feat: cloudflared 1.1.0

Author: nushkovg

charts/cloudflared/Chart.yaml

@@ -4,7 +4,7 @@ maintainers:
     url: https://kubito.dev
 apiVersion: v2
 appVersion: 2023.10.0
-version: 1.0.5
+version: 1.1.0
 description: Kubito Cloudflared (Argo Tunnel) Helm Chart
 home: https://github.com/kubitodev/helm/tree/main/charts/cloudflared
 icon: https://kubito.dev/images/kubito.svg

charts/cloudflared/README.md

@@ -53,16 +53,20 @@ The command removes all the Kubernetes components associated with the chart and
 
 ### Deployment parameters
 
-| Name                | Description                                                                  | Value   |
-| ------------------- | ---------------------------------------------------------------------------- | ------- |
-| `replicaCount`      | The number of replicas to deploy.                                            | `3`     |
-| `tunnelID`          | The Argo Tunnel ID you created. Check the configuration section for details. | `""`    |
-| `auth.accountTag`   | The Argo tunnel account tag.                                                 | `""`    |
-| `auth.tunnelName`   | The Argo tunnel name.                                                        | `""`    |
-| `auth.tunnelSecret` | The Argo tunnel secret.                                                      | `""`    |
-| `existingSecret`    | The name of an existing secret containing the Argo tunnel settings.          | `""`    |
-| `warpRouting`       | Whether to enable WARP traffic routing to local subnets.                     | `false` |
-| `ingress`           | The ingress settings to apply. Check the configuration section for examples. | `[]`    |
+| Name                        | Description                                                                                                  | Value   |
+| --------------------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
+| `replicaCount`              | The number of replicas to deploy.                                                                            | `1`     |
+| `managed.enabled`           | Whether to enable Managed (CF Zero Trust Dashboard) tunnel configuration. Cannot coexist with the local one. | `true`  |
+| `managed.token`             | The connector token provided at the end of the CF Zero Trust tunnel creation.                                | `""`    |
+| `managed.existingSecret`    | The name of the existing secret containing the token. The secret key must be set to 'cf-tunnel-token'.       | `""`    |
+| `local.enabled`             | Whether to enable Local (CLI) tunnel configuration. Cannot coexist with the managed one.                     | `false` |
+| `local.auth.tunnelID`       | The Argo Tunnel ID you created. Check the configuration section for details.                                 | `""`    |
+| `local.auth.accountTag`     | The Argo tunnel account tag.                                                                                 | `""`    |
+| `local.auth.tunnelName`     | The Argo tunnel name.                                                                                        | `""`    |
+| `local.auth.tunnelSecret`   | The Argo tunnel secret.                                                                                      | `""`    |
+| `local.auth.existingSecret` | The name of an existing secret containing the Argo tunnel settings.                                          | `""`    |
+| `local.warpRouting`         | Whether to enable WARP traffic routing to local subnets.                                                     | `false` |
+| `local.ingress`             | The ingress settings to apply. Check the configuration section for examples.                                 | `[]`    |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
@@ -84,7 +88,13 @@ helm install example -f values.yaml kubitodev/example
 
 ## Configuration and installation details
 
-### Getting the Argo Tunnel ID (required)
+### Managed Setup
+
+- Go to the Cloudflare dashboard of your account and enable Zero Trust. Once there, in Access -> Tunnels you can create a tunnel and get the connector token.
+
+### Local CLI Setup
+
+#### Getting the Argo Tunnel ID
 
 - Start by downloading and installing the lightweight Cloudflare Tunnel daemon, `cloudflared`. You can find it [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/).
 
@@ -112,7 +122,7 @@ Now, when you want to create a new subdomain, just point it as a CNAME to the tu
 
 For more information, check the [official guide](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel/).
 
-### Setting up the Argo Tunnel ingress options with Traefik
+#### Setting up the Argo Tunnel ingress options with Traefik
 
 To use the tunnel with Traefik, you need to configure the ingress settings. As cloudflared works with CNAMEs, you want to set a wildcard hostname for the service, and set the origin request setting to be the root domain that you are configuring this for. Also, you need to point the service to the secure port (443) of the Traefik load balancer service. Here is an example configuration:
 
@@ -128,7 +138,7 @@ cloudflared:
 
 ## License
 
-Copyright © 2022 Kubito
+Copyright © 2024 Kubito
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

charts/cloudflared/templates/configmap.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.local.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,8 +7,9 @@ metadata:
 data:
   config.yaml: |-
     logDirectory: /var/log/cloudflared
-    tunnel: {{ required "The Argo Tunnel ID is missing." .Values.tunnelID }}
+    tunnel: {{ required "The Argo Tunnel ID is missing." .Values.local.auth.tunnelID }}
     credentials-file: /etc/cloudflared/tunnel-config.json
     warp-routing:
       enabled: {{ .Values.warpRouting }}
-    ingress: {{ toYaml .Values.ingress | nindent 6 }}
+    ingress: {{ toYaml .Values.local.ingress | nindent 6 }}
+{{- end }}

charts/cloudflared/templates/deployment.yaml

@@ -12,41 +12,63 @@ spec:
     metadata:
       labels:
         app: {{ .Release.Name }}
+      {{- if .Values.local.enabled }}
       annotations:
-        checksum/tunnel-id: {{ sha256sum .Values.tunnelID }}
+        checksum/tunnel-id: {{ sha256sum .Values.local.auth.tunnelID }}
         checksum/ingress: {{ .Values.ingress | toJson | sha256sum }}
         checksum/auth: {{ .Values.auth | toJson | sha256sum }}
         checksum/warp-routing: {{ .Values.warpRouting | toJson | sha256sum }}
+      {{- end }}
     spec:
       containers:
       - args:
         - tunnel
         - --no-autoupdate
+        {{- if .Values.local.enabled }}
         - --config
         - /etc/cloudflared/config.yaml
         - run
+        {{- else if .Values.managed.enabled }}
+        - run
+        - --token
+        - $(CF_MANAGED_TUNNEL_TOKEN)
+        {{- end }}
         name: {{ .Release.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+        {{- if .Values.managed.enabled }}
+        env:
+        - name: CF_MANAGED_TUNNEL_TOKEN
+          {{- if .Values.managed.existingSecret }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.managed.existingSecret }}
+              key: cf-tunnel-token
+          {{- else }}
+          value: {{ .Values.managed.token }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.local.enabled }}
         volumeMounts:
         - mountPath: /etc/cloudflared/tunnel-config.json
           name: tunnel-secret-volume
           subPath: tunnel-config.json
         - mountPath: /etc/cloudflared/config.yaml
           name: cloudflared-config-volume
           subPath: config.yaml
-      imagePullSecrets:
-      - name: {{ default "tunnel-secret" .Values.existingSecret }}
+        {{- end }}
       restartPolicy: Always
       terminationGracePeriodSeconds: 30
+      {{- if .Values.local.enabled }}
       volumes:
       - name: tunnel-secret-volume
         secret:
           defaultMode: 420
           optional: false
-          secretName: {{ default "tunnel-secret" .Values.existingSecret }}
+          secretName: {{ default "tunnel-secret" .Values.local.auth.existingSecret }}
       - name: cloudflared-config-volume
         configMap:
           defaultMode: 420
           name: {{ .Release.Name }}
           optional: false
+      {{- end }}

charts/cloudflared/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.existingSecret -}}
+{{- if and .Values.local.enabled (not .Values.local.auth.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,9 +7,9 @@ type: Opaque
 stringData:
   tunnel-config.json: >
     {
-      "AccountTag": "{{ required "The Argo Tunnel Account Tag is missing." .Values.auth.accountTag }}",
-      "TunnelSecret": "{{ required "The Argo Tunnel Secret is missing." .Values.auth.tunnelSecret }}",
-      "TunnelID": "{{ required "The Argo Tunnel ID is missing." .Values.tunnelID }}",
-      "TunnelName": "{{ required "The Argo Tunnel Name is missing." .Values.auth.tunnelName }}"
+      "AccountTag": "{{ required "The Argo Tunnel Account Tag is missing." .Values.local.auth.accountTag }}",
+      "TunnelSecret": "{{ required "The Argo Tunnel Secret is missing." .Values.local.auth.tunnelSecret }}",
+      "TunnelID": "{{ required "The Argo Tunnel ID is missing." .Values.local.auth.tunnelID }}",
+      "TunnelName": "{{ required "The Argo Tunnel Name is missing." .Values.local.auth.tunnelName }}"
     }
 {{- end }}

charts/cloudflared/values.yaml

@@ -15,24 +15,32 @@ image:
 
 ## @param replicaCount The number of replicas to deploy.
 ##
-replicaCount: 3
-## @param tunnelID The Argo Tunnel ID you created. Check the configuration section for details.
-##
-tunnelID: ""
-## @param auth.accountTag The Argo tunnel account tag.
-## @param auth.tunnelName The Argo tunnel name.
-## @param auth.tunnelSecret The Argo tunnel secret.
-##
-auth:
-  accountTag: ""
-  tunnelName: ""
-  tunnelSecret: ""
-## @param existingSecret The name of an existing secret containing the Argo tunnel settings.
-##
-existingSecret: ""
-## @param warpRouting Whether to enable WARP traffic routing to local subnets.
-##
-warpRouting: false
-## @param ingress The ingress settings to apply. Check the configuration section for examples.
+replicaCount: 1
+
+## @param managed.enabled Whether to enable Managed (CF Zero Trust Dashboard) tunnel configuration. Cannot coexist with the local one.
+## @param managed.token The connector token provided at the end of the CF Zero Trust tunnel creation.
+## @param managed.existingSecret The name of the existing secret containing the token. The secret key must be set to 'cf-tunnel-token'.
+managed:
+  enabled: true
+  token: ""
+  existingSecret: ""
+
+## @param local.enabled Whether to enable Local (CLI) tunnel configuration. Cannot coexist with the managed one.
+## @param local.auth.tunnelID The Argo Tunnel ID you created. Check the configuration section for details.
+## @param local.auth.accountTag The Argo tunnel account tag.
+## @param local.auth.tunnelName The Argo tunnel name.
+## @param local.auth.tunnelSecret The Argo tunnel secret.
+## @param local.auth.existingSecret The name of an existing secret containing the Argo tunnel settings.
+## @param local.warpRouting Whether to enable WARP traffic routing to local subnets.
+## @param local.ingress The ingress settings to apply. Check the configuration section for examples.
 ##
-ingress: []
+local:
+  enabled: false
+  auth:
+    tunnelID: ""
+    accountTag: ""
+    tunnelName: ""
+    tunnelSecret: ""
+    existingSecret: ""
+  warpRouting: false
+  ingress: []