controller

package v0.0.3

This package is not in the latest version of its module.
Published: Nov 25, 2025 License: BSD-3-Clause Imports: 22 Imported by: 0

Documentation

Overview

Package controller implements Kubernetes controllers for Gateway API resources.

The package provides two main controllers:

  • GatewayReconciler: Watches Gateway resources and manages cloudflared deployment via Helm when --manage-cloudflared is enabled. Updates Gateway status with the tunnel CNAME address for external-dns integration.

  • HTTPRouteReconciler: Watches HTTPRoute resources and synchronizes them to Cloudflare Tunnel ingress configuration via the Cloudflare API. Performs full synchronization on startup and on any route change.

Architecture

The controllers follow the standard controller-runtime reconciliation pattern:

┌─────────────┐    watch     ┌─────────────────────────┐
│ HTTPRoute   │─────────────>│ HTTPRouteReconciler     │
│ resources   │              │                         │
└─────────────┘              └───────────┬─────────────┘
                                         │
┌─────────────┐    watch                 │ Cloudflare API
│ Gateway     │─────────────>│           │
│ resources   │              │           ▼
└─────────────┘              │  ┌─────────────────┐
       │                     │  │ Tunnel Config   │
       │                     │  └────────┬────────┘
       ▼                     │           │
┌─────────────────────────┐  │           ▼
│ GatewayReconciler       │  │  ┌─────────────────┐
│ (optional Helm mgmt)    │  │  │ cloudflared     │
└─────────────────────────┘  │  │ (hot reload)    │
                             │  └─────────────────┘

Configuration

Controllers are configured through the Config struct, which is populated from CLI flags or from environment variables carrying the CF_* prefix.

Leader Election

When running multiple replicas for high availability, enable leader election with the --leader-elect flag so that only one replica actively reconciles at a time. This matters here because HTTPRouteReconciler performs a full, non-incremental sync of the tunnel ingress configuration: two active replicas would race on the Cloudflare API and could overwrite each other's writes. The lease is created in LeaderElectNS under LeaderElectName, so the controller's ServiceAccount needs RBAC permission on coordination.k8s.io Leases in that namespace.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Run

func Run(ctx context.Context, cfg *Config) error

Run initializes and starts the controller manager with the provided configuration. It sets up the Cloudflare API client, creates Gateway and HTTPRoute controllers, and blocks until the context is cancelled or an error occurs.

The function performs the following steps:

  1. Creates Cloudflare API client with the provided token
  2. Auto-detects account ID if not provided
  3. Initializes controller-runtime manager with metrics and health endpoints
  4. Sets up GatewayReconciler and HTTPRouteReconciler
  5. Optionally initializes Helm manager for cloudflared deployment
  6. Starts the manager and blocks until shutdown

Types

type Config

type Config struct {
	// AccountID is the Cloudflare account ID. If empty, it will be auto-detected
	// from the API token (requires token to have access to exactly one account).
	AccountID string

	// TunnelID is the Cloudflare Tunnel ID (required).
	TunnelID string

	// APIToken is the Cloudflare API token with Tunnel permissions (required).
	APIToken string

	// ClusterDomain is the Kubernetes cluster domain for service DNS resolution.
	// Defaults to "cluster.local".
	ClusterDomain string

	// GatewayClassName is the name of the GatewayClass to watch.
	// Only Gateways referencing this class will be reconciled.
	GatewayClassName string

	// ControllerName is the controller name reported in GatewayClass status.
	ControllerName string

	// MetricsAddr is the address for the Prometheus metrics endpoint.
	MetricsAddr string

	// HealthAddr is the address for health and readiness probe endpoints.
	HealthAddr string

	// LeaderElect enables leader election for high availability.
	// Required when running multiple replicas.
	LeaderElect bool

	// LeaderElectNS is the namespace for the leader election lease.
	LeaderElectNS string

	// LeaderElectName is the name of the leader election lease.
	LeaderElectName string

	// ManageCloudflared enables automatic cloudflared deployment via Helm.
	ManageCloudflared bool

	// TunnelToken is the Cloudflare Tunnel token for remote-managed mode.
	// Required when ManageCloudflared is true.
	TunnelToken string

	// CloudflaredNS is the namespace for cloudflared deployment.
	CloudflaredNS string

	// CloudflaredProto is the transport protocol (auto, quic, http2).
	CloudflaredProto string

	// AWGSecretName is the secret containing AWG VPN configuration.
	// If set, enables AWG sidecar for cloudflared.
	AWGSecretName string

	// AWGInterfaceName is the AWG network interface name.
	AWGInterfaceName string
}

Config holds all configuration options for the controller manager. Values are typically populated from CLI flags or environment variables. APIToken and TunnelToken are credentials: prefer supplying them through environment variables populated from a Kubernetes Secret rather than as CLI flags, which are visible in the pod spec and in process listings, and scope the API token to the tunnel permissions this controller needs instead of reusing a broadly scoped token.
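As an added illustration (my own code, not the package's) of the rules the field comments above describe, this stand-alone Go program loads a reduced copy of Config from CF_*-prefixed environment variables, applies the documented default and required-field rules, and redacts both credentials before the configuration is logged. The variable names CF_TUNNEL_ID, CF_API_TOKEN and so on are assumptions; only the CF_ prefix is documented, and the lookup function is injected so the loader can be exercised without touching the real environment.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Config is a reduced copy of the documented controller.Config, limited to the
// fields this example validates. It is a stand-in, not the package's own type.
type Config struct {
	TunnelID          string
	APIToken          string
	ClusterDomain     string
	LeaderElect       bool
	LeaderElectName   string
	ManageCloudflared bool
	TunnelToken       string
	CloudflaredProto  string
}

// LoadConfig reads CF_* variables through lookup (os.LookupEnv in production,
// a map in tests). The variable names are assumptions made by this example.
func LoadConfig(lookup func(string) (string, bool)) (*Config, error) {
	get := func(key string) string {
		v, _ := lookup(key)
		return strings.TrimSpace(v)
	}
	getBool := func(key string) (bool, error) {
		v := get(key)
		if v == "" {
			return false, nil // unset or blank means false
		}
		b, err := strconv.ParseBool(v)
		if err != nil {
			return false, fmt.Errorf("%s: %w", key, err)
		}
		return b, nil
	}
	cfg := &Config{
		TunnelID:         get("CF_TUNNEL_ID"),
		APIToken:         get("CF_API_TOKEN"),
		ClusterDomain:    get("CF_CLUSTER_DOMAIN"),
		LeaderElectName:  get("CF_LEADER_ELECT_NAME"),
		TunnelToken:      get("CF_TUNNEL_TOKEN"),
		CloudflaredProto: get("CF_CLOUDFLARED_PROTO"),
	}
	var err error
	if cfg.LeaderElect, err = getBool("CF_LEADER_ELECT"); err != nil {
		return nil, err
	}
	if cfg.ManageCloudflared, err = getBool("CF_MANAGE_CLOUDFLARED"); err != nil {
		return nil, err
	}
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	return cfg, nil
}

// Validate applies the documented rules: TunnelID and APIToken are always
// required, TunnelToken only when ManageCloudflared is set, the lease name only
// when LeaderElect is set, the protocol must be one of auto/quic/http2, and
// ClusterDomain defaults to cluster.local. All violations are reported at once.
func (c *Config) Validate() error {
	var errs []error
	if c.TunnelID == "" {
		errs = append(errs, errors.New("TunnelID is required"))
	}
	if c.APIToken == "" {
		errs = append(errs, errors.New("APIToken is required"))
	}
	if c.ManageCloudflared && c.TunnelToken == "" {
		errs = append(errs, errors.New("TunnelToken is required when ManageCloudflared is true"))
	}
	if c.LeaderElect && c.LeaderElectName == "" {
		errs = append(errs, errors.New("LeaderElectName is required when LeaderElect is true"))
	}
	switch c.CloudflaredProto {
	case "", "auto", "quic", "http2":
	default:
		errs = append(errs, fmt.Errorf("CloudflaredProto %q is not one of auto, quic, http2", c.CloudflaredProto))
	}
	if c.ClusterDomain == "" {
		c.ClusterDomain = "cluster.local"
	}
	return errors.Join(errs...) // nil when errs is empty
}

// Redacted returns a copy that is safe to log: both credentials are masked so
// a startup log line or a %+v dump cannot leak them.
func (c Config) Redacted() Config {
	if c.APIToken != "" {
		c.APIToken = "<redacted>"
	}
	if c.TunnelToken != "" {
		c.TunnelToken = "<redacted>"
	}
	return c
}
```

In a deployment the call is simply LoadConfig(os.LookupEnv), with the CF_API_TOKEN and CF_TUNNEL_TOKEN variables sourced from a Secret through valueFrom.secretKeyRef; log cfg.Redacted(), never cfg itself.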

type GatewayReconciler

type GatewayReconciler struct {
	client.Client

	// Scheme is the runtime scheme for API type registration.
	Scheme *runtime.Scheme

	// GatewayClassName is the name of the GatewayClass to watch.
	GatewayClassName string

	// ControllerName is reported in Gateway status conditions.
	ControllerName string

	// TunnelID is the Cloudflare Tunnel ID, used for status address.
	TunnelID string

	// HelmManager handles cloudflared deployment. If nil, cloudflared
	// management is disabled and must be deployed separately.
	HelmManager *helm.Manager

	// TunnelToken is passed to cloudflared for tunnel authentication.
	TunnelToken string

	// CloudflaredNS is the namespace for cloudflared deployment.
	CloudflaredNS string

	// Protocol is the cloudflared transport protocol (auto, quic, http2).
	Protocol string

	// AWGSecretName enables AWG sidecar if set.
	AWGSecretName string

	// AWGInterfaceName is the AWG network interface name.
	AWGInterfaceName string
}

GatewayReconciler reconciles Gateway resources for the cloudflare-tunnel GatewayClass.

It performs the following functions:

  • Watches Gateway resources matching the configured GatewayClassName
  • Updates Gateway status with tunnel CNAME address (for external-dns integration)
  • Manages cloudflared deployment lifecycle via Helm (when HelmManager is set)
  • Handles Gateway deletion with proper cleanup of cloudflared resources

The reconciler uses finalizers to ensure cloudflared is properly removed when a Gateway is deleted.

func (*GatewayReconciler) Reconcile

func (r *GatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)

func (*GatewayReconciler) SetupWithManager

func (r *GatewayReconciler) SetupWithManager(mgr ctrl.Manager) error

type HTTPRouteReconciler

type HTTPRouteReconciler struct {
	client.Client

	// Scheme is the runtime scheme for API type registration.
	Scheme *runtime.Scheme

	// CFClient is the Cloudflare API client for tunnel configuration.
	CFClient *cloudflare.Client

	// AccountID is the Cloudflare account ID.
	AccountID string

	// TunnelID is the Cloudflare Tunnel ID to configure.
	TunnelID string

	// ClusterDomain is used for building service URLs (e.g., "cluster.local").
	ClusterDomain string

	// GatewayClassName filters which routes to process.
	GatewayClassName string

	// ControllerName is reported in HTTPRoute status.
	ControllerName string
}

HTTPRouteReconciler reconciles HTTPRoute resources and synchronizes them to Cloudflare Tunnel ingress configuration.

Key behaviors:

  • Watches all HTTPRoute resources in the cluster
  • Filters routes by parent Gateway's GatewayClass
  • Performs full synchronization on any route change (not incremental)
  • Updates Cloudflare Tunnel config via API (cloudflared hot-reloads)
  • Updates HTTPRoute status with acceptance conditions

On startup, the reconciler performs a full sync so that the tunnel configuration matches the current state of HTTPRoute resources. Because each sync replaces the ingress list rather than merging into it, any ingress rules created outside this controller (by hand in the dashboard or by another tool) are overwritten on the next sync; a tunnel managed by this controller should therefore be dedicated to it.
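The following added example (my own code, not the controller's) shows what a replacement-style full sync computes. From a set of HTTPRoutes and their parent Gateways it derives the complete tunnel ingress list: routes whose parent Gateway belongs to another GatewayClass are skipped, backend URLs are built from ClusterDomain, a hostname-and-path claimed by two routes goes to the oldest route (the Gateway API convention for conflicting routes) and the loser is reported rather than silently winning, more specific paths are ordered first because cloudflared takes the first matching rule, and the catch-all rule cloudflared requires is appended last. Route, Gateway and Backend are reduced stand-ins for the Gateway API objects, the sample data is constructed, and the {"config":{"ingress":[...]}} request shape is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Gateway, Backend, Rule and Route are reduced stand-ins for the Gateway API
// objects, holding only the fields this example needs.
type Gateway struct{ Namespace, Name, GatewayClassName string }

type Backend struct {
	Service, Namespace string // Namespace "" means the route's own namespace
	Port               int
}

type Rule struct {
	PathPrefix string // "" or "/" means the whole host
	Backend    Backend
}

type Route struct {
	Namespace, Name string
	Created         int64  // creation timestamp (Unix seconds); oldest wins conflicts
	ParentGateway   string // "namespace/name" of the parent Gateway
	Hostnames       []string
	Rules           []Rule
}

// IngressRule is one entry of the tunnel ingress list.
type IngressRule struct {
	Hostname string `json:"hostname,omitempty"`
	Path     string `json:"path,omitempty"`
	Service  string `json:"service"`
}

// BuildIngress computes the whole ingress list from desired state; a sync that
// uploads it replaces whatever the tunnel had, which is why it must be complete.
func BuildIngress(routes []Route, gateways []Gateway, gatewayClassName, clusterDomain string) ([]IngressRule, []string) {
	classOf := make(map[string]string, len(gateways))
	for _, g := range gateways {
		classOf[g.Namespace+"/"+g.Name] = g.GatewayClassName
	}
	type key struct{ host, path string }
	owner := make(map[key]string) // who claimed a hostname/path first
	var rules []IngressRule
	var conflicts []string

	// Oldest route first, then namespace/name, so repeated syncs are identical
	// and a newer route cannot take over a hostname an older one already serves.
	sorted := append([]Route(nil), routes...)
	sort.Slice(sorted, func(i, j int) bool {
		a, b := sorted[i], sorted[j]
		if a.Created != b.Created {
			return a.Created < b.Created
		}
		if a.Namespace != b.Namespace {
			return a.Namespace < b.Namespace
		}
		return a.Name < b.Name
	})
	for _, r := range sorted {
		if classOf[r.ParentGateway] != gatewayClassName {
			continue // parent missing or attached to another GatewayClass
		}
		id := r.Namespace + "/" + r.Name
		for _, host := range r.Hostnames {
			for _, rule := range r.Rules {
				ns := rule.Backend.Namespace
				if ns == "" {
					ns = r.Namespace
				}
				svc := fmt.Sprintf("http://%s.%s.svc.%s:%d", rule.Backend.Service, ns, clusterDomain, rule.Backend.Port)
				path := "" // cloudflared matches path as a regular expression
				if p := strings.TrimSuffix(rule.PathPrefix, "/"); p != "" {
					path = "^" + regexp.QuoteMeta(p) + "(/|$)"
				}
				k := key{host, path}
				if prev, dup := owner[k]; dup {
					conflicts = append(conflicts, fmt.Sprintf("%s: %s%s already claimed by %s", id, host, rule.PathPrefix, prev))
					continue
				}
				owner[k] = id
				rules = append(rules, IngressRule{Hostname: host, Path: path, Service: svc})
			}
		}
	}
	// Within a hostname, longer (more specific) paths first: first match wins.
	sort.SliceStable(rules, func(i, j int) bool {
		if rules[i].Hostname != rules[j].Hostname {
			return rules[i].Hostname < rules[j].Hostname
		}
		return len(rules[i].Path) > len(rules[j].Path)
	})
	// cloudflared requires a final catch-all rule with neither hostname nor path.
	rules = append(rules, IngressRule{Service: "http_status:404"})
	return rules, conflicts
}

// TunnelConfigBody renders the list as the JSON document this example would
// PUT to the tunnel configuration endpoint (the wrapper keys are assumed).
func TunnelConfigBody(rules []IngressRule) ([]byte, error) {
	return json.Marshal(map[string]any{"config": map[string]any{"ingress": rules}})
}
```

A conflict entry is the signal a practitioner wants surfaced in the HTTPRoute status of the losing route: without it, a route in another namespace that names an already-served hostname would be indistinguishable from a legitimate change.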

func (*HTTPRouteReconciler) Reconcile

func (r *HTTPRouteReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)

func (*HTTPRouteReconciler) SetupWithManager

func (r *HTTPRouteReconciler) SetupWithManager(mgr ctrl.Manager) error

func (*HTTPRouteReconciler) Start

func (r *HTTPRouteReconciler) Start(ctx context.Context) error

Start implements manager.Runnable: the manager calls it once when it starts, to perform the initial full sync. With leader election enabled, controller-runtime runs such Runnables only on the elected leader by default, so the startup sync is not repeated by standby replicas.
