Utilize Cloudflare Argo Tunnel to expose Kubernetes services like a pro with a little assistance from our experts.
As a part of our Server Management Service, we at Skynats provide answers to all kinds of questions, no matter how big or small.
Let’s look at how our support team is prepared to assist clients who are experiencing issues with the http/2 smuggling vulnerability in Cloudflare.
How to Use Cloudflare Argo Tunnel to Expose Kubernetes Services
Before we begin, here is an overview of the architecture:
The procedure starts with creating a Cloudflare Argo tunnel. When we're done, the .cloudflared directory will contain the following files:
- cert.pem
- tunnel-ID.json
It is now time to configure the on-premise Kubernetes cluster. This also entails copying the JSON file's contents into the credential-file configmap. Note that this file contains the tunnel secret, so a Kubernetes Secret is the more appropriate object type than a ConfigMap for it.
To ensure that the tunnel responds to all requests, we must modify the config file that the Ingress-Controller depends on. In this situation, our support team advises using a catch-all rule to route all traffic to all the CNAME records we will be setting up later. In addition, if we need a specific service mapping, we can add a hostname/service rule in front of the catch-all.
apiVersion: v1
data:
  default.yaml: |-
    tunnel: # TUNNEL ID
    credentials-file: /etc/cloudflared/cred.json
    ingress:
      # - hostname: # ADD a specific hostname if needed
      #   service: #
      # catch-all rule: everything else goes to the ingress controller
      - service: http://traefik.traefik
kind: ConfigMap
metadata:
  name: config-file
  namespace: cloudflared
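The ingress rules above are evaluated top to bottom and the last one must be a catch-all. As an added example, not code from the original post or from cloudflared itself, the following Python checks a rule list for those properties and reports which public hostnames would only reach the catch-all rather than an explicit mapping. The rule set, the hostnames and the `http_status:404` reject service are constructed assumptions that go beyond the single catch-all shown above, so the catch-all can be audited instead of silently forwarding every hostname pointed at the tunnel.

```python
"""Validate a cloudflared ingress rule list and resolve hostnames against it.

Mirrors the ordering rule cloudflared enforces: rules match top to bottom by
hostname, and the final rule must be a catch-all without a hostname.
The '*' wildcard is treated as a simple glob, an approximation of cloudflared's
own matcher. All sample data below is constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed rule list; in practice this is yaml.safe_load(config)["ingress"].
INGRESS_RULES = [
    {"hostname": "grafana.example.com", "service": "http://grafana.monitoring:3000"},
    {"hostname": "*.example.com", "service": "http://traefik.traefik"},
    {"service": "http_status:404"},  # catch-all: reject anything not mapped
]


def validate_ingress(rules):
    """Return a list of problems; an empty list means the rule set is valid."""
    problems = []
    if not rules:
        return ["ingress section is empty"]
    for i, rule in enumerate(rules):
        if "service" not in rule:
            problems.append(f"rule {i} has no service")
        if "hostname" not in rule and i != len(rules) - 1:
            problems.append(f"rule {i} is a catch-all but is not last; later rules are unreachable")
    if "hostname" in rules[-1]:
        problems.append("last rule must be a catch-all without a hostname")
    return problems


def resolve(rules, host):
    """Return the service the tunnel forwards `host` to (first match wins)."""
    for rule in rules:
        pattern = rule.get("hostname")
        if pattern is None or fnmatchcase(host, pattern):
            return rule["service"]
    return None


def audit_exposure(rules, public_hosts):
    """Map each CNAME'd hostname to its backend and say whether an explicit
    hostname rule matched it or only the catch-all did."""
    report = {}
    for host in public_hosts:
        explicit = any(fnmatchcase(host, r["hostname"]) for r in rules if "hostname" in r)
        report[host] = (resolve(rules, host), "explicit" if explicit else "catch-all")
    return report
```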
Additionally, the cloudflared Deployment exposes its Prometheus metrics on port 9090, so the pod template carries the scrape annotations (fragment of the Deployment's pod template):

# ... template section of the cloudflared Deployment ...
metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "9090"
    prometheus.io/scrape: "true"
  labels:
    app: cloudflared
spec:
  containers:
    - args:
        - tunnel
        - --config
        - /etc/cloudflared/default.yaml
        - --metrics
        - 0.0.0.0:9090
CNAME creation for the Argo Tunnel
To route traffic, the Argo Tunnel needs a CNAME record pointing at the tunnel ID. Once external-dns is configured in the cluster, we can have it publish that record with the following manifest:
kind: Service
apiVersion: v1
metadata:
  name: cname-test
  annotations:
    external-dns.alpha.kubernetes.io/hostname: <CLOUDFLARE-PUBLIC-DOMAIN> # replace with the public hostname
    external-dns.alpha.kubernetes.io/ttl: "120" # optional
spec:
  type: ExternalName
  externalName: <TUNNEL-ID>.cfargotunnel.com # replace with the tunnel ID
Putting it all together
After everything has been set up, the web application can be exposed as follows:
- The application should first be deployed to the Kubernetes cluster.
- Next, make sure a Service for it exists in the cluster. A ClusterIP service is sufficient here.
- Then, to expose it behind the IngressController, we must create an Ingress. We must verify that the IngressRoute host (FQDN / public domain) matches the public record hosted by Cloudflare.
- Finally, create a separate ExternalName service (as in the cname-test manifest above) so that external-dns publishes the public CNAME record for the tunnel.
The service will now be reachable from outside the cluster through the tunnel.
Are you looking for an answer to another query? Contact our technical support team.