From 4e49aee05458732d81f082e8e863364848cd7857 Mon Sep 17 00:00:00 2001
From: Khue Doan
Date: Sun, 12 Dec 2021 16:06:22 +0700
Subject: [PATCH] feat(external): create cloudflare API token for cert-manager

---
 external/cert-manager/templates/issuer.yaml | 2 +-
 external/cloudflare.tf | 33 ++++++++++++++++-----
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/external/cert-manager/templates/issuer.yaml b/external/cert-manager/templates/issuer.yaml
index 255bb88c..cd7ef84b 100644
--- a/external/cert-manager/templates/issuer.yaml
+++ b/external/cert-manager/templates/issuer.yaml
@@ -13,5 +13,5 @@ spec:
 cloudflare:
 email: {{ .Values.issuer.email }}
 apiTokenSecretRef:
- name: cloudflare-api-token-secret
+ name: cloudflare-api-token
 key: api-token
diff --git a/external/cloudflare.tf b/external/cloudflare.tf
index 0bad1304..fa31da9a 100644
--- a/external/cloudflare.tf
+++ b/external/cloudflare.tf
@@ -87,14 +87,6 @@ resource "cloudflare_api_token" "external_dns" {
 "com.cloudflare.api.account.zone.*" = "*"
 }
 }
-
- condition {
- request_ip {
- in = [
- data.http.public_ip.body
- ]
- }
- }
 }
 
 resource "kubernetes_secret" "external_dns_token" {
@@ -107,3 +99,28 @@ resource "kubernetes_secret" "external_dns_token" {
 "value" = cloudflare_api_token.external_dns.value
 }
 }
+
+resource "cloudflare_api_token" "cert_manager" {
+ name = "homelab_cert_manager"
+
+ policy {
+ permission_groups = [
+ data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
+ data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"]
+ ]
+ resources = {
+ "com.cloudflare.api.account.zone.*" = "*"
+ }
+ }
+}
+
+resource "kubernetes_secret" "cert_manager_token" {
+ metadata {
+ name = "cloudflare-api-token"
+ namespace = "cert-manager"
+ }
+
+ data = {
+ "api-token" = cloudflare_api_token.cert_manager.value
+ }
+}
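Review bot: The `request_ip` condition on the external_dns token is removed in the first cloudflare.tf hunk without the commit message mentioning it, so that token is now accepted from any source address instead of only `data.http.public_ip.body`, while the subject line only covers creating the cert-manager token. If the restriction was dropped because the public-IP lookup is dynamic and churns the token on every apply, record that next to the resource, e.g. `# No request_ip condition: the public address is dynamic and would force token rotation on each apply`. Otherwise keeping the condition costs nothing and limits where a leaked token can be used. The enclosing `resource "cloudflare_api_token" "external_dns"` block starts before this hunk.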
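Review bot: In the second cloudflare.tf hunk the new cert_manager token's `resources` grants DNS Write on every zone in the account (`"com.cloudflare.api.account.zone.*" = "*"`), although cert-manager only needs to write TXT records in the zone(s) it validates; scoping it to those zone ids, e.g. `"com.cloudflare.api.account.zone.<ZONE_ID>" = "*"` (placeholder for the real zone id), keeps the token at least privilege. The token also carries no `request_ip` condition, which matches the one removed from external_dns in the previous hunk, so the two tokens are at least consistent. Note that `cloudflare_api_token.cert_manager.value` is written into Terraform state in plain text as well as into the Kubernetes secret, so the state backend needs the same protection as the cluster; a one-line comment on the `data` block of `kubernetes_secret.cert_manager_token` saying so would help the next maintainer.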