Cloudflare Tunnel

Enterprise-grade tunnels with Cloudflare's global edge network, DNS management, and Access integration.

Prerequisites

  • Cloudflare account (free tier works)
  • Domain added to Cloudflare (for custom domains)
  • API token with Zone and Tunnel permissions

Create API Token

  1. Go to Cloudflare API Tokens
  2. Click "Create Token"
  3. Use the "Edit Cloudflare Tunnel" template, or create a custom token with:
    • Account.Cloudflare Tunnel: Edit
    • Zone.DNS: Edit (for custom domains)
  4. Copy the token

Setup

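1. Create Secret

Store the API token in a Secret in the ktube-system namespace. The --from-literal form below places the token on the command line, where it is saved in shell history; kubectl also accepts --from-file=token=<path> to read it from a file.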

kubectl create secret generic cloudflare-api-token \
  --from-literal=token=YOUR_API_TOKEN \
  -n ktube-system

2. Create TunnelProvider

kubectl apply -f - <<EOF
apiVersion: ktube.dev/v1alpha1
kind: TunnelProvider
metadata:
  name: cloudflare-prod
spec:
  type: cloudflare
  cloudflare:
    accountId: YOUR_ACCOUNT_ID      # From CF dashboard URL
    apiTokenSecretRef:
      name: cloudflare-api-token
      namespace: ktube-system
      key: token
EOF

3. Create Tunnel

kubectl apply -f - <<EOF
apiVersion: ktube.dev/v1alpha1
kind: Tunnel
metadata:
  name: cf-tunnel
  namespace: default
spec:
  providerRef:
    name: cloudflare-prod
  deployment:
    replicas: 2    # HA with 2 connectors
EOF

Custom Domains

Expose services with your own domain. ktube automatically creates DNS records and configures the tunnel.

apiVersion: ktube.dev/v1alpha1
kind: TunnelBinding
metadata:
  name: api-binding
spec:
  tunnelRef:
    name: cf-tunnel
  hostname: api.yourdomain.com
  protocol: https
  service:
    name: api-server
    port: 8080

Quick Tunnel Mode

For development, use Quick Tunnel to get an auto-generated trycloudflare.com URL without DNS configuration.

apiVersion: ktube.dev/v1alpha1
kind: TunnelBinding
metadata:
  name: dev-binding
spec:
  tunnelRef:
    name: cf-tunnel
  quickTunnel: true
  service:
    name: my-service
    port: 8080

Advanced Options

The Cloudflare provider supports additional binding options:

Option                  Description                               Default
noTLSVerify             Skip TLS verification for backend         false
disableChunkedEncoding  Disable chunked encoding for large files  true
connectTimeout          Backend connection timeout                30s
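
The check below is an added example, not part of ktube or of the original page: it scans TunnelBinding objects exported as JSON (for instance with kubectl get and -o json) for the two settings described above that loosen a deployment, noTLSVerify and quickTunnel. The sample objects, the spec.options placement and the dev_namespaces parameter are assumptions made for the illustration.

```python
import json

# Constructed sample in the shape of `kubectl get ... -o json` output. Placing noTLSVerify
# under spec.options is an assumption; the walk below finds the key wherever it sits.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "TunnelBinding", "metadata": {"name": "api-binding", "namespace": "prod"},
   "spec": {"tunnelRef": {"name": "cf-tunnel"}, "hostname": "api.yourdomain.com", "protocol": "https",
            "options": {"noTLSVerify": true}, "service": {"name": "api-server", "port": 8080}}},
  {"kind": "TunnelBinding", "metadata": {"name": "dev-binding", "namespace": "prod"},
   "spec": {"tunnelRef": {"name": "cf-tunnel"}, "quickTunnel": true, "service": {"name": "my-service", "port": 8080}}},
  {"kind": "TunnelBinding", "metadata": {"name": "scratch", "namespace": "dev"},
   "spec": {"tunnelRef": {"name": "cf-tunnel"}, "quickTunnel": true, "service": {"name": "my-service", "port": 8080}}}
]}
""")

def find_key(node, key):
    """Yield every value stored under `key` at any depth of a parsed object."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def audit_bindings(doc, dev_namespaces=("dev",)):
    """Return (namespace/name, finding) pairs for risky TunnelBinding settings."""
    findings = []
    items = doc.get("items", [doc])  # accept a List or a single object
    for obj in items:
        if obj.get("kind") != "TunnelBinding":
            continue
        meta = obj.get("metadata", {})
        ns = meta.get("namespace", "default")
        ref = f"{ns}/{meta.get('name', '?')}"
        spec = obj.get("spec", {})
        if any(v is True for v in find_key(spec, "noTLSVerify")):
            findings.append((ref, "noTLSVerify: backend certificate is not checked"))
        if spec.get("quickTunnel") is True and ns not in dev_namespaces:
            findings.append((ref, "quickTunnel: development mode outside dev namespaces"))
    return findings

if __name__ == "__main__":
    for ref, finding in audit_bindings(SAMPLE):
        print(f"{ref}: {finding}")
```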

Troubleshooting

Invalid API Token

Ensure your token has the correct permissions and hasn't expired.

DNS Record Not Created

Check that your domain is active on Cloudflare and the token has Zone.DNS:Edit permission.