Make HTTP client timeout configurable for Cloudflare API calls #196

@jholm117

Problem

The HTTP client timeout for Cloudflare Origin CA API calls is hardcoded to 30 seconds:

// cmd/controller/main.go (v0.13.0)
Builder: cfapi.NewBuilder().WithClient(&http.Client{
    Timeout: 30 * time.Second,
}),

As the number of SANs on a certificate grows, the Origin CA API takes longer to sign. We have a certificate with 107 SANs where the API consistently takes ~43 seconds to return a signed certificate, causing every issuance attempt to fail with:

unable to sign request: Post "https://api.cloudflare.com/client/v4/certificates": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

We confirmed this by calling the API directly with a 120s timeout from the same cluster — the request succeeds in ~43s and returns a valid cert.

Impact

Once a certificate crosses the SAN threshold where Cloudflare's signing time exceeds 30s, the controller can never issue or renew it. cert-manager backs off exponentially after each failure, and the certificate stays stuck in Ready: False until manual intervention.

Proposed Fix

Add a --cfapi-timeout flag (or similar) to make the HTTP client timeout configurable, defaulting to the current 30s for backwards compatibility.

// options.go
fs.DurationVar(&o.CFAPITimeout, "cfapi-timeout", 30*time.Second, "Timeout for Cloudflare Origin CA API requests")

// main.go
Builder: cfapi.NewBuilder().WithClient(&http.Client{
    Timeout: o.CFAPITimeout,
}),

Note: extraArgs is defined in the Helm chart's values.yaml but is not rendered in the deployment template, so even if the flag existed today it couldn't be set via Helm. That template bug may also be worth fixing.

Environment

  • origin-ca-issuer: v0.7.0 (also confirmed hardcoded in v0.13.0 source)
  • cert-manager: v1.x
  • Certificate: 107 SANs, requestType: OriginECC
  • Measured Cloudflare API response time: 43.4s for this CSR
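
The proposed flag wired into an `http.Client`, as an added example that is not part of the issue or of origin-ca-issuer's code. `ParseTimeout`, `Sign` and `SlowSigner` are hypothetical names, the local `httptest` server is a constructed stand-in for a slow signing endpoint, and rejecting non-positive values is an assumption added here because `http.Client` treats `Timeout: 0` as no timeout at all.

```go
package main

import (
	"flag"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// ParseTimeout (hypothetical helper) registers --cfapi-timeout and rejects values <= 0.
func ParseTimeout(args []string) (time.Duration, error) {
	var d time.Duration
	fs := flag.NewFlagSet("controller", flag.ContinueOnError)
	fs.DurationVar(&d, "cfapi-timeout", 30*time.Second, "Timeout for Cloudflare Origin CA API requests")
	if err := fs.Parse(args); err != nil {
		return 0, err
	}
	if d <= 0 {
		return 0, fmt.Errorf("cfapi-timeout must be greater than zero, got %s", d)
	}
	return d, nil
}

// Sign (hypothetical) posts to url with a client bounded by the configured timeout.
func Sign(timeout time.Duration, url string) (int, error) {
	resp, err := (&http.Client{Timeout: timeout}).Post(url, "application/json", nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// SlowSigner is a constructed local server that answers only after delay.
func SlowSigner(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		time.Sleep(delay) // the handler then returns an implicit 200 OK
	}))
}

func main() {
	srv := SlowSigner(300 * time.Millisecond)
	defer srv.Close()
	for _, arg := range []string{"--cfapi-timeout=100ms", "--cfapi-timeout=2s"} {
		d, _ := ParseTimeout([]string{arg})
		code, err := Sign(d, srv.URL)
		fmt.Println(arg, code, err)
	}
}
```

With the 300 ms constructed delay, the 100 ms setting reproduces the `Client.Timeout exceeded` failure and the 2 s setting succeeds.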
