From 31f521ebc4ad5de9855fb1311d9ba14a20df8122 Mon Sep 17 00:00:00 2001
From: David Landry
Date: Fri, 27 Sep 2024 17:45:05 -0400
Subject: [PATCH] feat(cloudflare-tunnel): add tunnel
---
apps/cloudflare-tunnel/base/deployment.yaml | 39 +++++++++++++++++++
.../cloudflare-tunnel/base/kustomization.yaml | 5 +++
apps/cloudflare-tunnel/base/namespace.yaml | 4 ++
.../overlays/system/config.json | 11 ++++++
.../overlays/system/deployment.patch.yaml | 15 +++++++
.../overlays/system/kustomization.yaml | 11 ++++++
.../overlays/system/secret-generator.yaml | 10 +++++
.../overlays/system/secret.enc.yaml | 27 +++++++++++++
8 files changed, 122 insertions(+)
create mode 100644 apps/cloudflare-tunnel/base/deployment.yaml
create mode 100644 apps/cloudflare-tunnel/base/kustomization.yaml
create mode 100644 apps/cloudflare-tunnel/base/namespace.yaml
create mode 100644 apps/cloudflare-tunnel/overlays/system/config.json
create mode 100644 apps/cloudflare-tunnel/overlays/system/deployment.patch.yaml
create mode 100644 apps/cloudflare-tunnel/overlays/system/kustomization.yaml
create mode 100644 apps/cloudflare-tunnel/overlays/system/secret-generator.yaml
create mode 100644 apps/cloudflare-tunnel/overlays/system/secret.enc.yaml
diff --git a/apps/cloudflare-tunnel/base/deployment.yaml b/apps/cloudflare-tunnel/base/deployment.yaml
new file mode 100644
index 0000000..9a31c50
--- /dev/null
+++ b/apps/cloudflare-tunnel/base/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: cloudflared
+ name: cloudflared-deployment
+ namespace: default
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ pod: cloudflared
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ pod: cloudflared
+ spec:
+ containers:
+ - command:
+ - cloudflared
+ - tunnel
+ - --no-autoupdate
+ # In a k8s environment, the metrics server needs to listen outside the pod it runs on.
+ # The address 0.0.0.0:2000 allows any pod in the namespace.
+ - --metrics
+ - 0.0.0.0:2000
+ - run
+ image: cloudflare/cloudflared:latest
+ name: cloudflared
+ livenessProbe:
+ httpGet:
+ # Cloudflared has a /ready endpoint which returns 200 if and only if
+ # it has an active connection to the edge.
+ path: /ready
+ port: 2000
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
diff --git a/apps/cloudflare-tunnel/base/kustomization.yaml b/apps/cloudflare-tunnel/base/kustomization.yaml
new file mode 100644
index 0000000..ad6b3f5
--- /dev/null
+++ b/apps/cloudflare-tunnel/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - deployment.yaml
diff --git a/apps/cloudflare-tunnel/base/namespace.yaml b/apps/cloudflare-tunnel/base/namespace.yaml
new file mode 100644
index 0000000..4bd7dc1
--- /dev/null
+++ b/apps/cloudflare-tunnel/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: network-system
diff --git a/apps/cloudflare-tunnel/overlays/system/config.json b/apps/cloudflare-tunnel/overlays/system/config.json
new file mode 100644
index 0000000..7503bc2
--- /dev/null
+++ b/apps/cloudflare-tunnel/overlays/system/config.json
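Review bot: `image: cloudflare/cloudflared:latest` in base/deployment.yaml is a mutable tag, so any pod restart can pull a different build into the container that the overlay in this commit gives `TUNNEL_TOKEN`, and with `replicas: 2` the two pods can end up on different versions. Since `--no-autoupdate` already leaves upgrades to the manifest, pin the image to a release tag and digest, e.g. `image: cloudflare/cloudflared:<release-tag>@sha256:<digest>` (placeholders), and bump it through Git. The comment above `--metrics` also understates the exposure: `0.0.0.0:2000` is reachable from any pod that can route to the pod IP, not only pods in the same namespace, unless a NetworkPolicy restricts it, and this commit adds none. I would reword it to `# Binds on all pod interfaces so the kubelet can probe /ready; restrict port 2000 with a NetworkPolicy.`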
@@ -0,0 +1,11 @@
+{
+ "appName": "cloudflare-tunnel",
+ "userGivenName": "cloudflare-tunnel",
+ "destNamespace": "network-system",
+ "destServer": "https://kubernetes.default.svc",
+ "srcPath": "apps/cloudflare-tunnel/overlays/system",
+ "srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
+ "srcTargetRevision": "",
+ "labels": null,
+ "annotations": null
+}
diff --git a/apps/cloudflare-tunnel/overlays/system/deployment.patch.yaml b/apps/cloudflare-tunnel/overlays/system/deployment.patch.yaml
new file mode 100644
index 0000000..38a15f2
--- /dev/null
+++ b/apps/cloudflare-tunnel/overlays/system/deployment.patch.yaml
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloudflared-deployment
+spec:
+ template:
+ spec:
+ containers:
+ - name: cloudflared
+ env:
+ - name: TUNNEL_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: cloudflared-config
+ key: token
diff --git a/apps/cloudflare-tunnel/overlays/system/kustomization.yaml b/apps/cloudflare-tunnel/overlays/system/kustomization.yaml
new file mode 100644
index 0000000..50e9778
--- /dev/null
+++ b/apps/cloudflare-tunnel/overlays/system/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../base
+
+generators:
+ - ./secret-generator.yaml
+
+patches:
+ - path: deployment.patch.yaml
diff --git a/apps/cloudflare-tunnel/overlays/system/secret-generator.yaml b/apps/cloudflare-tunnel/overlays/system/secret-generator.yaml
new file mode 100644
index 0000000..7e5244f
--- /dev/null
+++ b/apps/cloudflare-tunnel/overlays/system/secret-generator.yaml
@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: cloudflared-ksops-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+ - ./secret.enc.yaml
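Review bot: overlays/system/kustomization.yaml sets no `namespace:`, so the base Deployment keeps its explicit `namespace: default`. The ksops-generated Secret `cloudflared-config` carries no namespace and would presumably land in the Argo CD destination `network-system` named in config.json. A `secretKeyRef` resolves only within the pod's own namespace, so the pods would likely fail to start without `TUNNEL_TOKEN`, and the tunnel would run in `default` rather than the dedicated namespace this commit creates. Adding `namespace: network-system` to this kustomization makes kustomize set the namespace on both the Deployment and the Secret. Dropping `namespace: default` from base/deployment.yaml would also remove the ambiguity.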
diff --git a/apps/cloudflare-tunnel/overlays/system/secret.enc.yaml b/apps/cloudflare-tunnel/overlays/system/secret.enc.yaml
new file mode 100644
index 0000000..5b6857c
--- /dev/null
+++ b/apps/cloudflare-tunnel/overlays/system/secret.enc.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflared-config
+type: Opaque
+data:
+ token: ENC[AES256_GCM,data:tkJD0z6idw6QZZL8IKu/PWo6RXABPy8BcgtP3ai43QnbXjW+uZa3nimTLSwWFcFIcVpRQAKYjvCOFI18ntf+gePk3rwLaUn7IXw2DerTwUYh6k8Erau1Tpp1J8K2X3l6JDtRVlpUwKaSyvIOuhlxsPNra+np3433flYHEuXCC2tB27IXcB/k36KHAramo3XptHhKe+3DoywUfQTYqco9oBrGWWCJVlcGm+KhOMAieekqdW9Ftj3EguMcQGkcLzqoiK1Z3v+fkI1/IL0gWR8Vew6hUzlD1IFcj0VD0vpGSM9s/VzMVn3vp7D1e3L3urFkmyM9nJHUW/8=,iv:In08NkxVSuyAzPdl7dayM/QXZPnc1OrShGrwar/iLsE=,tag:qEk5ZRioUvXwGcOClhdkHQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNGxaU3FHY1dMTnNXZDh2
+ S2M2QjhPcERqTXI0ajRLRDQ1MXdZNHdUbkhZCnM5Ly9VYk5ySlZmUVUwb3A3UzBI
+ QzU4RHFiQVFzaGlqbHFZOXQxVisrMVkKLS0tIEJEYVllQVNKc0ppTTZ6SUU1dXRI
+ a1ZkNHJLQjBlNmhaOTBMVXJEK1UxY1kKy4ioaiasJz3obb/+oR666lDqCWI4OcZu
+ aUAeQPGqR9U/UWLHqdKcJvsAxVItQyrl9a3vANdg6FZP8IQqDd4y/w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-27T21:03:45Z"
+ mac: ENC[AES256_GCM,data:kaQhH6AgeAhMuIqG8M4SoJCVUJhv9jkcXssoRASOM5sSixvRuzyLzaBHjY0jGHpmNPDDYmhe8YCrmnKBR6XSHbe5W0bkAK3fV+QPcWlHP5RHmtLMq68KM02ljxeKe+Z3Rdy5urydVCU8NYLnFET9rIcFFJMI5DM9pX5flNX3ZeQ=,iv:Ks8A9awmvnL7LmKrKc7tl3qsfc6oH4UAUeokMMfdjqc=,tag:xgN5BNdHkEllnR0TEjf0YQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1