Skip to content

Deploy dragonfly-loader staging Cloudflare Access cutover #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
import-pandas-as-numpy wants to merge 1 commit into
base: main
Choose a base branch
from
+47 −7
Open

Deploy dragonfly-loader staging Cloudflare Access cutover #157

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions docs/dragonfly-loader-staging-cloudflare-access.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Dragonfly Loader Staging Cloudflare Access

This note records the direct staging secret rotation required to migrate
`dragonfly-loader` from Auth0 to Cloudflare Access service-token headers.

Applied on:

- `2026-04-04`

Staging Kubernetes secret:

- `dragonfly/dragonfly-loader-env`

Cloudflare Access token source:

- token name: `dragonfly-loader-staging`
- token id: `81f1ecf8-44b1-4636-9b13-a2ab077588d1`
- created in Cloudflare account `Vipyr Security`
- expires at: `2027-04-04T17:58:56Z`

Secret contract after rotation:

- `BASE_URL=https://dragonfly-staging.vipyrsec.com`
- `CF_ACCESS_CLIENT_ID`
- `CF_ACCESS_CLIENT_SECRET`

Deprecated keys removed from the staging secret:

- `AUTH0_DOMAIN`
- `CLIENT_ID`
- `CLIENT_SECRET`
- `USERNAME`
- `PASSWORD`
- `AUDIENCE`

Notes:

- Secret values are intentionally omitted from this file.
- Cloudflare Access for `dragonfly-staging.vipyrsec.com` already had a
`non_identity` policy allowing `any_valid_service_token` at the time of
rotation.
11 changes: 5 additions & 6 deletions kubernetes/manifests/dragonfly/loader/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ This deployment expects a number of secrets and environment variables to exist i
| Environment | Description |
| ------------- | ----------------------------------------- |
| BASE_URL | Base URL of the Dragonfly API |
| AUTH0_DOMAIN | Domain of the AUTH0 authentication server |
| CLIENT_ID | Client ID |
| CLIENT_SECRET | Client secret |
| USERNAME | Username |
| PASSWORD | Password |
| AUDIENCE | Authentication audience |
| CF_ACCESS_CLIENT_ID | Cloudflare Access service token client ID |
| CF_ACCESS_CLIENT_SECRET | Cloudflare Access service token client secret |

For staging, `BASE_URL` should be the public protected hostname
`https://dragonfly-staging.vipyrsec.com`.
2 changes: 1 addition & 1 deletion kubernetes/manifests/dragonfly/loader/cronjob.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: dragonfly-loader
image: ghcr.io/vipyrsec/dragonfly-loader:sha-fc9128434c0f15b90e7f0ec686bd1932f3c5fd4a
image: ghcr.io/vipyrsec/dragonfly-loader:sha-9f67b5bfcab22089deef147902532c3c9f17d90b
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
Expand Down
Loading