[cloudflare-tunnel] New chart (#545)
* Add: init chart cloudflare-tunnel

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: documentation

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

---------

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
1 parent 4c55a8a, commit 4c77819
Showing 11 changed files with 492 additions and 0 deletions.
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*.orig | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
@@ -0,0 +1,36 @@ | ||
--- | ||
apiVersion: v2 | ||
name: cloudflare-tunnel | ||
description: Creation of a cloudflared deployment - a reverse tunnel for an environment | ||
type: application | ||
version: 0.1.0 | ||
appVersion: "2023.5.1" | ||
icon: https://www.vectorlogo.zone/logos/cloudflare/cloudflare-icon.svg | ||
home: https://github.com/nlamirault/portefaix-hub | ||
sources: | ||
- https://github.com/nlamirault/portefaix-hub/tree/master/charts/cloudflare-tunnel | ||
keywords: | ||
- cloudflare | ||
- cloudflared | ||
- tunnel | ||
|
||
maintainers: | ||
- name: nlamirault | ||
email: nicolas.lamirault@gmail.com | ||
url: https://github.com/nlamirault | ||
|
||
# https://artifacthub.io/docs/topics/annotations/helm/ | ||
annotations: | ||
artifacthub.io/license: Apache-2.0 | ||
artifacthub.io/links: | | ||
- name: Cloudflare Tunnel | ||
url: https://github.com/cloudflare/cloudflared | ||
artifacthub.io/maintainers: | | ||
- name: nlamirault | ||
email: nicolas.lamirault@gmail.com | ||
artifacthub.io/signKey: | | ||
fingerprint: C39918B3EBDE35C23B8D0B8E5F99269A6FCA437C | ||
url: https://keybase.io/nlamirault/pgp_keys.asc | ||
artifacthub.io/changes: | | ||
- kind: added | ||
description: Bootstrap chart from Cloudflare chart |
@@ -0,0 +1,59 @@ | ||
# cloudflare-tunnel | ||
|
||
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2023.5.1](https://img.shields.io/badge/AppVersion-2023.5.1-informational?style=flat-square) | ||
|
||
Creation of a cloudflared deployment - a reverse tunnel for an environment | ||
|
||
**Homepage:** <https://github.com/nlamirault/portefaix-hub> | ||
|
||
## Maintainers | ||
|
||
| Name | Email | Url | | ||
| ---- | ------ | --- | | ||
| nlamirault | <nicolas.lamirault@gmail.com> | <https://github.com/nlamirault> | | ||
|
||
## Source Code | ||
|
||
* <https://github.com/nlamirault/portefaix-hub/tree/master/charts/cloudflare-tunnel> | ||
|
||
## Values | ||
|
||
| Key | Type | Default | Description | | ||
|-----|------|---------|-------------| | ||
| additionalLabels | object | `{}` | Additional labels to add to all resources | | ||
| affinity | object | `{}` | | | ||
| cloudflare.account | string | `""` | | | ||
| cloudflare.enableWarp | bool | `false` | | | ||
| cloudflare.ingress | list | `[]` | | | ||
| cloudflare.protocol | string | `""` | | | ||
| cloudflare.secret | string | `""` | | | ||
| cloudflare.secretName | string | `nil` | | | ||
| cloudflare.tunnelId | string | `""` | | | ||
| cloudflare.tunnelName | string | `""` | | | ||
| fullnameOverride | string | `""` | | | ||
| image.pullPolicy | string | `"IfNotPresent"` | | | ||
| image.repository | string | `"cloudflare/cloudflared"` | | | ||
| image.tag | string | `""` | | | ||
| imagePullSecrets | list | `[]` | | | ||
| nameOverride | string | `""` | | | ||
| nodeSelector | object | `{}` | | | ||
| podAnnotations | object | `{}` | | | ||
| podSecurityContext.runAsNonRoot | bool | `true` | | | ||
| podSecurityContext.runAsUser | int | `65532` | | | ||
| replicaCount | int | `1` | | | ||
| resources | object | `{}` | | | ||
| securityContext.allowPrivilegeEscalation | bool | `false` | | | ||
| securityContext.capabilities.drop[0] | string | `"ALL"` | | | ||
| securityContext.readOnlyRootFilesystem | bool | `true` | | | ||
| serviceAccount.annotations | object | `{}` | | | ||
| serviceAccount.name | string | `""` | | | ||
| serviceMonitor.additionalLabels | object | `{}` | Add custom labels to the ServiceMonitor resource | | ||
| serviceMonitor.enabled | bool | `false` | Enable this if you're using https://github.com/coreos/prometheus-operator | | ||
| serviceMonitor.honorLabels | bool | `false` | Chooses the metric’s labels on collisions with target labels. | | ||
| serviceMonitor.interval | string | `"30s"` | Interval at which endpoints should be scraped. | | ||
| serviceMonitor.path | string | `"/metrics"` | Path to scrape metrics | | ||
| serviceMonitor.scrapeTimeout | string | `"10s"` | Timeout for scrape metrics request | | ||
| tolerations | list | `[]` | | | ||
|
||
---------------------------------------------- | ||
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) |
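Review bot: the Values table leaves the credential-related keys undocumented: `cloudflare.account`, `cloudflare.tunnelId`, `cloudflare.secret` and `cloudflare.secretName` all have an empty Description cell, yet together they decide whether the chart renders a Secret from plain values or mounts a pre-existing one. Since this README is autogenerated by helm-docs, add `# --` comments above those keys in values.yaml (for example `# -- Name of an existing Secret holding credentials.json; when set, no Secret is rendered from values`) so the generated table explains the choice; the `podSecurityContext.*` and `securityContext.*` rows deserve the same treatment, since their hardened defaults (non-root, drop ALL, read-only root filesystem) are worth stating rather than leaving blank.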
@@ -0,0 +1,56 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "cloudflare-tunnel.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "cloudflare-tunnel.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "cloudflare-tunnel.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "cloudflare-tunnel.labels" -}} | ||
helm.sh/chart: {{ include "cloudflare-tunnel.chart" . }} | ||
{{ include "cloudflare-tunnel.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/component: tunnel | ||
app.kubernetes.io/part-of: {{ include "cloudflare-tunnel.name" . }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- if .Values.additionalLabels }} | ||
{{ toYaml .Values.additionalLabels }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "cloudflare-tunnel.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "cloudflare-tunnel.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} |
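Review bot: `{{ toYaml .Values.additionalLabels }}` inside `cloudflare-tunnel.labels` is emitted without `nindent`, so it only lands at the right indentation because every caller pipes the whole include through `nindent 4`; a one-line comment above the `define` stating that contract would save the next person who tries to use the template at a different depth.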
@@ -0,0 +1,31 @@ | ||
# This configmap stores the configuration used by cloudflared. | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
data: | ||
config.yaml: | | ||
# Name of the tunnel you want to run | ||
tunnel: {{ .Values.cloudflare.tunnelName }} | ||
# The location of the secret containing the tunnel credentials | ||
credentials-file: /etc/cloudflared/creds/credentials.json | ||
# General purpose TCP routing for the network | ||
warp-routing: | ||
enabled: {{ .Values.cloudflare.enableWarp }} | ||
# Serves the metrics server under /metrics and the readiness server under /ready | ||
metrics: 0.0.0.0:2000 | ||
# Specifies the protocol used to establish a connection between cloudflared and the Cloudflare global network | ||
protocol: {{ default "auto" .Values.cloudflare.protocol }} | ||
# Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so | ||
# autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly | ||
# recommend using autoupdate. | ||
no-autoupdate: true | ||
# The `ingress` block tells cloudflared which local service to route incoming | ||
# requests to. For more about ingress rules, see | ||
# https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress | ||
ingress: | ||
{{- with .Values.cloudflare.ingress }} | ||
{{- toYaml . | nindent 6 }} | ||
{{- end }} | ||
# This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404. | ||
- service: http_status:404 |
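Review bot: in the `ingress:` block the user rules are rendered with `toYaml . | nindent 6` while the catch-all `- service: http_status:404` is a literal line in the template; both sets of sequence entries must end up at the same indentation inside the `config.yaml: |` block scalar, otherwise cloudflared rejects the file at startup rather than `helm template` rejecting it at render time, so verify the rendered ConfigMap with a non-empty `cloudflare.ingress` before merging. Two smaller points: `metadata` here lacks the `labels: {{- include "cloudflare-tunnel.labels" . | nindent 4 }}` that every other resource in this commit carries, and `tunnel: {{ .Values.cloudflare.tunnelName }}` should be `| quote` (or `required`), because the default `""` renders a bare `tunnel:` key, i.e. a null value.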
@@ -0,0 +1,102 @@ | ||
# Here we deploy cloudflared images. The tunnel credentials are stored in | ||
# a k8s secret, and the configuration is stored in a k8s configmap. | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
labels: | ||
{{- include "cloudflare-tunnel.labels" . | nindent 4 }} | ||
spec: | ||
replicas: {{ .Values.replicaCount }} | ||
selector: | ||
matchLabels: | ||
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }} | ||
template: | ||
metadata: | ||
annotations: | ||
# These are here so the deployment rolls when the config or secret change. | ||
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} | ||
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} | ||
{{- with .Values.podAnnotations }} | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
labels: | ||
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 8 }} | ||
spec: | ||
{{- with .Values.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
serviceAccountName: {{ include "cloudflare-tunnel.fullname" . }} | ||
securityContext: | ||
{{- toYaml .Values.podSecurityContext | nindent 8 }} | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
securityContext: | ||
{{- toYaml .Values.securityContext | nindent 12 }} | ||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" | ||
imagePullPolicy: {{ .Values.image.pullPolicy }} | ||
args: | ||
- tunnel | ||
# Points cloudflared to the config file, which configures what | ||
# cloudflared will actually do. This file is created by a ConfigMap. | ||
- --config | ||
- /etc/cloudflared/config/config.yaml | ||
- run | ||
livenessProbe: | ||
httpGet: | ||
# Cloudflared has a /ready endpoint which returns 200 if and only if | ||
# it has an active connection to the edge. | ||
path: /ready | ||
port: 2000 | ||
failureThreshold: 1 | ||
initialDelaySeconds: 10 | ||
periodSeconds: 10 | ||
volumeMounts: | ||
- name: config | ||
mountPath: /etc/cloudflared/config | ||
readOnly: true | ||
# Each tunnel has an associated "credentials file" which authorizes machines | ||
# to run the tunnel. cloudflared will read this file from its local filesystem, | ||
# and it'll be stored in a k8s secret. | ||
- name: creds | ||
mountPath: /etc/cloudflared/creds | ||
readOnly: true | ||
resources: | ||
{{- toYaml .Values.resources | nindent 12 }} | ||
volumes: | ||
- name: creds | ||
secret: | ||
secretName: {{ .Values.cloudflare.secretName | default (include "cloudflare-tunnel.fullname" .) }} | ||
- name: config | ||
configMap: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
items: | ||
- key: config.yaml | ||
path: config.yaml | ||
{{- with .Values.nodeSelector }} | ||
nodeSelector: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} | ||
affinity: | ||
{{- with .Values.affinity }} | ||
{{- toYaml . | nindent 8 }} | ||
{{- else }} | ||
podAntiAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 10 | ||
podAffinityTerm: | ||
topologyKey: kubernetes.io/hostname | ||
labelSelector: | ||
matchExpressions: | ||
{{- range $k, $v := include "cloudflare-tunnel.selectorLabels" . | fromYaml }} | ||
- key: {{ $k }} | ||
operator: In | ||
values: | ||
- {{ $v }} | ||
{{- end }} | ||
{{- end }} | ||
{{- with .Values.tolerations }} | ||
tolerations: | ||
{{- toYaml . | nindent 8 }} | ||
{{- end }} |
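Review bot: the container has only a `livenessProbe` on `/ready` with `failureThreshold: 1` and no `readinessProbe`; the comment on that probe says `/ready` returns 200 only while there is an active connection to the edge, so a single transient disconnect restarts the container instead of merely taking it out of rotation. Suggest adding a `readinessProbe` on the same endpoint and raising the liveness `failureThreshold` (the Kubernetes default is 3). Also, the pod template labels use only `selectorLabels`, so `additionalLabels` (documented as "Additional labels to add to all resources") never reach the pods; and `- {{ $v }}` in the anti-affinity `values` list is safer as `- {{ $v | quote }}` for release names that YAML would parse as numbers.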
@@ -0,0 +1,17 @@ | ||
{{- if and (and .Values.cloudflare.account .Values.cloudflare.tunnelId .Values.cloudflare.secret) (not .Values.cloudflare.secretName) }} | ||
# This credentials secret allows cloudflared to authenticate itself | ||
# to the Cloudflare infrastructure. | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
labels: | ||
{{- include "cloudflare-tunnel.labels" . | nindent 4 }} | ||
stringData: | ||
credentials.json: |- | ||
{ | ||
"AccountTag": {{ .Values.cloudflare.account | quote }}, | ||
"TunnelID": {{ .Values.cloudflare.tunnelId | quote }}, | ||
"TunnelSecret": {{ .Values.cloudflare.secret | quote }} | ||
} | ||
{{- end }} |
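Review bot: the guard `if and (and account tunnelId secret) (not secretName)` silently renders nothing when only some of `cloudflare.account`, `cloudflare.tunnelId` and `cloudflare.secret` are set, while the Deployment still mounts a Secret named `{{ include "cloudflare-tunnel.fullname" . }}`; the result is a pod stuck at volume mount with no hint at template time. Prefer `required "cloudflare.secret is required when cloudflare.secretName is not set" .Values.cloudflare.secret` (and likewise for the other two) or an explicit `fail` so the misconfiguration is reported by `helm install`. Separately, since `TunnelSecret` is rendered from plain values, it ends up in values files and in the Helm release record; the `secretName` path for a pre-existing Secret is the better default for production and should be documented as such.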
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
labels: | ||
{{- include "cloudflare-tunnel.labels" . | nindent 4 }} | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- port: 2000 | ||
targetPort: 2000 | ||
protocol: TCP | ||
name: metrics | ||
selector: | ||
{{- include "cloudflare-tunnel.selectorLabels" . | nindent 4 }} |
@@ -0,0 +1,12 @@ | ||
# Here we create a service account with no privileges to run the | ||
# deployment - just in case the default service account is different. | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ include "cloudflare-tunnel.fullname" . }} | ||
labels: | ||
{{- include "cloudflare-tunnel.labels" . | nindent 4 }} | ||
{{- with .Values.serviceAccount.annotations }} | ||
annotations: | ||
{{- toYaml . | nindent 4 }} | ||
{{- end }} |
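Review bot: the comment says this ServiceAccount has "no privileges", but its token is still auto-mounted into the cloudflared pod (neither this resource nor the Deployment's pod spec sets `automountServiceAccountToken`), and cloudflared has no reason to call the Kubernetes API. Add `automountServiceAccountToken: false` here so a compromised container holds no cluster credential at all. Separately, the README advertises a `serviceAccount.name` value, but this template and the Deployment's `serviceAccountName` both hardcode `include "cloudflare-tunnel.fullname"`, so that value is silently ignored; either honor it or drop it from values.yaml.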