Skip to content

feat: add cloudflare-tunnel chart for zero-trust ingress#18

Merged
disentangle-network merged 2 commits intomainfrom
feature/cloudflare-tunnel
Mar 7, 2026
Merged

feat: add cloudflare-tunnel chart for zero-trust ingress#18
disentangle-network merged 2 commits intomainfrom
feature/cloudflare-tunnel

Conversation

@disentangle-network
Copy link
Owner

@disentangle-network disentangle-network commented Mar 7, 2026

Summary

  • Adds helm/cloudflare-tunnel/ chart deploying cloudflared for TLS ingress
  • Eliminates need for cert-manager, ingress controller, and load balancer
  • Single pod: ~100m CPU, ~128Mi RAM, 0 PVCs
  • Requires Cloudflare Tunnel token stored as K8s Secret (external dependency)
  • ARM64 compatible (official multi-arch image)

Architecture

Internet -> Cloudflare Edge (TLS) -> Tunnel -> cloudflared pod -> K8s Service
  • No inbound ports required (tunnel is outbound-only)
  • Cloudflare handles TLS termination via Universal SSL
  • Ingress rules map hostnames to internal services

Chart Features

  • Token from existing Secret or chart-created Secret
  • Template validation: fails if neither tunnel.token nor tunnel.existingSecret is set
  • Readiness probe on cloudflared health endpoint (:2000/ready)
  • Hardened security contexts (runAsNonRoot, drop ALL, readOnlyRootFilesystem)
  • CI: tunnel-lint job added to Helm CI workflow

Test plan

  • helm lint helm/cloudflare-tunnel/ passes
  • helm template with tunnel.token=test renders Deployment + Secret
  • helm template with tunnel.existingSecret=my-secret renders Deployment only
  • helm template with neither fails with clear error
  • CI tunnel-lint job passes

Ref #16

privsim added 2 commits March 6, 2026 18:04
@privsim
feat: add cloudflare-tunnel chart for zero-trust ingress
e5e72d1 
Adds helm/cloudflare-tunnel/ providing a cloudflared Deployment for
TLS ingress without cert-manager, ingress controller, or load balancer.
Requires a Cloudflare Tunnel token stored as a K8s Secret.

Ref #16
@privsim
merge: resolve conflicts with monitoring chart (main)
869a79e 
Integrates monitoring chart CI, Makefile, and gitignore changes
alongside cloudflare-tunnel additions.
@disentangle-network disentangle-network merged commit 517f855 into main Mar 7, 2026
16 checks passed
@disentangle-network disentangle-network deleted the feature/cloudflare-tunnel branch March 7, 2026 01:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@disentangle-network @privsim