argo-tunnel-examples
Issues with Origin Certificate Path in Cloudflare Tunnel Guide
Hello,
Thank you for the detailed documentation! However, I encountered some issues while following the guide here:
Issue Description
While setting up the Cloudflare tunnel, I received the following error message regarding the origin certificate:
2024-09-22T12:55:04Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2024-09-22T12:55:04Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
error parsing tunnel ID: Error locating origin cert: client didn't specify origincert path
Proposed Solution
To resolve this, I found that creating a Kubernetes secret for the certificate and updating the deployment YAML to add a volume for the certificates is necessary. The steps are as follows:
- Create the secret for the certificate (after obtaining it during the first login):

  kubectl create secret generic origin-cert --from-file=cert.pem=C:/Users/User/.cloudflared/cert.pem -n cloudflare

- Update the deployment YAML as shown below:

  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: cloudflared
    namespace: cloudflare
  spec:
    selector:
      matchLabels:
        app: cloudflared
    replicas: 2
    template:
      metadata:
        labels:
          app: cloudflared
      spec:
        containers:
        - name: cloudflared
          image: cloudflare/cloudflared:2022.3.0
          args:
          - tunnel
          - --config
          - /etc/cloudflared/config/config.yaml
          - run
          livenessProbe:
            httpGet:
              path: /ready
              port: 2000
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
          - name: config
            mountPath: /etc/cloudflared/config
            readOnly: true
          - name: creds
            mountPath: /etc/cloudflared/creds
            readOnly: true
          - name: certs
            mountPath: /usr/local/etc/cloudflared
            readOnly: true
        volumes:
        - name: creds
          secret:
            secretName: tunnel-credentials
        - name: config
          configMap:
            name: cloudflared
            items:
            - key: config.yaml
              path: config.yaml
        - name: certs
          secret:
            # this is important: without it you will get the cert error
            secretName: origin-cert
Final Note
While this is a fundamental Kubernetes issue, I noticed that the "Hello World" example works because it's in the same namespace. For tunneling to services in different namespaces, the format should be:
<protocol>://<serviceName>.<namespace>.svc.cluster.local:<protocol-port>
e.g.:
http://helloworld.helloworld.svc.cluster.local:6666
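A pre-flight check for the mount described in the proposed solution and for the cross-namespace URL form in the final note, written as an added example (it is not code from the argo-tunnel-examples repository): the certificate volume must be mounted at exactly one of the directories cloudflared searches, the Secret key must be cert.pem, and ingress URLs to other namespaces must use the full service DNS name. The search directories are copied from the error message above; the sample manifests are constructed to mirror the YAML in this issue.

```shell
# cloudflared's default search list, copied from the error message above; only a
# file literally named cert.pem directly inside one of these directories is found.
ORIGIN_CERT_DIRS="/etc/cloudflared /usr/local/etc/cloudflared"

# origin_cert_mount_ok <deployment.yaml>: exit 0 when a container mounts a volume
# at exactly one of the searched directories. A mount at a subdirectory such as
# /etc/cloudflared/creds does not count, since cloudflared does not descend into it.
origin_cert_mount_ok() {
  for d in $ORIGIN_CERT_DIRS; do
    grep -Eq "^[[:space:]-]*mountPath:[[:space:]]*${d}[[:space:]]*$" "$1" && return 0
  done
  return 1
}

# secret_has_cert_pem <secret.yaml>: exit 0 when the Secret stores its payload under
# the key cert.pem, which is what --from-file=cert.pem=... produces.
secret_has_cert_pem() { grep -Eq "^[[:space:]]*cert\.pem:" "$1"; }

# service_url_is_fqdn <url>: exit 0 for the cross-namespace form from the Final Note,
# <protocol>://<serviceName>.<namespace>.svc.cluster.local:<port>.
service_url_is_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^[a-z]+://[a-z0-9-]+\.[a-z0-9-]+\.svc\.cluster\.local:[0-9]+$'
}

# Constructed sample manifests (mirroring the YAML in this issue) for an offline run.
GOOD=$(mktemp); BAD=$(mktemp); SECRET=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$SECRET"' EXIT
cat >"$GOOD" <<'EOF'
        - name: certs
          mountPath: /usr/local/etc/cloudflared
          readOnly: true
EOF
cat >"$BAD" <<'EOF'
        - name: creds
          mountPath: /etc/cloudflared/creds
          readOnly: true
EOF
cat >"$SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: origin-cert
data:
  cert.pem: PLACEHOLDER-BASE64-CERT
EOF
origin_cert_mount_ok "$GOOD" && secret_has_cert_pem "$SECRET" && echo "origin cert will be found"
origin_cert_mount_ok "$BAD" || echo "subdirectory mount: cloudflared will not find cert.pem"
service_url_is_fqdn "http://helloworld.helloworld.svc.cluster.local:6666" && echo "ingress URL ok"
```

Point the functions at your rendered Deployment and Secret manifests (for example the output of kubectl get -o yaml) before applying them.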
Thank you for your assistance!