Add support for CloudFlare API Tokens (Authorization: Bearer) #1127
Comments
Hi @Evesy, thanks for adding support for API tokens. But for now, the API token must be granted for all zones; it cannot be granted only to a specific zone.
Additionally:

* add a .dockerignore so we don't copy .git and docs to the container (gotta go fast)
* Change Dockerfile{,.mini} to not run `go mod` every time a file is changed.

This commit _should_ fix kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this.
Additionally:

* add a .dockerignore so we don't copy .git and docs to the container (gotta go fast)
* Change Dockerfile{,.mini} to not run `go mod` every time a file is changed.

This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this.
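
The lookup strategy the commit message above describes, as an added example (not external-dns's code): with a zone-scoped token the list call is refused, so `Zones()` fetches each ID in the filter directly and fails loudly on an ID the token cannot see. The `zoneAPI` interface, the `scopedTokenAPI` fake and the zone IDs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Zone is a minimal stand-in for a DNS zone (hypothetical type).
type Zone struct{ ID, Name string }

// zoneAPI is a hypothetical interface covering the two calls that matter here.
type zoneAPI interface {
	ListZones() ([]Zone, error)
	ZoneDetails(id string) (Zone, error)
}

var errForbidden = errors.New("403: token lacks permission")

// scopedTokenAPI is a constructed fake of a token limited to specific zones:
// listing is refused, fetching by ID works only for zones in scope.
type scopedTokenAPI struct{ inScope map[string]Zone }

func (a scopedTokenAPI) ListZones() ([]Zone, error) { return nil, errForbidden }

func (a scopedTokenAPI) ZoneDetails(id string) (Zone, error) {
	z, ok := a.inScope[id]
	if !ok {
		return Zone{}, errForbidden
	}
	return z, nil
}

// sampleAPI returns a fake whose token covers one constructed zone.
func sampleAPI() scopedTokenAPI {
	return scopedTokenAPI{inScope: map[string]Zone{"zone-a-id": {"zone-a-id", "example.com"}}}
}

// Zones resolves the zone ID filter one ID at a time; it only falls back to
// listing (which needs access to all zones) when no filter is given.
func Zones(api zoneAPI, zoneIDFilter []string) ([]Zone, error) {
	if len(zoneIDFilter) == 0 {
		return api.ListZones()
	}
	zones := make([]Zone, 0, len(zoneIDFilter))
	for _, id := range zoneIDFilter {
		z, err := api.ZoneDetails(id)
		if err != nil {
			return nil, fmt.Errorf("zone %s: %w", id, err)
		}
		zones = append(zones, z)
	}
	return zones, nil
}

func main() { fmt.Println(Zones(sampleAPI(), []string{"zone-a-id"})) }
```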
I do confirm the assumption of @zackijack, it only works when the token has been granted permissions for all zones.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Do we have an update on this? I'm also seeing this with Cloudflare API tokens.
I don't necessarily want to generate wider permissions to see a zone specifically if I can help that.
This appears to have regressed further, in that even with a token with zone.DNS.Edit permissions on all zones, you still get the above error. Seeing as it's probably wise to roll back to 0.5.17 because of #1463 anyway, I'm going to wait until both of these are fixed before upgrading to something more recent than that.
This commit _should_ help kubernetes-sigs#1127. While users in the past were able to define ZoneIDFilter for this provider, it did not actually do anything under the hood. In this case, we're changing Zones() to iterate over the provided zoneIDs and return only those zones. I would have also done this for domainFilter, but unfortunately the CloudFlare API requires that in order to list zones (and find them by name) that you have "all" permissions, which seems silly. After talking to their support, this is probably the best way to do this. Signed-off-by: James Callahan <jamescallahan@bitgo.com>
I am facing this issue currently with both latest and v0.5.17 docker images. My Cloudflare token has zone:read and DNS:edit permissions for a particular zone in my client's account. Any updates on this issue will be really helpful, as we are depending on this setup for a multi-ingress setup.
Also ran into this issue. Is anyone actively working on this?
This should be implemented and fixed as of 0.7.2. To use an API token you can write:
To synchronize just a single zone you can use:
If someone has other issues or ideas, please open another issue.
/close
@sheerun: Closing this issue. In response to this:
This issue seems to be present even on v0.9.0. I had tested it on v0.7.2 (from the tutorial) and v0.7.6; it happens in all the cases. My token permission looks like
Is it working for anyone else? [EDIT]
API tokens would allow granting external-dns access to only a specific DNS zone and not the whole CloudFlare account 🔒