feat: add cloudflared system extension
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP.

Signed-off-by: Maxime NARBAUD <[email protected]>
Signed-off-by: Noel Georgi <[email protected]>
Showing 15 changed files with 166 additions and 14 deletions.
@@ -9,6 +9,7 @@ spec: | |
- btrfs | ||
- chelsio-drivers | ||
- chelsio-firmware | ||
- cloudflared | ||
- crun | ||
- drbd | ||
- dvb-cx23885 | ||
@@ -0,0 +1,55 @@ | ||
# Cloudflare Tunnel | ||
|
||
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. | ||
|
||
More info: https://github.com/cloudflare/cloudflared/ | ||
|
||
## Installation | ||
|
||
Cloudflared system extension can be installed by customising boot assets or after installation with the `installer` | ||
|
||
You can use the following schematic file: | ||
```yaml | ||
# cloudflared-ext.yaml | ||
customization: | ||
systemExtensions: | ||
officialExtensions: | ||
- siderolabs/cloudflared | ||
``` | ||
Check documentation for install: | ||
* https://www.talos.dev/latest/talos-guides/configuration/system-extensions/ | ||
* https://www.talos.dev/latest/talos-guides/install/boot-assets/ | ||
## Usage | ||
Configure the extension via `ExtensionServiceConfig` document. | ||
|
||
```yaml | ||
# cloudflared-config.yaml | ||
--- | ||
apiVersion: v1alpha1 | ||
kind: ExtensionServiceConfig | ||
name: cloudflared | ||
environment: | ||
- TUNNEL_TOKEN=<your_token> | ||
- TUNNEL_METRICS=localhost:2000 | ||
- TUNNEL_EDGE_IP_VERSION=auto # if your node is only configured for IPv6 | ||
``` | ||
|
||
Then apply the patch to your node's MachineConfigs | ||
```bash | ||
talosctl patch mc -p @cloudflared-config.yaml | ||
``` | ||
|
||
You will then be able to verify that it is in place with the following command | ||
```bash | ||
talosctl get extensionserviceconfigs | ||
NODE NAMESPACE TYPE ID VERSION | ||
mynode runtime ExtensionServiceConfig cloudflared 1 | ||
``` | ||
|
||
## Configuration | ||
|
||
See all run parameters here (use environment variables): https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/ |
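Review bot: The Usage example places the tunnel credential into the machine config as a plain environment value (`- TUNNEL_TOKEN=<your_token>`); the section should say that the token is stored unencrypted in the node's MachineConfig and readable by anyone who can query the node (the page's own `talosctl get extensionserviceconfigs` shows the resource exists), so readers know to scope it to a single tunnel and rotate it if the config is exposed. Two smaller points: the Installation sentence ending in `installer` and the "Then apply the patch to your node's MachineConfigs" sentence both lack a closing period, and `## Usage` has no blank line before it, which some Markdown renderers need to recognise the heading.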
@@ -0,0 +1,17 @@ | ||
name: cloudflared | ||
depends: | ||
- service: cri | ||
- network: | ||
- addresses | ||
- connectivity | ||
- etcfiles | ||
- hostname | ||
- configuration: true | ||
container: | ||
entrypoint: /usr/local/bin/cloudflared | ||
args: | ||
- tunnel | ||
- run | ||
environment: | ||
- NO_AUTOUPDATE=true | ||
restart: always |
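Review bot: `configuration: true` means the service waits for an `ExtensionServiceConfig` to exist, but nothing checks that the supplied environment actually carries `TUNNEL_TOKEN`; with `args: [tunnel, run]` and no token, `cloudflared` exits immediately and `restart: always` turns that into a permanent crash loop with no hint in the service definition. Worth documenting the required variable in the README next to the example, or at least noting the symptom. `NO_AUTOUPDATE=true` is the right default for an immutable extension image, and gating on `connectivity` matches the outbound-only nature of the tunnel.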
@@ -0,0 +1,13 @@ | ||
version: v1alpha1 | ||
metadata: | ||
name: cloudflared | ||
version: "$VERSION" | ||
author: Maxime Narbaud | ||
description: | | ||
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. | ||
A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, | ||
allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. | ||
More info: https://github.com/cloudflare/cloudflared/ | ||
compatibility: | ||
talos: | ||
version: ">= v1.5.0" |
@@ -0,0 +1,47 @@ | ||
name: cloudflared | ||
variant: scratch | ||
shell: /bin/bash | ||
dependencies: | ||
- stage: base | ||
steps: | ||
- sources: | ||
- url: https://github.com/cloudflare/cloudflared/archive/refs/tags/{{ .CLOUDFLARED_VERSION }}.tar.gz | ||
destination: cloudflared.tar.gz | ||
sha256: 74794fbcdd7b71131799100d493cf70a8e126cb109f3d9e2abce55593df6a737 | ||
sha512: cd417fc8410537fd0e59799be750f18b13e5931a5785258833b518aa5f516a479e00af0bbceb9f6e03d7cc6f2da406a956f25f64a57f282de56d9f6c47b281a2 | ||
env: | ||
GOPATH: /go | ||
cachePaths: | ||
- /.cache/go-build | ||
- /go/pkg | ||
prepare: | ||
- | | ||
sed -i 's#$VERSION#{{ .VERSION }}#' /pkg/manifest.yaml | ||
- | | ||
tar -xzvf cloudflared.tar.gz --strip-components=1 | ||
build: | ||
- | | ||
export PATH=${PATH}:${TOOLCHAIN}/go/bin | ||
make cloudflared VERSION="{{ .CLOUDFLARED_VERSION}}" DATE="{{ .BUILD_ARG_SOURCE_DATE_EPOCH }}" | ||
install: | ||
- | | ||
mkdir -p /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin | ||
mv cloudflared /rootfs/usr/local/lib/containers/cloudflared/usr/local/bin | ||
- | | ||
mkdir -p /rootfs/usr/local/etc/containers | ||
cp /pkg/cloudflared.yaml /rootfs/usr/local/etc/containers/ | ||
test: | ||
- | | ||
mkdir -p /extensions-validator-rootfs | ||
cp -r /rootfs/ /extensions-validator-rootfs/rootfs | ||
cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml | ||
/extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}" | ||
- | | ||
[[ $(/rootfs/usr/local/lib/containers/cloudflared/usr/local/bin/cloudflared version) == *{{ .CLOUDFLARED_VERSION }}* ]] | ||
finalize: | ||
- from: /rootfs | ||
to: /rootfs | ||
- from: /pkg/manifest.yaml | ||
to: / |
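Review bot: In the build step, `VERSION="{{ .CLOUDFLARED_VERSION}}"` is missing the space before `}}` that every other template reference in this file uses; Go templates accept it, but it is inconsistent and easy to misread. On the supply-chain side the pieces fit together: the source tarball is pinned by both `sha256` and `sha512`, and the second test step asserts that the built binary's `cloudflared version` output contains `{{ .CLOUDFLARED_VERSION }}`, which catches the case where the hash and the version variable are bumped independently.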
@@ -0,0 +1 @@ | ||
VERSION: "{{ .CLOUDFLARED_VERSION }}" |
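Review bot: `CLOUDFLARED_VERSION` is consumed here and throughout `pkg.yaml` but is not defined in this file; confirm it is set in the repository-wide variables, because if it is unset the template renders `VERSION` as an empty string and the `sed -i 's#$VERSION#{{ .VERSION }}#'` step in `pkg.yaml` silently writes an empty `version:` into `manifest.yaml` rather than failing.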