add GKE, httpbin, and tunnel token steps

ranbel · ranbel · commit da6f0837410f · 2025-06-16T17:32:29.000-04:00
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/configure-tunnels/remote-tunnel-permissions.mdx
@@ -17,7 +17,7 @@ To get the token for a remotely-managed tunnel:
 <TabItem label="Dashboard">
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Tunnels**.
 2. Select a `cloudflared` tunnel and select **Edit**.
-3. Copy `cloudflared` installation command.
+3. Copy the `cloudflared` installation command.
 4. Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...`
 
 </TabItem>
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 6
 ---
 
-[Kubernetes](https://kubernetes.io/) is a container orchestration tool that helps deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the `cloudflared` daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare.
+[Kubernetes](https://kubernetes.io/) is a container orchestration tool that is used to deploy applications onto physical or virtual machines, scale the deployment to meet traffic demands, and push updates without downtime. The Kubernetes cluster, or environment, where the application instances are running is connected internally through a private network. You can install the `cloudflared` daemon inside of the Kubernetes cluster in order to connect applications inside of the cluster to Cloudflare.
 
 This guide will cover how to expose a Kubernetes service to the public Internet using a [remotely-managed](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#remotely-managed-tunnel) Cloudflare Tunnel. For the purposes of this example, we will deploy a basic web application alongside `cloudflared` in Google Kubernetes Engine (GKE). The same principles apply to any other Kubernetes environment (such as `minikube`, `kubeadm`, or a cloud-based Kubernetes service) where `cloudflared` can connect to Cloudflare's network.
 
@@ -17,7 +17,7 @@ If you are looking to set up a [locally-managed tunnel](/cloudflare-one/connecti
 
 ![Diagram showing how a user connects to Kubernetes services through Cloudflare Tunnel](~/assets/images/cloudflare-one/connections/connect-apps/kubernetes-tunnel.png)
 
-As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) running the same Cloudflare Tunnel -- there is no need to build a dedicated tunnel for each pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster.
+As shown in the diagram, we recommend setting up `cloudflared` as an adjacent [deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) to the application deployments. Having a separate Kubernetes deployment for `cloudflared` allows you to scale `cloudflared` independently of the application. In the `cloudflared` deployment, you can spin up [multiple replicas](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-availability/) running the same Cloudflare Tunnel -- there is no need to build a dedicated tunnel for each `cloudflared` pod. Each `cloudflared` replica / pod can reach all Kubernetes services in the cluster.
 
 :::note
 We do not recommend using `cloudflared` in autoscaling setups because downscaling (removing replicas) will break existing user connections to that replica. Additionally, `cloudflared` does not load balance across replicas; replicas are strictly for high availability. To load balance traffic to your nodes, you can use [Cloudflare Load Balancer](/load-balancing/private-network/) or a third-party load balancer.
@@ -27,75 +27,189 @@ Once the cluster is connected to Cloudflare, you can configure Cloudflare Tunnel
 
 ## Prerequisites
 
+To complete the following procedure, you will need:
+- [A Google Cloud Project](https://cloud.google.com/resource-manager/docs/creating-managing-projects#creating_a_project)
+- [A zone on Cloudflare](/fundamentals/manage-domains/add-site/)
+
 ## 1. Create a GKE cluster
 
+To create a new Kubernetes cluster in Google Cloud:
+
+1. Open [Google Cloud](https://console.cloud.google.com/) and go to **Kubernetes Engine**.
+2. In **Clusters**, select **Create**.
+3. Name the cluster. In this example, we will name it `cloudflare-tunnel`.
+4. (Optional) Choose your desired region and other cluster specifications. For this example, we will use the default specifications.
+5. Select **Create**.
+6. To connect to the cluster:
+	1. Select the three-dot menu.
+	2. Select **Connect**.
+	3. Select **Run in Cloud Shell** to open a terminal in the browser.
+	4. Select **Authorize**.
+	5. Press Enter to run the pre-populated `gcloud` command.
+	6. (Recommended) In the Cloud Shell menu, select **Open Editor** to launch the built-in IDE.
+7. Run the following command to check the cluster status:
+		```sh
+		kubectl get all
+		```
+		```sh output
+		NAME                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+		service/kubernetes   ClusterIP   34.118.224.1   <none>        443/TCP   15m
+		```
+
+## 2. Create pods for the web app
+
+A pod represents an instance of a running process in the cluster. In this example, we will deploy the [httpbin](https://httpbin.org/) application with two pods and make the pods accessible inside the cluster at `httpbin-service:80`.
+
+1. Create a folder for your Kubernetes manifest files:
+
+   ```sh
+   mkdir tunnel-example
+   ```
+
+2. Change into the directory:
+
+   ```sh
+   cd tunnel-example
+   ```
 
-- Install the [gcloud CLI](https://cloud.google.com/sdk/docs/install) and [kubectl CLI](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl).
-- In the GCP console create a new Kubernetes cluster.
-- In order to connect to the cluster, select the three dots and then connect from the drop down.
-- Copy the command that appears and paste it into your local terminal.
+4. In the `tunnel-example` directory, create a new file called `httpbin.yaml`. This file defines the Kubernetes deployment for the httpbin app.
 
+		```yaml title="httpbin.yaml"
+		apiVersion: apps/v1
+		kind: Deployment
+		metadata:
+			name: httpbin-deployment
+			namespace: default
+		spec:
+			replicas: 2
+			selector:
+				matchLabels:
+					app: httpbin
+			template:
+				metadata:
+					labels:
+						app: httpbin
+				spec:
+					containers:
+					- name: httpbin
+						image: kennethreitz/httpbin:latest
+						imagePullPolicy: IfNotPresent
+						ports:
+						- containerPort: 80
+		```
 
-## Create pods for the web app
+5. Create a new `httpbinsvc.yaml` file. This file defines a Kubernetes service that allows other apps in the cluster (such as `cloudflared`) to access the set of httpbin pods.
 
+		```yaml title="httpbinsvc.yaml"
+		apiVersion: v1
+		kind: Service
+		metadata:
+			name: httpbin-service
+			namespace: default
+		spec:
+			type: LoadBalancer
+			selector:
+				app: httpbin
+			ports:
+			- port: 80
+				targetPort: 80
+		```
 
+6. Use the following command to run the application inside the cluster:
 
-A pod is the basic deployable object that Kubernetes creates. It represents an instance of a running process in the cluster. The following .yml file ( httpbin-app.yml) will create a pod that contains the httpbin application. It will create two replicas so as to prevent any downtime. The application will be accessible inside the cluster at web-service:80.
+		```sh
+		kubectl create -f httpbin.yaml -f httpbinsvc.yaml
+		```
 
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: httpbin-deployment
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  replicas: 2
-  template:
-    metadata:
-      labels:
-        app: httpbin
-    spec:
-      containers:
-        - name: httpbin
-          image: kennethreitz/httpbin:latest
-          ports:
-            - containerPort: 80
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: web-service
-spec:
-  selector:
-    app: httpbin
-  ports:
-    - protocol: TCP
-      port: 80
-```
+7. Check the status of your deployment:
 
-Using the following command the application will begin to run inside the cluster.
+		```sh
+		kubectl get all
+		```
 
-```sh
-kubectl create -f httpbin-app.yml
-```
+		```sh output
+		NAME                                     READY   STATUS    RESTARTS   AGE
+		pod/httpbin-deployment-bc6689c5d-b5ftk   1/1     Running   0          79s
+		pod/httpbin-deployment-bc6689c5d-cbd9m   1/1     Running   0          79s
 
-The pods' status can be seen through the console or using the kubectl get pod command.
+		NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)        AGE
+		service/httpbin-service   LoadBalancer   34.118.225.147   34.75.201.60   80:31967/TCP   79s
+		service/kubernetes        ClusterIP      34.118.224.1     <none>         443/TCP        24h
+
+		NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
+		deployment.apps/httpbin-deployment   2/2     2            2           79s
 
-```sh
-kubectl get pods
-```
+		NAME                                           DESIRED   CURRENT   READY   AGE
+		replicaset.apps/httpbin-deployment-bc6689c5d   2         2         2       79s
+		```
 
-## Create a tunnel
+## 3. Create a tunnel
 
-Applications must be packaged into a containerized image, such as a Docker image, before you can run it in Kubernetes. Kubernetes uses the image to spin up multiple instances of the application.
+1. Open a new browser tab and log in to [Zero Trust](https://one.dash.cloudflare.com).
 
-## Store the tunnel token
+2. Go to **Networks** > **Tunnels**.
 
-## Create pods for cloudflared
+3. Select **Create a tunnel**.
+
+4. Choose **Cloudflared** for the connector type and select **Next**.
+
+5. Enter a name for your tunnel (for example, `gke`).
+
+6. Select **Save tunnel**.
+
+7. Under **Choose an environment**, select **Docker**.
+
+		Applications must be packaged into a containerized image before you can run it in Kubernetes. Therefore, we will use the `cloudflared` Docker container image to deploy the tunnel in Kubernetes.
+
+8. Instead of running the installation command, copy just the token value rather than the whole command. The token value is of the form `eyJhIjoiNWFiNGU5Z...` You will need the token for the Kubernetes manifest file.
+
+Leave this browser tab open while we finish up the Kubernetes deployment.
+
+## 4. Store the tunnel token
+
+Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) that contains the tunnel token. The tunnel token must be encoded as a base64-encoded string before it can be stored in the secret. The encoding is not meant to protect the token from being read but to allow for the safe handling of binary data within Kubernetes.
 
+1. Convert the tunnel token into base64 format:
 
+	```sh
+	'eyJhIjoiNWFiNGU5Z...' | base64
+	```
+
+	```sh output
+	ZXlKa...NKOQo=
+	```
+
+2. In GKE Cloud Shell, create a `tunnel-token.yaml` file with the following content. Make sure to replace `<base64_tunnel_token>` with your base64-encoded token value (`ZXlKa...NKOQo=`).
+
+		```yaml title="tunnel-token.yaml"
+		apiVersion: v1
+		data:
+				token: <base64_tunnel_token>
+		kind: Secret
+		metadata:
+				name: tunnel-token
+				namespace: default
+		type: Opaque
+		```
+
+3. Create the secret:
+
+		```sh
+		kubectl create -f tunnel-token.yaml
+		```
+
+4. Check the newly created secret:
+
+		```sh
+		kubectl get secrets
+		```
+
+		```sh output
+		NAME        TYPE     DATA   AGE
+		tunnel-token   Opaque   1      100s
+		```
+
+## Create pods for cloudflared
 
 The tunnel can be created through the dashboard using [this guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). Instead of running the command to install a connector you will select docker as the environment and copy just the token rather than the whole command. Configure the tunnel to route to k8.example.com from the service [http://web-service:80](http://web-service:80). Create the cloudflared-deployment.yml file with the following content.
 
