/example/service-key.issuer.yaml b/deploy/example/issuer.yaml → deploy/example/service-key.issuer.yaml
@@ -1,4 +1,4 @@
-# [[file:../../README.org::*Adding an OriginIssuer][Adding an OriginIssuer:2]]
+# [[file:../../README.org::*Origin CA Service Key][Origin CA Service Key:2]]
 apiVersion: cert-manager.k8s.cloudflare.com/v1
 kind: OriginIssuer
 metadata:
@@ -10,4 +10,4 @@ spec:
     serviceKeyRef:
       name: service-key
       key: key
-# Adding an OriginIssuer:2 ends here
+# Origin CA Service Key:2 ends here