Cloudflare zero trust service token

[jonathon2nd]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Unable to use public registration authority though cloudflare zero trust in Step CLI, as there is no way to use a service token.
https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/

Why is this needed?

It would be nice to be able to expose a registration authority while also protecting it with cloudflare access. This works for https in the browser, but not for step cli

I think this would be good for allowing teams to use internal prod PKI, without being in a VPN.

[maraino]

I've never used Cloudflare services, so the following can be wrong.

If I understand correctly, you want to use step-ca as an RA (or a CA) behind Cloudflare Zero Trust and then use commands like step ca certificate ... to access that step-ca. And for that, you need to provide the headers CF-Access-Client-Id and CF-Access-Client-Secret. Right?

So initially, add support to step CLI to pass random headers or cookies to all the requests going to step-ca. For example, when you run:

step ca certificate \
  --header 'CF-Access-Client-Id: foo' \
  --header 'CF-Access-Client-Secret: bar' \
  localhost local.crt local.key

This could make an HTTP request to /provisioners with those headers and then a request to /sign with the same headers.

But looking further, I think the first request to /provisioners will return the response of step-ca and set-cookie header that we can use in the call to /sign instead of the client ID and secret. To inject that, Cloudflare will have to terminate TLS and then forward everything through a new TLS connection to step-ca. Something like:

step-cli <= TLS => CloudFlare Terminates TLS <= TLS (private pki) => step-ca

Is this correct? Is the first TLS connection using Web PKI or Private PKI?

If I'm correct, a few operations won't directly work. For example, step ca renew ... won't work because it will be using mTLS, but you would be able to use the flag --mtls=false to skip mTLS and send an Authorization header a JWT with the certificate signed by the private key.

Can you please describe the flow of requests and point me in the right direction?

[jonathon2nd]

Thinking about it more this is not something we want to use for this RA, as it will be connected to via step-issuer on public k8s clusters. I am sure that setting that up with zero trust will be a pain if not impossible. The whole reason for a separate provisioner on issuing ca for this separate external registration authority is to have a secure endpoint with minimized risk. So this may just be unnecessary?

I am not really that knowledgeable in it, I just use it for various things.