docs: support for api tokens

README.org

@@ -3,7 +3,12 @@
 Origin CA Issuer is a [[https://github.com/cert-manager/cert-manager][cert-manager]] CertificateRequest controller for Cloudflare's [[https://developers.cloudflare.com/ssl/origin-configuration/origin-ca][Origin CA]] feature.
 
 ** Getting Started
-We assume you have a Kubernetes cluster (1.16 or newer) with cert-manager (1.0 or newer) installed. We also assume you have permissions to create Custom Resource Definitions.
+*** Prerequisites
+
+- Kubernetes: releases with [[https://endoflife.date/kubernetes][maintenance support]]
+- cert-manager: releases under [[https://endoflife.date/cert-manager][upstream support]], which can be installed following upstream's [[https://cert-manager.io/docs/installation/][documentation]].
+
+You must also have permissions in the Kubernetes cluster to create Custom Resource Definitions.
 
 *** Installing Origin CA Issuer
 First, we need to install the Custom Resource Definitions for the Origin CA Issuer.
@@ -33,13 +38,57 @@ pod/origin-ca-issuer-1234568-abcdw  1/1     Running     0           1m
 #+END_EXAMPLE
 
 *** Adding an OriginIssuer
-With running the controller out of the way, we can now setup an issuer that's connected to our Cloudflare account via the Cloudflare API.
+**** API Token
+Origin CA Issuer can use an [[https://dash.cloudflare.com/profile/api-tokens][API Token]] that contains the "SSL and Certificates" permission, which can be scoped to specific accounts or zones.
+
+#+BEGIN_SRC sh :file ./deploy/example/cfapi-token.secret.yaml :results silent file :exports code
+kubectl create secret generic \
+    --dry-run \
+    -n default cfapi-token \
+    --from-literal key=cfapi-token -oyaml
+#+END_SRC
+
+Then create an OriginIssuer referencing the secret created above.
+
+#+BEGIN_SRC yaml :tangle ./deploy/example/api-token.issuer.yaml :comments link
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+  name: prod-issuer
+  namespace: default
+spec:
+  requestType: OriginECC
+  auth:
+    tokenRef:
+      name: cfapi-token
+      key: key
+#+END_SRC
 
-We need to fetch our API service key for Origin CA. This key can be found by navigating to the [[https://dash.cloudflare.com/profile/api-tokens][API Tokens]] section of the Cloudflare Dashboard and viewing the "Origin CA Key" API key. This key will begin with "v1.0-" and is different than your normal API key. It is not currently possible to use an API Token with the Origin CA API at this time.
+#+BEGIN_EXAMPLE
+$ kubectl apply -f api-token.secret.yaml -f issuer.yaml
+originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created
+secret/cfapi-token created
+#+END_EXAMPLE
+
+The status conditions of the OriginIssuer resource will be updated once the Origin CA Issuer is ready.
+
+#+BEGIN_EXAMPLE
+$ kubectl get originissuer.cert-manager.k8s.cloudflare.com prod-issuer -o json | jq .status.conditions
+[
+  {
+    "lastTransitionTime": "2020-10-07T00:05:00Z",
+    "message": "OriginIssuer verified an ready to sign certificates",
+    "reason": "Verified",
+    "status": "True",
+    "type": "Ready"
+  }
+]
+#+END_EXAMPLE
 
-Once you've copied your Origin CA Key, you can use this to create the Secret used by the OriginIssuer.
+**** Origin CA Service Key
+Alternatively, the "Origin CA Key" can be used, also found on the API Tokens page. This key will begin with "v1.0-" and is different from the "Global API Key".
 
-#+BEGIN_SRC sh :file ./deploy/example/secret.issuer.yaml :results silent file :exports code
+#+BEGIN_SRC sh :file ./deploy/example/service-key.secret.yaml :results silent file :exports code
 kubectl create secret generic \
     --dry-run \
     -n default service-key \
@@ -48,7 +97,7 @@ kubectl create secret generic \
 
 Then create an OriginIssuer referencing the secret created above.
 
-#+BEGIN_SRC yaml :tangle ./deploy/example/issuer.yaml :comments link
+#+BEGIN_SRC yaml :tangle ./deploy/example/service-key.issuer.yaml :comments link
 apiVersion: cert-manager.k8s.cloudflare.com/v1
 kind: OriginIssuer
 metadata:
@@ -63,7 +112,7 @@ spec:
 #+END_SRC
 
 #+BEGIN_EXAMPLE
-$ kubectl apply -f service-key.yaml -f issuer.yaml
+$ kubectl apply -f service-key.secret.yaml -f issuer.yaml
 originissuer.cert-manager.k8s.cloudflare.com/prod-issuer created
 secret/service-key created
 #+END_EXAMPLE

deploy/charts/origin-ca-issuer/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: origin-ca-issuer
-version: 0.5.7
+version: 0.5.8
 appVersion: 0.9.0
 description: A Helm chart for origin-ca-issuer
 home: https://github.com/cloudflare/origin-ca-issuer

deploy/charts/origin-ca-issuer/README.md

@@ -4,8 +4,8 @@ origin-ca-issuer is a Kubernetes addon to automate issuance and renewals of Clou
 
 ## Prerequisites
 
-* Kubernetes 1.16+
-* cert-manager 1.0.0+
+* Kubernetes releases in [maintenance support](https://endoflife.date/kubernetes)
+* cert-manager releases with upstream [support](https://endoflife.date/cert-manager)
 
 ## Installing the Chart
 

deploy/example/api-token.issuer.yaml

@@ -0,0 +1,13 @@
+# [[file:../../README.org::*API Token][API Token:2]]
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+  name: prod-issuer
+  namespace: default
+spec:
+  requestType: OriginECC
+  auth:
+    tokenRef:
+      name: cfapi-token
+      key: key
+# API Token:2 ends here

deploy/example/cfapi-token.secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  key: Y2ZhcGktdG9rZW4=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: cfapi-token
+  namespace: default

deploy/example/issuer.yaml → deploy/example/service-key.issuer.yaml

@@ -1,4 +1,4 @@
-# [[file:../../README.org::*Adding an OriginIssuer][Adding an OriginIssuer:2]]
+# [[file:../../README.org::*Origin CA Service Key][Origin CA Service Key:2]]
 apiVersion: cert-manager.k8s.cloudflare.com/v1
 kind: OriginIssuer
 metadata:
@@ -10,4 +10,4 @@ spec:
     serviceKeyRef:
       name: service-key
       key: key
-# Adding an OriginIssuer:2 ends here
+# Origin CA Service Key:2 ends here