Documentation ¶
Overview ¶
Package ingress provides conversion from Gateway API HTTPRoute resources to Cloudflare Tunnel ingress configuration.
The Builder type converts a list of HTTPRoute resources into Cloudflare tunnel ingress rules. It handles:
- Hostname extraction from HTTPRoute.spec.hostnames
- Path matching (Exact and PathPrefix types)
- Backend service resolution to cluster-internal URLs
- Rule ordering by priority and path specificity
Diff-based Synchronization ¶
The package provides diff-based synchronization functions to minimize changes when updating tunnel configuration:
- DiffRules: Computes rules to add and remove
- ApplyDiff: Applies the diff to current rules
- EnsureCatchAll: Ensures catch-all rule exists at the end
This approach only adds new rules and removes orphaned rules, rather than replacing the entire configuration.
Path Matching ¶
The builder supports two path match types as defined by Gateway API:
- PathMatchExact: Matches the path exactly (priority 1)
- PathMatchPathPrefix: Matches paths with the given prefix (priority 0)
Rules are sorted by hostname, then by priority (exact matches first), then by path length (longer paths first for prefix matches).
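Why this ordering matters, shown as an added example (not code from this package): Cloudflare Tunnel evaluates ingress rules top to bottom, so a broad prefix listed first shadows a more specific rule. The rule type, sortRules, firstMatch and the sample hostnames are local stand-ins, and prefix matching is simplified to strings.HasPrefix.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rule is a local stand-in for an ingress rule, not the package's own type.
type rule struct {
	Hostname, Path, Service string
	Exact                   bool // true: PathMatchExact (priority 1); false: PathMatchPathPrefix (priority 0)
}

// sortRules orders by hostname, then exact before prefix, then longer path first.
func sortRules(in []rule) []rule {
	out := append([]rule(nil), in...) // copy so the caller's slice is untouched
	sort.SliceStable(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Hostname != b.Hostname {
			return a.Hostname < b.Hostname
		}
		if a.Exact != b.Exact {
			return a.Exact
		}
		return len(a.Path) > len(b.Path)
	})
	return out
}

// firstMatch walks the rules top to bottom and returns the first matching service.
func firstMatch(rules []rule, host, path string) string {
	for _, r := range rules {
		hit := (r.Exact && path == r.Path) || (!r.Exact && strings.HasPrefix(path, r.Path))
		if r.Hostname == host && hit {
			return r.Service
		}
	}
	return "http_status:404" // catch-all
}

func main() {
	// Constructed input: the broad "/" prefix is listed first on purpose.
	rules := []rule{
		{"app.example.com", "/", "http://web.default.svc.cluster.local:80", false},
		{"app.example.com", "/admin", "http://admin.default.svc.cluster.local:80", false},
	}
	fmt.Println("as listed:", firstMatch(rules, "app.example.com", "/admin/users"))
	fmt.Println("sorted:   ", firstMatch(sortRules(rules), "app.example.com", "/admin/users"))
}
```

As listed, the request for /admin/users reaches the web backend; after sorting it reaches the admin backend.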
Service Resolution ¶
Backend references are resolved to fully-qualified cluster DNS names:
http://<service>.<namespace>.svc.<cluster-domain>:<port>
Port 443 automatically uses the HTTPS scheme.
Catch-All Rule ¶
A catch-all rule returning HTTP 404 is always appended as the last rule, as required by Cloudflare Tunnel configuration.
Index ¶
- Constants
- func ApplyDiff(current []zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress, ...) []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress
- func EnsureCatchAll(rules []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress) []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress
- func IsCatchAll(r Rule) bool
- func RulesEqual(a, b Rule) bool
- type Builder
- type Rule
- func DiffRules(current []zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress, ...) (toAdd []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress, ...)
- func RuleFromGet(r *zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress) Rule
- func RuleFromUpdate(r *zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress) Rule
Constants ¶
const (
	// CatchAllService is the Cloudflare Tunnel service that returns HTTP 404.
	// It is always added as the last rule in the ingress configuration.
	CatchAllService = "http_status:404"
	// DefaultHTTPPort is the default port for HTTP backend services.
	DefaultHTTPPort = 80
	// DefaultHTTPSPort is the default port for HTTPS backend services.
	DefaultHTTPSPort = 443
)
Variables ¶
This section is empty.
Functions ¶
func ApplyDiff ¶ added in v0.7.0
func ApplyDiff(
	current []zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress,
	toAdd []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress,
	toRemove []Rule,
) []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress
ApplyDiff applies the diff to the current rules and returns the final rule set. It removes orphaned rules, keeps existing rules, and adds new rules.
func EnsureCatchAll ¶ added in v0.7.0
func EnsureCatchAll(
	rules []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress,
) []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress
EnsureCatchAll ensures a catch-all rule exists at the end of the rules.
func IsCatchAll ¶ added in v0.7.0
IsCatchAll returns true if the rule is a catch-all rule (no hostname).
func RulesEqual ¶ added in v0.7.0
RulesEqual compares two rules for equality.
Types ¶
type Builder ¶
type Builder struct {
// ClusterDomain is the Kubernetes cluster domain suffix for service DNS.
// Typically "cluster.local".
ClusterDomain string
}
Builder converts Gateway API HTTPRoute resources to Cloudflare Tunnel ingress configuration rules.
func NewBuilder ¶
NewBuilder creates a new Builder with the specified cluster domain.
func (*Builder) Build ¶
func (b *Builder) Build(routes []gatewayv1.HTTPRoute) []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress
Build converts a list of HTTPRoute resources to Cloudflare Tunnel ingress rules.
Rules are sorted by:
- Hostname (alphabetically)
- Priority (exact matches before prefix matches)
- Path length (longer paths first for specificity)
A catch-all rule returning HTTP 404 is always appended as the last rule.
type Rule ¶ added in v0.7.0
Rule represents a simplified ingress rule for comparison.
func DiffRules ¶ added in v0.7.0
func DiffRules(
	current []zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress,
	desired []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress,
) (toAdd []zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress, toRemove []Rule)
DiffRules computes the difference between current and desired rules. Returns rules to add (in desired but not in current) and rules to remove (in current but not in desired). Catch-all rules are excluded from comparison.
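The diff, apply and catch-all steps described here and under Diff-based Synchronization, as an added self-contained sketch (not this package's code and not using the zero_trust types). It assumes rules compare equal on hostname, path and service; the lower-case names and sample hostnames are hypothetical, and moving a misplaced catch-all to the end is this sketch's choice.

```go
package main

import "fmt"

// rule is a local comparison key, not the package's Rule type.
type rule struct{ Hostname, Path, Service string }

var catchAll = rule{Service: "http_status:404"} // no hostname: matches every request

// keep returns the rules for which ok is true, preserving order.
func keep(rules []rule, ok func(rule) bool) (out []rule) {
	for _, r := range rules {
		if ok(r) {
			out = append(out, r)
		}
	}
	return out
}

// absentFrom is true for non-catch-all rules that do not appear in set.
func absentFrom(set []rule) func(rule) bool {
	seen := map[rule]bool{}
	for _, r := range set {
		seen[r] = true
	}
	return func(r rule) bool { return r.Hostname != "" && !seen[r] }
}

// diffRules returns rules only in desired (toAdd) and only in current (toRemove).
func diffRules(current, desired []rule) (toAdd, toRemove []rule) {
	return keep(desired, absentFrom(current)), keep(current, absentFrom(desired))
}

// applyDiff keeps surviving rules in place, drops orphans, then appends new rules.
func applyDiff(current, toAdd, toRemove []rule) []rule {
	return append(keep(current, absentFrom(toRemove)), toAdd...)
}

// ensureCatchAll strips any catch-all and re-appends one as the last rule.
func ensureCatchAll(rules []rule) []rule {
	return append(keep(rules, absentFrom(nil)), catchAll)
}

func main() {
	old := rule{"old.example.com", "/", "http://legacy.default.svc.cluster.local:80"} // constructed: its HTTPRoute was deleted
	app := rule{"app.example.com", "/", "http://web.default.svc.cluster.local:80"}
	api := rule{"api.example.com", "/v1", "https://api.default.svc.cluster.local:443"}
	toAdd, toRemove := diffRules([]rule{old, app, catchAll}, []rule{app, api})
	fmt.Println(toAdd, toRemove, ensureCatchAll(applyDiff([]rule{old, app, catchAll}, toAdd, toRemove)))
}
```

The orphaned old.example.com rule is the part to watch when reviewing a sync: until it is removed, that hostname still routes to an internal service even though no HTTPRoute declares it.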
func RuleFromGet ¶ added in v0.7.0
func RuleFromGet(r *zero_trust.TunnelCloudflaredConfigurationGetResponseConfigIngress) Rule
RuleFromGet converts a get response ingress rule to a Rule for comparison.
func RuleFromUpdate ¶ added in v0.7.0
func RuleFromUpdate(r *zero_trust.TunnelCloudflaredConfigurationUpdateParamsConfigIngress) Rule
RuleFromUpdate converts an update params ingress rule to a Rule for comparison.