Using Cloudflare Tunnels to Route Directly to Your Ingress Controller

You should at this time know cloudflare tunnels, which are tunnels that expose
your internal services without opening ports in your router, but i saw very
little about using them in a k8s environment using an ingress, which i had done
and i will explain to you here.

The first step is this one
,check this out directly from cloudflare.

Well when you have been done this, is time to connect this to connect this to
our ingress controller to expose all you want to expose using an ingress,
directly from k8s throught the cloudflare tunnel

On the last part of the manifest they gave you to deploy the service, we need
to modify some things:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
---
# This ConfigMap is just a way to define the cloudflared config.yaml file in k8s.
# It's useful to define it in k8s, rather than as a stand-alone .yaml file,because
# this lets you use various k8s templating solutions (e.g. Helm charts) to
# parameterize your config, instead of just using string literals.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
data:
  config.yaml: |
    # Name of the tunnel you want to run
    tunnel: example-tunnel
    credentials-file: /etc/cloudflared/creds/credentials.json
    # Serves the metrics server under /metrics and the readiness server under /ready
    metrics: 0.0.0.0:2000
    # Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so
    # autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly
    # recommend using autoupdate.
    no-autoupdate: true
    # The `ingress` block tells cloudflared which local service to route incoming
    # requests to. For more about ingress rules, see
    # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress
    #
    # Remember, these rules route traffic from cloudflared to a local service. To route traffic
    # from the internet to cloudflared, run `cloudflared tunnel route dns <tunnel> <hostname>`.
    # E.g. `cloudflared tunnel route dns example-tunnel tunnel.example.com`.
    ingress:
    # The first rule proxies traffic to the httpbin sample Service defined in app.yaml
    - hostname: tunnel.example.com
      service: http://web-service:80
    # This rule sends traffic to the built-in hello-world HTTP server. This can help debug connectivity
    # issues. If hello.example.com resolves and tunnel.example.com does not, then the problem is
    # in the connection from cloudflared to your local service, not from the internet to cloudflared.
    - hostname: hello.example.com
      service: hello_world
    # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
    - service: http_status:404

On the ingress part, we are going to change what you got, for this:

1
2
3
4
5
6
7
8
ingress:
    - hostname: 'host1.level5.dev'
      service: http://traefik.traefik.svc.cluster.local:80
    - hostname: 'run.level5.dev'
      service: http://traefik.traefik.svc.cluster.local:80
    - hostname: 'host2.level5.dev'
      service: http://traefik.traefik.svc.cluster.local:80
    - service: http_status:404

See the change?

Now, all the traffic that goes to host1, host2 and run.level5.dev are properly routed
to the ingress controller, which is traefik.

This is what i got for this blog

1
2
3
4
5
6
7
8
9
10
11
12
> k describe ingress static-website -n website
Name:             static-website
Namespace:        website
Address:
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host            Path  Backends
  ----            ----  --------
  run.level5.dev
                  /   static-website:80 (10.42.7.223:80)
Annotations:      <none>
Events:           <none>

There is one thing that at the moment doesnt work: using wildcards on the ingress
part of the cloudflared file. When it works, you only need to configure a
wildcard there and cloudflare will route all to your ingress.

Bonus, you get a certificate for FREE on cloudflare behalf and you dont need
to worry ANYMORE about certificate expiration / renewal.

easy peasy!

Comments

⬆︎TOP