cloudflare-operator icon indicating copy to clipboard operation
cloudflare-operator copied to clipboard

Published 20 hours ago verified publisher icon adyanth

Proposal: Complementary Service controller annotations for Access

Open adyanth opened this issue 2 years ago • 1 comments

Motivation

Seamlessly expose TCP/UDP* services from one cluster to another securely tunnelled over Cloudflare.

Current status

Currently, the operator provides the tunnelling functionality of cloudflared to expose services. This is good enough for HTTP/S endpoints. But for any TCP/UDP* (including SSH/RDP) based traffic, like a database service, this is one piece of the puzzle. There needs to be another cloudflared running at the consumer pointing to the same FQDN which in turn would expose a port that connects to the other end.

Implementation

Implementing this would be a two-step process.

  • We need another set of annotations for the service. If the endpoint is protected by Cloudflare Access/Zero Trust, we need a CRD that can capture data needed for logging in and getting a token (which would not need the level of access used by the tunnel)

  • The service controller would then listen to those, spin up a cloudflared deployment in access mode and point the service to it. An alternative could be to run a common WARP client per CRD, but that would be getting more access than needed, creating edge cases for conflicting ports, and a security nightmare.

adyanth avatar Mar 26 '22 16:03 adyanth

One client can only listen to one port, so it has to be multiple containers, one per port.

adyanth avatar Dec 15 '22 05:12 adyanth