argo-tunnel-examples

Ingress + Cloudflare Tunnel

Open felinto-dev opened this issue 3 years ago • 10 comments

Could you provide an example of how to use Ingress + Cloudflare tunnel?

I guess it is possible to avoid using the Cloud Provider Load Balancer solution if all traffic goes through Cloudflare Tunnel, right?

You can provide the example using Ingress Nginx OR Traefik OR any solution that allows defining custom routes for specific services, for example:

https://github.com/webmakaka/Microservices-with-Node-JS-and-React/blob/master/10_Testing_Isolated_Microservices/k8s/ingress-controller.yaml#L12-L16

felinto-dev avatar Dec 19 '21 07:12 felinto-dev

You can point your cloudflared to your service directly, or to the ingress. I am working on an operator to automate it which is currently in alpha.

adyanth avatar Feb 25 '22 06:02 adyanth

I'm struggling to get this to work at the moment, and looking at the website it seems Tunnels is moving to a new part of the site. It also seems client-configured tunnels aren't able to be "migrated" to the new setup? Could this change be the source of my issues?

yankeeinlondon avatar May 29 '22 23:05 yankeeinlondon

Currently there are two types of tunnels, one managed on the client side and one with the API/UI. Both of them work in the same way. What are the issues you are referring to?

adyanth avatar May 30 '22 04:05 adyanth

Need this one too, using Traefik. Is it like this? https://community.cloudflare.com/t/examples-ingress-cloudflared-configuration-when-exposing-via-ingress-kubernetes/331844

mozarik avatar Jul 31 '22 12:07 mozarik

> You can point your cloudflared to your service directly, or to the ingress. I am working on an operator to automate it which is currently in alpha.

There's a helm chart in here: https://github.com/cloudflare/argo-tunnel-examples/tree/master/helm/cloudflare-tunnel. Do you really need to create a k8s operator for that? The only problem is that this chart doesn't have a helm-chart repo. There's no way to pass a GitHub path to a helm_release terraform resource; it only accepts a direct URL to a compressed helm chart in .tgz format.

Also, this particular example for setting up a tunnel in Kubernetes is using a manifest, not a chart, and they are different. The manifest uses a k8s secret with the secret string in it, while in the chart you can just pass that secret string through helm-chart params, and the helm-chart template creates a k8s secret by itself. I'm not sure if this is very secure, but at least in terraform you can just pass an argument from the tunnel resource to a helm-chart param, so it won't be exposed; but when listing deployments in kubectl this secret will be exposed, which I think is not a very good idea.

holms avatar Sep 07 '22 01:09 holms

@mozarik could you get it to work? Struggling with the same problem now, but with kong-ingress-controller.

Leo310 avatar Oct 10 '22 21:10 Leo310

@Leo310 I pivoted to use nginx.

mozarik avatar Oct 11 '22 03:10 mozarik

I've actually managed to get it to work because someone pushed a helm chart to this repo, although in my humble opinion it should be moved to the cloudflare/helm-charts repo.

But anyway, I'm using terraform for managing charts, sorry, but you can easily make your own json config file. You also need to download the whole chart because there's no way to access it from here; I mean that folder in this git repo is not a helm repo, sadly. Tried to contact cloudflare for some actions, but for now things are stalled.

```hcl
resource "helm_release" "cloudflare-tunnel" {
  name      = "cloudflare-tunnel"
  # Vendored copy of helm/cloudflare-tunnel from this repo; the folder is not
  # a Helm repository, so it has to be downloaded and referenced by path.
  chart     = "./charts/cloudflare-tunnel"
  namespace = "cloudflare"

  set {
    name  = "image.tag"
    value = "latest" # pin to a specific cloudflared release in production
  }

  set {
    name  = "cloudflare.account"
    value = var.cloudflare_account_id
  }

  set {
    name  = "cloudflare.tunnelName"
    value = var.cloudflare_tunnel_name
  }

  set {
    name  = "cloudflare.tunnelId"
    value = var.cloudflare_tunnel_id
  }

  # set_sensitive keeps the tunnel secret out of `terraform plan` output;
  # the chart template still renders it into a Kubernetes Secret.
  set_sensitive {
    name  = "cloudflare.secret"
    value = var.cloudflare_tunnel_secret
  }
}
```

Once you have this tunnel, you don't need to specify every virtual host in it; it doesn't replace an ingress controller. You can use wildcards in the rules, for example *.mydomain.com, and the rest will be up to the nginx controller itself.

holms avatar Oct 11 '22 03:10 holms

I now also got it to work, but I had a different problem. The domain I used to create the tunnel and DNS record with (this guide) wasn't wildcarded, so cloudflare didn't route any subdomains to the cloudflared pod.

It actually works with this yaml and your tweaked ingress rules. I used this rule for my kong-proxy:

```yaml
ingress:
  # A single rule with no hostname and no path is the catch-all, so every
  # request arriving through the tunnel is handed to the Kong proxy service.
  - service: http://kong-proxy.kong.svc.cluster.local:80
```

Leo310 avatar Oct 11 '22 08:10 Leo310
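A complete cloudflared config.yaml that puts the two points above together (a wildcard rule that hands everything to the ingress controller, and the mandatory catch-all rule), with the TLS-to-origin caveat a reviewer would want. This is an added example, not a file from this repo or from either poster; the tunnel id, the example.com hostnames, the ingress-nginx service name and the CA path are assumptions.

```yaml
# cloudflared config.yaml (added example). The tunnel id, hostnames, service
# names and the CA path are assumptions, not values from this repo. Mount it
# the way the repo's Kubernetes manifest does: as a ConfigMap under
# /etc/cloudflared/config/, with the credentials JSON in a separate Secret.
tunnel: 0f3c9a1e-0000-4000-8000-000000000000   # assumed tunnel id
credentials-file: /etc/cloudflared/creds/credentials.json
metrics: 0.0.0.0:2000
no-autoupdate: true

# Rules are evaluated top to bottom and the first match wins, so narrower
# rules go first. The last rule must match everything (no hostname, no path)
# or cloudflared refuses to start.
ingress:
  # 1. One service that should bypass the ingress controller entirely.
  - hostname: grafana.example.com
    service: http://grafana.monitoring.svc.cluster.local:3000

  # 2. An ingress controller that only listens on HTTPS. The weak setting,
  #    noTLSVerify, accepts any certificate, so anything that can answer on
  #    that service address could impersonate the ingress to the tunnel.
  #    The corrected form pins the name cloudflared expects in the origin
  #    certificate (also used as SNI) and the CA that signed it.
  #    This wildcard is narrower than *.example.com and must precede it.
  - hostname: "*.internal.example.com"
    service: https://ingress-nginx-controller.ingress-nginx.svc.cluster.local:443
    originRequest:
      # noTLSVerify: true                                # weak: no cert check
      originServerName: ingress.internal.example.com     # assumed cert name
      caPool: /etc/cloudflared/ca/ingress-ca.pem         # mounted from a Secret

  # 3. Everything else in the zone goes to the ingress controller over plain
  #    HTTP inside the cluster. Public TLS terminates at Cloudflare's edge and
  #    the hop to the pod is inside the tunnel. cloudflared forwards the
  #    original Host header, so ingress-nginx (or Kong, Traefik, ...) still
  #    picks the right Ingress rule; you do not list each vhost here.
  #    For this rule to see any traffic, the zone needs a proxied wildcard
  #    CNAME: *.example.com -> <tunnel-id>.cfargotunnel.com
  - hostname: "*.example.com"
    service: http://ingress-nginx-controller.ingress-nginx.svc.cluster.local:80

  # 4. Mandatory catch-all: an unmatched request gets a 404 from cloudflared
  #    instead of falling through to an origin.
  - service: http_status:404
```

Before rolling the ConfigMap out, `cloudflared tunnel ingress validate` checks the rule list (including the catch-all requirement) and `cloudflared tunnel ingress rule https://app.example.com/` prints which rule a given URL would hit; both read the config file and need no running tunnel, so a mis-ordered wildcard shows up before it silently shadows a narrower rule.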

I ran into similar issues due to the complexity of parsing the `ingress: []` configuration using Helm's --set. I was able to sort it out using helm template.

```sh
helm template cloudflared cloudflare-tunnel \
  --set "cloudflare.ingress[0].hostname=tunnel.example.com" \
  --set "cloudflare.ingress[0].service=http://web-service:80"
```

From this I was able to work out how to do it in Terraform. I've created two modules, one uses Terraform templatefile the other makes use of the helm chart.

https://gitlab.com/2stacks/terraform-cloudflare-zerotrust

sms-astanley avatar Dec 31 '22 18:12 sms-astanley