Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for generating ssl certs via DNS challenge (via Cloudflare) #2957

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Add support for generating ssl certs via DNS challenge (via Cloudflare) #2957

wants to merge 8 commits into from

Conversation

aktech
Copy link
Member

@aktech aktech commented Feb 11, 2025
edited
Loading

Reference Issues or PRs

Fixes #2956

Documentation PR to follow up after this PR gets approval.

Valid certs, after deploying with the dns challenge configuration:

Secure https:
Screenshot 2025-02-12 at 11 57 22 am 2

Certificate:
Screenshot 2025-02-12 at 11 57 08 am

What does this implement/fix?

Put a x in the boxes that apply

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds a feature)
  • Breaking change (fix or feature that would cause existing features not to work as expected)
  • Documentation Update
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no API changes)
  • Build related changes
  • Other (please describe):

Testing

  • Did you test the pull request locally?
  • Did you add new tests?

How to test this PR?

  1. Set the following environment variables:
  • CLOUDFLARE_EMAIL (Cloudflare login email)
  • CLOUDFLARE_TOKEN (Token generated from cloudflare dashboard with permissions to access the domain for which you need to generate certs)

  1. Create a DNS entry to your cloudflare account pointing the domain you want to deploy Nebari on, to the IP of the load balancer on the docker network (e.g: 172.18.1.100) - This step is optional if you already have enabled dns auto provision.

  2. Add the following to the nebari-config.yml

certificate:
  type: lets-encrypt
  acme_email: <YOUR-EMAIL>
  acme_server: https://acme-v02.api.letsencrypt.org/directory
  acme_challenge_type: dns

and deploy Nebari locally and verify valid certificates are generated.

Any other comments?

@aktech aktech marked this pull request as ready for review February 11, 2025 23:36
@aktech aktech requested a review from a team as a code owner February 11, 2025 23:36
@aktech aktech requested review from dcmcand and viniciusdc and removed request for a team February 11, 2025 23:36
@dcmcand
Copy link
Contributor

dcmcand commented Feb 12, 2025

I think for CI we want to use the staging server so we don't hit rate limits

@dcmcand
Copy link
Contributor

dcmcand commented Feb 12, 2025

@aktech why do we need CLOUDFLARE_DNS_API_TOKEN when we already have CLOUDFLARE_TOKEN? Couldn't we just use the same env var? What is the difference?

@aktech
Copy link
Member Author

aktech commented Feb 12, 2025

I think for CI we want to use the staging server so we don't hit rate limits

We can create subdomains per run, like say: nebari-{commit-sha}.nebari.dev to tackle this. Rate limits are per domain and also staging certs will still throw ssl errors.

@aktech why do we need CLOUDFLARE_DNS_API_TOKEN when we already have CLOUDFLARE_TOKEN? Couldn't we just use the same env var? What is the difference?

I was trying to use the recommended environment variable for dns challenge, but since both of these token need similar permissions, that's a fair point, we can re-use it.

@aktech aktech mentioned this pull request Feb 12, 2025
Open
@dcmcand
Copy link
Contributor

dcmcand commented Feb 14, 2025

Based on https://go-acme.github.io/lego/dns/cloudflare/ you either need CLOUDFLARE_DNS_API_TOKEN or you need CLOUDFLARE_API_KEY and CLOUDFLARE_EMAIL.

CLOUDFLARE_DNS_API_TOKEN is preferred since it allows granular permissions, so I think we can remove the CLOUDFLARE_EMAIL variable, unless we want to offer both options.

@aktech
Copy link
Member Author

aktech commented Feb 14, 2025

Awesome, that's even better! I'll test and remove.

@aktech
Copy link
Member Author

aktech commented Feb 14, 2025

Awesome, that's even better! I'll test and remove.

Done and verified it works without email, let's keep it simple for now (i.e. without email IMO).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcmcand dcmcand Awaiting requested review from dcmcand dcmcand is a code owner automatically assigned from nebari-dev/maintenance-team

@viniciusdc viniciusdc Awaiting requested review from viniciusdc viniciusdc is a code owner automatically assigned from nebari-dev/maintenance-team

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
🪴 Nebari Project Management
Status: New 🚦
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ENH] - Allow certificate generation via DNS challenge
2 participants
@aktech @dcmcand