
feature: add PKI Cloudflare Sync#5311

Merged
carlosmonastyrski merged 4 commits into main from feat/PKI-41 on Feb 3, 2026

Conversation

@carlosmonastyrski
Contributor

Context

This PR adds a new PKI sync destination for Cloudflare Custom SSL Certificates, enabling users to automatically push certificates from Infisical to Cloudflare Edge Certificates. The sync supports automatic certificate deployment and renewal handling. The implementation automatically detects private CA certificates and adjusts the bundle method accordingly to ensure correct chain handling.

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@maidul98
Collaborator

maidul98 commented Jan 29, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues


@greptile-apps
Contributor

greptile-apps bot commented Jan 29, 2026

Greptile Overview

Greptile Summary

Added Cloudflare Custom SSL Certificate as a new PKI sync destination, enabling automatic certificate deployment and renewal to Cloudflare Edge Certificates. The implementation includes:

  • Full CRUD API endpoints for managing Cloudflare Custom Certificate syncs
  • Rate-limited Cloudflare API integration with proper retry logic
  • Automatic detection of private vs. public CA certificates with appropriate bundle method handling
  • Certificate validation and renewal tracking
  • Frontend forms with zone selection
  • Comprehensive documentation

Security Concerns:

  • URL construction uses direct string interpolation of zoneId and existingCloudflareId without URL encoding, creating potential path traversal or URL manipulation vulnerabilities if these values contain special characters (lines 78, 256, 288, 369, 530 in cloudflare-custom-certificate-pki-sync-fns.ts)

Confidence Score: 4/5

  • Safe to merge after addressing URL encoding security issue
  • Score reflects well-structured implementation with proper RE2 regex usage, comprehensive error handling, and rate limiting. However, URL construction vulnerability with direct string interpolation of user-controlled values (zoneId) needs to be fixed before production deployment. The issue is easily remediated with encodeURIComponent().
  • Pay close attention to backend/src/services/pki-sync/cloudflare-custom-certificate/cloudflare-custom-certificate-pki-sync-fns.ts for URL encoding fixes at lines 78, 256, 288, 369, and 530

Important Files Changed

Filename
    Overview

backend/src/services/pki-sync/cloudflare-custom-certificate/cloudflare-custom-certificate-pki-sync-fns.ts
    Implements Cloudflare Custom SSL certificate sync with proper rate limiting, error handling, and certificate chain management for private/public CAs

backend/src/services/pki-sync/cloudflare-custom-certificate/cloudflare-custom-certificate-pki-sync-schemas.ts
    Defines validation schemas with RE2 regex for certificate naming, proper zod schemas for API validation

backend/src/services/pki-sync/pki-sync-fns.ts
    Integrates Cloudflare Custom Certificate sync into main PKI sync factory with proper type checking
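The URL-construction concern raised in the review above, as an added example that is not code from the PR or from Infisical: a path built by interpolating a caller-supplied `zoneId` straight into a template literal next to a hardened builder that validates each segment and still encodes it. The `buildCustomCertUrlUnsafe`/`buildCustomCertUrl` names and the assumption that Cloudflare zone and certificate IDs are 32 lowercase hex characters are mine; the `/zones/{zone_id}/custom_certificates` path is the public Cloudflare Custom SSL endpoint. The hostile sample zone ID is constructed for the demonstration.

```typescript
// Added example, not Infisical's own code. Contrasts raw string interpolation
// of a caller-controlled zoneId with a validated, encoded path builder.

const CLOUDFLARE_API = "https://api.cloudflare.com/client/v4";

// Assumption: Cloudflare zone and custom-certificate IDs are 32 lowercase hex chars.
const CLOUDFLARE_ID = /^[0-9a-f]{32}$/;

// Vulnerable form: whatever the caller passes becomes part of the path verbatim.
function buildCustomCertUrlUnsafe(zoneId: string, certId?: string): string {
  const base = `${CLOUDFLARE_API}/zones/${zoneId}/custom_certificates`;
  return certId ? `${base}/${certId}` : base;
}

// Hardened form: reject anything that is not a well-formed ID, then encode the
// segment anyway so an unexpected value can never introduce "/", "?" or "#".
function cloudflareIdSegment(value: string, label: string): string {
  if (!CLOUDFLARE_ID.test(value)) {
    throw new Error(`invalid Cloudflare ${label}: ${JSON.stringify(value)}`);
  }
  return encodeURIComponent(value);
}

function buildCustomCertUrl(zoneId: string, certId?: string): string {
  const segments = ["zones", cloudflareIdSegment(zoneId, "zone id"), "custom_certificates"];
  if (certId !== undefined) {
    segments.push(cloudflareIdSegment(certId, "certificate id"));
  }
  return `${CLOUDFLARE_API}/${segments.join("/")}`;
}

// Where a URL actually lands after dot-segment normalisation and query splitting.
function resolvedPath(url: string): string {
  return new URL(url).pathname;
}

// Returns "ok" when the hardened builder accepts a zone id, "rejected" when it throws.
function classifyZoneId(zoneId: string): "ok" | "rejected" {
  try {
    buildCustomCertUrl(zoneId);
    return "ok";
  } catch {
    return "rejected";
  }
}

// Constructed samples: a well-formed id and a hostile value that walks up the path
// and turns the fixed trailing segment into a query string.
const SAMPLE_ZONE_ID = "0".repeat(32);
const HOSTILE_ZONE_ID = "../../accounts/x/members?";

function demo(): void {
  console.log("unsafe :", resolvedPath(buildCustomCertUrlUnsafe(HOSTILE_ZONE_ID)));
  console.log("safe   :", buildCustomCertUrl(SAMPLE_ZONE_ID));
  console.log("hostile:", classifyZoneId(HOSTILE_ZONE_ID));
}

demo();
```

With the unsafe builder the hostile value resolves to `/client/accounts/x/members`, a different API resource, with the intended `/custom_certificates` suffix demoted to a query string. For a well-formed ID `encodeURIComponent` is the identity, so the format check is the control that matters and encoding is defence in depth for any value that slips past validation elsewhere.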

@greptile-apps greptile-apps bot left a comment


3 files reviewed, 2 comments


@saifsmailbox98 saifsmailbox98 self-requested a review February 2, 2026 09:44
@carlosmonastyrski carlosmonastyrski merged commit 494f41f into main Feb 3, 2026
11 of 14 checks passed
3 participants