Helm Chart for Cloudflare Tunnels

Tuesday, April 9, 2024

I’m a big fan of Cloudflare’s tunnels. They allow me to run lots of services behind my firewall and still reach them either over the open internet or through Cloudflare’s Zero Trust system. This gives me the ability to run public services, like this blog, or to give myself or my friends access to services behind my firewall without using my VPN. In the beginning, to get this working, I was adding a sidecar container to every deployment that needed a tunnel. While this worked, it was annoying and tedious to copy entire Helm charts locally just to modify them. I recently created a new Helm chart that deploys a container running the Cloudflare Tunnel binary (cloudflared) and connects it to the Kubernetes Service of whatever I want to tunnel.

The entire process is pretty painless and is detailed in the README file in the repository, which I copy in full below. Hopefully this helps! The Helm chart is available in the helm-cf-tunnels repository.

Helm CF Tunnel Chart

This is a simple chart that will get a Cloudflare tunnel up and running.

Usage

Prerequisites

In order to use this chart, a Cloudflare tunnel first needs to be created, and the tunnel secrets and a ConfigMap need to be added to the namespace you want to deploy it to.

First create the tunnel using cloudflared, add the DNS entry, then add the tunnel credentials file and the certificate to the cluster as a secret:

$ cloudflared tunnel create <tunnel-name>
$ cloudflared tunnel route dns <tunnel-name> <subdomain>.<domain>.<tld>
$ kubectl -n <namespace> create secret generic some-secret-name \
    --from-file=credentials.json=/home/user/.cloudflared/<long-uuid>.json \
    --from-file=cert.pem=/home/user/.cloudflared/cert.pem

Both files can live in one secret, as above, or in two separate secrets; if you split them, give the secrets different names, because kubectl refuses to create a second secret with the same name in a namespace. Note that credentials.json is scoped to this one tunnel, while cert.pem is the account-level origin certificate that cloudflared uses to create, route and delete tunnels, so whoever can read that secret can manage tunnels for your whole account. Restrict access to it accordingly (RBAC on the namespace at minimum).

Next create the ConfigMap that holds the cloudflared config the chart mounts. Make sure to change the `service` entry to point to the correct Service endpoint in your cluster (scheme, Service name and port), and the `hostname` to the DNS entry you routed above. Keep the final `http_status:404` rule: cloudflared evaluates ingress rules in order and requires a catch-all rule with no hostname as the last entry, and returning 404 there means a request for any other hostname routed to this tunnel gets nothing rather than being forwarded to your service. The metrics endpoint listens on all of the pod’s interfaces and is reachable from inside the cluster network; it is not exposed through the tunnel.

apiVersion: v1
kind: ConfigMap
metadata:
  name: some-configmap-name
  namespace: somewhere
data:
  config.yaml: |
    tunnel: tunnel-name
    credentials-file: /etc/cloudflared/creds/credentials.json
    metrics: 0.0.0.0:2000
    no-autoupdate: true
    ingress:
    - hostname: something.somewhere.com
      service: http://service-name:3000
    - service: http_status:404

Then apply the config:

$ kubectl apply -f configmap.yaml

Installing the chart

Either modify values.yaml so that the `configuration` block names the secrets holding the credentials and certificate and the ConfigMap holding the config, or pass the same values on the command line with `--set` when running `helm install`.

...

configuration:
  creds: some-secret-name
  cert: some-secret-name
  config: some-configmap-name

...
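As an added worked example (not code from the helm-cf-tunnels repository), here are the steps above as a POSIX shell script. It renders the ConfigMap from a few parameters, checks the ingress block offline before applying it, and only then runs the cloudflared, kubectl and helm commands. The chart path `./helm-cf-tunnels`, the secret and ConfigMap names, and picking the newest `~/.cloudflared/*.json` file as the tunnel credentials are assumptions; the `configuration.creds`, `configuration.cert` and `configuration.config` values keys are the ones from the chart’s values.yaml shown above.

```shell
#!/bin/sh
# Added example, not part of the helm-cf-tunnels chart. Wraps the README
# steps in functions so the generated ConfigMap can be checked offline
# before anything is created in the cluster. Secret and ConfigMap names
# and the chart path are assumptions.
set -eu

# Render the ConfigMap the chart mounts as the cloudflared config.
# Arguments: configmap-name namespace tunnel hostname service
render_configmap() {
  cm_name=$1 cm_ns=$2 cm_tunnel=$3 cm_host=$4 cm_svc=$5
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: $cm_name
  namespace: $cm_ns
data:
  config.yaml: |
    tunnel: $cm_tunnel
    credentials-file: /etc/cloudflared/creds/credentials.json
    metrics: 0.0.0.0:2000
    no-autoupdate: true
    ingress:
    - hostname: $cm_host
      service: $cm_svc
    - service: http_status:404
EOF
}

# Check the ingress block read from stdin: every rule but the last must name
# a hostname, and the last must be the http_status:404 catch-all. A catch-all
# that forwards to a service would expose it under any hostname routed to the
# tunnel, so that is rejected. Returns non-zero on any violation.
check_ingress() {
  awk '
    /^ *ingress:/ { in_ing = 1; next }
    in_ing && /^ *- / {
      n++
      if ($0 ~ /hostname:/) has_host[n] = 1
      else if ($0 ~ /service: *http_status:404/) is_catch[n] = 1
    }
    END {
      if (n == 0) { print "no ingress rules found"; exit 1 }
      if (!is_catch[n]) { print "last ingress rule must be service: http_status:404"; exit 1 }
      for (i = 1; i < n; i++) { if (!has_host[i]) { print "ingress rule " i " has no hostname"; exit 1 } }
      print "ingress ok: " n " rules"
    }'
}

# Run the README steps in order. Needs cloudflared (already logged in, so
# ~/.cloudflared/cert.pem exists), kubectl and helm on PATH.
# Arguments: tunnel hostname service namespace
deploy() {
  tunnel=$1 hostname=$2 service=$3 ns=$4
  cloudflared tunnel create "$tunnel"
  cloudflared tunnel route dns "$tunnel" "$hostname"
  # Assumption: the newest credentials file is the one just created.
  creds=$(ls -t "$HOME"/.cloudflared/*.json | head -n 1)
  # One secret holding both files; the chart's creds and cert values can
  # point at the same secret. cert.pem is the account-level origin
  # certificate, so this secret deserves tight RBAC.
  kubectl -n "$ns" create secret generic cf-tunnel-secret \
    --from-file=credentials.json="$creds" \
    --from-file=cert.pem="$HOME/.cloudflared/cert.pem"
  render_configmap cf-tunnel-config "$ns" "$tunnel" "$hostname" "$service" > configmap.yaml
  check_ingress < configmap.yaml
  kubectl apply -f configmap.yaml
  helm install "$tunnel" ./helm-cf-tunnels --namespace "$ns" \
    --set configuration.creds=cf-tunnel-secret \
    --set configuration.cert=cf-tunnel-secret \
    --set configuration.config=cf-tunnel-config
}

# Only touch the cluster when invoked as:
#   sh deploy.sh deploy <tunnel> <hostname> <service> <namespace>
if [ "${1:-}" = deploy ]; then
  shift
  deploy "$@"
fi
```

Sourcing the file without the `deploy` argument loads only the two helper functions, which is handy for checking a hand-written ConfigMap with `check_ingress < configmap.yaml` before `kubectl apply`. The check is deliberately strict about the catch-all: a trailing rule without a hostname that points at a real service is the easiest way to accidentally publish it.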

Public or Private?

At this point your tunnel should be up and running, and the hostname is reachable by anyone on the internet: Cloudflare terminates TLS and forwards every request for that hostname to your Service, so treat the origin as internet-exposed until you put a policy in front of it. If you want it to be public, you are done. Otherwise, go to the Zero Trust section of your Cloudflare dashboard and add an Access application for the hostname with a policy describing who may reach it; requests that do not satisfy the policy are stopped at Cloudflare’s edge and never reach the tunnel.

Tags: devops, helm, tunnel, cloudflare
