feat(external): create cloudflare API token for cert-manager

2025-02-02 04:14:28 +07:00 · 2021-12-12 16:06:22 +07:00 · 2021-12-12 16:06:22 +07:00 · 4e49aee054
commit 4e49aee054
parent e698fb44de
2 changed files with 26 additions and 9 deletions
--- a/external/cert-manager/templates/issuer.yaml
+++ b/external/cert-manager/templates/issuer.yaml
@ -13,5 +13,5 @@ spec:
        cloudflare:
          email: {{ .Values.issuer.email }}
          apiTokenSecretRef:
-            name: cloudflare-api-token-secret
+            name: cloudflare-api-token
            key: api-token
--- a/external/cloudflare.tf
+++ b/external/cloudflare.tf
@ -87,14 +87,6 @@ resource "cloudflare_api_token" "external_dns" {
      "com.cloudflare.api.account.zone.*" = "*"
    }
  }
-
-  condition {
-    request_ip {
-      in = [
-        data.http.public_ip.body
-      ]
-    }
-  }
 }

 resource "kubernetes_secret" "external_dns_token" {
@ -107,3 +99,28 @@ resource "kubernetes_secret" "external_dns_token" {
    "value" = cloudflare_api_token.external_dns.value
  }
 }
+
+resource "cloudflare_api_token" "cert_manager" {
+  name = "homelab_cert_manager"
+
+  policy {
+    permission_groups = [
+      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
+      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"]
+    ]
+    resources = {
+      "com.cloudflare.api.account.zone.*" = "*"
+    }
+  }
+}
+
+resource "kubernetes_secret" "cert_manager_token" {
+  metadata {
+    name = "cloudflare-api-token"
+    namespace = "cert-manager"
+  }
+
+  data = {
+    "api-token" = cloudflare_api_token.cert_manager.value
+  }
+}