Cloudflare Tunnels

Security, Kubernetes

Considerations:

https://github.com/STRRL/cloudflare-tunnel-ingress-controller?tab=readme-ov-file

https://github.com/adyanth/cloudflare-operator/tree/main

Followed the getting-started guide from adyanth/cloudflare-operator:

$ kubectl apply -k https://github.com/adyanth/cloudflare-operator/config/default

namespace/cloudflare-operator-system created
customresourcedefinition.apiextensions.k8s.io/clustertunnels.networking.cfargotunnel.com created
customresourcedefinition.apiextensions.k8s.io/tunnelbindings.networking.cfargotunnel.com created
customresourcedefinition.apiextensions.k8s.io/tunnels.networking.cfargotunnel.com created
serviceaccount/cloudflare-operator-controller-manager created
role.rbac.authorization.k8s.io/cloudflare-operator-leader-election-role created
clusterrole.rbac.authorization.k8s.io/cloudflare-operator-manager-role created
clusterrole.rbac.authorization.k8s.io/cloudflare-operator-metrics-reader created
clusterrole.rbac.authorization.k8s.io/cloudflare-operator-proxy-role created
rolebinding.rbac.authorization.k8s.io/cloudflare-operator-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/cloudflare-operator-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/cloudflare-operator-proxy-rolebinding created
configmap/cloudflare-operator-manager-config created
service/cloudflare-operator-controller-manager-metrics-service created
deployment.apps/cloudflare-operator-controller-manager created

Create the secret the operator uses to reach the Cloudflare API (values are placeholders here):

kubectl -n cloudflare-operator-system create secret generic cloudflare-secrets --from-literal CLOUDFLARE_API_TOKEN=xxxx --from-literal CLOUDFLARE_API_KEY=xxxx

Then create the ClusterTunnel from cloudflare-cluster-tunnel.yaml and check what the operator created:

waji@DESKTOP-LAJ2REG:~$ k apply -f cloudflare-cluster-tunnel.yaml
clustertunnel.networking.cfargotunnel.com/cloudflare-cluster-tunnel created
waji@DESKTOP-LAJ2REG:~$ k get clustertunnel cloudflare-cluster-tunnel
NAME                        TUNNELID
cloudflare-cluster-tunnel   4f54909e-0963-4131-a33f-ed71b5dbc3d2
waji@DESKTOP-LAJ2REG:~$ k get cm -n cloudflare-operator-system
NAME                                 DATA   AGE
cloudflare-cluster-tunnel            1      16s
cloudflare-operator-manager-config   1      5m22s
kube-root-ca.crt                     1      5m23s
waji@DESKTOP-LAJ2REG:~$ k get deploy -n cloudflare-operator-system
NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
cloudflare-cluster-tunnel                2/2     2            2           21s
cloudflare-operator-controller-manager   1/1     1            1           5m27s

Need to convert the above into a Helm chart and then test again.

Done: Helm chart written.

Need to publish it in a chart repo.

Try to get the ServiceMonitor right → maybe we can use ‘Probes’.

Cloudflare Tunnels bind with Ingress Nginx Controller

We need the ingress controller deployed with its Service as ClusterIP (not LoadBalancer or NodePort): cloudflared connects outbound to Cloudflare and forwards requests to the controller inside the cluster, so no inbound port has to be exposed.

homelab@bastion:~$ k get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
ingress-nginx-controller             ClusterIP   10.96.16.136   <none>        80/TCP,443/TCP   15m

Deploy the cloudflare operator from the Helm chart:

homelab@bastion:~$ helm install cloudflare-operator cloudflare-operator/ -n cloudflare-operator-system
NAME: cloudflare-operator
LAST DEPLOYED: Fri Apr 12 16:34:09 2024
NAMESPACE: cloudflare-operator-system
STATUS: deployed
REVISION: 1
TEST SUITE: None

homelab@bastion:~$ k get secrets -n cloudflare-operator-system
NAME                                        TYPE                 DATA   AGE
cloudflare-secrets                          Opaque               2      7s
sh.helm.release.v1.cloudflare-operator.v1   helm.sh/release.v1   1      8s

homelab@bastion:~$ k get po -n cloudflare-operator-system
NAME                                                     READY   STATUS    RESTARTS   AGE
cloudflare-cluster-tunnel-5994cf67f6-5rxf5               1/1     Running   0          24s
cloudflare-cluster-tunnel-5994cf67f6-ng78n               1/1     Running   0          24s
cloudflare-operator-controller-manager-89756d7b7-vzr6l   2/2     Running   0          46s

homelab@bastion:~$ k get clustertunnels.networking.cfargotunnel.com
NAME                        TUNNELID
cloudflare-cluster-tunnel   3cbd1598-9901-4084-9342-18d216ab2072

Then we need to deploy this TunnelBinding, which routes the wildcard FQDN through the ClusterTunnel to the ingress-nginx controller Service:

apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
subjects:
  - name: ingress-nginx-controller
    kind: Service
    spec:
      fqdn: "*.homek8s.cloud"
tunnelRef:
  kind: ClusterTunnel
  name: cloudflare-cluster-tunnel

We should be able to see:

homelab@bastion:~$ k get tunnelbindings.networking.cfargotunnel.com -n ingress-nginx
NAME            FQDNS
ingress-nginx   *.homek8s.cloud

Our DNS records should show the new record (screenshot not included)

The tunnel (screenshot not included)

Now we deploy an Ingress resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hubble-ingress
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
  - host: hubble.homek8s.cloud
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hubble-ui
            port:
              number: 80

After deploying:

homelab@bastion:~$ k get ing -n kube-system
NAME             CLASS   HOSTS                  ADDRESS        PORTS   AGE
hubble-ingress   nginx   hubble.homek8s.cloud   10.96.16.136   80      11m
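Before publishing a host, a quick preflight over the three `kubectl get` outputs above: the controller Service must be ClusterIP with no external IP, and every Ingress host must sit under a TunnelBinding FQDN. This is an added example, not code from these notes or from adyanth/cloudflare-operator; it assumes a wildcard FQDN covers exactly one label, and the grafana-ingress row in the sample is constructed.

```python
# Preflight checks for the tunnel + ingress-nginx setup in these notes. Added
# example, not from the notes or adyanth/cloudflare-operator. It parses the
# plain-text tables `kubectl get` prints (feed it the real output for live use).
# Assumption: a wildcard FQDN such as *.homek8s.cloud covers exactly one label.

def parse_kubectl_table(text):
    """`kubectl get` column output -> list of dicts keyed by header name."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    names = lines[0].split()
    return [dict(zip(names, ln.split())) for ln in lines[1:]]

def controller_is_internal(svc_table, name="ingress-nginx-controller"):
    """Check 1: the controller Service is ClusterIP with no EXTERNAL-IP, so the
    only way to reach it from outside the cluster is through cloudflared."""
    for row in parse_kubectl_table(svc_table):
        if row["NAME"] == name:
            return row["TYPE"] == "ClusterIP" and row["EXTERNAL-IP"] == "<none>"
    return False  # controller missing counts as a failed check

def host_covered(host, fqdn):
    """Does an Ingress host fall under a TunnelBinding FQDN?"""
    if not fqdn.startswith("*."):
        return host == fqdn
    suffix = fqdn[1:]                      # ".homek8s.cloud"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label  # exactly one extra label (assumption)

def uncovered_hosts(ing_table, tb_table):
    """Check 2: (ingress, host) pairs no TunnelBinding FQDN covers; the operator
    creates no DNS record or tunnel route for them, so they are unreachable via
    the tunnel (or reachable only by some other path that bypasses it)."""
    fqdns = [f for r in parse_kubectl_table(tb_table) for f in r["FQDNS"].split(",")]
    return [(r["NAME"], h) for r in parse_kubectl_table(ing_table)
            for h in r["HOSTS"].split(",") if not any(host_covered(h, f) for f in fqdns)]

# Constructed samples: first rows mirror the notes, grafana-ingress is made up.
SVC = """NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
ingress-nginx-controller   ClusterIP   10.96.16.136   <none>        80/TCP,443/TCP   15m"""
TB = """NAME            FQDNS
ingress-nginx   *.homek8s.cloud"""
ING = """NAME              CLASS   HOSTS                  ADDRESS        PORTS   AGE
hubble-ingress    nginx   hubble.homek8s.cloud   10.96.16.136   80      11m
grafana-ingress   nginx   grafana.example.org    10.96.16.136   80      1m"""

if __name__ == "__main__":
    print("controller internal:", controller_is_internal(SVC))  # True
    print("uncovered hosts:", uncovered_hosts(ING, TB))  # [('grafana-ingress', 'grafana.example.org')]
```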

 

Check Hubble UI (screenshot not included)

Test another app (screenshot not included)