Cloudflare and DNS

[mitchross]

Would you mind sharing how you have your cloudflare setup for routing to dns? Do you point to your cloudflare tunnel ? Do you have any setttings on your router for handling private ip resolution? and sort of visual with examples would be helpful!

[vehagn]

With the setup I'm running now I don't have to configure anything in my router. I just have a DNS CNAME-record pointing
to the cloudflared-tunnel which then routes the traffic to the LoadBalancer Service connected to the Gateway.

The DNS-record for *.stonegarden.dev looks like

Type	Name	Content	Proxy status
CNAME	*	<TUNNEL_ID>.cfargotunnel.com	Proxied

You can find the TUNNEL_ID under Networks > Tunnels in CF Zero Trust.
If you configure the tunnel through the Zero Trust dashboard I think you also get a DNS entry for it automatically.

You can find the cloudflared config I'm using here, i.e. not configured through the Zero Trust dashboard.

Keep in mind that CF doesn't like you streaming huge amounts of data through their network, so for some stuff I also have port 443 open on my router to the Gateway Service IP.

I assume you already have a Cloudflare tunnel up and running, but if not I have a very brief description on how to get it up and running here.

A rough sketch of the flow would be:

flowchart TB
    Web --> DNS --> CF-tunnel ---> Gateway-Service --> Gateway --> HTTPRoute
    DNS --> External-IP --> Router --> Internal-IP --> Gateway-Service

Loading

[mitchross]

Great this is what I have.. Been troubleshooting issues for a few days why external hosted services didnt work... One last question
for your truenas tls pass thru you have - 192.168.1.117 .. Do you set that in cloudflare at all? like an "A record" ?

[vehagn]

TrueNAS is part of the *-record from because of this cloudflared config, though it can be reached in multiple ways since it has it's own IP (external to the cluster) and I've set up both a Service and TLSRoute in the cluster (which is not really needed).

homelab/k8s/infra/network/cloudflared/config.yaml

Lines 16 to 19 in c7d997c

	- hostname: truenas.stonegarden.dev
	service: https://truenas.truenas.svc.cluster.local:443
	originRequest:
	originServerName: truenas.stonegarden.dev

The idea was to have everything go through the same Gateway (and IP), but atm you can't combine HTTP and TLS listeners on the same Gateway, at least not with Cilium (GitHub issues cilium/cilium#32371, cert-manager/cert-manager#6985).

As a kind of half-way measure I'm now pointing cloudflared to a "Service withouth selectors" (with a custom EndpointSlice), though I could also point cloudflared to the LoadBalancer Service for the TLS-passthrough Gateway I've set up. You could also just point cloudflared directly to the TrueNAS IP.

I'll try to illustrate:

flowchart TB
    Web --> DNS --> CF-tunnel -.-> TLS-Passthrough-GW-Svc -.-> TLS-Passthrough-GW -.-> TLSRoute -.-> TrueNAS-Service
    CF-tunnel -.-> TrueNAS-IP
    CF-tunnel --> TrueNAS-Service ---> TrueNAS-IP

Loading

I've tried to go more in-depth here: https://blog.stonegarden.dev/articles/2024/04/k8s-external-services/

[mitchross]

OH! I totally removed this from my cloudflare config when I was doing my own setup and forgot to add it back....thank you!