Fixed issue-86 - added support for cloudflare api token

README.md

@@ -182,7 +182,7 @@ Please configure in `cluster.yml` all necessary credentials:
 | DNS provider | Variables  |
 |---|---|
 |Azure|`azure_client_id: 'client_id'`<br/>`azure_secret: 'key'`<br/>`azure_subscription_id: 'subscription_id'`<br/>`azure_tenant: 'tenant_id'`<br/>`azure_resource_group: 'dns_zone_resource_group'` |
-|CloudFlare|`cloudflare_account_email: [email protected]` <br> Use the global api key here! (API-Token is not supported!) (Details in #86) <br>`cloudflare_account_api_token: 9348234sdsd894.....` <br>  `cloudflare_zone: domain.tld`|
+|CloudFlare|`cloudflare_zone: domain.tld`<br>api key via <br>`cloudflare_account_api_token:`<br>Or global api key **not recommended** <br>`cloudflare_account_email: [email protected]`<br>`cloudflare_account_api_token: 9348.....`|
 |DigitalOcean|`digitalocean_token: e7a6f82c3245b65cf4.....` <br>  `digitalocean_zone: domain.tld`|
 |Gandi|`gandi_account_api_token: 0123456...` <br>  `gandi_zone: domain.tld`|
 |GCP|`gcp_project: project-name `<br/>`gcp_managed_zone_name: 'zone-name'`<br/>`gcp_managed_zone_domain: 'example.com.'`<br/>`gcp_serviceaccount_file: ../gcp_service_account.json` |

ansible/roles/letsencrypt/README.md

@@ -12,11 +12,12 @@ Requirements
 Role Variables
 --------------
 
-| variable | describtion  | example | default | 
+| variable | describtion  | example | default |
 |---|---|---|---|
 | le_dns_provider | DNS provider | `[route53|cloudflare|gcp|azure|hetzner]` |  non **required** |
 | le_cloudflare_account_email | Cloudflare Account E-Mail for API authentication | `[email protected]`| non **required if provider is cloudflare** |
-| le_cloudflare_account_api_token | Cloudflare API token for API authentication | `loo...ngiJ`| non **required if provider is cloudflare** |
+| le_cloudflare_account_api_token | Cloudflare Global API token for API authentication | `loo...ngiJ`| non **required if provider is cloudflare** |
+| le_cloudflare_api_token | Cloudflare API token for API authentication | `loo...ngiJ`| non **required if provider is cloudflare** |
 | le_cloudflare_zone | Cloudflare zone in which the entries are created and deleted for the dns challenge | `domain.tld` | non **required if provider is cloudflare** |
 | le_aws_access_key | AWS Access key | |  non **required if provider is  route53** |
 | le_aws_secret_key | AWS secret key || non **required if provider is  route53** |
@@ -71,7 +72,7 @@ Example in context of hetzner-ocp4
     lc_cloudflare_account_email: "{{ cloudflare_account_email }}"
     lc_cloudflare_account_api_token: "{{ cloudflare_account_api_token }}"
     lc_cloudflare_zone: "{{ cloudflare_zone }}"
-    lc_public_domain: "{{ cluster_name }}.{{ public_domain }}" 
+    lc_public_domain: "{{ cluster_name }}.{{ public_domain }}"
     # Only set if you really want a production letsencrypt certificate
     #   https://letsencrypt.org/docs/rate-limits/
     # lc_acme_directory: "https://acme-v02.api.letsencrypt.org/directory"

ansible/roles/letsencrypt/tasks/check-variables.yml

@@ -29,7 +29,22 @@
     - le_cloudflare_account_email
     - le_cloudflare_account_api_token
     - le_cloudflare_zone
-  when: le_dns_provider == "cloudflare"
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_api_token is not defined
+
+- name: Check required CloudFlare variables
+  ansible.builtin.assert:
+    that:
+      - lookup('vars',item) is defined
+    msg: "{{ item }} is not defined!"
+  with_items:
+    - le_cloudflare_api_token
+    - le_cloudflare_zone
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_account_email is not defined
+    - le_cloudflare_account_api_token is not defined
 
 - name: Check required GCP variables
   ansible.builtin.assert:
@@ -83,6 +98,7 @@
     - le_letsencrypt_account_email
     - le_cloudflare_account_api_token
     - le_cloudflare_zone
+    - le_cloudflare_api_token
     - le_public_domain
     - le_certificates_dir
     - le_public_domain

ansible/roles/letsencrypt/tasks/create-cloudflare.yml

@@ -0,0 +1,36 @@
+---
+- name: Create DNS record at CloudFlare via account_api_token
+  delegate_to: localhost
+  community.general.net_tools.cloudflare_dns:
+    zone: "{{ le_cloudflare_zone }}"
+    record: "{{ item.0.key }}"
+    # 1 for automatic
+    ttl: 1
+    type: TXT
+    value: "{{ item.1 }}"
+    account_email: "{{ le_cloudflare_account_email }}"
+    account_api_token: "{{ le_cloudflare_account_api_token }}"
+  register: record
+  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_account_email is defined
+    - le_cloudflare_account_api_token is defined
+    - sample_com_challenge is changed
+
+- name: Create DNS record at CloudFlare via api_token
+  delegate_to: localhost
+  community.general.net_tools.cloudflare_dns:
+    zone: "{{ le_cloudflare_zone }}"
+    record: "{{ item.0.key }}"
+    # 1 for automatic
+    ttl: 1
+    type: TXT
+    value: "{{ item.1 }}"
+    api_token: "{{ le_cloudflare_api_token }}"
+  register: record
+  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_api_token is defined
+    - sample_com_challenge is changed

ansible/roles/letsencrypt/tasks/destroy-cloudflare.yml

@@ -0,0 +1,36 @@
+---
+- name: Delete DNS record at CloudFlare via account_api_token
+  delegate_to: localhost
+  community.general.net_tools.cloudflare_dns:
+    zone: "{{ le_cloudflare_zone }}"
+    record: "{{ item.0.key }}"
+    # 1 for automatic
+    ttl: 1
+    type: TXT
+    value: "{{ item.1 }}"
+    account_email: "{{ le_cloudflare_account_email }}"
+    account_api_token: "{{ le_cloudflare_account_api_token }}"
+    state: absent
+  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_account_email is defined
+    - le_cloudflare_account_api_token is defined
+    - sample_com_challenge is changed
+
+- name: Delete DNS record at CloudFlare via api_token
+  delegate_to: localhost
+  community.general.net_tools.cloudflare_dns:
+    zone: "{{ le_cloudflare_zone }}"
+    record: "{{ item.0.key }}"
+    # 1 for automatic
+    ttl: 1
+    type: TXT
+    value: "{{ item.1 }}"
+    api_token: "{{ le_cloudflare_api_token }}"
+    state: absent
+  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
+  when:
+    - le_dns_provider == "cloudflare"
+    - le_cloudflare_api_token is defined
+    - sample_com_challenge is changed

ansible/roles/letsencrypt/tasks/main.yml

@@ -55,21 +55,6 @@
     challenge_data_dns: "{{ sample_com_challenge.challenge_data_dns }}"
   when: sample_com_challenge is changed
 
-- name: Create DNS record at CloudFlare
-  delegate_to: localhost
-  community.general.net_tools.cloudflare_dns:
-    zone: "{{ le_cloudflare_zone }}"
-    record: "{{ item.0.key }}"
-    # 1 for automatic
-    ttl: 1
-    type: TXT
-    value: "{{ item.1 }}"
-    account_email: "{{ le_cloudflare_account_email }}"
-    account_api_token: "{{ le_cloudflare_account_api_token }}"
-  register: record
-  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
-  when: le_dns_provider == "cloudflare" and sample_com_challenge is changed
-
 - name: Create DNS record at Route53
   delegate_to: localhost
   community.aws.route53:
@@ -167,7 +152,7 @@
 - name: Include DNS provider
   ansible.builtin.include_tasks: "create-{{ le_dns_provider }}.yml"
   when:
-    - le_dns_provider in ['hetzner', 'digitalocean']
+    - le_dns_provider in ['hetzner', 'digitalocean', 'cloudflare']
     - sample_com_challenge is changed
 
 - name: Pause, wait for DNS changes
@@ -190,21 +175,6 @@
     data: "{{ sample_com_challenge }}"
   when: sample_com_challenge is changed
 
-- name: Delete DNS record at CloudFlare
-  delegate_to: localhost
-  community.general.net_tools.cloudflare_dns:
-    zone: "{{ le_cloudflare_zone }}"
-    record: "{{ item.0.key }}"
-    # 1 for automatic
-    ttl: 1
-    type: TXT
-    value: "{{ item.1 }}"
-    account_email: "{{ le_cloudflare_account_email }}"
-    account_api_token: "{{ le_cloudflare_account_api_token }}"
-    state: absent
-  loop: "{{ challenge_data_dns | default({}) | dict2items | subelements('value') }}"
-  when: le_dns_provider == "cloudflare" and sample_com_challenge is changed
-
 - name: Delete DNS record at Route53
   delegate_to: localhost
   community.aws.route53:
@@ -290,7 +260,7 @@
 - name: Include DNS provider
   ansible.builtin.include_tasks: "destroy-{{ le_dns_provider }}.yml"
   when:
-    - le_dns_provider in ['hetzner', 'digitalocean']
+    - le_dns_provider in ['hetzner', 'digitalocean','cloudflare']
     - sample_com_challenge is changed
 
 - name: concat root ca and intermediate

ansible/roles/openshift-4-cluster/tasks/certificate-renewal.yml

@@ -15,6 +15,8 @@
 
     le_cloudflare_account_email: "{{ cloudflare_account_email | default(letsencrypt_account_email) }}"
     le_cloudflare_account_api_token: "{{ cloudflare_account_api_token }}"
+    le_cloudflare_api_token: "{{ cloudflare_api_token }}"
+
     le_cloudflare_zone: "{{ cloudflare_zone }}"
 
     le_aws_access_key: "{{ aws_access_key }}"

ansible/roles/openshift-4-cluster/tasks/create-network.yml

@@ -144,6 +144,7 @@
     pd_provider: "{{ dns_provider }}"
     pd_public_ip: "{% if 'IPv4' in ip_families %}{{ public_ip | default(listen_address) }}{% endif %}"
     pd_public_ipv6: "{% if 'IPv6' in ip_families %}{{ public_ipv6 | default(listen_address_ipv6) }}{% endif %}"
+    pd_cloudflare_api_token: "{{ cloudflare_api_token }}"
     pd_cloudflare_account_api_token: "{{ cloudflare_account_api_token }}"
     pd_cloudflare_zone: "{{ cloudflare_zone }}"
     pd_aws_access_key: "{{ aws_access_key }}"

ansible/roles/openshift-4-cluster/tasks/create.yml

@@ -47,6 +47,7 @@
 
     le_cloudflare_account_email: "{{ cloudflare_account_email | default(letsencrypt_account_email) }}"
     le_cloudflare_account_api_token: "{{ cloudflare_account_api_token }}"
+    le_cloudflare_api_token: "{{ cloudflare_api_token }}"
     le_cloudflare_zone: "{{ cloudflare_zone }}"
 
     le_aws_access_key: "{{ aws_access_key }}"

ansible/roles/openshift-4-cluster/tasks/destroy-network.yml

@@ -8,6 +8,7 @@
     pd_provider: "{{ dns_provider }}"
     pd_public_ip: "{% if 'IPv4' in ip_families %}{{ public_ip | default(listen_address) }}{% endif %}"
     pd_public_ipv6: "{% if 'IPv6' in ip_families %}{{ public_ipv6 | default(listen_address_ipv6) }}{% endif %}"
+    pd_cloudflare_api_token: "{{ cloudflare_api_token }}"
     pd_cloudflare_account_api_token: "{{ cloudflare_account_api_token }}"
     pd_cloudflare_zone: "{{ cloudflare_zone }}"
     pd_aws_access_key: "{{ aws_access_key }}"

ansible/roles/public_dns/tasks/create-cloudflare.yml

@@ -1,5 +1,5 @@
 ---
-- name: Create Cloudflare DNS records
+- name: Create Cloudflare DNS records via account_api_token
   cloudflare_dns:
     zone: "{{ pd_cloudflare_zone }}"
     record: "{{ item }}.{{ pd_public_domain }}"
@@ -14,10 +14,14 @@
     - '*.apps'
   tags:
     - public_dns
-  when: (pd_public_ip is defined) and (pd_public_ip|length > 0)
+  when:
+    - (pd_public_ip is defined)
+    - (pd_public_ip|length > 0)
+    - cloudflare_account_email is defined
+    - cloudflare_account_api_token is defined
 
 
-- name: Create IPv6 Cloudflare DNS records
+- name: Create IPv6 Cloudflare DNS records via account_api_token
   cloudflare_dns:
     zone: "{{ pd_cloudflare_zone }}"
     record: "{{ item }}.{{ pd_public_domain }}"
@@ -32,4 +36,46 @@
     - '*.apps'
   tags:
     - public_dns
-  when: (pd_public_ipv6 is defined) and (pd_public_ipv6|length > 0)
+  when:
+    - (pd_public_ipv6 is defined)
+    - (pd_public_ipv6|length > 0)
+    - cloudflare_account_email is defined
+    - cloudflare_account_api_token is defined
+
+- name: Create Cloudflare DNS records via api_token
+  cloudflare_dns:
+    zone: "{{ pd_cloudflare_zone }}"
+    record: "{{ item }}.{{ pd_public_domain }}"
+    # 1 is auto
+    ttl: 1
+    type: A
+    value: "{{ pd_public_ip }}"
+    api_token: "{{ cloudflare_api_token }}"
+  with_items:
+    - api
+    - '*.apps'
+  tags:
+    - public_dns
+  when:
+    - (pd_public_ip is defined)
+    - (pd_public_ip|length > 0)
+    - cloudflare_api_token is defined
+
+- name: Create IPv6 Cloudflare DNS records via api_token
+  cloudflare_dns:
+    zone: "{{ pd_cloudflare_zone }}"
+    record: "{{ item }}.{{ pd_public_domain }}"
+    # 1 is auto
+    ttl: 1
+    type: AAAA
+    value: "{{ pd_public_ipv6 }}"
+    api_token: "{{ cloudflare_api_token }}"
+  with_items:
+    - api
+    - '*.apps'
+  tags:
+    - public_dns
+  when:
+    - (pd_public_ipv6 is defined)
+    - (pd_public_ipv6|length > 0)
+    - cloudflare_api_token is defined

ansible/roles/public_dns/tasks/destroy-cloudflare.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Delete DNS record at CloudFlare
+- name: Delete DNS record at CloudFlare via account_api_token
   cloudflare_dns:
     state: absent
     zone: "{{ pd_cloudflare_zone }}"
@@ -15,7 +15,7 @@
     - api
     - '*.apps'
 
-- name: Delete IPv6 DNS record at CloudFlare
+- name: Delete IPv6 DNS record at CloudFlare via account_api_token
   cloudflare_dns:
     state: absent
     zone: "{{ pd_cloudflare_zone }}"

cluster-example.yml

@@ -14,8 +14,11 @@ letsencrypt_account_email: [email protected]
 # Depending on the dns provider:
 # CloudFlare
 cloudflare_account_email: [email protected]
-# Use the global api key! - (API-Token is not supported!) (Details in #86)
+# Uansible/roles/openshift-4-cluster/tasks/prepare-host-RedHat-entitlement.ymlse the global api key! - (API-Token is not supported!) (Details in #86)
+# Global Account API token - not recommend
 cloudflare_account_api_token: 9348234sdsd894.....
+# API token
+cloudflare_api_token: .....
 cloudflare_zone: example.com
 # Route53
 aws_access_key: key