feat(cluster-apps): manage tunnel-fronted CNAMEs in TF#4

Merged
xnoto merged 1 commit intomainfrom
feat/cluster-apps-tunnel-dns
Apr 30, 2026
Conversation

@xnoto
Contributor

@xnoto xnoto commented Apr 30, 2026

Summary

The cloudflare-operator owns the cluster-apps tunnel and configures the cloudflared deployment to route hostnames it sees in TunnelBindings — but it does not write DNS records. Without a CNAME pointing each FQDN at <tunnel-id>.cfargotunnel.com, requests reach Cloudflare's edge but error out with 530 / 1033 (no tunnel route for hostname).

This PR:

  • Adds a data "cloudflare_zero_trust_tunnel_cloudflared" "cluster_apps" lookup by name (cluster-apps-k3s) so the tunnel ID resolves at plan time without being hard-coded in TF
  • Adds a for_each cloudflare_dns_record covering argocd, grafana, status, ansible — the hostnames declared in TunnelBindings under kustomize-cluster/workloads/

If the operator ever recreates the tunnel, the next tofu plan picks up the new ID via the data source and updates the CNAME content.

Test plan

  • `tofu plan` shows 4 CNAMEs created, no other drift
  • After apply: `curl -I https://argocd.makeitwork.cloud` returns ArgoCD's login HTML (not Cloudflare 530)
  • After grafana / ansible / status workloads come up (Phase B), their FQDNs resolve too

Pairs with

🤖 Generated with Claude Code
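The configuration the PR describes (a by-name lookup of the operator-owned tunnel plus a `for_each` CNAME set), written out as an added example; this is not the PR's own code. It assumes the Cloudflare provider v5 schema (attribute-style `filter` on the data source, the tunnel ID exposed as `id`), an `is_deleted` filter attribute, and that the account and zone IDs arrive via variables; the hostname set and the `proxied`/`ttl` values mirror the plan output below.

```hcl
# Added example (not the PR's code). Assumes cloudflare provider v5 schema.
variable "cloudflare_account_id" {
  type      = string
  sensitive = true
}

variable "cloudflare_zone_id" {
  type      = string
  sensitive = true
}

# Hostnames fronted by the tunnel. This set must be kept in step with the
# TunnelBindings under kustomize-cluster/workloads/: a hostname declared in a
# TunnelBinding but absent here still fails at the edge with 530/1033.
variable "cluster_apps_hostnames" {
  type    = set(string)
  default = ["argocd", "grafana", "status", "ansible"]
}

# Resolve the operator-owned tunnel by name so the ID is never hard-coded.
# is_deleted = false (assumed filter attribute) keeps a soft-deleted tunnel
# with the same name from matching after the operator recreates it.
data "cloudflare_zero_trust_tunnel_cloudflared" "cluster_apps" {
  account_id = var.cloudflare_account_id
  filter = {
    name       = "cluster-apps-k3s"
    is_deleted = false
  }
}

locals {
  tunnel_target = "${data.cloudflare_zero_trust_tunnel_cloudflared.cluster_apps.id}.cfargotunnel.com"
}

resource "cloudflare_dns_record" "cluster_apps" {
  for_each = var.cluster_apps_hostnames

  zone_id = var.cloudflare_zone_id
  name    = each.key
  type    = "CNAME"
  content = local.tunnel_target
  # Tunnel CNAMEs must be proxied: a grey-cloud record is not routed through
  # the tunnel and only publishes the cfargotunnel.com target in DNS.
  proxied = true
  ttl     = 1 # 1 = automatic, which Cloudflare requires for proxied records
}
```

Using a `set(string)` variable rather than a list keeps the `for_each` keys stable, so adding or dropping one hostname never recreates the others. If the operator recreates the tunnel, the next plan shows only `content` changing on the four records; if no live tunnel matches the name (operator not yet reconciled), the data source has nothing to return and the plan fails, which is preferable to writing CNAMEs at a stale ID.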

…tatus/ansible

The cloudflare-operator creates the cluster-apps tunnel but does not
manage DNS records — it only configures the cloudflared deployment to
route hostnames it sees in TunnelBindings. Without CNAMEs pointing each
FQDN at <tunnel-id>.cfargotunnel.com, requests reach Cloudflare's edge
but error out with 530/1033.

Look up the operator-owned tunnel by name and write a CNAME for each
fronted hostname. Tunnel ID gets refreshed automatically if the operator
ever recreates the tunnel.
@github-actions

OpenTofu Plan

OpenTofu will perform the following actions:

  # cloudflare_dns_record.cluster_apps["ansible"] will be created
  + resource "cloudflare_dns_record" "cluster_apps" {
      + content          = "7a3b548e-734f-427c-bd37-b360199f5433.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "ansible"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = (sensitive value)
    }

  # cloudflare_dns_record.cluster_apps["argocd"] will be created
  + resource "cloudflare_dns_record" "cluster_apps" {
      + content          = "7a3b548e-734f-427c-bd37-b360199f5433.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "argocd"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = (sensitive value)
    }

  # cloudflare_dns_record.cluster_apps["grafana"] will be created
  + resource "cloudflare_dns_record" "cluster_apps" {
      + content          = "7a3b548e-734f-427c-bd37-b360199f5433.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "grafana"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = (sensitive value)
    }

  # cloudflare_dns_record.cluster_apps["status"] will be created
  + resource "cloudflare_dns_record" "cluster_apps" {
      + content          = "7a3b548e-734f-427c-bd37-b360199f5433.cfargotunnel.com"
      + created_on       = (known after apply)
      + id               = (known after apply)
      + meta             = (known after apply)
      + modified_on      = (known after apply)
      + name             = "status"
      + proxiable        = (known after apply)
      + proxied          = true
      + settings         = (known after apply)
      + tags             = (known after apply)
      + tags_modified_on = (known after apply)
      + ttl              = 1
      + type             = "CNAME"
      + zone_id          = (sensitive value)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

@xnoto xnoto merged commit f66f807 into main Apr 30, 2026
3 checks passed
@xnoto xnoto deleted the feat/cluster-apps-tunnel-dns branch April 30, 2026 01:52