cloudflare/argo-tunnel-examples

Ingress + Cloudflare Tunnel

felinto-dev opened this issue · 10 comments

Could you provide an example of how to use Ingress + Cloudflare tunnel?

I guess it is possible to avoid using the Cloud Provider Load Balancer solution if all traffic goes through Cloudflare Tunnel, right?

You can provide the example using Ingress Nginx OR Traefik OR any solution that allows defining custom routes for specific services, for example:

https://github.com/webmakaka/Microservices-with-Node-JS-and-React/blob/master/10_Testing_Isolated_Microservices/k8s/ingress-controller.yaml#L12-L16

You can point your cloudflared to your service directly, or to the ingress. I am working on an operator to automate it which is currently in alpha.

I'm struggling to get this to work atm, and looking at the website it seems Tunnels is moving to a new part of the site. It also seems client-configured tunnels aren't able to be "migrated" to the new setup? Could this change be the source of my issues?

Currently there are two types of tunnels, one managed on the client side and one with the API/UI. Both of them work in the same way. What are the issues you are referring to?

holms commented

You can point your cloudflared to your service directly, or to the ingress. I am working on an operator to automate it which is currently in alpha.

There's a helm chart in here: https://github.com/cloudflare/argo-tunnel-examples/tree/master/helm/cloudflare-tunnel
Do you really need to create a k8s operator for that? The only problem is that this chart doesn't have a helm-chart repo. There's no way to pass a GitHub path to a helm_release Terraform resource; it only accepts a direct URL for a compressed helm chart in .tgz format.

Also, this particular example for setting up a tunnel in Kubernetes uses a manifest, not a chart, and they are different. The manifest uses a k8s secret with the secret string in it, while in the chart you can just pass that secret string through helm-chart params, and the helm-chart template creates a k8s secret by itself. I'm not sure if this is very secure, but at least in Terraform you can just pass an argument from the tunnel resource to a helm-chart param, so it won't be exposed; but when listing deployments in kubectl this secret will be exposed, which I think is not a very good idea.

@mozarik could you get it to work? Struggling with the same problem now, but with kong-ingress-controller.

@Leo310 I pivoted to use nginx.

holms commented

I've actually managed to get it to work because someone pushed a helm chart to this repo, although in my humble opinion it should be moved to the cloudflare/helm-charts repo.

But anyway, I'm using Terraform for managing charts, sorry, but you can easily make your own JSON config file. You also need to download the whole chart because there's no way to access it in here; I mean that folder in this git repo is not a helm repo, sadly. Tried to contact Cloudflare for some actions, but for now things have stalled.

resource "helm_release" "cloudflare-tunnel" {
  name      = "cloudflare-tunnel"
  chart     = "./charts/cloudflare-tunnel"
  namespace = "cloudflare"

  set {
    name  = "image.tag"
    value = "latest"
  }

  set {
    name  = "cloudflare.account"
    value = var.cloudflare_account_id
  }

  set {
    name  = "cloudflare.tunnelName"
    value = var.cloudflare_tunnel_name
  }

  set {
    name  = "cloudflare.tunnelId"
    value = var.cloudflare_tunnel_id
  }

  set {
    name  = "cloudflare.secret"
    value = var.cloudflare_tunnel_secret
  }
}

Once you have this tunnel you don't need to specify every virtual host in it; it doesn't replace an ingress controller. You can use wildcards in the rules, for example *.mydomain.com, and the rest will be up to the nginx controller itself.

I now also got it to work, but I had a different problem. The domain I used to create the tunnel and DNS record with (this guide) wasn't wildcarded, so Cloudflare didn't route any subdomains to the cloudflared pod.

It actually works with this yaml and your tweaked ingress rules. I used this rule for my kong-proxy:

ingress:
- service: http://kong-proxy.kong.svc.cluster.local:80

I ran into similar issues due to the complexity of parsing the ingress: [ ] configuration using Helm's --set. I was able to sort it out using helm template.

helm template cloudflared cloudflare-tunnel \
--set "cloudflare.ingress[0].hostname=tunnel.example.com" \
--set "cloudflare.ingress[0].service=http://web-service:80"

From this I was able to work out how to do it in Terraform. I've created two modules: one uses Terraform's templatefile, the other makes use of the helm chart.

https://gitlab.com/2stacks/terraform-cloudflare-zerotrust
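Putting the wildcard-to-nginx pattern and the `cloudflare.ingress[N]` list values together, here is an added Terraform example (not part of this thread or the repository's chart) that passes the same values the `--set` command above does through `set` blocks, and keeps the tunnel secret out of plan output with `set_sensitive`; the local chart path, the ingress-nginx service name and the variable names are assumptions.

```hcl
# Added example: route every subdomain through the tunnel to the nginx ingress
# controller, so per-host routing stays in ordinary Kubernetes Ingress rules.
variable "cloudflare_account_id" { type = string }
variable "cloudflare_tunnel_name" { type = string }
variable "cloudflare_tunnel_id" { type = string }
variable "cloudflare_tunnel_secret" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

resource "helm_release" "cloudflare-tunnel" {
  name      = "cloudflare-tunnel"
  chart     = "./charts/cloudflare-tunnel" # assumed local copy of the chart
  namespace = "cloudflare"

  set {
    name  = "image.tag"
    value = "PINNED_CLOUDFLARED_VERSION" # placeholder: pin a release tag, not "latest"
  }
  set {
    name  = "cloudflare.account"
    value = var.cloudflare_account_id
  }
  set {
    name  = "cloudflare.tunnelName"
    value = var.cloudflare_tunnel_name
  }
  set {
    name  = "cloudflare.tunnelId"
    value = var.cloudflare_tunnel_id
  }

  # Equivalent of: --set "cloudflare.ingress[0].hostname=..." on the CLI.
  set {
    name  = "cloudflare.ingress[0].hostname"
    value = "*.mydomain.com" # wildcard: every subdomain goes to the controller
  }
  set {
    name  = "cloudflare.ingress[0].service"
    # assumed Service name of a default ingress-nginx install
    value = "http://ingress-nginx-controller.ingress-nginx.svc.cluster.local:80"
  }

  # set_sensitive is redacted in plan/diff output; the value still lands in
  # Terraform state and in the Helm release Secret in the cluster, so both
  # need the same access controls as the tunnel credential itself.
  set_sensitive {
    name  = "cloudflare.secret"
    value = var.cloudflare_tunnel_secret
  }
}
```

Render the chart with `helm template` (as above) before applying, to confirm the generated ingress list keeps the wildcard rule before a final catch-all rule (add `service: http_status:404` as the last entry if the chart does not supply one).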