Allow api token for cloudflare (#1073)

* Allow api token for cloudflare

* Update build.json

* Update CHANGELOG.md

* Update run.sh

* Update README.md

* Update README.md

* Update README.md

letsencrypt/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 4.5
+
+- Update cerbot to 1.2.0
+- Update image to Alpine 3.11
+- Support CloudFlare API Token
+
 ## 4.4
 
 - Added support for nectup dns

letsencrypt/README.md

@@ -57,6 +57,7 @@ In addition add the fields according to the credentials required by your dns pro
 ```yaml
 cloudflare_email: ''
 cloudflare_api_key: ''
+cloudflare_api_token: ''
 cloudxns_api_key: ''
 cloudxns_secret_key: ''
 digitalocean_token: ''
@@ -142,6 +143,30 @@ You can find additional information in regards to the required permissions in th
 
 <https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py>
 
+### CloudFlare
+
+Previously, Cloudflare’s “Global API Key” was used for authentication, however this key can access the entire Cloudflare API for all domains in your account, meaning it could cause a lot of damage if leaked.
+
+Cloudflare’s newer API Tokens can be restricted to specific domains and operations, and are therefore now the recommended authentication option.
+
+However, due to some shortcomings in Cloudflare’s implementation of Tokens, Tokens created for Certbot currently require `Zone:Zone:Read` and `Zone:DNS:Edit` permissions for all zones in your account.
+
+Example credentials file using restricted API Token (recommended):
+```yaml
+dns:
+  provider: dns-clooudflare
+  dns_cloudflare_api_token: 0123456789abcdef0123456789abcdef01234
+```
+
+Example credentials file using Global API Key (not recommended):
+```yaml
+dns:
+  provider: dns-clooudflare
+  dns_cloudflare_email: cloudflare@example.com
+  dns_cloudflare_api_key: 0123456789abcdef0123456789abcdef01234
+```
+
+
 ## Certificate files
 
 The certificate files will be available within the "ssl" share after successful request of the certificates.

letsencrypt/build.json

@@ -1,13 +1,13 @@
 {
   "build_from": {
-    "aarch64": "homeassistant/aarch64-base-python:3.7-alpine3.10",
-    "amd64": "homeassistant/amd64-base-python:3.7-alpine3.10",
-    "armhf": "homeassistant/armhf-base-python:3.7-alpine3.10",
-    "armv7": "homeassistant/armv7-base-python:3.7-alpine3.10",
-    "i386": "homeassistant/i386-base-python:3.7-alpine3.10"
+    "aarch64": "homeassistant/aarch64-base-python:3.7-alpine3.11",
+    "amd64": "homeassistant/amd64-base-python:3.7-alpine3.11",
+    "armhf": "homeassistant/armhf-base-python:3.7-alpine3.11",
+    "armv7": "homeassistant/armv7-base-python:3.7-alpine3.11",
+    "i386": "homeassistant/i386-base-python:3.7-alpine3.11"
   },
   "args": {
-    "CERTBOT_VERSION": "1.0.0",
+    "CERTBOT_VERSION": "1.2.0",
     "CERTBOT_NETCUP_VERSION": "0.31.0.1"
   }
 }

letsencrypt/config.json

@@ -1,6 +1,6 @@
 {
   "name": "Let's Encrypt",
-  "version": "4.4",
+  "version": "4.5",
   "slug": "letsencrypt",
   "description": "Manage certificate from Let's Encrypt",
   "url": "https://github.com/home-assistant/hassio-addons/tree/master/letsencrypt",
@@ -32,6 +32,7 @@
       "provider": "list(dns-cloudflare|dns-cloudxns|dns-digitalocean|dns-dnsimple|dns-dnsmadeeasy|dns-gehirn|dns-google|dns-linode|dns-luadns|dns-nsone|dns-ovh|dns-rfc2136|dns-route53|dns-sakuracloud|dns-netcup)?",
       "cloudflare_email": "email?",
       "cloudflare_api_key": "str?",
+      "cloudflare_api_token": "str?",
       "cloudxns_api_key": "str?",
       "cloudxns_secret_key": "str?",
       "digitalocean_token": "str?",

letsencrypt/data/run.sh

@@ -25,6 +25,7 @@ PROVIDER_ARGUMENTS=()
 
 echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
   "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" \
+  "dns_cloudflare_api_token = $(bashio::config 'dns.cloudflare_api_token')\n" \
   "dns_cloudxns_api_key = $(bashio::config 'dns.cloudxns_api_key')\n" \
   "dns_cloudxns_secret_key = $(bashio::config 'dns.cloudxns_secret_key')\n" \
   "dns_digitalocean_token = $(bashio::config 'dns.digitalocean_token')\n" \