diff --git a/README.md b/README.md
index f417eb1..9940de0 100644
--- a/README.md
+++ b/README.md
@@ -4,14 +4,14 @@
## Requirements
| Name | Version |
-|------|---------|
+| ---- | ------- |
| [terraform](#requirement\_terraform) | > 1.3 |
| [cloudflare](#requirement\_cloudflare) | ~> 5.0 |
## Providers
| Name | Version |
-|------|---------|
+| ---- | ------- |
| [cloudflare](#provider\_cloudflare) | ~> 5.0 |
| [sops](#provider\_sops) | n/a |
@@ -22,7 +22,7 @@ No modules.
## Resources
| Name | Type |
-|------|------|
+| ---- | ---- |
| [cloudflare_dns_record.api](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
| [cloudflare_dns_record.apps](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
| [cloudflare_dns_record.apps_wildcard](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
@@ -38,7 +38,6 @@ No modules.
| [cloudflare_zero_trust_access_group.admins](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_group) | resource |
| [cloudflare_zero_trust_access_identity_provider.github](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
| [cloudflare_zero_trust_organization.main](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_organization) | resource |
-| [cloudflare_zero_trust_tunnel_cloudflared.cluster_apps](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_tunnel_cloudflared) | resource |
| [cloudflare_zero_trust_tunnel_cloudflared.warp](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_tunnel_cloudflared) | resource |
| [cloudflare_zero_trust_tunnel_cloudflared_route.private_network](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_tunnel_cloudflared_route) | resource |
| [cloudflare_zone_setting.brotli](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zone_setting) | resource |
@@ -60,6 +59,6 @@ No inputs.
## Outputs
| Name | Description |
-|------|-------------|
+| ---- | ----------- |
| [tunnel\_ids](#output\_tunnel\_ids) | Cloudflare Tunnel IDs for reference in kustomize-cluster ConfigMaps |
diff --git a/cf-tunnels.tf b/cf-tunnels.tf
index 1b51d05..af41a9a 100644
--- a/cf-tunnels.tf
+++ b/cf-tunnels.tf
@@ -1,30 +1,9 @@
-# Cloudflare Tunnels for OpenShift workloads
-# Tunnels connect cloudflared pods to Cloudflare edge network
+# Cloudflare Tunnels — connect cloudflared pods to Cloudflare's edge.
#
-# The cluster-apps tunnel is managed by cloudflare-operator in OpenShift.
-# Tunnel credentials are managed in kustomize-cluster via SOPS/KSOPS.
-# DNS records for app endpoints are managed by TunnelBinding resources in cluster.
-
-# =============================================================================
-# Consolidated HTTP Tunnel (managed by cloudflare-operator)
-# =============================================================================
-
-# Consolidated tunnel for all HTTP workloads
-# Lifecycle managed by cloudflare-operator ClusterTunnel resource in OpenShift
-# Import: tofu import cloudflare_zero_trust_tunnel_cloudflared.cluster_apps 03f750691b4ad4d59aa4b7205adaa108/1ac3a39c-7d97-422e-88e5-1f82b6334bbb
-resource "cloudflare_zero_trust_tunnel_cloudflared" "cluster_apps" {
- account_id = local.account_id
- name = "cluster-apps"
-
- lifecycle {
- # Tunnel is managed by cloudflare-operator, prevent Terraform from modifying/deleting
- ignore_changes = all
- }
-}
-
-# =============================================================================
-# WARP Connector (IP routing for Zero Trust VPN)
-# =============================================================================
+# The cluster-apps tunnel is created and owned by cloudflare-operator
+# (see kustomize-cluster/operators/cloudflare/cluster-tunnel.yaml). Tunnel
+# credentials live in the cluster's Secret. DNS records for app endpoints
+# are reconciled by TunnelBinding resources, not managed here.
resource "cloudflare_zero_trust_tunnel_cloudflared" "warp" {
account_id = local.account_id
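Review bot: Deleting the `cloudflare_zero_trust_tunnel_cloudflared.cluster_apps` block while that address is still in state makes the next apply plan a destroy of the cluster-apps tunnel; the removed `ignore_changes = all` never guarded against deletion, and nothing visible in this commit drops the resource from state. Unless that was already done out of band, run `tofu state rm cloudflare_zero_trust_tunnel_cloudflared.cluster_apps` before applying, or add a `removed` block for that address so the tool forgets the tunnel instead of deleting the one the old comment described as serving all HTTP workloads. With the WARP section banner gone, the new header comment about cluster-apps now sits directly above `resource ... "warp"` and reads as if it described that resource; a blank line plus `# WARP Connector (IP routing for Zero Trust VPN)` before the resource would keep the two apart. The `warp` resource body continues outside the hunk.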
diff --git a/outputs.tf b/outputs.tf
index 9f26b18..c36825b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -5,7 +5,6 @@
output "tunnel_ids" {
description = "Cloudflare Tunnel IDs for reference in kustomize-cluster ConfigMaps"
value = {
- cluster_apps = cloudflare_zero_trust_tunnel_cloudflared.cluster_apps.id
- warp = cloudflare_zero_trust_tunnel_cloudflared.warp.id
+ warp = cloudflare_zero_trust_tunnel_cloudflared.warp.id
}
}
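Review bot: `tunnel_ids` loses its `cluster_apps` key here, so any consumer that still reads `tunnel_ids.cluster_apps` would break on the next run; the description points at kustomize-cluster ConfigMaps, but no consumer is visible in this diff, so that needs confirming before merge. The description also no longer matches the content, since the only remaining ID is the WARP connector; something like `description = "IDs of Cloudflare Tunnels managed by this module (WARP connector only)"` would say what the output now holds. The cluster-apps tunnel ID was previously recorded in the deleted import comment in cf-tunnels.tf, so if operators still need it for reference it should be documented where the operator-managed tunnel is defined.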