/SyncFlaer

Synchronize Traefik host rules and/or Kubernetes Ingresses with Cloudflare

Primary LanguageGoGNU General Public License v3.0GPL-3.0

SyncFlaer

Synchronize Traefik host rules and/or Kubernetes Ingresses with Cloudflare®.

Why?

  • Dynamically create, update or delete Cloudflare® DNS records based on Traefik http rules and/or Kubernetes Ingresses (apiVersion: networking.k8s.io/v1)
  • Supports multiple Traefik instances
  • Supports Kubernetes Ingresses (apiVersion: networking.k8s.io/v1)
  • Supports multiple Cloudflare zones
  • Update DNS records when public IP changes
  • Supports configuring additional DNS records for services outside Traefik (i.e. vpn server)

Contents

Usage

Simple

Create a config file based on the example located at configs/config.yml.

syncflaer --config-path /opt/syncflaer.yml

Flags:

  -c, --config-path string   Path to config file (default "config.yml")
  -d, --debug                Enable debug mode
  -v, --version              Print the current version and exit

Kubernetes

You can run SyncFlaer as a Kubernetes CronJob. For an example deployment, please refer to the files located at deployments/kubernetes.

Configuration

Overview

SyncFlaer must be configured via a YAML config file. Some secrets can be configured using environment variables.

Config File

The full configuration file can be found at configs/config.yml.

Using Multiple Traefik Instances

You can configure SyncFlaer to gather host rules from multiple Traefik instances.
The configuration for two instances would look like this:

traefikInstances:
  - name: instance1
    url: https://traefik1.example.com
    user: admin1
    password: supersecure
    customRequestHeaders:
      X-Example-Header: instance1
    ignoredRules:
      - instance1.example.com
  - name: instance2
    url: https://traefik2.example.com
    user: admin2
    password: stillsupersecure
    customRequestHeaders:
      Authorization: env:TREAFIK_AUTH_HEADER
    ignoredRules:
      - instance2.example.com

Every instance can be configured to use different HTTP basic auth, custom request headers and ignored rules.

Overriding Default Settings

Let's say you have the following Cloudflare defaults defined in config file:

cloudflare:
  defaults:
    type: CNAME
    ttl: 1
    proxied: true

Usually, every DNS record created for a Traefik host rule will have those defaults.

If you want to override those defaults, you can do so by specifying them in the defaultOverrides section of the config file under traefikInstances:

traefikInstances:
  - name: main
    url: https://traefik.example.com
    defaultOverrides:
      - rule: app.example.com
        type: A
        ttl: 60
        proxied: false

This will override the defaults for the app.example.com rule.

Kubernetes Ingress Support

SyncFlaer can be configured to support Kubernetes Ingresses. By default, SyncFlaer will sync all Ingresses.

If you run SyncFlaer in a Kubernetes cluster, please refer to the deployments/kubernetes folder for an example deployment.
If you run SyncFlaer outside a Kubernetes cluster, you can use the KUBECONFIG environment variable to configure a specific kubeconfig file.
If the KUBECONFIG environment variable is not set, SyncFlaer will use the default kubeconfig file located at $HOME/.kube/config.

If you want to ignore specific Ingresses, use the annotation syncflaer.containeroo.ch/ignore=true.

To overwrite the default configuration for DNS records, you can specify the following annotations for each Ingress:

Annotation Example
syncflaer.containeroo.ch/type A or CNAME
syncflaer.containeroo.ch/content example.com
syncflaer.containeroo.ch/proxied true
syncflaer.containeroo.ch/ttl 120

Environment Variables

Instead of putting secrets in the config file, SyncFlaer can grab secrets from environment variables.

You can define the names of the environment variables by using the env: prefix.

Configuration Example
notifications.slack.webhookURL env:SLACK_TOKEN
password in traefikInstances env:TRAEFIK_K8S_PW
customRequestHeaders in traefikInstances env:TRAEFIK_AUTH_HEADER
cloudflare.apiToken env:CF_API_TOKEN

Defaults

If not specified, the following defaults apply:

Name Default Value
skipUpdateCheck false
ipProviders ["https://ifconfig.me/ip", "https://ipecho.net/plain", "https://checkip.amazonaws.com", "https://api.ipify.org"]
kubernetes.enabled false
managedRootRecord true
cloudflare.deleteGrace 0 (delete records instantly)
cloudflare.defaults.type CNAME
cloudflare.defaults.proxied true
cloudflare.defaults.ttl 1
notifications.slack.username SyncFlaer
notifications.slack.iconURL https://www.cloudflare.com/img/cf-facebook-card.png

Additional Records

You can specify additional DNS records which are not configured as Traefik hosts.

Example A Record

Key Example Default Value Required
name a.example.com none yes
type A cloudflare.defaults.type no
proxied true cloudflare.defaults.proxied no
ttl 1 cloudflare.defaults.ttl no
content 1.1.1.1 current public IP no

Example CNAME Record

Key Example Default Value Required
name vpn.example.com none yes
type CNAME cloudflare.defaults.type no
proxied false cloudflare.defaults.proxied no
ttl 120 cloudflare.defaults.ttl no
content mysite.com cloudflare.zoneName no

Cloudflare API Token

To create an API token visit https://dash.cloudflare.com/profile/api-tokens, click on Create token and select Get started.

Select the following settings:

Permissions:

  • Zone - DNS - Edit

Zone Resources:

  • Include - All Zones

Upgrade Notes

From 4.x to 5.x

The cloudflare.apiToken config is now required to be present in config file.
If you want to use environment variables for Slack webhook URL, Traefik HTTP basic auth password and Cloudflare API token, you have to use the env: prefix. Everything after the env: part will be used as the name of the environment variable.

Copyright

2023 containeroo

Cloudflare and the Cloudflare logo are registered trademarks owned by Cloudflare Inc. This project is not affiliated with Cloudflare®.

License

GNU GPLv3