papanito / ansible-role-cloudflared

This Ansible role downloads and installs cloudflared on the host and optionally installs the argo-tunnel as a service.
Apache License 2.0

delegate authorized commands to localhost #74

Open hmoffatt opened 1 week ago

hmoffatt commented 1 week ago

From what I can tell, running the tunnel doesn't require the certificate; only creating the tunnel (already out of scope for this role) and running the cloudflared tunnel route commands require it. So all of those commands could run on localhost via delegate_to, and then there would be no need to have the certificate on the remote systems.

This would be more secure because it looks like the certificate allows you to manage all tunnels associated with your account, not just those related to the current host.
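
An added example of the layout this issue proposes, not code from the issue or from the role: the route command runs on the control node via `delegate_to: localhost`, and only the per-tunnel credentials file is copied to the remote host. It assumes `cloudflared` is installed on the control node; all variable names, paths and sample values are hypothetical.

```yaml
# Added illustration. Variable names (cert_on_controller, tunnel_name,
# tunnel_hostname, tunnel_credentials_src) are hypothetical, not the role's own.
- name: Route DNS from the controller, keep cert.pem off the tunnel hosts
  hosts: tunnel_hosts
  vars:
    # Account-wide certificate: stays on the control node only.
    cert_on_controller: "~/.cloudflared/cert.pem"
    tunnel_name: "example-tunnel"          # constructed sample value
    tunnel_hostname: "app.example.com"     # constructed sample value
    # Per-tunnel credentials file, scoped to this one tunnel.
    tunnel_credentials_src: "files/example-tunnel.json"
  tasks:
    - name: Create the DNS route on the control node
      ansible.builtin.command:
        argv:
          - cloudflared
          - tunnel
          - --origincert
          - "{{ cert_on_controller | expanduser }}"
          - route
          - dns
          - "{{ tunnel_name }}"
          - "{{ tunnel_hostname }}"
      delegate_to: localhost   # runs where the certificate already lives
      become: false            # no privilege escalation needed on the controller

    - name: Copy only the per-tunnel credentials file to the remote host
      ansible.builtin.copy:
        src: "{{ tunnel_credentials_src }}"
        dest: "/etc/cloudflared/{{ tunnel_name }}.json"   # hypothetical path
        owner: root
        group: root
        mode: "0600"
      become: true
      no_log: true             # keep the secret out of task output
```

With this split, a compromised tunnel host exposes the credentials for its own tunnel rather than the certificate that can manage every tunnel on the account.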