Cloudflare Tunnel Gateway Controller

Kubernetes controller implementing Gateway API for Cloudflare Tunnel.

Enables routing traffic through Cloudflare Tunnel using standard Gateway API resources (Gateway, HTTPRoute, GRPCRoute).

Features

  • Standard Gateway API implementation (GatewayClass, Gateway, HTTPRoute, GRPCRoute)
  • Hot reload of tunnel configuration (no cloudflared restart required)
  • Optional cloudflared lifecycle management via Helm SDK
  • Leader election for high availability deployments
  • Multi-arch container images (amd64, arm64)
  • Signed container images with cosign

Warning

The controller assumes exclusive ownership of the tunnel configuration. It will remove any ingress rules not managed by HTTPRoute/GRPCRoute resources. Do not use a tunnel that has manually configured routes or is shared with other systems.
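A pre-flight check for the warning above, as an added example that is not part of the controller or its documentation: it lists the hostname rules already present in a tunnel that no HTTPRoute/GRPCRoute attached to the Gateway claims, which are the rules the controller would be expected to remove. The JSON inputs are constructed samples, the function names are hypothetical, and matching rules to routes by exact hostname is a simplifying assumption, not the controller's own reconciliation logic.

```python
import json

GATEWAY = ("cloudflare-tunnel", "cloudflare-tunnel-system")  # name, namespace from the Quick Start

# Constructed sample: tunnel configuration as returned by the Cloudflare API
# (GET /accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations).
TUNNEL_CONFIG = json.loads("""
{"result": {"config": {"ingress": [
  {"hostname": "app.example.com",    "service": "http://my-service.default.svc:80"},
  {"hostname": "legacy.example.com", "service": "http://10.0.0.12:8080"},
  {"hostname": "ssh.example.com",    "service": "ssh://10.0.0.5:22"},
  {"service": "http_status:404"}
]}}}""")

# Constructed sample: `kubectl get httproute,grpcroute --all-namespaces --output json`.
ROUTES = json.loads("""
{"kind": "List", "items": [
  {"kind": "HTTPRoute", "metadata": {"name": "my-app", "namespace": "default"},
   "spec": {"parentRefs": [{"name": "cloudflare-tunnel", "namespace": "cloudflare-tunnel-system"}],
            "hostnames": ["app.example.com"]}},
  {"kind": "HTTPRoute", "metadata": {"name": "legacy", "namespace": "team-b"},
   "spec": {"parentRefs": [{"name": "cloudflare-tunnel"}],
            "hostnames": ["legacy.example.com"]}}
]}""")

def claimed_hostnames(routes, gw_name, gw_namespace):
    """Hostnames of HTTPRoute/GRPCRoute objects whose parentRefs point at the Gateway."""
    claimed = set()
    for item in routes.get("items", []):
        if item.get("kind") not in ("HTTPRoute", "GRPCRoute"):
            continue
        route_ns = item["metadata"].get("namespace", "default")
        for ref in item["spec"].get("parentRefs", []):
            # A parentRef without a namespace refers to the route's own namespace.
            if ref.get("name") == gw_name and ref.get("namespace", route_ns) == gw_namespace:
                claimed.update(h.lower() for h in item["spec"].get("hostnames", []))
    return claimed

def unmanaged_rules(tunnel_config, claimed):
    """Ingress rules with a hostname no route claims; the catch-all rule has none and is skipped."""
    config = (tunnel_config.get("result") or {}).get("config") or {}  # config may be null
    return [(r["hostname"], r.get("service")) for r in config.get("ingress") or []
            if r.get("hostname") and r["hostname"].lower() not in claimed]

if __name__ == "__main__":
    for hostname, service in unmanaged_rules(TUNNEL_CONFIG, claimed_hostnames(ROUTES, *GATEWAY)):
        print(f"not managed by any route, would be removed: {hostname} -> {service}")
```

A non-empty result means the tunnel carries manually configured or foreign routes and should not be handed to the controller as it is.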

Quick Start

# 1. Install Gateway API CRDs
kubectl apply --filename https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml

# 2. Install the controller
helm install cloudflare-tunnel-gateway-controller \
  oci://ghcr.io/lexfrei/cloudflare-tunnel-gateway-controller/chart \
  --namespace cloudflare-tunnel-system \
  --create-namespace \
  --set config.tunnelID=YOUR_TUNNEL_ID \
  --set config.apiToken=YOUR_API_TOKEN

# 3. Create HTTPRoute to expose your service
kubectl apply --filename - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-app
spec:
  parentRefs:
    - name: cloudflare-tunnel
      namespace: cloudflare-tunnel-system
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: my-service
          port: 80
EOF

See Getting Started for detailed setup instructions.

Documentation Sections

| Section | Description |
|---|---|
| Getting Started | Prerequisites, installation, and quick start guide |
| Configuration | Controller options, Helm values, GatewayClassConfig |
| Gateway API | Supported resources, examples, and limitations |
| Guides | Integration guides for AWG, external-dns, monitoring |
| Operations | Troubleshooting, metrics, and manual installation |
| Development | Architecture, contributing, and testing |
| Reference | Helm chart, CRD reference, security policy |

License

BSD 3-Clause License - see LICENSE for details.