Setting Up Cloudflared Tunnel on OpenShift
Introduction
Cloudflare’s Tunnel, powered by Cloudflared, provides a secure way to expose your web applications to the internet without exposing your origin server’s IP address. This guide walks through the steps to set up a Cloudflared tunnel on OpenShift, a popular container platform.
Important
This setup exposes only the OpenShift console and Ingress routes. It does not expose the API server, so oc login will not work through the tunnel.
Prerequisites
- An OpenShift cluster, either on-premises or in a cloud provider
- Cloudflare account
- Basic knowledge of OpenShift and Cloudflare
Install Cloudflared on Your Local Machine
Download and install the cloudflared binary for your operating system from the Cloudflare website, or use a package manager such as Homebrew:
brew install cloudflared
Verify the installation
$ cloudflared version
cloudflared version 2024.2.1 (built 2024-02-20T16:25:25Z)
Create a Cloudflare Tunnel
Authenticate Cloudflared: A browser window will open and prompt you to log in to your Cloudflare account. After logging in, select your hostname.
cloudflared tunnel login
Create a tunnel and give it a name. From the command’s output, note the Tunnel’s UUID and the path to your Tunnel’s credentials file.
cloudflared tunnel create openshift
Configure Cloudflared for OpenShift
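Create an OpenShift secret from the Tunnel’s credentials file. The secret must live in the namespace where cloudflared will be deployed (networking in this guide).
oc create secret generic cloudflared --from-file ~/.cloudflared/<tunnel_id>.json -n networking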
To deploy the cloudflared tunnel image, I’ll be using a Helm chart.
Create a values.yaml with a cloudflared configuration.
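replicaCount: 3
image:
  repository: docker.io/cloudflare/cloudflared
  tag: "2024.2.1"
cloudflared:
  tunnelID: "<REPLACE_WITH_TUNNEL_ID>"
  # Name of the secret created above from the tunnel credentials file.
  existingSecret: cloudflared
  # Rules are evaluated top to bottom; the first match wins.
  ingress:
    - hostname: "oauth-openshift.apps.<DOMAIN>"
      originRequest:
        # noTLSVerify: true disables verification of the origin's TLS certificate.
        noTLSVerify: true
      service: https://oauth-openshift.openshift-authentication
    - hostname: "*.apps.<DOMAIN>"
      originRequest:
        noTLSVerify: true
      service: https://router-internal-default.openshift-ingress.svc.cluster.local
    # Catch-all: any request that matched no rule above gets a 404.
    - service: http_status:404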
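The ingress list above is order-sensitive: the oauth-openshift rule only takes effect because it sits before the wildcard, and the list has to end with a catch-all. The following is an added example, not part of the original post or the Helm chart, that lints such a rule list and shows which service a hostname resolves to. The domain example.com, the function names and the simplified wildcard matching are assumptions made for illustration.

```python
# Constructed sample: the rules from values.yaml with <DOMAIN> = example.com.
RULES = [
    {"hostname": "oauth-openshift.apps.example.com",
     "originRequest": {"noTLSVerify": True},
     "service": "https://oauth-openshift.openshift-authentication"},
    {"hostname": "*.apps.example.com",
     "originRequest": {"noTLSVerify": True},
     "service": "https://router-internal-default.openshift-ingress.svc.cluster.local"},
    {"service": "http_status:404"},
]


def host_matches(pattern, host):
    """Exact match, or suffix match for a leading '*.' wildcard (simplified model)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def route(rules, host):
    """Return the service of the first rule that matches, top to bottom."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or host_matches(pattern, host):
            return rule["service"]
    return None


def lint(rules):
    """Return a list of findings for a rule list."""
    findings = []
    if not rules or "hostname" in rules[-1]:
        findings.append("last rule must be a catch-all without a hostname")
    for i, rule in enumerate(rules):
        name = rule.get("hostname", "<catch-all>")
        if rule.get("originRequest", {}).get("noTLSVerify"):
            findings.append(f"rule {i} ({name}): origin certificate is not verified")
        # A rule is dead if an earlier rule already matches its hostname.
        for j, earlier in enumerate(rules[:i]):
            pat = earlier.get("hostname")
            if pat is None or ("hostname" in rule and host_matches(pat, rule["hostname"])):
                findings.append(f"rule {i} ({name}): shadowed by rule {j}")
                break
    return findings


if __name__ == "__main__":
    print("\n".join(lint(RULES)))
```

For the rules as written, the only findings are the two noTLSVerify entries; swapping the first two rules makes the oauth-openshift rule unreachable.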
Install the Helm chart
helm repo add xunholy-charts https://xunholy.github.io/charts/
helm install cloudflared xunholy-charts/cloudflared -f values.yaml -n networking
Cloudflared will authenticate with Cloudflare using the credentials in the configuration file and establish a secure tunnel to your OpenShift service.
Verify that cloudflared pods are running.
oc get pods -n networking
NAME                          READY   STATUS    RESTARTS   AGE
cloudflared-fd8478945-l7xhc   1/1     Running   0          119m
cloudflared-fd8478945-v9nq5   1/1     Running   0          119m
cloudflared-fd8478945-wt2z7   1/1     Running   0          119m
Create a DNS record
Follow this guide to create a DNS record for the tunnel. For the CNAME record name, add *.apps.<DOMAIN_NAME> with the target as <TUNNEL_ID>.cfargotunnel.com
Verify the Tunnel
Open a web browser and navigate to the OpenShift console.
Congratulations! You have successfully set up a Cloudflared tunnel on OpenShift, which allows you to expose your web application securely to the internet.