StringKe
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 121 additions & 18 deletions b/‎README.md‎
Lines changed: 121 additions & 18 deletions
diff --git a/‎api/cloudflare/v1alpha1/doc.go‎
Lines changed: 30 additions & 0 deletions b/‎api/cloudflare/v1alpha1/doc.go‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎api/cloudflare/v1alpha1/groupversion_info.go‎
Lines changed: 37 additions & 0 deletions b/‎api/cloudflare/v1alpha1/groupversion_info.go‎
Lines changed: 37 additions & 0 deletions
@@ -215,7 +215,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.1
+CONTROLLER_TOOLS_VERSION ?= v0.17.2
 ENVTEST_VERSION ?= release-0.19
 GOLANGCI_LINT_VERSION ?= v2.1.5
 
 
@@ -7,7 +7,7 @@
   <br />
 
   <p align="center">
-    A Kubernetes Operator to create and manage Cloudflare Tunnels and DNS records <br /> for (HTTP/TCP/UDP*) Service Resources
+    A Kubernetes Operator for Cloudflare Zero Trust: Tunnels, Access, Gateway, and Device Management
     <br />
     <br />
     <a href="https://github.com/adyanth/cloudflare-operator/blob/main/docs/getting-started.md"><strong>Getting Started Guide »</strong></a>
@@ -28,33 +28,136 @@
 
 > **_NOTE_**: This project is currently in Alpha
 
-> UDP*: UDP support for Cloudflare Tunnels is in [Early Access](https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/)
+## Overview
 
-## Motivation
+The Cloudflare Operator provides Kubernetes-native management of Cloudflare Zero Trust resources. Built with `operator-sdk`, it enables declarative configuration of tunnels, access policies, gateway rules, and device settings through Custom Resources (CRDs).
 
-The [Cloudflare Tunnels guide](https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel) for deployment on Kubernetes provides a [manifest](https://github.com/cloudflare/argo-tunnel-examples/tree/master/named-tunnel-k8s) which is very bare bones and does not hook into Kubernetes in any meaningful way. The operator started out as a hobby project of mine to deploy applications in my home lab and expose them to the internet via Cloudflare Tunnels without doing a lot of manual work every time a new application is deployed.
+## Features
 
-## Overview
+### Tunnel Management
+- **Tunnel / ClusterTunnel**: Create and manage Cloudflare Tunnels with scaled `cloudflared` deployments
+- **TunnelBinding**: Automatically configure tunnel ingress rules and DNS records for Services
+- **AccessTunnel**: Reference existing tunnels created outside of Kubernetes
+- **WARP Routing**: Enable private network access via WARP client (`enableWarpRouting`)
+
+### Private Network Access (ZTNA)
+- **VirtualNetwork**: Manage Cloudflare virtual networks for traffic isolation
+- **NetworkRoute**: Configure IP routes through tunnels to private networks
+- **PrivateService**: Expose Kubernetes Services to WARP clients via private IPs
 
-The Cloudflare Operator aims to provide a new way of dynamically deploying the [cloudflared](https://github.com/cloudflare/cloudflared) daemon on Kubernetes. Scaffolded and built using `operator-sdk`. Once deployed, this operator provides the following:
+### Access Control
+- **AccessApplication**: Define Zero Trust applications with access policies
+- **AccessGroup**: Create reusable access groups with include/exclude/require rules
+- **AccessIdentityProvider**: Configure identity providers (OIDC, SAML, GitHub, Azure AD, etc.)
+- **AccessServiceToken**: Manage service tokens for machine-to-machine authentication
 
-* Ability to create new and use existing Tunnels for [Cloudflare for Teams](https://developers.cloudflare.com/cloudflare-one/) using Custom Resources (CR/CRD) which will:
-  * Accept a Secret for Cloudflare API Tokens and Keys
-  * Run a scaled (configurable) Deployment of `cloudflared`
-  * Manage a ConfigMap for the above Deployment
-  * Have Cluster and Namespace scoped Tunnels
-* A TunnelBinding controller which does the following:
-  * Update the `cloudflared` ConfigMap to include the new Services to be served under a given Tunnel
-  * Restart the `cloudflared` Deployment to make the configuration change take effect
-  * Add a DNS entry in Cloudflare for the specified domain to be a [proxied CNAME to the referenced tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
-  * Reverse the above when the TunnelBinding is deleted using Finalizers
+### Gateway & Security
+- **GatewayRule**: Configure Cloudflare Gateway DNS, HTTP, and network policies
+- **GatewayList**: Manage lists (URLs, hostnames, IPs) for use in gateway rules
+- **GatewayConfiguration**: Global gateway settings and configurations
 
-## Bird's eye view
+### Device Management
+- **DeviceSettingsPolicy**: Configure WARP client settings, split tunnels, and fallback domains
+- **DevicePostureRule**: Define device posture checks for Zero Trust access
+
+### DNS & Connectivity
+- **DNSRecord**: Manage Cloudflare DNS records
+- **WARPConnector**: Deploy WARP connectors for site-to-site connectivity
+
+## Architecture
 
 Here is how the operator and the Tunnel Resource fit into your deployment.
 
 ![Operator Architecture](./docs/images/OperatorArchitecture.png#center)
 
-There is more detailed information on this architecture and the thought process behind it in my [blog post](https://adyanth.site/posts/migration-compose-k8s/cloudflare-tunnel-operator-architecture/).
+## Quick Start
+
+### Prerequisites
+- Kubernetes cluster (v1.28+)
+- Cloudflare account with Zero Trust enabled
+- Cloudflare API Token with appropriate permissions
+
+### Installation
+
+```bash
+# Install CRDs
+kubectl apply -f https://github.com/adyanth/cloudflare-operator/releases/latest/download/cloudflare-operator.crds.yaml
+
+# Install operator
+kubectl apply -f https://github.com/adyanth/cloudflare-operator/releases/latest/download/cloudflare-operator.yaml
+```
+
+### Create a Tunnel
+
+```yaml
+apiVersion: networking.cfargotunnel.com/v1alpha2
+kind: Tunnel
+metadata:
+  name: my-tunnel
+  namespace: default
+spec:
+  cloudflare:
+    accountId: <your-account-id>
+    domain: example.com
+    secret: cloudflare-api-secret
+  enableWarpRouting: true  # Enable private network access
+```
+
+### Expose a Service
+
+```yaml
+apiVersion: networking.cfargotunnel.com/v1alpha2
+kind: TunnelBinding
+metadata:
+  name: my-service-binding
+  namespace: default
+spec:
+  tunnelRef:
+    name: my-tunnel
+  subjects:
+    - name: my-service
+      spec:
+        fqdn: app.example.com
+        protocol: http
+        target: my-service:8080
+```
+
+## CRD Reference
+
+| CRD | Scope | Description |
+|-----|-------|-------------|
+| `Tunnel` | Namespaced | Cloudflare Tunnel with managed cloudflared deployment |
+| `ClusterTunnel` | Cluster | Cluster-wide Cloudflare Tunnel |
+| `TunnelBinding` | Namespaced | Bind Services to Tunnels with DNS records |
+| `AccessTunnel` | Namespaced | Reference to external tunnel |
+| `VirtualNetwork` | Cluster | Cloudflare virtual network |
+| `NetworkRoute` | Cluster | IP route through tunnel |
+| `PrivateService` | Namespaced | Expose Service via WARP private IP |
+| `AccessApplication` | Namespaced | Zero Trust application |
+| `AccessGroup` | Namespaced | Access policy group |
+| `AccessIdentityProvider` | Namespaced | Identity provider configuration |
+| `AccessServiceToken` | Namespaced | Service token for M2M auth |
+| `GatewayRule` | Namespaced | Gateway policy rule |
+| `GatewayList` | Namespaced | List for gateway policies |
+| `GatewayConfiguration` | Cluster | Global gateway settings |
+| `DeviceSettingsPolicy` | Cluster | WARP client settings |
+| `DevicePostureRule` | Namespaced | Device posture check |
+| `DNSRecord` | Namespaced | DNS record management |
+| `WARPConnector` | Namespaced | WARP connector deployment |
+
+## Documentation
+
+- [Getting Started Guide](docs/getting-started.md)
+- [API Reference (v1alpha2)](docs/v1alpha2.md)
+- [Migration from v1alpha1](docs/migration/v1alpha2.md)
+- [Examples](docs/examples/)
+
+## Contributing
+
+Contributions are welcome! Please read our [Contributing Guide](CONTRIBUTING.md) for details.
+
+## License
+
+This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.
 
 > **_NOTE_**: This is **NOT** an official operator provided/backed by Cloudflare Inc. It utilizes their [v4 API](https://api.cloudflare.com/) and their [`cloudflared`](https://github.com/cloudflare/cloudflared) to automate setting up of tunnels on Kubernetes.
@@ -0,0 +1,30 @@
+/*
+Copyright 2025 Adyanth H.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains shared API types for Cloudflare Zero Trust resources.
+// These types are used across multiple CRDs to provide consistent interfaces
+// for Cloudflare credentials, resource references, and status reporting.
+//
+// Key types include:
+//   - CloudflareRef: Unified reference to Cloudflare credentials and account
+//   - CloudflareCredentials: API authentication configuration
+//   - CommonStatus: Standard status fields with conditions
+//   - TunnelReference: Reference to Tunnel/ClusterTunnel resources
+//   - VirtualNetworkReference: Reference to VirtualNetwork resources
+//
+// +kubebuilder:object:generate=true
+// +groupName=cloudflare.com
+package v1alpha1
@@ -0,0 +1,37 @@
+/*
+Copyright 2025 Adyanth H.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the cloudflare.com v1alpha1 API group.
+// This package provides shared types for Cloudflare Zero Trust resources.
+// +kubebuilder:object:generate=true
+// +groupName=cloudflare.com
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "cloudflare.com", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)