
Question/Enhancement: Cloudflare Access Tunnel provider

Open mattiaforc opened this issue 1 year ago • 9 comments

Hello everybody,

I was wondering if anyone would be interested in a provider for Cloudflare Tunnel (formerly known as Cloudflare Argo Tunnels). I am playing around with it in my homelab - and made a (almost, see issue on cloudflare-go SDK) working implementation, albeit pretty basic, that allows external-dns to add ingresses and services records to a Cloudflare tunnel public hostnames configuration. The way it works is that a Cloudflare tunnel connector is deployed somewhere in your infrastructure - and it gives access to internal services and stuff, and you can then configure access restrictions (like OAuth policies, etc...)

My use case is to simply filter for a specific annotation (e.g. public-tunnel: true) on services/ingresses to decide whether or not to publish the service via Cloudflare.

I am proposing this implementation but I was wondering if this could be useful - or even relevant to the external-dns project - since it is not really a DNS provider, albeit providing external users a way to find/access services.

Any feedback would be appreciated, let me know :)

mattiaforc avatar May 07 '23 19:05 mattiaforc

Was working on something similar but got stuck due to the issue you mentioned. I wanted to be in control of the DNS name and not necessarily always use the same name for the tunnel record as for the internal server. This cannot be done however without setting TLS > Origin Server Name, which currently cannot be done through the Cloudflare Go API as the OriginRequest is not located correctly in the API.

This can be worked around with an internal wildcard Certificate but is not a nice solution.

SimonStiil avatar May 09 '23 17:05 SimonStiil

Would this also be able to add CNAME records under the hosted zone in addition to updating the tunnel configuration? I know external-dns already has cloudflare support, but I'm not sure if I can make the CNAME point to my tunnel, I'm thinking that external-dns will try to map to the external-ip in my cluster rather than the tunnel.

BrentGruber avatar Oct 05 '23 02:10 BrentGruber
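The three points raised so far (mattiaforc's annotation-gated publishing of Ingress hostnames into the tunnel's ingress list, SimonStiil's need to set the TLS origin server name per hostname, and BrentGruber's question of what the zone CNAME should point at) can be sketched in one place. The following is an added example written for this page, not code from external-dns, the proposed provider, or SimonStiil's demo repo. It avoids the cloudflare-go SDK entirely and only builds the cloudflared `ingress` list and the CNAME value; the Kubernetes object types, the annotation keys `public-tunnel` and `public-tunnel/origin-server-name`, and the `*.svc.cluster.local` origin URLs are assumptions for the example. The checks it adds are the ones a provider like this needs before it publishes anything: exposure is opt-in, hostnames outside the managed zone are refused, duplicate claims on a hostname are an error rather than a silent overwrite, and the list ends in the catch-all rule cloudflared requires, returning 404 so an unmatched name never reaches an origin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Stand-ins for the Kubernetes objects the real provider would get from the
// external-dns source (constructed for this example, not the real client types).
type IngressRule struct {
	Host    string // public hostname requested by the Ingress
	Service string // backend Service name
	Port    int    // backend Service port
}

type Ingress struct {
	Namespace   string
	Name        string
	Annotations map[string]string
	Rules       []IngressRule
}

// TunnelIngress is one entry of the cloudflared "ingress" list: hostname -> service,
// optionally overriding the TLS origin server name (SimonStiil's use case).
type TunnelIngress struct {
	Hostname         string `json:"hostname,omitempty"`
	Service          string `json:"service"`
	OriginServerName string `json:"originServerName,omitempty"`
}

// Annotation keys are assumptions for this example (the issue suggests "public-tunnel").
const (
	publishAnnotation    = "public-tunnel"
	originNameAnnotation = "public-tunnel/origin-server-name"
)

// BuildTunnelIngress turns opted-in Ingress objects into a cloudflared ingress list.
// Only Ingresses annotated exactly "true" are published; every hostname must sit
// inside zone; a hostname claimed twice is an error; the last rule is a 404 catch-all.
func BuildTunnelIngress(ings []Ingress, zone string) ([]TunnelIngress, error) {
	seen := map[string]string{} // hostname -> "namespace/name" that claimed it
	var out []TunnelIngress
	for _, ing := range ings {
		if ing.Annotations[publishAnnotation] != "true" {
			continue // default deny: nothing is exposed unless explicitly annotated
		}
		owner := ing.Namespace + "/" + ing.Name
		for _, r := range ing.Rules {
			host := strings.ToLower(strings.TrimSuffix(r.Host, "."))
			if host == "" || host == zone || !strings.HasSuffix(host, "."+zone) {
				return nil, fmt.Errorf("%s: hostname %q is not inside zone %q", owner, r.Host, zone)
			}
			if prev, dup := seen[host]; dup {
				return nil, fmt.Errorf("%s: hostname %q already claimed by %s", owner, host, prev)
			}
			seen[host] = owner
			out = append(out, TunnelIngress{
				Hostname: host,
				// Assumed cluster-internal origin reachable by an in-cluster connector.
				Service:          fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", r.Service, ing.Namespace, r.Port),
				OriginServerName: ing.Annotations[originNameAnnotation],
			})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Hostname < out[j].Hostname })
	// cloudflared requires the final rule to be a catch-all with no hostname.
	out = append(out, TunnelIngress{Service: "http_status:404"})
	return out, nil
}

// CNAMETarget is the record value the DNS side would publish for each hostname so
// it resolves to the tunnel rather than to a cluster or node IP.
func CNAMETarget(tunnelID string) string {
	return tunnelID + ".cfargotunnel.com"
}

func main() {
	// Constructed sample input: one opted-in Ingress and one that stays private.
	ings := []Ingress{
		{Namespace: "media", Name: "jellyfin",
			Annotations: map[string]string{publishAnnotation: "true", originNameAnnotation: "jellyfin.internal"},
			Rules:       []IngressRule{{Host: "Jellyfin.example.com.", Service: "jellyfin", Port: 8096}}},
		{Namespace: "infra", Name: "argocd", Annotations: map[string]string{},
			Rules: []IngressRule{{Host: "argocd.example.com", Service: "argocd-server", Port: 80}}},
	}
	rules, err := BuildTunnelIngress(ings, "example.com")
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(map[string]interface{}{"ingress": rules}, "", "  ")
	fmt.Println(string(b))
	fmt.Println("CNAME target:", CNAMETarget("0f1e2d3c-0000-4000-8000-000000000000"))
}
```

The zone check is the important one: a provider that writes whatever `spec.rules[].host` says into the tunnel configuration lets anyone who can create an Ingress in the cluster claim a hostname in a zone the tunnel happens to be able to serve. Restricting the origin-server-name override to an annotation keeps the TLS verification name explicit per Ingress instead of falling back to a wildcard certificate, which is the workaround the thread mentions.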

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 29 '24 18:01 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Feb 28 '24 19:02 k8s-triage-robot

@mattiaforc I was searching the web for something that does what you were suggesting. Was your suggestion adopted into external-dns? is there a PR/fork I can try? Thanks

alexo-bunnyshell avatar Mar 25 '24 13:03 alexo-bunnyshell

@mattiaforc and @SimonStiil, are either of you able to share your partial implementations of a Cloudflare Tunnel provider? I've been looking for a similar solution for my own WIP homelab. I'm behind my ISP's NAT so I'd like to use Cloudflare Tunnel to route external requests. My plan was to use Ingress rules to assign external DNS entries, in an attempt to keep things as gitops-y as possible.

/remove-lifecycle rotten

jo12bar avatar Apr 24 '24 03:04 jo12bar

@jo12bar It is not something I have touched for about a year, so I can't promise too much. But I just sanitized my test code and added it to a repo: https://github.com/SimonStiil/go-cloudflare-tunnel-demo. Hope it is of help to you for getting started.

SimonStiil avatar Apr 25 '24 19:04 SimonStiil

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 24 '24 19:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Aug 23 '24 20:08 k8s-triage-robot