Merge pull request #5 from kubitodev/traefik-cloudflared-real-ip

Cloudflared and Traefik Cloudflared Source IP Charts

charts/cloudflared/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/cloudflared/Chart.yaml

@@ -0,0 +1,18 @@
+name: cloudflared
+maintainers:
+  - name: kubitodev
+    url: https://kubito.dev
+apiVersion: v2
+appVersion: 2022.7.1
+version: 1.0.0
+description: Kubito Cloudflared (Argo Tunnel) Helm Chart
+home: https://github.com/kubitodev/helm/tree/main/charts/cloudflared
+icon: https://kubito.dev/images/kubito.svg
+keywords:
+  - kubernetes
+  - cloudflare
+  - cloudflared
+  - argo
+  - tunnel
+sources:
+  - https://github.com/cloudflare/cloudflared

charts/cloudflared/README.md

@@ -0,0 +1,144 @@
+# Cloudflared
+
+A tunneling daemon that proxies traffic from the Cloudflare network to your origins. This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible. Extensive documentation can be found in the [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) section of the Cloudflare Docs.
+
+## TL;DR
+
+```console
+helm repo add kubitodev https://charts.kubito.dev
+helm install example kubitodev/cloudflared
+```
+
+## Introduction
+
+Cloudflare Tunnel provides you with a secure way to connect your resources to Cloudflare without a publicly routable IP address. With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare’s edge. Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare. This way, your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
+
+## Prerequisites
+
+- Kubernetes 1.12+
+- Helm 3.2.0+
+- Argo Tunnel ID generated
+
+## Installing the Chart
+
+To install the chart with the release name `example`:
+
+```console
+helm install example kubitodev/cloudflared
+```
+
+The command deploys cloudflared on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `example` deployment:
+
+```console
+helm delete example
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+### Image parameters
+
+| Name                    | Description                                   | Value                    |
+| ----------------------- | --------------------------------------------- | ------------------------ |
+| `image.repository`      | The Docker repository to pull the image from. | `cloudflare/cloudflared` |
+| `image.tag`             | The image tag to use.                         | `2022.7.1`               |
+| `image.imagePullPolicy` | The logic of image pulling.                   | `IfNotPresent`           |
+
+
+### Deployment parameters
+
+| Name                | Description                                                                  | Value   |
+| ------------------- | ---------------------------------------------------------------------------- | ------- |
+| `replicaCount`      | The number of replicas to deploy.                                            | `3`     |
+| `tunnelID`          | The Argo Tunnel ID you created. Check the configuration section for details. | `""`    |
+| `auth.accountTag`   | The Argo tunnel account tag.                                                 | `""`    |
+| `auth.tunnelName`   | The Argo tunnel name.                                                        | `""`    |
+| `auth.tunnelSecret` | The Argo tunnel secret.                                                      | `""`    |
+| `existingSecret`    | The name of an existing secret containing the Argo tunnel settings.          | `""`    |
+| `warpRouting`       | Whether to enable WARP traffic routing to local subnets.                     | `false` |
+| `ingress`           | The ingress settings to apply. Check the configuration section for examples. | `[]`    |
+
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+helm install example \
+  --set user=example \
+  --set password=example \
+    kubitodev/example
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+helm install example -f values.yaml kubitodev/example
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Configuration and installation details
+
+### Getting the Argo Tunnel ID (required)
+
+- Start by downloading and installing the lightweight Cloudflare Tunnel daemon, `cloudflared`. You can find it [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/).
+
+- Once installed, you can use the tunnel login command in `cloudflared` to obtain a certificate:
+
+```bash
+cloudflared tunnel login
+```
+
+- Create the tunnel with:
+
+```bash
+cloudflared tunnel create example-tunnel
+```
+
+- Associate your tunnel with a CNAME DNS Record
+
+```bash
+cloudflared tunnel route dns example-tunnel tunnel.example.com
+```
+
+- The tunnel configuration can be found in `~/.cloudflared/<TUNNEL_ID>.json`. You will need it for creating a secret/configmap when deploying the Cloudflared instance on your cluster.
+
+Now, when you want to create a new subdomain, just point it as a CNAME to the tunnel record, and it will be routed automatically!
+
+For more information, check the [official guide](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel/).
+
+### Setting up the Argo Tunnel ingress options with Traefik
+
+To use the tunnel with Traefik, you need to configure the ingress settings. As cloudflared works with CNAMEs, you want to set a wildcard hostname for the service, and set the origin request setting to be the root domain that you are configuring this for. Also, you need to point the service to the secure port (443) of the Traefik load balancer service. Here is an example configuration:
+
+```yaml
+cloudflared:
+  ingress:
+    - hostname: "*.example.com"
+      service: https://traefik.traefik-system.svc.cluster.local:443
+      originRequest:
+        originServerName: example.com
+    - service: http_status:404
+```
+
+## License
+
+Copyright &copy; 2022 Kubito
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

charts/cloudflared/templates/configmap.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |-
+    logDirectory: /var/log/cloudflared
+    tunnel: {{ required "The Argo Tunnel ID is missing." .Values.tunnelID }}
+    credentials-file: /etc/cloudflared/tunnel-config.json
+    warp-routing:
+      enabled: {{ .Values.warpRouting }}
+    ingress: {{ toYaml .Values.ingress | nindent 6 }}

charts/cloudflared/templates/deployment.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}
+  replicas: {{ .Values.replicaCount | int }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}
+      annotations:
+        checksum/tunnel-id: {{ sha256sum .Values.tunnelID }}
+        checksum/ingress: {{ .Values.ingress | toJson | sha256sum }}
+        checksum/auth: {{ .Values.auth | toJson | sha256sum }}
+        checksum/warp-routing: {{ .Values.warpRouting | toJson | sha256sum }}
+    spec:
+      containers:
+      - args:
+        - tunnel
+        - --no-autoupdate
+        - --config
+        - /etc/cloudflared/config.yaml
+        - run
+        name: {{ .Release.Name }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.imagePullPolicy }}
+        volumeMounts:
+        - mountPath: /etc/cloudflared/tunnel-config.json
+          name: tunnel-secret-volume
+          subPath: tunnel-config.json
+        - mountPath: /etc/cloudflared/config.yaml
+          name: cloudflared-config-volume
+          subPath: config.yaml
+      imagePullSecrets:
+      - name: {{ default "tunnel-secret" .Values.existingSecret }}
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: tunnel-secret-volume
+        secret:
+          defaultMode: 420
+          optional: false
+          secretName: {{ default "tunnel-secret" .Values.existingSecret }}
+      - name: cloudflared-config-volume
+        configMap:
+          defaultMode: 420
+          name: {{ .Release.Name }}
+          optional: false

charts/cloudflared/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{- if not .Values.existingSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tunnel-secret
+type: Opaque
+stringData:
+  tunnel-config.json: >
+    {
+      "AccountTag": "{{ required "The Argo Tunnel Account Tag is missing." .Values.auth.accountTag }}",
+      "TunnelSecret": "{{ required "The Argo Tunnel Secret is missing." .Values.auth.tunnelSecret }}",
+      "TunnelID": "{{ required "The Argo Tunnel ID is missing." .Values.tunnelID }}",
+      "TunnelName": "{{ required "The Argo Tunnel Name is missing." .Values.auth.tunnelName }}"
+    }
+{{- end }}

charts/cloudflared/values.yaml

@@ -0,0 +1,38 @@
+## Default values for Cloudflared
+
+## @section Image parameters
+
+## @param image.repository The Docker repository to pull the image from.
+## @param image.tag The image tag to use.
+## @param image.imagePullPolicy The logic of image pulling.
+##
+image:
+  repository: cloudflare/cloudflared
+  tag: "2022.7.1"
+  imagePullPolicy: IfNotPresent
+
+## @section Deployment parameters
+
+## @param replicaCount The number of replicas to deploy.
+##
+replicaCount: 3
+## @param tunnelID The Argo Tunnel ID you created. Check the configuration section for details.
+##
+tunnelID: ""
+## @param auth.accountTag The Argo tunnel account tag.
+## @param auth.tunnelName The Argo tunnel name.
+## @param auth.tunnelSecret The Argo tunnel secret.
+##
+auth:
+  accountTag: ""
+  tunnelName: ""
+  tunnelSecret: ""
+## @param existingSecret The name of an existing secret containing the Argo tunnel settings.
+##
+existingSecret: ""
+## @param warpRouting Whether to enable WARP traffic routing to local subnets.
+##
+warpRouting: false
+## @param ingress The ingress settings to apply. Check the configuration section for examples.
+##
+ingress: []

charts/kubernetes-cloudflare-ddns/Chart.yaml

@@ -4,7 +4,7 @@ maintainers:
     url: https://kubito.dev
 apiVersion: v2
 appVersion: 1.0.1
-version: 1.0.4
+version: 1.0.5
 description: Kubito Kubernetes Cloudflare DDNS Helm Chart
 home: https://github.com/kubitodev/helm/tree/main/charts/kubernetes-cloudflare-ddns
 icon: https://kubito.dev/images/kubito.svg

charts/kubernetes-cloudflare-ddns/templates/secret.yaml

@@ -6,8 +6,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  AUTH_KEY: {{ required "The AUTH_KEY value is missing." .Values.secret.authKey }}
-  NAME: {{ required "The NAME value is missing." .Values.secret.dnsRecord }}
-  RECORD_ID: {{ required "The RECORD_ID value is missing." .Values.secret.recordId }}
-  ZONE_ID: {{ required "The ZONE_ID value is missing." .Values.secret.zoneId }}
+  AUTH_KEY: {{ required "The AUTH_KEY value is missing." .Values.secret.authKey | b64enc }}
+  NAME: {{ required "The NAME value is missing." .Values.secret.dnsRecord | b64enc }}
+  RECORD_ID: {{ required "The RECORD_ID value is missing." .Values.secret.recordId | b64enc }}
+  ZONE_ID: {{ required "The ZONE_ID value is missing." .Values.secret.zoneId | b64enc }}
 {{- end }}

charts/traefik-cloudflared-source-ip/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/traefik-cloudflared-source-ip/Chart.yaml

@@ -0,0 +1,33 @@
+name: traefik-cloudflared-source-ip
+maintainers:
+  - name: kubitodev
+    url: https://kubito.dev
+apiVersion: v2
+appVersion: 2.8.0
+version: 1.0.0
+description: Kubito Traefik Cloudflared (Argo Tunnel) Real IP Helm Chart
+home: https://github.com/kubitodev/helm/tree/main/charts/traefik-cloudflared-source-ip
+icon: https://kubito.dev/images/kubito.svg
+keywords:
+  - kubernetes
+  - cloudflare
+  - cloudflared
+  - middleware
+  - real-ip
+  - source-ip
+  - argo-tunnel
+  - argo
+  - traefik
+sources:
+  - https://github.com/kubitodev/traefik-cloudflared-source-ip
+
+dependencies:
+  - condition: global.cloudflaredEnabled
+    name: cloudflared
+    repository: https://charts.kubito.dev
+    # https://github.com/Masterminds/semver#checking-version-constraints
+    version: 1.x.x
+  - condition: global.traefikEnabled
+    name: traefik
+    repository: https://helm.traefik.io/traefik
+    version: 10.24.0