This blog will give you a brief overview for exposing services from a private network to the public network using zero trust tool, CloudFlare Zero Trust Tunnels. They have a generous free tier that you can leverage. Please note that this post does not encompass a fully prescriptive set of security best practices, merely it gets the setup working. Getting this right took me longer than I expected. Hopefully its helpful to you.
Due to to my homelab setup, namespaces are created by ArgoCD which kicks off ahead of terraform apply. You may need to make a namespace cloudflared.
Access
Based on the guide from cloudflares docs you'll need to create a API token:
Note: When creating your api token know that "Cloudflare Tunnel" is not the same thing as Zero Trust in their permissions. This was confusing to me because tunnels are now named "zero trust tunnels". For the sake of permissions make sure you provider "Cloudflare Tunnel: Edit".
Terraform
The following code deploys a single tunnel and sets up DNS records for all sites indicated in "services". TLS verify is disabled below so update it if you want.
variable "cloudflare_zone_id" {
description = "Zone ID for your domain"
type = string
sensitive = true
}
variable "cloudflare_account_id" {
description = "Account ID for your Cloudflare account"
type = string
sensitive = true
}
variable "cloudflare_email" {
description = "Email address for your Cloudflare account"
type = string
sensitive = true
}
variable "services" {
description = "Values for the services to be exposed via Cloudflare Tunnel"
type = map(object({
hostname = string # public domain name. ex: "service.example.com"
service = string # private service endpoint. ex: service.apps.internaldomain.com
}))
}
locals {
cf_tunnel_secret = jsonencode({
"AccountTag" : "${var.cloudflare_account_id}",
"TunnelSecret" : "${base64sha256(random_password.tunnel_secret.result)}",
"TunnelID" : "${cloudflare_zero_trust_tunnel_cloudflared.homelab.id}"
})
ingress_rules = [
for service in var.services : {
hostname = service.hostname
origin_request = {
no_tls_verify = true
}
service = service.service
}
]
}
resource "random_password" "tunnel_secret" {
length = 64
}
resource "cloudflare_zero_trust_tunnel_cloudflared" "homelab" {
name = "homelab-tunnel"
config_src = "cloudflare"
account_id = var.cloudflare_account_id
tunnel_secret = base64sha256(random_password.tunnel_secret.result)
}
resource "cloudflare_zero_trust_tunnel_cloudflared_config" "homelab" {
account_id = var.cloudflare_account_id
tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.homelab.id
config = {
ingress = concat(local.ingress_rules, [
{
origin_request = {
connect_timeout = 0
keep_alive_connections = 0
keep_alive_timeout = 0
tcp_keep_alive = 0
tls_timeout = 0
}
service = "http_status:503"
},
])
warp_routing = {
enabled = false
}
}
}
resource "kubernetes_secret" "cloudflare_credentials" {
metadata {
name = "tunnel-credentials"
namespace = "cloudflared"
}
data = {
"credentials.json" = local.cf_tunnel_secret
}
}
resource "cloudflare_dns_record" "vault_homelab_tunnel" {
for_each = var.services
zone_id = var.cloudflare_zone_id
comment = "${each.key} tunnel record"
content = join(".", [cloudflare_zero_trust_tunnel_cloudflared.homelab.id, "cfargotunnel.com"])
name = each.value.hostname
proxied = true
ttl = 1
type = "CNAME"
}
Kubernetes manifest:
In my setup, k8s resources are mostly deployed via ArgoCD. Below, this manifest deploys cloudflared pod and connects it to the tunnel homelab-tunnel from your account. It authenticates via the public cloudflare API using credentials from a kubernetes secret tunnel-credentials which is created by Terraform.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudflared
namespace: cloudflared
spec:
selector:
matchLabels:
app: cloudflared
replicas: 1
template:
metadata:
labels:
app: cloudflared
spec:
containers:
- name: cloudflared
image: cloudflare/cloudflared:latest
args:
- tunnel
- --credentials-file
- /etc/cloudflared/creds/credentials.json
- --protocol # https://github.com/cloudflare/cloudflared/issues/1176#issuecomment-2404546711
- http2 # didnt seem to need the sysctl changes
- --metrics
- 0.0.0.0:2000
- run
- homelab-tunnel
livenessProbe:
httpGet:
path: /ready
port: 2000
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
volumeMounts:
- name: creds
mountPath: /etc/cloudflared/creds
readOnly: true
volumes:
- name: creds
secret:
secretName: tunnel-credentials
Disclaimer: The following code stores the secret to joining your tunnel in your terraform statefile in 2 locations random_password.tunnel_secret and cloudflare_zero_trust_tunnel_cloudflared.homelab. With 1.10 we have ephemeral resources which will remove that but the random provider doesnt have it yet. Hopefully it will be removed from tunnel resource once available.
Top comments (0)