From 7f767952eade25fdc0d09cb84ed47173d597d153 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 15 Aug 2021 02:00:10 +0200
Subject: [PATCH] feat(openshift-ingress): Switch to api token for Cloudflare

This patch replaces the existing apiKey, which has full account access with an API token that is restricted to a single domain. This should help to reduce the blast radius in case something goes south.
---
 clusters/okd4/openshift-ingress/credentials.yaml | 6 +++---
 clusters/okd4/openshift-ingress/issuer.yaml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/clusters/okd4/openshift-ingress/credentials.yaml b/clusters/okd4/openshift-ingress/credentials.yaml
index 2cf3222ed..d4cb37829 100644
--- a/clusters/okd4/openshift-ingress/credentials.yaml
+++ b/clusters/okd4/openshift-ingress/credentials.yaml
@@ -5,15 +5,15 @@ metadata:
 namespace: openshift-ingress
 type: Opaque
 data:
- token: ENC[AES256_GCM,data:suSZx5FJ+TDoAHB2wlnWqKs+sE9JCcLiK/GrFSiXqXMCukKJmorIT7QELgnHCx+s8bItVw==,iv:YZCEccpslvdhGMmI72Yi73NXc70vIe/GudcVD/EPZLU=,tag:Up0vdlaQ5aL2JIX4upur/A==,type:str]
+ token: ENC[AES256_GCM,data:WegdVaHNQhN2VWfzc6LuSVJ/JCqAYMD/kycEedrZxNIOLkhFc/E+WCi50mx5Sv6A0UqVo7f2LbY=,iv:q/QWZouLRrdP4UjbGVthvymbeG8Pfg6nczESNYzBK6U=,tag:poUE1TSwmnp4onvVF4zAuA==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-08-13T23:42:10Z"
- mac: ENC[AES256_GCM,data:HhZESbkZWNL/VJJJeODJ/ij/sjq3sKSmcYFZ+gPpIiatJDk5dTOFjNWrpusYKzE/eB8ZSNIvjnLBtqoMl9qdLaYQ1QZy6lfoRSNa4kU/Fum+BGvZo6JLYKjj4rVolGLKThStUeq5NTG7MG6nG1IDzDo5n+Q+SyjJe2k+pkEDifg=,iv:mTLruprmTzKmpyScfMSLu5POLRfFuPfbDAn4MqCflAk=,tag:0NCryO9SZrSXASqGxZC5pA==,type:str]
+ lastmodified: "2021-08-14T23:59:48Z"
+ mac: ENC[AES256_GCM,data:YhmKLWEDhmdLZdr1WYHAobkYVfo8q/do8tN83bYLQmcnchHeSjPdiHJ1FU7KvFI/E2hXGPPNjtExIpeSOcJ3K7WDM1Qi8r6FeCroySBNkolq63u5/TI4umiWKDUBXEvv6H9MIfy7+zIzJ/fl1bKze9P1IggHlWC9vhL+uGnwyVc=,iv:85JnGYtz5yIpZpxJCa0vV5l7XMsDE66cwg4aaU0Retw=,tag:h68lmun+hHb4Hdb3/v4afw==,type:str]
 pgp:
 - created_at: "2021-08-13T23:42:09Z"
 enc: |
diff --git a/clusters/okd4/openshift-ingress/issuer.yaml b/clusters/okd4/openshift-ingress/issuer.yaml
index bc82529c9..a859189d9 100644
--- a/clusters/okd4/openshift-ingress/issuer.yaml
+++ b/clusters/okd4/openshift-ingress/issuer.yaml
@@ -13,7 +13,7 @@ spec:
 solvers:
 - dns01:
 cloudflare:
- apiKeySecretRef:
+ apiTokenSecretRef:
 key: token
 name: cloudflare-token
 email: ENC[AES256_GCM,data:QReTFOsJN+Jl/xyzQ6VJM19RXEYhS1bRuzCQTdq5dj1VksTiL/qhWM4=,iv:GceeVKhraaRk3ouDqvZqGA1CYInjDvuOtjuE6QvLbTI=,tag:QuCITSfHEaSAPAiA22zXPA==,type:str]
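Review bot: Replacing the `token` value in this hunk does not retire the credential it supersedes: the old ciphertext stays readable in git history to anyone holding the sops PGP key, and the full-access API key behind it stays valid until it is rolled on the Cloudflare side, which neither this hunk nor the commit message records. The smaller blast radius only holds once that is done, so I would record it, e.g. with a comment above `data:` such as `# zone-scoped Cloudflare API token; the former global API key was rolled on <date>`. The issuer still points at `cloudflare-token`/`token`, so without such a comment the manifest does not show which kind of credential the Secret holds. The document starts above the hunk and the sops block continues below it.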
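Review bot: The `email:` line kept under `cloudflare:` looks redundant now that the solver uses `apiTokenSecretRef`: cert-manager documents the account email as required only for API-key authentication, so the line can probably be deleted, which removes one more piece of account data (sops-encrypted here) from the repository. Because the new token is scoped to a single zone, it is also worth confirming that a DNS-01 issuance still succeeds after the switch; as far as I know the solver needs zone read as well as DNS edit permission on that zone. The solver block starts above the hunk.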
@@ -26,8 +26,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-08-13T23:58:48Z"
- mac: ENC[AES256_GCM,data:OhKb2zKxLJDWOpW6R00D5FMordx1zkyqQuf7qHMEFqC0i4ouxjYVQXJaoPjUeKD0DvMPIlo8pQdpJ9ZDemv08uj0ATn6SbgeMyx6PGFE7HPEd1XroOY6ClMEoK9m7au7lYO0m7JXCvBR56XDFXwUIFldA1oy5hV9mXNXtfgNeHI=,iv:z1NKmCEJfLROvq4UokswFrNVZD9J9iRPaixxso49DkU=,tag:ZOvvkmftqQvWIvq9SeOS3A==,type:str]
+ lastmodified: "2021-08-15T00:00:02Z"
+ mac: ENC[AES256_GCM,data:TS5R/P/hrsJtcAKAPjeWuxMVYK6RKKsbEnbU8bGY7uB/BdDWzXrZrLLeeuAzQEruuaxmde2KJWDYyVx68sj7Nwm6pM3ceg232Stupan/1piylpool8VZKvkcnZZAv6rddc+ZjTSnFEDDKH5NRTTiOEccYM8NcPmE4LXfI4OltL0=,iv:pMJ9k+NT/cjDlMOyszNSKpmGTzz046UcFjavZA87vMs=,tag:u76roSIaOTuQHweLRK4t/A==,type:str]
 pgp:
 - created_at: "2021-08-13T23:58:48Z"
 enc: |
-- 
GitLab