From c94a25a51444b4b2a3ced857d663091a05e27487 Mon Sep 17 00:00:00 2001
From: Terin Stock
Date: Wed, 2 Oct 2024 14:25:46 -0500
Subject: [PATCH] docs: support for api tokens

Documents support for using scoped API Tokens alongside the existing support for Origin CA service keys.

Bug: #135
---
 README.org | 56 +++++++++++++++++--
 deploy/example/api-token.issuer.yaml | 13 +++++
 deploy/example/api-token.secret.yaml | 8 +++
 ...et.issuer.yaml => secvice-key.secret.yaml} | 0
 .../{issuer.yaml => service-key.issuer.yaml} | 4 +-
 5 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100644 deploy/example/api-token.issuer.yaml
 create mode 100644 deploy/example/api-token.secret.yaml
 rename deploy/example/{secret.issuer.yaml => secvice-key.secret.yaml} (100%)
 rename deploy/example/{issuer.yaml => service-key.issuer.yaml} (64%)

diff --git a/README.org b/README.org
index 37eec92..9cbe532 100644
--- a/README.org
+++ b/README.org
@@ -33,13 +33,57 @@ pod/origin-ca-issuer-1234568-abcdw 1/1 Running 0 1m #+END_EXAMPLE *** Adding an OriginIssuer -With running the controller out of the way, we can now setup an issuer that's connected to our Cloudflare account via the Cloudflare API. +**** API Token +Origin CA Issuer can use an [[https://dash.cloudflare.com/profile/api-tokens][API Token]] that contains the "SSL and Certificates" permission, which can be scoped to specific accounts or zones. -We need to fetch our API service key for Origin CA. This key can be found by navigating to the [[https://dash.cloudflare.com/profile/api-tokens][API Tokens]] section of the Cloudflare Dashboard and viewing the "Origin CA Key" API key. This key will begin with "v1.0-" and is different than your normal API key. It is not currently possible to use an API Token with the Origin CA API at this time. +#+BEGIN_SRC sh :file ./deploy/example/api-token.secret.yaml :results silent file :exports code +kubectl create secret generic \ + --dry-run \ + -n default cfapi-token \ + --from-literal key=cfapi-token -oyaml +#+END_SRC + +Then create an OriginIssuer referencing the secret created above. + +#+BEGIN_SRC yaml :tangle ./deploy/example/api-token.issuer.yaml :comments link +apiVersion: cert-manager.k8s.cloudflare.com/v1 +kind: OriginIssuer +metadata: + name: prod-issuer + namespace: default +spec: + requestType: OriginECC + auth: + tokenRef: + name: cfapi-token + key: key +#+END_SRC + +#+BEGIN_EXAMPLE +$ kubectl apply -f api-token.secret.yaml -f issuer.yaml +originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created +secret/cfapi-token created +#+END_EXAMPLE + +The status conditions of the OriginIssuer resource will be updated once the Origin CA Issuer is ready. 
+ +#+BEGIN_EXAMPLE +$ kubectl get originissuer.cert-manager.k8s.cloudflare.com prod-issuer -o json | jq .status.conditions +[ + { + "lastTransitionTime": "2020-10-07T00:05:00Z", + "message": "OriginIssuer verified an ready to sign certificates", + "reason": "Verified", + "status": "True", + "type": "Ready" + } +] +#+END_EXAMPLE -Once you've copied your Origin CA Key, you can use this to create the Secret used by the OriginIssuer. +**** Origin CA Service Key +Alternatively, the "Origin CA Key" can be used, also found on the API Tokens page. This key will begin with "v1.0-" and is different from the "Global API Key". -#+BEGIN_SRC sh :file ./deploy/example/secret.issuer.yaml :results silent file :exports code +#+BEGIN_SRC sh :file ./deploy/example/service-key.secret.yaml :results silent file :exports code kubectl create secret generic \ --dry-run \ -n default service-key \ @@ -48,7 +92,7 @@ kubectl create secret generic \ Then create an OriginIssuer referencing the secret created above. -#+BEGIN_SRC yaml :tangle ./deploy/example/issuer.yaml :comments link +#+BEGIN_SRC yaml :tangle ./deploy/example/service-key.issuer.yaml :comments link apiVersion: cert-manager.k8s.cloudflare.com/v1 kind: OriginIssuer metadata: @@ -63,7 +107,7 @@ spec: #+END_SRC #+BEGIN_EXAMPLE -$ kubectl apply -f service-key.yaml -f issuer.yaml +$ kubectl apply -f service-key.secret.yaml -f issuer.yaml originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created secret/service-key created #+END_EXAMPLE diff --git a/deploy/example/api-token.issuer.yaml b/deploy/example/api-token.issuer.yaml new file mode 100644 index 0000000..e69d814 --- /dev/null +++ b/deploy/example/api-token.issuer.yaml @@ -0,0 +1,13 @@ +# [[file:../../README.org::*API Token][API Token:2]] +apiVersion: cert-manager.k8s.cloudflare.com/v1 +kind: OriginIssuer +metadata: + name: prod-issuer + namespace: default +spec: + requestType: OriginECC + auth: + tokenRef: + name: cfapi-token + key: key +# API Token:2 ends here 
diff --git a/deploy/example/api-token.secret.yaml b/deploy/example/api-token.secret.yaml
new file mode 100644
index 0000000..c454340
--- /dev/null
+++ b/deploy/example/api-token.secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  key: Y2ZhcGktdG9rZW4=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: api-token
+  namespace: default
diff --git a/deploy/example/secret.issuer.yaml b/deploy/example/secvice-key.secret.yaml
similarity index 100%
rename from deploy/example/secret.issuer.yaml
rename to deploy/example/secvice-key.secret.yaml
diff --git a/deploy/example/issuer.yaml b/deploy/example/service-key.issuer.yaml
similarity index 64%
rename from deploy/example/issuer.yaml
rename to deploy/example/service-key.issuer.yaml
index 16c321c..f283a5a 100644
--- a/deploy/example/issuer.yaml
+++ b/deploy/example/service-key.issuer.yaml
@@ -1,4 +1,4 @@
-# [[file:../../README.org::*Adding an OriginIssuer][Adding an OriginIssuer:2]]
+# [[file:../../README.org::*Origin CA Service Key][Origin CA Service Key:2]]
 apiVersion: cert-manager.k8s.cloudflare.com/v1
 kind: OriginIssuer
 metadata:
@@ -10,4 +10,4 @@ spec:
     serviceKeyRef:
       name: service-key
       key: key
-# Adding an OriginIssuer:2 ends here
+# Origin CA Service Key:2 ends here
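Review bot: The Secret committed in api-token.secret.yaml is named `api-token`, but the companion example issuer (api-token.issuer.yaml, `tokenRef.name: cfapi-token`) and the README command that is supposed to generate this file (`-n default cfapi-token`) both use `cfapi-token`, so applying the two example files together leaves the OriginIssuer referencing a Secret that does not exist. Change `  name: api-token` to `  name: cfapi-token`, or regenerate the file from the README src block so the two stay in sync. The data value is just the base64 of the placeholder string `cfapi-token`, which is fine for an example, though it appears to be org-babel output, so any warning not to commit a real token belongs in the README rather than as a comment in this file. The `secvice-key.secret.yaml` rename target on the same line looks like a typo for the `service-key.secret.yaml` path the README now points at, which would leave the renamed file orphaned.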