Cloudflare Tunnel provides secure external access without opening inbound ports on the origin. The following services are exposed through it:
| Domain | Service | Purpose |
|---|---|---|
| tower-api.jinwang.dev | Tower K8s API | kubectl access (tower cluster) |
| sandbox-api.jinwang.dev | Sandbox K8s API | kubectl access (sandbox cluster) |
| auth.jinwang.dev | Keycloak | OIDC authentication |
| cd.jinwang.dev | ArgoCD | GitOps dashboard |
```
# In Cloudflare Zero Trust dashboard:
# Access → Tunnels → Create a tunnel
# Name: playbox-admin-static
# Download: credentials JSON + cert.pem
```

Cloudflare automatically creates CNAME records when the tunnel is configured. Verify in the DNS dashboard:

- tower-api.jinwang.dev → tunnel CNAME
- sandbox-api.jinwang.dev → tunnel CNAME
- auth.jinwang.dev → tunnel CNAME
- cd.jinwang.dev → tunnel CNAME
For additional security, add Access policies:
- Allow only specific email domains
- Require MFA for API access
- Bypass for OIDC callback URLs
- Client → Cloudflare: Cloudflare's edge cert (publicly trusted, automatic)
- Cloudflare → Origin: `noTLSVerify: true` for the K8s API (self-signed CA). cert-manager handles internal certs.
- Client kubeconfig: no `insecure-skip-tls-verify` needed
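The ingress rules that the hostname table and the TLS notes above describe, as an added example cloudflared `config.yaml` rather than the project's own file. The tunnel UUID, the sandbox API address, the Keycloak/ArgoCD in-cluster service names and the cert-manager CA path are placeholders or assumptions; `kubernetes.default.svc` assumes cloudflared runs inside the tower cluster (the troubleshooting section references a `kube-tunnel` namespace).

```yaml
# Added example configuration for cloudflared (not the project's own file).
# <TUNNEL-UUID>, <SANDBOX-API-ADDRESS>, the service names and the CA path are
# placeholders/assumptions; adjust them to the real clusters.
tunnel: <TUNNEL-UUID>                     # the tunnel named playbox-admin-static
credentials-file: /etc/cloudflared/credentials.json

ingress:
  # Kubernetes API servers present a cert from the cluster's own CA, which the
  # Cloudflare edge does not trust, so origin verification is skipped for these
  # two hostnames only. The client-facing cert is still Cloudflare's edge cert,
  # so kubeconfig needs no insecure-skip-tls-verify.
  - hostname: tower-api.jinwang.dev
    service: https://kubernetes.default.svc:443   # assumed: in-cluster API
    originRequest:
      noTLSVerify: true
  - hostname: sandbox-api.jinwang.dev
    service: https://<SANDBOX-API-ADDRESS>:6443   # placeholder
    originRequest:
      noTLSVerify: true

  # Keycloak and ArgoCD use cert-manager issued certs; keep verification on and
  # trust the issuing CA explicitly so a swapped or expired origin cert fails
  # instead of being silently accepted. (caPool path is an assumption.)
  - hostname: auth.jinwang.dev
    service: https://keycloak.keycloak.svc:443    # assumed service name
    originRequest:
      caPool: /etc/cloudflared/internal-ca.pem
  - hostname: cd.jinwang.dev
    service: https://argocd-server.argocd.svc:443 # assumed service name
    originRequest:
      caPool: /etc/cloudflared/internal-ca.pem

  # Catch-all rule (required by cloudflared): any hostname not listed above
  # gets a 404 rather than being routed to a default origin.
  - service: http_status:404
```

With this layout, `noTLSVerify` is scoped to the two API hostnames rather than set globally under a top-level `originRequest`, which is the setting to check first when a certificate error appears on auth or cd.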
- Tunnel not connecting: check `kubectl logs -n kube-tunnel -l app=cloudflared`
- 502 errors: verify the target service is running
- Certificate errors: ensure the Cloudflare SSL mode is "Full", not "Full (Strict)", for tunnel origins