From 62ecb1cf7c2470203ba5d93d1a49c7bcb616e0fc Mon Sep 17 00:00:00 2001 From: Jonny Ervine Date: Mon, 22 Jan 2024 23:25:25 +0800 Subject: [PATCH] Add cloudflared remote --- cloudflare-tunnel-remote/Chart.yaml | 8 ++ .../templates/_helpers.tpl | 27 +++-- .../templates/deployment.yaml | 53 +++++++++ .../templates/secret.yaml | 10 ++ .../templates/serviceaccount.yaml | 4 +- cloudflare-tunnel-remote/values.home.yaml | 59 ++++++++++ .../values.yaml | 26 +---- cloudflare-tunnel/.helmignore | 23 ---- cloudflare-tunnel/Chart.yaml | 7 -- cloudflare-tunnel/templates/configmap.yaml | 29 ----- cloudflare-tunnel/templates/deployment.yaml | 102 ------------------ cloudflare-tunnel/templates/secret.yaml | 17 --- 12 files changed, 153 insertions(+), 212 deletions(-) create mode 100644 cloudflare-tunnel-remote/Chart.yaml rename {cloudflare-tunnel => cloudflare-tunnel-remote}/templates/_helpers.tpl (59%) create mode 100644 cloudflare-tunnel-remote/templates/deployment.yaml create mode 100644 cloudflare-tunnel-remote/templates/secret.yaml rename {cloudflare-tunnel => cloudflare-tunnel-remote}/templates/serviceaccount.yaml (70%) create mode 100644 cloudflare-tunnel-remote/values.home.yaml rename {cloudflare-tunnel => cloudflare-tunnel-remote}/values.yaml (55%) delete mode 100644 cloudflare-tunnel/.helmignore delete mode 100644 cloudflare-tunnel/Chart.yaml delete mode 100644 cloudflare-tunnel/templates/configmap.yaml delete mode 100644 cloudflare-tunnel/templates/deployment.yaml delete mode 100644 cloudflare-tunnel/templates/secret.yaml diff --git a/cloudflare-tunnel-remote/Chart.yaml b/cloudflare-tunnel-remote/Chart.yaml new file mode 100644 index 0000000..4c25748 --- /dev/null +++ b/cloudflare-tunnel-remote/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: latest +description: Deployment of a remotely managed tunnel that has already been provisioned + in Cloudflare +icon: https://developers.cloudflare.com/cloudflare-one/favicon-32x32.png +name: cloudflare-tunnel-remote +type: application +version: 0.1.1 diff --git a/cloudflare-tunnel/templates/_helpers.tpl b/cloudflare-tunnel-remote/templates/_helpers.tpl similarity index 59% rename from cloudflare-tunnel/templates/_helpers.tpl rename to cloudflare-tunnel-remote/templates/_helpers.tpl index 9d85624..e5a1f53 100644 --- a/cloudflare-tunnel/templates/_helpers.tpl +++ b/cloudflare-tunnel-remote/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "cloudflare-tunnel.name" -}} +{{- define "cloudflare-tunnel-remote.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "cloudflare-tunnel.fullname" -}} +{{- define "cloudflare-tunnel-remote.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "cloudflare-tunnel.chart" -}} +{{- define "cloudflare-tunnel-remote.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "cloudflare-tunnel.labels" -}} -helm.sh/chart: {{ include "cloudflare-tunnel.chart" . }} -{{ include "cloudflare-tunnel.selectorLabels" . }} +{{- define "cloudflare-tunnel-remote.labels" -}} +helm.sh/chart: {{ include "cloudflare-tunnel-remote.chart" . }} +{{ include "cloudflare-tunnel-remote.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,7 +45,18 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "cloudflare-tunnel.selectorLabels" -}} -app.kubernetes.io/name: {{ include "cloudflare-tunnel.name" . }} +{{- define "cloudflare-tunnel-remote.selectorLabels" -}} +app.kubernetes.io/name: {{ include "cloudflare-tunnel-remote.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cloudflare-tunnel-remote.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "cloudflare-tunnel-remote.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/cloudflare-tunnel-remote/templates/deployment.yaml b/cloudflare-tunnel-remote/templates/deployment.yaml new file mode 100644 index 0000000..354b599 --- /dev/null +++ b/cloudflare-tunnel-remote/templates/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cloudflare-tunnel-remote.fullname" . }} + labels: + {{- include "cloudflare-tunnel-remote.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + pod: cloudflared + template: + metadata: + creationTimestamp: null + annotations: + # These are here so the deployment rolls when the config or secret change. + checksum/secret: {{ .Values.cloudflare.tunnel_token | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + pod: cloudflared + spec: + serviceAccountName: {{ include "cloudflare-tunnel-remote.fullname" . }} + containers: + - name: cloudflared + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default "latest" }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - cloudflared + - tunnel + # We can regulate the cloudflared version via an image tag. + - --no-autoupdate + # In a k8s environment, the metrics server needs to listen outside the pod it runs on. + # The address 0.0.0.0:2000 allows any pod in the namespace. + - --metrics + - 0.0.0.0:2000 + - run + env: + - name: TUNNEL_TOKEN + valueFrom: + secretKeyRef: + name: {{ include "cloudflare-tunnel-remote.fullname" . }} + key: tunnelToken + livenessProbe: + httpGet: + # Cloudflared has a /ready endpoint which returns 200 if and only if + # it has an active connection to the edge. + path: /ready + port: 2000 + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 diff --git a/cloudflare-tunnel-remote/templates/secret.yaml b/cloudflare-tunnel-remote/templates/secret.yaml new file mode 100644 index 0000000..709cce9 --- /dev/null +++ b/cloudflare-tunnel-remote/templates/secret.yaml @@ -0,0 +1,10 @@ +# This credentials secret allows cloudflared to authenticate itself +# to the Cloudflare infrastructure. +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cloudflare-tunnel-remote.fullname" . }} + labels: + {{- include "cloudflare-tunnel-remote.labels" . | nindent 4 }} +stringData: + tunnelToken: {{ .Values.cloudflare.tunnel_token }} diff --git a/cloudflare-tunnel/templates/serviceaccount.yaml b/cloudflare-tunnel-remote/templates/serviceaccount.yaml similarity index 70% rename from cloudflare-tunnel/templates/serviceaccount.yaml rename to cloudflare-tunnel-remote/templates/serviceaccount.yaml index ecb321e..17dc44c 100644 --- a/cloudflare-tunnel/templates/serviceaccount.yaml +++ b/cloudflare-tunnel-remote/templates/serviceaccount.yaml @@ -3,9 +3,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "cloudflare-tunnel.fullname" . }} + name: {{ include "cloudflare-tunnel-remote.fullname" . }} labels: - {{- include "cloudflare-tunnel.labels" . | nindent 4 }} + {{- include "cloudflare-tunnel-remote.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/cloudflare-tunnel-remote/values.home.yaml b/cloudflare-tunnel-remote/values.home.yaml new file mode 100644 index 0000000..92c095e --- /dev/null +++ b/cloudflare-tunnel-remote/values.home.yaml @@ -0,0 +1,59 @@ +# Default values for cloudflare-tunnel. + +# Cloudflare parameters. +cloudflare: + tunnel_token: "eyJhIjoiNmRlYmQ1NmE5N2VhMmFkOTM4ZjA3NDI4ZWU1NGYxMmEiLCJ0IjoiMGQ3ZjhkYWMtOTUzMC00NzU2LWI0ZTgtMTc0YTllOGNlZTkxIiwicyI6IllqUXdNVE15TVdVdE1tUXlOUzAwTXpVM0xUa3dOMk10TW1SbU16RmlNemxsTTJZNCJ9" + +image: + repository: cloudflare/cloudflared + pullPolicy: IfNotPresent + # If supplied, this overrides "latest" + tag: "" + +replicaCount: 2 + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +# Security items common to everything in the pod. Here we require that it +# does not run as the user defined in the image, literally named "nonroot". +podSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + +# Security items for one container. We lock it down. +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +# Default affinity is to spread out over nodes; use this to override. +affinity: {} diff --git a/cloudflare-tunnel/values.yaml b/cloudflare-tunnel-remote/values.yaml similarity index 55% rename from cloudflare-tunnel/values.yaml rename to cloudflare-tunnel-remote/values.yaml index 64a9a41..c2e1565 100644 --- a/cloudflare-tunnel/values.yaml +++ b/cloudflare-tunnel-remote/values.yaml @@ -2,34 +2,12 @@ # Cloudflare parameters. cloudflare: - # Your Cloudflare account number. - account: "" - # The name of the tunnel this instance will serve - tunnelName: "" - # The ID of the above tunnel. - tunnelId: "" - # The secret for the tunnel. - secret: "" - # If defined, no secret is created for the credentials, and instead, the secret referenced is used - secretName: null - # If true, turn on WARP routing for TCP - enableWarp: false - # Define ingress rules for the tunnel. See - # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file/ingress - ingress: [] - # The first rule proxies traffic to the httpbin sample service named web-server at port 80 - # - hostname: tunnel.example.com - # service: http://web-service:80 - # This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity - # issues. If hello.example.com resolves and tunnel.example.com does not, then the problem is - # in the connection from cloudflared to your local service, not from the internet to cloudflared. - # - hostname: hello.example.com - # service: hello_world + tunnel_token: "" image: repository: cloudflare/cloudflared pullPolicy: IfNotPresent - # If supplied, this overrides "appVersion" + # If supplied, this overrides "latest" tag: "" replicaCount: 2 diff --git a/cloudflare-tunnel/.helmignore b/cloudflare-tunnel/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/cloudflare-tunnel/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/cloudflare-tunnel/Chart.yaml b/cloudflare-tunnel/Chart.yaml deleted file mode 100644 index 948031c..0000000 --- a/cloudflare-tunnel/Chart.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v2 -appVersion: 2023.5.1 -description: Creation of a cloudflared deployment - a reverse tunnel for an environment -icon: https://developers.cloudflare.com/cloudflare-one/favicon-32x32.png -name: cloudflare-tunnel -type: application -version: 0.3.0 diff --git a/cloudflare-tunnel/templates/configmap.yaml b/cloudflare-tunnel/templates/configmap.yaml deleted file mode 100644 index 07d5219..0000000 --- a/cloudflare-tunnel/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# This configmap stores the configuration used by cloudflared. -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "cloudflare-tunnel.fullname" . }} -data: - config.yaml: | - # Name of the tunnel you want to run - tunnel: {{ .Values.cloudflare.tunnelName }} - # The location of the secret containing the tunnel credentials - credentials-file: /etc/cloudflared/creds/credentials.json - # General purpose TCP routing for the network - warp-routing: - enabled: {{ .Values.cloudflare.enableWarp }} - # Serves the metrics server under /metrics and the readiness server under /ready - metrics: 0.0.0.0:2000 - # Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so - # autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly - # recommend using autoupdate. - no-autoupdate: true - # The `ingress` block tells cloudflared which local service to route incoming - # requests to. For more about ingress rules, see - # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress - ingress: - {{- with .Values.cloudflare.ingress }} - {{- toYaml . | nindent 6 }} - {{- end }} - # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404. - - service: http_status:404 diff --git a/cloudflare-tunnel/templates/deployment.yaml b/cloudflare-tunnel/templates/deployment.yaml deleted file mode 100644 index 6732ef1..0000000 --- a/cloudflare-tunnel/templates/deployment.yaml +++ /dev/null @@ -1,102 +0,0 @@ -# Here we deploy cloudflared images. The tunnel credentials are stored in -# a k8s secret, and the configuration is stored in a k8s configmap. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "cloudflare-tunnel.fullname" . }} - labels: - {{- include "cloudflare-tunnel.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - # These are here so the deployment rolls when the config or secret change. - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "cloudflare-tunnel.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "cloudflare-tunnel.fullname" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - tunnel - # Points cloudflared to the config file, which configures what - # cloudflared will actually do. This file is created by a ConfigMap. - - --config - - /etc/cloudflared/config/config.yaml - - run - livenessProbe: - httpGet: - # Cloudflared has a /ready endpoint which returns 200 if and only if - # it has an active connection to the edge. - path: /ready - port: 2000 - failureThreshold: 1 - initialDelaySeconds: 10 - periodSeconds: 10 - volumeMounts: - - name: config - mountPath: /etc/cloudflared/config - readOnly: true - # Each tunnel has an associated "credentials file" which authorizes machines - # to run the tunnel. cloudflared will read this file from its local filesystem, - # and it'll be stored in a k8s secret. - - name: creds - mountPath: /etc/cloudflared/creds - readOnly: true - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumes: - - name: creds - secret: - secretName: {{ .Values.cloudflare.secretName | default (include "cloudflare-tunnel.fullname" .) }} - - name: config - configMap: - name: {{ include "cloudflare-tunnel.fullname" . }} - items: - - key: config.yaml - path: config.yaml - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - affinity: - {{- with .Values.affinity }} - {{- toYaml . | nindent 8 }} - {{- else }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 10 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: - {{- range $k, $v := include "cloudflare-tunnel.selectorLabels" . | fromYaml }} - - key: {{ $k }} - operator: In - values: - - {{ $v }} - {{- end }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/cloudflare-tunnel/templates/secret.yaml b/cloudflare-tunnel/templates/secret.yaml deleted file mode 100644 index 8316526..0000000 --- a/cloudflare-tunnel/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if and (and .Values.cloudflare.account .Values.cloudflare.tunnelId .Values.cloudflare.secret) (not .Values.cloudflare.secretName) }} -# This credentials secret allows cloudflared to authenticate itself -# to the Cloudflare infrastructure. -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "cloudflare-tunnel.fullname" . }} - labels: - {{- include "cloudflare-tunnel.labels" . | nindent 4 }} -stringData: - credentials.json: |- - { - "AccountTag": {{ .Values.cloudflare.account | quote }}, - "TunnelID": {{ .Values.cloudflare.tunnelId | quote }}, - "TunnelSecret": {{ .Values.cloudflare.secret | quote }} - } -{{- end }}