Add support for CloudFlare API Tokens (Authorization: Bearer) #1127
Comments
|
Hi @Evesy thanks for adding support for API token. But for now, the API token must be granted for all zone, cannot only to a specific zone. |
Additionally:
* add a .dockerignore so we don't copy .git and docs to the
container (gotta go fast)
* Change Dockerfile{,.mini} to not run `go mod` every time a file is
changed.
This commit _should_ fix kubernetes-sigs#1127. While users in the past were able to
define ZoneIDFilter for this provider, it did not actually do anything
under the hood.
In this case, we're changing Zones() to iterate over the provided
zoneIDs and return only those zones.
I would have also done this for domainFilter, but unfortunately the
CloudFlare API requires that in order to list zones (and find them by
name) that you have "all" permissions, which seems silly. After talking
to their support, this is probably the best way to do this.
Additionally:
* add a .dockerignore so we don't copy .git and docs to the
container (gotta go fast)
* Change Dockerfile{,.mini} to not run `go mod` every time a file is
changed.
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to
define ZoneIDFilter for this provider, it did not actually do anything
under the hood.
In this case, we're changing Zones() to iterate over the provided
zoneIDs and return only those zones.
I would have also done this for domainFilter, but unfortunately the
CloudFlare API requires that in order to list zones (and find them by
name) that you have "all" permissions, which seems silly. After talking
to their support, this is probably the best way to do this.
|
I do confirm the assumption of @zackijack, il only works when the token has granted permissions for all zones |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
1 similar comment
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Do we have an update on this? I'm also seeing this with Cloudflare API tokens. I don't necessarily want to generate wider permissions to see a zone specifically if I can help that. |
|
This appears to have regressed further, in that even with a token with zone.DNS.Edit permissions on all zones, you still get the above error. Seen as it's probably wise to rollback to 0.5.17 because of #1463 anyway, I'm going to wait until both of these are fixed before upgrading to something more recent than that. |
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
|
I am facing this issue currently with both latest and v0.5.17 docker images. My cloudflare token has zone:read and DNS:edit permissions for a particular zone in my client's account. Any updates on this issue will be really helpful, as we are depending on this setup for a multi-ingress setup. |
|
Also ran into this issue. Is anyone actively working on this? |
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
|
This should be implemented and fixed as of 0.7.2 To use api token you can write: To synchronize just single zone you can use: If someone has other issues or ideas, please open another issue /close |
|
@sheerun: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This issue seems to be present even on v0.9.0 , had tested it on v0.7.2(from the tutorial) and v0.7.6 , happens on all the cases. my token permission looks like is it working for anyone else? [EDIT] |
API tokens would allow granting external-dns access to only a specific DNS zone and not the whole CloudFlare account 🔒
The text was updated successfully, but these errors were encountered: