feat(cloudflare-tunnel): add tunnel

apps/cloudflare-tunnel/base/deployment.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cloudflared
+  name: cloudflared-deployment
+  namespace: default
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      pod: cloudflared
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        pod: cloudflared
+    spec:
+      containers:
+        - command:
+            - cloudflared
+            - tunnel
+            - --no-autoupdate
+            # In a k8s environment, the metrics server needs to listen outside the pod it runs on.
+            # The address 0.0.0.0:2000 allows any pod in the namespace.
+            - --metrics
+            - 0.0.0.0:2000
+            - run
+          image: cloudflare/cloudflared:latest
+          name: cloudflared
+          livenessProbe:
+            httpGet:
+              # Cloudflared has a /ready endpoint which returns 200 if and only if
+              # it has an active connection to the edge.
+              path: /ready
+              port: 2000
+            failureThreshold: 1
+            initialDelaySeconds: 10
+            periodSeconds: 10

apps/cloudflare-tunnel/base/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - deployment.yaml

apps/cloudflare-tunnel/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: network-system

apps/cloudflare-tunnel/overlays/system/config.json

@@ -0,0 +1,11 @@
+{
+  "appName": "cloudflare-tunnel",
+  "userGivenName": "cloudflare-tunnel",
+  "destNamespace": "network-system",
+  "destServer": "https://kubernetes.default.svc",
+  "srcPath": "apps/cloudflare-tunnel/overlays/system",
+  "srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
+  "srcTargetRevision": "",
+  "labels": null,
+  "annotations": null
+}

apps/cloudflare-tunnel/overlays/system/deployment.patch.yaml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloudflared-deployment
+spec:
+  template:
+    spec:
+      containers:
+        - name: cloudflared
+          env:
+            - name: TUNNEL_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflared-config
+                  key: token

apps/cloudflare-tunnel/overlays/system/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../base
+
+generators:
+  - ./secret-generator.yaml
+
+patches:
+  - path: deployment.patch.yaml

apps/cloudflare-tunnel/overlays/system/secret-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: cloudflared-ksops-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./secret.enc.yaml

apps/cloudflare-tunnel/overlays/system/secret.enc.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflared-config
+type: Opaque
+data:
+    token: ENC[AES256_GCM,data:tkJD0z6idw6QZZL8IKu/PWo6RXABPy8BcgtP3ai43QnbXjW+uZa3nimTLSwWFcFIcVpRQAKYjvCOFI18ntf+gePk3rwLaUn7IXw2DerTwUYh6k8Erau1Tpp1J8K2X3l6JDtRVlpUwKaSyvIOuhlxsPNra+np3433flYHEuXCC2tB27IXcB/k36KHAramo3XptHhKe+3DoywUfQTYqco9oBrGWWCJVlcGm+KhOMAieekqdW9Ftj3EguMcQGkcLzqoiK1Z3v+fkI1/IL0gWR8Vew6hUzlD1IFcj0VD0vpGSM9s/VzMVn3vp7D1e3L3urFkmyM9nJHUW/8=,iv:In08NkxVSuyAzPdl7dayM/QXZPnc1OrShGrwar/iLsE=,tag:qEk5ZRioUvXwGcOClhdkHQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNGxaU3FHY1dMTnNXZDh2
+            S2M2QjhPcERqTXI0ajRLRDQ1MXdZNHdUbkhZCnM5Ly9VYk5ySlZmUVUwb3A3UzBI
+            QzU4RHFiQVFzaGlqbHFZOXQxVisrMVkKLS0tIEJEYVllQVNKc0ppTTZ6SUU1dXRI
+            a1ZkNHJLQjBlNmhaOTBMVXJEK1UxY1kKy4ioaiasJz3obb/+oR666lDqCWI4OcZu
+            aUAeQPGqR9U/UWLHqdKcJvsAxVItQyrl9a3vANdg6FZP8IQqDd4y/w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-27T21:03:45Z"
+    mac: ENC[AES256_GCM,data:kaQhH6AgeAhMuIqG8M4SoJCVUJhv9jkcXssoRASOM5sSixvRuzyLzaBHjY0jGHpmNPDDYmhe8YCrmnKBR6XSHbe5W0bkAK3fV+QPcWlHP5RHmtLMq68KM02ljxeKe+Z3Rdy5urydVCU8NYLnFET9rIcFFJMI5DM9pX5flNX3ZeQ=,iv:Ks8A9awmvnL7LmKrKc7tl3qsfc6oH4UAUeokMMfdjqc=,tag:xgN5BNdHkEllnR0TEjf0YQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1