Setting Up Cloudflared Tunnel on OpenShift

Setting Up Cloudflared Tunnel on OpenShift

March 11, 2024

Introduction

Cloudflare’s Tunnel, powered by Cloudflared, provides a secure way to expose your web applications to the internet without exposing your origin server’s IP address. This guide walks us through the steps to set up a Cloudflared tunnel on OpenShift, a popular container platform.

Important

This setup will expose the OpenShift console and Ingress routes only, not the API server, for oc login

Prerequisites

  • An OpenShift cluster, either on-premises or in a cloud provider
  • Cloudflare account
  • Basic knowledge of OpenShift and Cloudflare

Install Cloudflared on Your Local Machine

Download and Install the Cloudflared binary for your operating system from the Cloudflare website.

brew install cloudflared

Verify the installation

$ cloudflared version
cloudflared version 2024.2.1 (built 2024-02-20T16:25:25Z)

Create a Cloudflare Tunnel

Authenticate Cloudflared: A browser window will open and prompt you to log in to your Cloudflare account. After logging in, select your hostname.

cloudflared tunnel login

Create a tunnel and give it a name. From the command’s output, note the Tunnel’s UUID and the path to your Tunnel’s credentials file.

cloudflared tunnel create openshift

Configure Cloudflared for OpenShift

Create an OpenShift secret from the Tunnel’s credentials file.

oc create secret generic cloudflared --from-file ~/.cloudflared/<tunnel_id>.json

To deploy the cloudflared tunnel image, I’ll be using a helm chart

Create a values.yaml with a cloudflared configuration.

replicaCount: 3
image:
  repository: docker.io/cloudflare/cloudflared
  tag: "2024.2.1"
cloudflared:
  tunnelID: "<REPLACE_WITH_TUNNEL_ID>"
  existingSecret: cloudflared
  ingress:
    - hostname: "oauth-openshift.apps.<DOMAIN>"
      originRequest:
        noTLSVerify: true
      service: https://oauth-openshift.openshift-authentication
    - hostname: "*.apps.<DOMAIN>"
      originRequest:
        noTLSVerify: true
      service: https://router-internal-default.openshift-ingress.svc.cluster.local
    - service: http_status:404

Install helm chart

helm repo add xunholy-charts https://xunholy.github.io/charts/
helm install cloudflared xunholy-charts/cloudflared -f values.yaml -n networking

Cloudflared will authenticate with Cloudflare using the credentials in the configuration file and establish a secure tunnel to your OpenShift service.

Verify that cloudflared pods are running.

oc get pods
NAME                          READY   STATUS    RESTARTS   AGE
cloudflared-fd8478945-l7xhc   1/1     Running   0          119m
cloudflared-fd8478945-v9nq5   1/1     Running   0          119m
cloudflared-fd8478945-wt2z7   1/1     Running   0          119m

Create a DNS record

Follow this guide to create a DNS record for the tunnel. For the CNAME record name, add *.apps.<DOMAIN_NAME> with the target as <TUNNEL_ID>,cfargotunnel.com

Verify the Tunnel

Open a web browser and navigate to the OpenShift console.

Congratulations! You have successfully set up a Cloudflared tunnel on OpenShift, which allows you to expose your web application securely to the internet.

Last updated on