Gateway API¶
This section documents the Gateway API implementation in the Cloudflare Tunnel Gateway Controller.
Overview¶
The controller implements the Kubernetes Gateway API to configure Cloudflare Tunnel ingress rules. It watches Gateway and Route resources and translates them into Cloudflare Tunnel configuration via the Cloudflare API.
Supported Resources¶
| Resource | API Version | Status |
|---|---|---|
| GatewayClass | gateway.networking.k8s.io/v1 | Supported |
| Gateway | gateway.networking.k8s.io/v1 | Supported |
| HTTPRoute | gateway.networking.k8s.io/v1 | Supported |
| GRPCRoute | gateway.networking.k8s.io/v1 | Supported |
| TCPRoute | gateway.networking.k8s.io/v1alpha2 | Not supported |
| TLSRoute | gateway.networking.k8s.io/v1alpha2 | Not supported |
| UDPRoute | gateway.networking.k8s.io/v1alpha2 | Not supported |
Sections¶
-
Supported Resources
Detailed feature support matrix for each Gateway API resource.
-
HTTPRoute
HTTP routing examples and configuration patterns.
-
GRPCRoute
gRPC routing with service and method matching.
-
ReferenceGrant
Cross-namespace backend references and security.
-
Limitations
Known limitations and workarounds.
How It Works¶
flowchart TB
subgraph Kubernetes["Kubernetes Cluster"]
GW[Gateway]
HR[HTTPRoute]
SVC[Services]
CTRL[Controller]
CFD[cloudflared]
end
subgraph Cloudflare["Cloudflare Edge"]
API[Cloudflare API]
EDGE[Edge Network]
end
GW -->|watch| CTRL
HR -->|watch| CTRL
SVC -->|resolve| CTRL
CTRL -->|configure| API
API -->|push config| CFD
CFD -->|tunnel| EDGE
EDGE -->|traffic| CFD
CFD -->|route| SVCKey Concepts¶
TLS Termination
Cloudflare Tunnel terminates TLS at Cloudflare's edge network. Gateway listener configuration for ports, protocols, and TLS settings has no effect on routing behavior.
Full Sync
Any change to HTTPRoute or GRPCRoute triggers a full configuration sync to Cloudflare Tunnel. The controller rebuilds the entire ingress configuration on each reconciliation.