Using Cloudflare Argo Tunnel to expose Kubernetes services

Utilize Cloudflare Argo Tunnel to expose Kubernetes services like a pro with a little assistance from our experts.

As a part of our Server Management Service, we at Skynats provide answers to all kinds of questions, no matter how big or small.

Let’s look at how our support team is prepared to assist clients who are experiencing issues with the http/2 smuggling vulnerability in Cloudflare.

How to Use Cloudflare Argo Tunnel to Expose Kubernetes Services

Before we begin, here is an overview of the architecture:

The procedure entails creating a Cloudflare Argo tunnel. When we’re done, the .cloudflared directory will contain the following files:

  • cert.pem
  • tunnel-ID.json

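It is now time to configure the on-premise Kubernetes cluster. This also entails copying the JSON file’s contents to the credential-file configmap. That JSON file holds the tunnel's secret, so access to this object should be restricted accordingly.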

To ensure that it responds to all requests, we must modify the config file that the Ingress-Controller depends on. In this situation, our support team advises using a catch-all rule to route all traffic for all the CNAME records we will be setting up later. In addition, if we need to set up a specific service mapping, we can add a hostname/service pair.

apiVersion: v1
data:
  default.yaml: |-
    tunnel: # ADD the tunnel ID
    credentials-file: /etc/cloudflared/cred.json
    ingress:
    # - hostname: # ADD specific hostname if needed
    #   service: #
    # use catch-all service
    - service: http://traefik.traefik
kind: ConfigMap
metadata:
  name: config-file
  namespace: cloudflared

Additionally, the Prometheus metrics endpoint is exposed on port 9090.

# excerpt from the cloudflared pod template
metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "9090"
    prometheus.io/scrape: "true"
  labels:
    app: cloudflared
spec:
  containers:
  - args:
    - tunnel
    - --config
    - /etc/cloudflared/default.yaml
    - --metrics
    - 0.0.0.0:9090

CNAME creation for the Argo Tunnel

To route traffic, the Argo Tunnel needs a CNAME record to the tunnel ID. We can set up this k8s resource with the following manifest after configuring the external DNS in Kubernetes:

kind: Service
apiVersion: v1
metadata:
  name: cname-test
  annotations:
    external-dns.alpha.kubernetes.io/hostname: # CLOUDFLARE PUBLIC DOMAIN
    external-dns.alpha.kubernetes.io/ttl: "120" # optional
spec:
  type: ExternalName
  externalName: #TUNNEL ID.cfargotunnel.com

Putting it all together

After everything has been set up, the web application can be exposed as follows:

  1. The application should first be deployed to the Kubernetes cluster.
  2. Next, make sure a service is present in the cluster. In this case, ClusterIP will also function.
  3. Then, to expose it behind the IngressController, we must create an Ingress. We must verify that the public record hosted by Cloudflare matches the IngressRoute/FQDN/public domain.
  4. Finally, to create a public CNAME record for the service, create a separate ExternalName service like the one shown above.

The service will now be available from outside the on-premise network.
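The verification in step 3, together with the catch-all rule configured earlier, can be checked mechanically before anything is applied. The following Python check is an added example, not code from the original post: it takes already-parsed manifests as dicts and assumes standard Ingress objects rather than Traefik IngressRoute resources; the tunnel ID, the example.com hostnames and the helper names are constructed for illustration.

```python
# Added example: consistency check for the pieces described on this page.
HOST_ANNOTATION = "external-dns.alpha.kubernetes.io/hostname"
TUNNEL_SUFFIX = ".cfargotunnel.com"

def check_exposure(tunnel_id, cf_ingress, k8s_ingresses, services):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    # cloudflared requires the final ingress rule to match everything,
    # i.e. to carry no hostname or path filter.
    if not cf_ingress or {"hostname", "path"} & set(cf_ingress[-1]):
        findings.append("cloudflared: last ingress rule is not a catch-all")
    # Public hostname -> CNAME target that ExternalDNS will publish.
    cnames = {}
    for svc in services:
        spec = svc.get("spec", {})
        host = svc.get("metadata", {}).get("annotations", {}).get(HOST_ANNOTATION)
        if spec.get("type") == "ExternalName" and host:
            cnames[host.lower().rstrip(".")] = spec.get("externalName", "")
    # Hostnames the Ingress controller actually routes.
    routed = {rule["host"].lower()
              for ing in k8s_ingresses
              for rule in ing.get("spec", {}).get("rules", [])
              if rule.get("host")}
    for host in sorted(routed - set(cnames)):
        findings.append(f"{host}: Ingress host has no CNAME Service")
    for host, target in sorted(cnames.items()):
        if target.lower() != (tunnel_id + TUNNEL_SUFFIX).lower():
            findings.append(f"{host}: CNAME target {target!r} is not this tunnel")
        if host not in routed:
            findings.append(f"{host}: published but not routed, lands on the catch-all")
    return findings

# Constructed sample data (hypothetical tunnel ID and domains).
TUNNEL_ID = "00000000-0000-4000-8000-000000000001"
CF_INGRESS = [{"service": "http://traefik.traefik"}]
INGRESSES = [{"spec": {"rules": [{"host": "app.example.com"}]}}]

def cname_service(host, tunnel_id=TUNNEL_ID):
    """Build an ExternalName Service shaped like the cname-test manifest."""
    return {"metadata": {"annotations": {HOST_ANNOTATION: host}},
            "spec": {"type": "ExternalName",
                     "externalName": tunnel_id + TUNNEL_SUFFIX}}

SERVICES = [cname_service("app.example.com"), cname_service("old.example.com")]

if __name__ == "__main__":
    for finding in check_exposure(TUNNEL_ID, CF_INGRESS, INGRESSES, SERVICES):
        print(finding)
```

A hostname that is published through the tunnel but has no Ingress rule is worth flagging because the catch-all hands it to Traefik anyway, where it is answered by whatever default backend is configured.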
