From 971fd5d8ea8a1a11e771c3b0ce80fdd6de44f170 Mon Sep 17 00:00:00 2001 From: glaberge Date: Fri, 12 Sep 2025 08:07:33 -0400 Subject: [PATCH 1/5] Adds topologyspread constraints --- charts/cloudflare-tunnel/templates/deployment.yaml | 4 ++++ charts/cloudflare-tunnel/values.yaml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/charts/cloudflare-tunnel/templates/deployment.yaml b/charts/cloudflare-tunnel/templates/deployment.yaml index 7b50786..0ec8c7e 100644 --- a/charts/cloudflare-tunnel/templates/deployment.yaml +++ b/charts/cloudflare-tunnel/templates/deployment.yaml @@ -103,3 +103,7 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/cloudflare-tunnel/values.yaml b/charts/cloudflare-tunnel/values.yaml index c6d0e02..553efbd 100644 --- a/charts/cloudflare-tunnel/values.yaml +++ b/charts/cloudflare-tunnel/values.yaml @@ -78,5 +78,7 @@ nodeSelector: {} tolerations: [] +topologySpreadConstraints: [] + # Default affinity is to spread out over nodes; use this to override. affinity: {} From 216f754be2eaa3e92646a27d0c96bc6f944b5b19 Mon Sep 17 00:00:00 2001 From: glaberge Date: Fri, 12 Sep 2025 08:08:57 -0400 Subject: [PATCH 2/5] Adds failure threshold to livenessprobe --- charts/cloudflare-tunnel-remote/templates/deployment.yaml | 2 +- charts/cloudflare-tunnel-remote/values.yaml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/cloudflare-tunnel-remote/templates/deployment.yaml b/charts/cloudflare-tunnel-remote/templates/deployment.yaml index 16e35ec..864944b 100644 --- a/charts/cloudflare-tunnel-remote/templates/deployment.yaml +++ b/charts/cloudflare-tunnel-remote/templates/deployment.yaml 
@@ -51,6 +51,6 @@ spec: # it has an active connection to the edge. path: /ready port: 2000 - failureThreshold: 1 + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} initialDelaySeconds: 10 periodSeconds: 10 diff --git a/charts/cloudflare-tunnel-remote/values.yaml b/charts/cloudflare-tunnel-remote/values.yaml index 8935696..8b7d28d 100644 --- a/charts/cloudflare-tunnel-remote/values.yaml +++ b/charts/cloudflare-tunnel-remote/values.yaml @@ -60,3 +60,6 @@ tolerations: [] # Default affinity is to spread out over nodes; use this to override. affinity: {} + +livenessProbe: + failureThreshold: 1 From ca6482df0a707e192ae17f8a206fcd86a1dc5c70 Mon Sep 17 00:00:00 2001 From: glaberge Date: Fri, 12 Sep 2025 08:11:19 -0400 Subject: [PATCH 3/5] Adds auto protocol selection --- charts/cloudflare-tunnel/templates/configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/cloudflare-tunnel/templates/configmap.yaml b/charts/cloudflare-tunnel/templates/configmap.yaml index 07d5219..f930ce6 100644 --- a/charts/cloudflare-tunnel/templates/configmap.yaml +++ b/charts/cloudflare-tunnel/templates/configmap.yaml @@ -14,6 +14,8 @@ data: enabled: {{ .Values.cloudflare.enableWarp }} # Serves the metrics server under /metrics and the readiness server under /ready metrics: 0.0.0.0:2000 + # Specifies the protocol used to establish a connection between cloudflared and the Cloudflare global network + protocol: {{ default "auto" .Values.cloudflare.protocol }} # Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so # autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly # recommend using autoupdate. From b9893b89f576b830458f362461c86dfba7a67b2a Mon Sep 17 00:00:00 2001 From: glaberge Date: Fri, 12 Sep 2025 08:11:36 -0400 Subject: [PATCH 4/5] Removes default 404 route --- charts/cloudflare-tunnel/templates/configmap.yaml | 2 -- 1 file changed, 2 deletions(-) 
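Review bot: The templated `failureThreshold: {{ .Values.livenessProbe.failureThreshold }}` in the cloudflare-tunnel-remote deployment.yaml hunk has no fallback. If a user's values null out the key, the field probably renders empty and Kubernetes applies its own default instead of the previous hard-coded 1. If `livenessProbe` itself is nulled, the template will likely fail to render. Consider `failureThreshold: {{ .Values.livenessProbe.failureThreshold | default 1 }}`, plus a comment above `livenessProbe:` in values.yaml such as `# Consecutive failed /ready probes before the container is restarted.`. The probe block starts outside this hunk, and the same applies to the matching deployment.yaml and values.yaml hunks in PATCH 5/5.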
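Review bot: The added `protocol:` line in configmap.yaml writes `.Values.cloudflare.protocol` into the cloudflared config unquoted and unchecked. A typo, or a value containing YAML-special characters, is therefore only caught when cloudflared parses the file at pod start. Quoting it, as in `protocol: {{ .Values.cloudflare.protocol | default "auto" | quote }}`, keeps the rendered value a single string. A `fail` guard against the values the chart documents (auto, http2, h2mux, quic) would reject bad input at render time. The `data:` block this line belongs to starts and ends outside the hunk.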
diff --git a/charts/cloudflare-tunnel/templates/configmap.yaml b/charts/cloudflare-tunnel/templates/configmap.yaml
index f930ce6..d998a13 100644
--- a/charts/cloudflare-tunnel/templates/configmap.yaml
+++ b/charts/cloudflare-tunnel/templates/configmap.yaml
@@ -27,5 +27,3 @@ data:
 {{- with .Values.cloudflare.ingress }}
 {{- toYaml . | nindent 6 }}
 {{- end }}
- # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
- - service: http_status:404
From cf68e5c5d2973eedbd1c83e74055b64cc12daefb Mon Sep 17 00:00:00 2001
From: glaberge
Date: Fri, 12 Sep 2025 08:14:36 -0400
Subject: [PATCH 5/5] Adds service monitor and service for metrics
---
 .../templates/deployment.yaml | 2 +-
 .../cloudflare-tunnel/templates/service.yaml | 15 ++++++++
 .../templates/servicemonitor.yaml | 38 +++++++++++++++++++
 charts/cloudflare-tunnel/values.yaml | 21 ++++++++++
 4 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 charts/cloudflare-tunnel/templates/service.yaml
 create mode 100644 charts/cloudflare-tunnel/templates/servicemonitor.yaml
diff --git a/charts/cloudflare-tunnel/templates/deployment.yaml b/charts/cloudflare-tunnel/templates/deployment.yaml
index 0ec8c7e..6529b48 100644
--- a/charts/cloudflare-tunnel/templates/deployment.yaml
+++ b/charts/cloudflare-tunnel/templates/deployment.yaml
@@ -52,7 +52,7 @@ spec:
 # it has an active connection to the edge.
 path: /ready
 port: 2000
- failureThreshold: 1
+ failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
 initialDelaySeconds: 10
 periodSeconds: 10
 volumeMounts:
diff --git a/charts/cloudflare-tunnel/templates/service.yaml b/charts/cloudflare-tunnel/templates/service.yaml
new file mode 100644
index 0000000..0316761
--- /dev/null
+++ b/charts/cloudflare-tunnel/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "cloudflare-tunnel.fullname" . }}
+ labels:
+ {{- include "cloudflare-tunnel.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 2000
+ targetPort: 2000
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "cloudflare-tunnel.selectorLabels" . | nindent 4 }}
diff --git a/charts/cloudflare-tunnel/templates/servicemonitor.yaml b/charts/cloudflare-tunnel/templates/servicemonitor.yaml
new file mode 100644
index 0000000..762636c
--- /dev/null
+++ b/charts/cloudflare-tunnel/templates/servicemonitor.yaml
@@ -0,0 +1,38 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "cloudflare-tunnel.fullname" . }}
+ labels:
+ {{- include "cloudflare-tunnel.labels" . | nindent 4 }}
+ {{- with .Values.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ template "cloudflare-tunnel.fullname" . }}
+ endpoints:
+ - port: metrics
+ {{- if .Values.serviceMonitor.interval }}
+ interval: {{ .Values.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{ toYaml .Values.serviceMonitor.metricRelabelings | indent 4 }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{ toYaml .Values.serviceMonitor.relabelings | indent 4 }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.honorLabels }}
+ honorLabels: true
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "cloudflare-tunnel.selectorLabels" . | nindent 6 }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/cloudflare-tunnel/values.yaml b/charts/cloudflare-tunnel/values.yaml
index 553efbd..abd2ed1 100644
--- a/charts/cloudflare-tunnel/values.yaml
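Review bot: The new service.yaml is rendered unconditionally, so every install now publishes port 2000 under a stable cluster DNS name even when `serviceMonitor.enabled` is false. Per the configmap comment, that listener serves both /metrics and /ready on 0.0.0.0:2000, and nothing in this patch limits which workloads may reach it. Wrapping the whole template in `{{- if .Values.serviceMonitor.enabled }}` and `{{- end }}`, or a dedicated values flag, would leave the default install unchanged. The values.yaml comment for the flag could also recommend a NetworkPolicy that admits only the Prometheus namespace to port 2000.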
+++ b/charts/cloudflare-tunnel/values.yaml @@ -12,6 +12,9 @@ cloudflare: secret: "" # If defined, no secret is created for the credentials, and instead, the secret referenced is used secretName: null + # Specifies the protocol used to establish a connection between cloudflared and the Cloudflare global network. Available values are auto, http2, h2mux, and quic. (default: auto) + # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/local-management/arguments/ + protocol: "" # If true, turn on WARP routing for TCP enableWarp: false # Define ingress rules for the tunnel. See @@ -82,3 +85,21 @@ topologySpreadConstraints: [] # Default affinity is to spread out over nodes; use this to override. affinity: {} + +livenessProbe: + failureThreshold: 1 + +serviceMonitor: + # -- Enable this if you're using https://github.com/coreos/prometheus-operator + enabled: false + # -- Interval at which endpoints should be scraped. + interval: 30s + # -- Add custom labels to the ServiceMonitor resource + additionalLabels: {} + # prometheus: kube-prometheus + # -- Chooses the metric’s labels on collisions with target labels. + honorLabels: false + # -- Path to scrape metrics + path: /metrics + # -- Timeout for scrape metrics request + scrapeTimeout: 10s