Bobcares

Expose Kubernetes service using Cloudflare Argo Tunnel

Feb 14, 2022

Expose a Kubernetes service using Cloudflare Argo Tunnel like an expert with a little help from our experts.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let's take a look at how our Support Team is ready to help customers expose a Kubernetes service using Cloudflare Argo Tunnel.

How to Expose Kubernetes service using Cloudflare Argo Tunnel

If you are looking for a way to expose Kubernetes service via Cloudflare Argo Tunnel, our Support Team is here to help you out. Before we proceed, here is an overview of the architecture:

[Architecture diagram: Expose Kubernetes service using Cloudflare Argo Tunnel]

The process involves creating a Cloudflare Argo tunnel. Once we are done with that, we will find the following files in the .cloudflared directory:

  • cert.pem
  • tunnel-ID.json

Now, it is time to set up the on-premise Kubernetes cluster. This includes copying the content of the JSON file into the credential-file ConfigMap, which is mounted into the cloudflared pod at the path referenced by credentials-file below. Since that JSON carries the tunnel secret, storing it in a Secret instead of a ConfigMap keeps it out of plain-text listings.

We have to edit the config-file depending on the Ingress Controller so that it handles all requests. In this particular scenario, our Support Team suggests using a catch-all rule to route all traffic for all the CNAME records we will be creating later. Furthermore, we can add hostname/service pairs if we need a specific service mapping; cloudflared evaluates ingress rules top to bottom and the catch-all must be the last one.

apiVersion: v1
data:
  default.yaml: |-
    tunnel: # <TUNNEL-ID> from tunnel-ID.json
    credentials-file: /etc/cloudflared/cred.json
    ingress:
    # - hostname: # ADD specific hostname if needed
    #   service: #
    # catch-all service; must be the last rule
    - service: http://traefik.traefik
kind: ConfigMap
metadata:
  name: config-file
  namespace: cloudflared

Moreover, the cloudflared metrics endpoint is exposed on port 9090 for Prometheus to scrape. It binds to 0.0.0.0 inside the pod, so it is reachable from the cluster network but not from the Internet unless a Service publishes it.

metadata:
  annotations:
    prometheus.io/path: /metrics
    prometheus.io/port: "9090"
    prometheus.io/scrape: "true"
  labels:
    app: cloudflared
spec:
  containers:
  - args:
    - tunnel
    - --config
    - /etc/cloudflared/default.yaml
    - --metrics
    - 0.0.0.0:9090

Creating CNAME for the Argo Tunnel

The Argo Tunnel requires a CNAME record pointing at the tunnel ID in order to route the traffic. After setting up external-dns in the Kubernetes cluster, we can create the record with the following ExternalName service manifest:

kind: Service
apiVersion: v1
metadata:
  name: cname-test
  annotations:
    external-dns.alpha.kubernetes.io/hostname: <CLOUDFLARE-PUBLIC-DOMAIN>
    external-dns.alpha.kubernetes.io/ttl: "120" # optional
spec:
  type: ExternalName
  externalName: <TUNNEL-ID>.cfargotunnel.com # tunnel ID from tunnel-ID.json

Pulling it together

After setting up everything, we can expose the web application as follows:

  1. First, deploy the application to the Kubernetes cluster.
  2. Then, ensure the application has a Service. A ClusterIP Service is enough in this scenario, since cloudflared reaches it from inside the cluster.
  3. After that, create an Ingress to expose it behind the Ingress Controller. The IngressRoute host / FQDN must be the same public domain that Cloudflare is hosting.
  4. Finally, create a separate ExternalName Service, as in the manifest above, so that external-dns publishes the public CNAME record for that domain pointing at the tunnel.

Now, the service will be accessible from outside.
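The three pieces built above (tunnel-ID.json, the default.yaml ingress rules, and the ExternalName target) have to agree, and a mismatch only shows up as a silent 404 or 502 from Cloudflare. The following pre-deploy check is an added example written for this post, not Bobcares' or Cloudflare's code; it takes the config as an already-parsed dict (in practice from yaml.safe_load) and uses constructed placeholder values.

```python
import json
import re

# Constructed sample of the tunnel-ID.json that `cloudflared tunnel create`
# writes into ~/.cloudflared (all values are fake placeholders).
CREDENTIALS_JSON = json.dumps({
    "AccountTag": "ACCOUNT-TAG-PLACEHOLDER",
    "TunnelSecret": "dG9wLXNlY3JldC1wbGFjZWhvbGRlcg==",
    "TunnelID": "0f1e2d3c-4b5a-6978-8695-a4b3c2d1e0f9",
})

# default.yaml from the config-file ConfigMap after parsing, as a dict so the
# check runs without PyYAML; hostnames are constructed examples.
SAMPLE_CONFIG = {
    "tunnel": "0f1e2d3c-4b5a-6978-8695-a4b3c2d1e0f9",
    "credentials-file": "/etc/cloudflared/cred.json",
    "ingress": [
        {"hostname": "app.example.com", "service": "http://app.default:8080"},
        {"service": "http://traefik.traefik"},  # catch-all, last rule
    ],
}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_tunnel_config(config, credentials_json, external_name):
    """Cross-check credentials file, cloudflared config and the ExternalName
    target used for the CNAME. Returns a list of findings; empty is consistent."""
    findings = []
    tunnel_id = json.loads(credentials_json).get("TunnelID", "")
    if not UUID_RE.match(tunnel_id):
        findings.append("credentials file carries no valid TunnelID")
    if config.get("tunnel") != tunnel_id:
        findings.append("config 'tunnel' does not match TunnelID in credentials file")
    rules = config.get("ingress") or []
    if not rules:
        findings.append("ingress section is empty; nothing would be routed")
    else:
        # cloudflared matches rules top to bottom: the final rule must be a
        # catch-all (no hostname, no path) and no earlier rule may be one.
        if "hostname" in rules[-1] or "path" in rules[-1] or "service" not in rules[-1]:
            findings.append("last ingress rule must be a catch-all with only 'service'")
        for i, rule in enumerate(rules[:-1]):
            if "hostname" not in rule and "path" not in rule:
                findings.append(f"ingress rule {i} is a catch-all; later rules are unreachable")
    if external_name != f"{tunnel_id}.cfargotunnel.com":
        findings.append("ExternalName must be <TunnelID>.cfargotunnel.com for this tunnel")
    return findings
```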


Conclusion

To conclude, our skilled Support Engineers at Bobcares helped us understand how to expose a Kubernetes service using Cloudflare Argo Tunnel.
