You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+5-10Lines changed: 5 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@
6
6
7
7
A Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) controller that routes cluster traffic through [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) — no public IPs or open firewall ports required.
8
8
9
-
**How it works:** The controller watches GatewayClass, Gateway, and HTTPRoute resources. For each Gateway it creates a Cloudflare Tunnel and deploys a [cloudflared](https://github.com/cloudflare/cloudflared) client. HTTPRoutes are translated into tunnel ingress rules and DNS CNAME records pointing to the tunnel.
9
+
**How it works:** The controller watches GatewayClass, Gateway, and HTTPRoute resources. For each Gateway it creates a Cloudflare Tunnel and deploys a [cloudflared](https://github.com/cloudflare/cloudflared) client. HTTPRoutes are translated into tunnel ingress rules. Hostname DNS, custom domains, and public route publication are owned by the platform routing layer.
10
10
11
11
**Conformance:** This controller passes the official [Gateway API conformance tests](https://gateway-api.sigs.k8s.io/concepts/conformance/) for the **GatewayHTTP** profile against Gateway API **v1.4.1**. Conformance tests run on every push in CI.
3.[Find your Cloudflare account ID](https://developers.cloudflare.com/fundamentals/setup/find-account-and-zone-ids/) and [create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with **Cloudflare Tunnel Edit**and **Zone DNS Edit** permissions.
35
+
3.[Find your Cloudflare account ID](https://developers.cloudflare.com/fundamentals/setup/find-account-and-zone-ids/) and [create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with **Cloudflare Tunnel Edit**permissions. The controller does not require Zone DNS permissions.
-**GatewayClass** validation with Cloudflare API token verification
105
-
-**DNS management** — automatic CNAME record creation and cleanup with metadata tags
105
+
-**Tunnel endpoint management** — tunnel creation and ingress-rule reconciliation without per-hostname DNS writes
106
106
-**Two config modes** — remote (Cloudflare dashboard) or local (ConfigMap-based)
107
107
-**API proxy support** — route API calls through a custom base URL
108
108
@@ -123,14 +123,9 @@ The controller reads configuration from the Secret referenced by the GatewayClas
123
123
124
124
**Local**: Ingress rules are written to a ConfigMap on the cluster. cloudflared reads from a mounted config file. The controller triggers a rolling restart when the config changes. Faster updates with no polling delay — useful for automated or high-frequency deployments.
125
125
126
-
### DNS Record Metadata
126
+
### DNS and Public Routing Ownership
127
127
128
-
DNS records created by the controller include metadata for identification and filtering:
-**Comment**: Human-readable description with Kubernetes context
132
-
133
-
Stale DNS records are automatically cleaned up using tag-based filtering when hostnames are removed from routes.
128
+
The controller does not create or clean up per-hostname DNS records. It owns the cluster-local tunnel endpoint and Cloudflare Tunnel ingress configuration only. Public hostnames, custom-domain validation, dispatcher KV entries, and stale-route tombstones are reconciled by the platform routing service.
0 commit comments