kubernetes-sigs / external-dns

Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
Apache License 2.0

Question/Enhancement: Cloudflare Access Tunnel provider #3591

Closed mattiaforc closed 2 weeks ago

mattiaforc commented 1 year ago

Hello everybody,

I was wondering if anyone would be interested in a provider for Cloudflare Tunnel (formerly known as Cloudflare Argo Tunnels). I am playing around with it in my homelab - and made an (almost, see issue on cloudflare-go SDK) working implementation, albeit pretty basic, that allows external-dns to add ingress and service records to a Cloudflare tunnel public hostnames configuration. The way it works is that a Cloudflare tunnel connector is deployed somewhere in your infrastructure - and it gives access to internal services and stuff, and you can then configure access restrictions (like OAuth policies, etc...)

My use case is to simply filter for a specific annotation (e.g. public-tunnel: true) on services/ingresses to decide whether or not to publish the service via Cloudflare.

I am proposing this implementation but I was wondering if this could be useful - or even relevant to the external-dns project - since it is not really a DNS provider, albeit providing external users a way to find/access services.

Any feedback would be appreciated, let me know :)

SimonStiil commented 1 year ago

Was working on something similar but got stuck due to the issue you mentioned. I wanted to be in control of the DNS name and not necessarily always use the same name for the tunnel record as for the internal server. This cannot be done however without setting TLS>Server Origin Name, which currently cannot be done through the Cloudflare Go API as the OriginRequest is not located correctly in the API.

This can be worked around with an internal wildcard Certificate but is not a nice solution.
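The two posts above describe the same reconciliation step: pick only the Kubernetes objects that opted in via the `public-tunnel: true` annotation, turn their hostnames into tunnel ingress rules, and (SimonStiil's point) set the origin server name per rule when the public hostname is not the name the origin certificate was issued for. The Go program below is an added illustration written for this thread; it is not code from external-dns, from the cloudflare-go SDK, or from either commenter. It assumes a plain struct mirroring the `ingress` / `originRequest.originServerName` shape of cloudflared's ingress configuration instead of SDK types, and uses a constructed `ingressLike` stand-in for the few Ingress fields it needs. Two defensive checks a practitioner would want are included: a hostname claimed by two objects is rejected rather than silently shadowed (cloudflared uses the first matching rule), and the catch-all `http_status:404` rule is always last so unknown hostnames are never forwarded to an origin.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// publishAnnotation is the opt-in annotation from the proposal above: only
// objects carrying public-tunnel: "true" are exposed through the tunnel.
const publishAnnotation = "public-tunnel"

// ingressLike is a constructed stand-in for the few Ingress fields this
// example needs. A real provider would read them from external-dns endpoints
// or the Kubernetes API.
type ingressLike struct {
	Name             string
	Annotations      map[string]string
	Hosts            []string
	Service          string // origin URL reachable from the cloudflared connector
	OriginServerName string // optional: SNI name presented to the origin
}

// tunnelRule mirrors one entry of cloudflared's ingress configuration (assumed shape).
type tunnelRule struct {
	Hostname      string         `json:"hostname,omitempty"`
	Service       string         `json:"service"`
	OriginRequest *originRequest `json:"originRequest,omitempty"`
}

// originRequest carries per-rule origin settings; originServerName is what lets
// the public hostname differ from the name on the origin's certificate.
type originRequest struct {
	OriginServerName string `json:"originServerName,omitempty"`
}

// tunnelConfig is the document body written to the tunnel configuration.
type tunnelConfig struct {
	Ingress []tunnelRule `json:"ingress"`
}

// BuildTunnelRules selects opted-in ingresses, rejects hostnames claimed by
// more than one object, and appends the mandatory catch-all rule.
func BuildTunnelRules(ingresses []ingressLike) ([]tunnelRule, error) {
	owner := map[string]string{} // hostname -> ingress name that claimed it
	var rules []tunnelRule
	for _, ing := range ingresses {
		if ing.Annotations[publishAnnotation] != "true" {
			continue // not opted in: never published
		}
		if ing.Service == "" {
			return nil, fmt.Errorf("ingress %q: empty origin service", ing.Name)
		}
		for _, host := range ing.Hosts {
			if prev, ok := owner[host]; ok {
				return nil, fmt.Errorf("hostname %q claimed by %q and %q", host, prev, ing.Name)
			}
			owner[host] = ing.Name
			rule := tunnelRule{Hostname: host, Service: ing.Service}
			if ing.OriginServerName != "" {
				rule.OriginRequest = &originRequest{OriginServerName: ing.OriginServerName}
			}
			rules = append(rules, rule)
		}
	}
	// Deterministic ordering keeps the rendered config stable across reconciles.
	sort.Slice(rules, func(i, j int) bool { return rules[i].Hostname < rules[j].Hostname })
	// Catch-all last: anything not explicitly published gets a 404, not an origin.
	rules = append(rules, tunnelRule{Service: "http_status:404"})
	return rules, nil
}

// RenderTunnelConfig serialises the rules and refuses a list whose last entry
// is not the catch-all.
func RenderTunnelConfig(rules []tunnelRule) (string, error) {
	if len(rules) == 0 || rules[len(rules)-1].Hostname != "" {
		return "", errors.New("last rule must be the catch-all")
	}
	b, err := json.MarshalIndent(tunnelConfig{Ingress: rules}, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample objects: only the first one is opted in.
	sample := []ingressLike{
		{Name: "grafana", Annotations: map[string]string{publishAnnotation: "true"},
			Hosts: []string{"grafana.example.com"}, Service: "https://grafana.internal.example:3000",
			OriginServerName: "grafana.internal.example"},
		{Name: "admin", Annotations: map[string]string{publishAnnotation: "false"},
			Hosts: []string{"admin.example.com"}, Service: "http://admin:8080"},
		{Name: "unannotated", Hosts: []string{"dev.example.com"}, Service: "http://dev:80"},
	}
	rules, err := BuildTunnelRules(sample)
	if err != nil {
		panic(err)
	}
	out, err := RenderTunnelConfig(rules)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Running it prints a two-rule configuration: the Grafana hostname with `originServerName` set to the internal name, followed by the catch-all. Objects without the annotation, or with it set to anything but `true`, never reach the tunnel configuration, which is the behaviour the annotation filter in the proposal is meant to guarantee.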

BrentGruber commented 1 year ago

Would this also be able to add CNAME records under the hosted zone in addition to updating the tunnel configuration? I know external-dns already has cloudflare support, but I'm not sure if I can make the CNAME point to my tunnel, I'm thinking that external-dns will try to map to the external-ip in my cluster rather than the tunnel.

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

alexo-bunnyshell commented 6 months ago

@mattiaforc I was searching the web for something that does what you were suggesting. Was your suggestion adopted into external-dns? is there a PR/fork I can try? Thanks

jo12bar commented 5 months ago

@mattiaforc and @SimonStiil, are either of you able to share your partial implementations of a Cloudflare Tunnel provider? I've been looking for a similar solution for my own WIP homelab. I'm behind my ISP's NAT so I'd like to use Cloudflare Tunnel to route external requests. My plan was to use Ingress rules to assign external DNS entries, in an attempt to keep things as gitops-y as possible.

/remove-lifecycle rotten

SimonStiil commented 5 months ago

@jo12bar It is not something I have touched for about a year. So I can't promise too much. But I just sanitized my test code and added it to a repo: https://github.com/SimonStiil/go-cloudflare-tunnel-demo Hope it is of help to you for getting started.

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 2 weeks ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 2 weeks ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/external-dns/issues/3591#issuecomment-2366964653):

>The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
>This bot triages issues according to the following rules:
>- After 90d of inactivity, `lifecycle/stale` is applied
>- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
>- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
>You can:
>- Reopen this issue with `/reopen`
>- Mark this issue as fresh with `/remove-lifecycle rotten`
>- Offer to help out with [Issue Triage][1]
>
>Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
>/close not-planned
>
>[1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.