Cloudflare Setup

Cloudflare provides public access via Tunnel and DNS automation.

Docs: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/

Prerequisites

  • Doppler project with shared config (Step 2.1)

1. Create Account & Add Domain

New to Cloudflare?

Create Account

  1. Go to cloudflare.com/sign-up
  2. Enter email and password
  3. Verify email

Need to register or add a domain?

Option A: Register New Domain

  1. Domain Registration → Search and register
  2. Complete purchase

Tip: Cloudflare Registrar offers domains at cost — .com ~$9.77/year, .dev ~$12/year

Option B: Add Existing Domain

  1. Add a site
  2. Enter your domain
  3. Select Free plan
  4. Update nameservers at your current registrar to Cloudflare's

2. Create Tunnel (CLI)

A locally-managed tunnel allows GitOps control over routes via config.yaml.

Docs: Create local tunnel

2.1 Install cloudflared

# macOS
brew install cloudflared

# Linux
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o cloudflared.deb
sudo dpkg -i cloudflared.deb

2.2 Login & Create Tunnel

cloudflared tunnel login
# Opens browser → login → select domain → creates ~/.cloudflared/cert.pem

cloudflared tunnel create k8s-tunnel
# Output: Tunnel credentials written to ~/.cloudflared/<UUID>.json

cloudflared tunnel list
# Verify tunnel created, note the UUID

2.3 Encode Credentials for Doppler

# Single-line output on both GNU (Linux) and BSD (macOS) base64
cat ~/.cloudflared/<UUID>.json | base64 | tr -d '\n'

2.4 Cleanup Local Files

After saving to Doppler, delete local credentials:

rm ~/.cloudflared/cert.pem
rm ~/.cloudflared/<UUID>.json

To manage tunnels later, run cloudflared tunnel login again.

Result: Tunnel UUID → save as <CF_TUNNEL_ID>, base64 credentials → add CF_TUNNEL_CREDENTIALS to Doppler
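
A guard for steps 2.3 and 2.4, as an added example that is not part of the original guide: it removes the local credentials file only after the value read back from the secret manager decodes to the same bytes. The function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Pick the decode flag once: GNU base64 uses -d, older BSD/macOS uses -D.
if printf 'YQ==' | base64 -d >/dev/null 2>&1; then B64_DECODE=-d; else B64_DECODE=-D; fi

# Single-line base64 of file $1, portable across GNU and BSD base64.
encode_creds() {
    base64 < "$1" | tr -d '\n'
}

# Exit 0 only if base64 text $2 decodes to exactly the bytes of file $1.
# The decoded secret is streamed to cmp and never written to disk.
verify_roundtrip() {
    printf '%s' "$2" | base64 "$B64_DECODE" 2>/dev/null | cmp -s - "$1"
}

# Remove file $1 only when $2, the value read back from the secret manager,
# round-trips to it. A truncated or altered value keeps the file in place.
cleanup_if_stored() {
    if verify_roundtrip "$1" "$2"; then
        rm -f "$1"
    else
        echo "stored value does not match $1; keeping local file" >&2
        return 1
    fi
}

# Demo on a constructed file (not a real credential) in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s' '{"constructed":"sample, not a real tunnel credential"}' > "$dir/creds.json"
    stored=$(encode_creds "$dir/creds.json")   # stand-in for the read-back value
    rc=0
    # Truncated value: must be rejected and the file kept.
    if cleanup_if_stored "$dir/creds.json" "${stored%????}" 2>/dev/null; then rc=1; fi
    [ -f "$dir/creds.json" ] || rc=1
    # Exact value: accepted and the file removed.
    cleanup_if_stored "$dir/creds.json" "$stored" || rc=1
    [ ! -e "$dir/creds.json" ] || rc=1
    rm -rf "$dir"
    return "$rc"
}
demo && echo "demo ok"
```

In real use the second argument is the value read back from Doppler, for example the output of `doppler secrets get CF_TUNNEL_CREDENTIALS --plain`, rather than the string that was just encoded locally.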


3. Create API Token

For External-DNS (automatic DNS record management):

  1. API Tokens → Create Token
  2. Select template Edit zone DNS → Use template
  3. Configure:
    • Zone Resources: Include → Specific zone → your domain
  4. Click Continue to summary → Create Token
  5. Copy token (shown only once!) → add CF_API_TOKEN to Doppler

Troubleshooting

Tunnel not connecting

kubectl logs -n cloudflare -l app=cloudflared -f
kubectl get secret tunnel-credentials -n cloudflare

Check Zero Trust → Tunnels — status should be HEALTHY.

DNS not updating

kubectl logs -n external-dns -l app.kubernetes.io/name=external-dns

Verify CF_API_TOKEN has Zone:DNS:Edit permission in API Tokens.