Bobcares

For every $500 you spend, we will provide you with a $500 credit on your account*

BLACK FRIDAY SPECIAL

*The maximum is $4000 in credits, Offer valid till November 30th, 2024, New Customers Only, Credit will be applied after purchase and expires after six (6) months

For every $500 you spend, we will provide you with a $500 credit on your account*

BLACK FRIDAY SPECIAL

*The maximum is $4000 in credits, Offer valid till November 30th, 2024, New Customers Only, Credit will be applied after purchase and expires after six (6) months

Expose Kubernetes service using Cloudflare Argo Tunnel

by | Feb 14, 2022

Expose Kubernetes service using Cloudflare Argo Tunnel like an experts with a little help from our experts.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team is ready to help customers with http/2 smuggling vulnerability in Cloudflare.

How to Expose Kubernetes service using Cloudflare Argo Tunnel

If you are looking for a way to expose Kubernetes service via Cloudflare Argo Tunnel, our Support Team is here to help you out. Before we proceed, here is an overview of the architecture:

Expose Kubernetes service using Cloudflare Argo Tunnel

The process involves creating a Cloudflare Argo tunnel. Once we are done with that, we will find the following files in the .cloudflared directory:

  • cert.pem
  • tunnel-ID.json

Now, it is time to set up the on-premise Kubernetes Cluster. This includes copying the content of the JSON file to the credential-file configmap.

We have to edit the config-file depending on the Ingress-Controller so that it handles all requests. In this particular scenario, our Support Team suggests using a catch*all to route all traffic for all the CNAME records we will be creating later. Furthermore, we cal create Hostname/ Service if we need to create specific service mapping.

apiVersion: v1
data:
  default.yaml: |-
    tunnel: 
    credentials-file: /etc/cloudflared/cred.json
    ingress:
#    - hostname: # ADD specific hostname if needed
#      service: # 
# use catch-all service
    - service: http://traefik.traefik
kind: ConfigMap
metadata:
  name: config-file
  namespace: cloudflared

Moreover, the Prometheus port is exposed at port 9090.

annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "9090"
    prometheus.io/scrape: "true"
  labels:
    app: cloudflared
spec:
  containers:
  - args:
    - tunnel
    - --config
    - /etc/cloudflared/default.yaml
    - --metrics
- 0.0.0.0:9090

Creating CNAME for the Argo Tunnel

The Argo Tunnel requires the CNAME record to the tunnel ID in order to route the traffic. After setting up the external DNS in the Kubernetes, we can set this up a k8s resource with the following manifest:

kind: Service
apiVersion: v1
metadata:
  name: cname-test
  annotations:
    external-dns.alpha.kubernetes.io/hostname: # CLOUDFLARE PUBLIC DOMAIN
    external-dns.alpha.kubernetes.io/ttl: "120" # optional
spec:
  type: ExternalName
  externalName: #TUNNEL ID.cfargotunnel.com

Pulling it together

After setting up everything, we can expose the web application as follows:

  1. First, deploy the application to the Kubernetes cluster.
  2. Then, ensure the cluster has a service. ClusterIP will also work in this scenario.
  3. After that, we have to create an Ingress to expose it behind the IngressController. We have to ensure the IngressRoute/ FQDN/ Public Domain is the same as the public record Cloudflare is hosting.
  4. Finally, create a different service to create CNAME in order to create a public CNAME record for the service.

Now, the service will be accessible from outside.

[Looking for a solution to another query? We are just a click away.]

Conclusion

To conclude, our skilled Support Engineers at Bobcares helped us understand more about http/2 smuggling vulnerability in Cloudflare.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.