cloudflare / helm-charts

https://developers.cloudflare.com
Apache License 2.0

How to properly authenticate to Cloudflare? #35

Open matt-j-so opened 1 year ago

matt-j-so commented 1 year ago

I'm trying to use the cloudflare-tunnel helm chart, but I'm not sure how to configure the below options properly:

cloudflare:
  # Your Cloudflare account number.
  account: ""
  # The secret for the tunnel.
  secret: ""

Could you provide instructions on how to get the Cloudflare account number and the secret for the tunnel? I can't find any documentation or example on how to use it properly.

Thanks in advance for any help :)

bhvk0 commented 1 year ago

Same here, it doesn't work for me. I've successfully used this example - https://nyan.im/p/cloudflare-tunnel-on-kubernetes-en

DillonN commented 1 year ago

This worked for me

  1. Create a tunnel in the CF ZeroTrust dashboard
  2. At the end, it should give you a command to run the tunnel locally - grab the token from this command
  3. Decode the token, e.g. with echo "ey..." | base64 -d
  4. The decoded token should be a JSON object like {"a": "<account-id>", "t": "<tunnel-id>", "s": "<tunnel-secret>"}
  5. Take those three values, plus the tunnel name, and fill them in for the four corresponding cloudflare options in config.yaml
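
The decode-and-map steps from the comment above, as an added example (not part of the original comment and not the chart's own code): it decodes the token, checks that the three fields are present, and builds the `cloudflare` values with the secret masked for display. The chart keys `tunnelName` and `tunnelId` are assumptions, since the thread only shows `account` and `secret`, and the sample token is constructed from fake values.

```python
import base64
import binascii
import json

# Token key -> chart key. "tunnelId" is an assumed chart key name (not shown in the thread).
FIELD_MAP = {"a": "account", "t": "tunnelId", "s": "secret"}


def decode_tunnel_token(token: str) -> dict:
    """Decode the base64 JSON token taken from the dashboard's run command."""
    token = token.strip()
    # Copied tokens sometimes lose their trailing '=' padding; restore it first.
    padded = token + "=" * (-len(token) % 4)
    try:
        fields = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("token is not base64-encoded JSON") from exc
    if not isinstance(fields, dict):
        raise ValueError("token does not decode to a JSON object")
    missing = [k for k in FIELD_MAP if not isinstance(fields.get(k), str) or not fields[k]]
    if missing:
        raise ValueError(f"token is missing fields: {missing}")
    return fields


def chart_values(token: str, tunnel_name: str) -> dict:
    """Build the cloudflare section of the values file from the token."""
    fields = decode_tunnel_token(token)
    values = {chart_key: fields[key] for key, chart_key in FIELD_MAP.items()}
    values["tunnelName"] = tunnel_name  # assumed chart key name
    return {"cloudflare": values}


def redacted(values: dict) -> dict:
    """Copy that is safe to print or log: the tunnel secret is masked."""
    return {"cloudflare": dict(values["cloudflare"], secret="<redacted>")}


# Constructed sample token with fake values, encoded the way the comment describes.
SAMPLE_TOKEN = base64.b64encode(json.dumps(
    {"a": "0123abcd", "t": "11111111-2222-3333-4444-555555555555", "s": "ZmFrZS1zZWNyZXQ="}
).encode()).decode()

if __name__ == "__main__":
    print(json.dumps(redacted(chart_values(SAMPLE_TOKEN, "example-tunnel")), indent=2))
```

The decoded `s` value is the tunnel credential, so the unmasked output belongs in a secret store or an encrypted values file rather than in terminal scrollback or a committed `values.yaml`.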

froblesmartin commented 1 year ago

You could follow the tutorial documented at https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel/. It does not use this Helm chart, but that is just a matter of replacing the k8s manifests it applies with this Helm chart :)

The main problem with this Helm chart is that you need to provide the secret from the values.yaml. I will most likely open a PR to allow the use of an externally managed secret (which in my case for now I will provide with sealed secrets).

bhvk0 commented 1 year ago

> The main problem with this Helm chart is that you need to provide the secret from the values.yaml.

We use ksops for that purpose, maybe it's also a solution for you

froblesmartin commented 1 year ago

> > The main problem with this Helm chart is that you need to provide the secret from the values.yaml.
>
> We use ksops for that purpose, maybe it's also a solution for you

Yes, that would be a solution, but so would just allowing everybody to use another way to provide the secret (sealed secrets, one of the many tools that integrate with Secrets Store CSI Driver, or any other way).

For that, I have opened this PR to allow not generating the secret with this Helm chart itself 😄

https://github.com/cloudflare/helm-charts/pull/38