
feat: add Cloudflare Tunnel for TLS ingress #16

@disentangle-network

Description

Summary

Deploy Cloudflare Tunnel (cloudflared) as the ingress/TLS solution for the Always Free OKE cluster. This eliminates the need for cert-manager, an ingress controller, and a load balancer.

Research Findings

  • Approach: Single cloudflared pod creates outbound tunnel to Cloudflare edge
  • Resource footprint: ~200m CPU, ~128Mi RAM, 0 PVCs
  • ARM64: Confirmed (official multi-arch image since v2022.12.0)
  • What it eliminates: cert-manager (3 pods), ingress controller (1-2 pods), load balancer (preserves 1 free LB for future use)
  • TLS: Handled by Cloudflare Universal SSL (free)

Blocker

Requires Cloudflare Tunnel token provisioned via Cloudflare dashboard/API and stored as a K8s Secret. This is an external dependency.
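The manifest below is an added example of how the Secret and the cloudflared Deployment from the acceptance criteria could be wired together; it is not code from this issue or the project. The namespace, Secret name, label values and the pinned image tag are assumptions or placeholders. The token is read from the Secret through the TUNNEL_TOKEN environment variable (which cloudflared honours for `tunnel run --token`) instead of being passed on the command line, so it never shows up in process listings or pod describe output; the public hostname to service mapping for the RPC endpoint lives in the Cloudflare dashboard for a token-based tunnel, so nothing here touches the P2P port.

```yaml
# Added example, not the project's own manifest. Names and tags are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflared-tunnel-token   # assumed name; create out of band, never commit the real value
  namespace: ingress               # assumed namespace
type: Opaque
stringData:
  token: "<TUNNEL_TOKEN_PLACEHOLDER>"  # placeholder; real token comes from the Cloudflare dashboard/API
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: ingress
spec:
  replicas: 1                      # single pod, matching the research footprint
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      nodeSelector:
        kubernetes.io/arch: arm64  # Always Free OKE nodes are ARM64
      securityContext:
        runAsNonRoot: true         # official image ships a non-root user (assumption: distroless nonroot)
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: cloudflared
        image: cloudflare/cloudflared:<pinned-version>   # placeholder; pin a release >= 2022.12.0 for arm64
        args:
        - tunnel
        - --no-autoupdate          # image updates come through the Deployment, not the binary
        - --metrics
        - 0.0.0.0:2000             # metrics/readiness endpoint, cluster-internal only
        - run                      # token taken from TUNNEL_TOKEN, so no --token on the command line
        env:
        - name: TUNNEL_TOKEN
          valueFrom:
            secretKeyRef:
              name: cloudflared-tunnel-token
              key: token
        ports:
        - name: metrics
          containerPort: 2000
        livenessProbe:
          httpGet:
            path: /ready
            port: metrics
          initialDelaySeconds: 10
          periodSeconds: 10
        resources:
          requests:
            cpu: 200m              # from the research findings
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```

Because the tunnel is outbound-only, the pod needs no Service and no inbound ports beyond the cluster-internal metrics port; the only inbound path into the cluster is whatever hostnames are published on the Cloudflare side, which is also where to verify the TLS acceptance criterion end to end.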

Fallback

If Cloudflare Tunnel is not viable, the fallback is Traefik + cert-manager + OCI Free LB (10 Mbps, must use specific annotations to avoid billing):

annotations:
  service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
  service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
  service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10"

Acceptance Criteria

  • Cloudflare Tunnel token provisioned (external dependency)
  • cloudflared Deployment manifest or Helm chart committed
  • Ingress rules configured for RPC endpoint
  • TLS verified end-to-end
  • Documentation: tunnel setup and DNS configuration

Notes

  • P2P traffic (port 9000) should NOT route through the tunnel — direct pod-to-pod only
  • OCI Always Free includes 1 Flexible LB at 10 Mbps (discovered during research) — document this for future reference
