### Install Development Dependencies and Tools
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Commands to download the Go module dependencies and install the development tools the project needs.

```bash
# Install Go dependencies
go mod download

# Install development tools
make tools
```

--------------------------------

### Example Original Configuration Output
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

Example of the JSON returned when retrieving the original configuration of an existing Pages project; `capturedAt` records when the operator captured it.

```json
{
  "productionBranch": "main",
  "subdomain": "existing-project",
  "source": {
    "type": "github",
    "github": {
      "owner": "my-org",
      "repo": "my-repo"
    }
  },
  "capturedAt": "2025-01-19T12:00:00Z"
}
```

--------------------------------

### Install Cloudflare Operator (Full)
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/getting-started.md

Use this command for a complete installation including CRDs, namespace, RBAC, and the operator (the `no-webhook` manifest, without the admission webhook). Recommended for new users.

```bash
# All-in-one: CRDs + Namespace + RBAC + Operator
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-full-no-webhook.yaml
```

--------------------------------

### Install Cloudflare Operator (Modular)
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/getting-started.md

Step 3 of the modular installation: installs the operator's RBAC and Deployment. Recommended for production environments that need fine-grained control over what is applied to the cluster.
```bash
# Step 3: Install operator (RBAC + Deployment)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-no-webhook.yaml
```

--------------------------------

### Configure Custom OIDC Provider with SCIM Provisioning
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessidentityprovider.md

Example of integrating a custom OIDC provider with SCIM provisioning enabled. The provider's client ID, authorization URL, token URL, and JWKS URL are required. SCIM user deprovisioning is also enabled, so a user removed at the identity provider is removed from Cloudflare Access as well. The client secret is not part of this fragment; keep it out of the manifest and reference a Kubernetes Secret, as the Azure AD example on this page does with `configSecretRef`.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessIdentityProvider
metadata:
  name: custom-oidc
spec:
  type: oidc
  name: "Custom OIDC Provider"
  config:
    clientId: "oidc-client-id"
    authUrl: "https://idp.example.com/oauth/authorize"
    tokenUrl: "https://idp.example.com/oauth/token"
    certsUrl: "https://idp.example.com/oauth/jwks"
    scimConfig:
      enabled: true
      userDeprovision: true
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Basic AccessServiceToken Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessservicetoken.md

Basic configuration for an AccessServiceToken: the desired token name, the Kubernetes Secret the generated client ID and secret are written to, and the Cloudflare account details.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessServiceToken
metadata:
  name: api-service-token
  namespace: production
spec:
  name: "API Service Account"
  secretRef:
    name: api-service-creds
    namespace: production
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Example: Git Production Deployment
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesdeployment.md

A PagesDeployment resource configured for a production deployment from a Git source.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PagesDeployment
metadata:
  name: my-app-prod
  namespace: production
  labels:
    networking.cloudflare-operator.io/version: "v1.2.3"
spec:
  projectRef:
    name: my-app
  environment: production
  source:
    type: git
    git:
      branch: main
  cloudflare:
    accountId: "your-account-id"
    credentialsRef:
      name: cloudflare-credentials
```

--------------------------------

### Example: Service LoadBalancer IP
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

How to create a DNS record automatically from a Kubernetes Service's LoadBalancer IP address.

#### Description
A `DNSRecord` resource configured to use a Service's LoadBalancer IP address as the source of the A record.
#### Resource Definition

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: DNSRecord
metadata:
  name: api-dns
  namespace: production
spec:
  name: api.example.com
  sourceRef:
    service:
      name: api-service
      addressType: LoadBalancerIP
  proxied: true
  cloudflare:
    domain: example.com
    secret: cloudflare-api-credentials
```

--------------------------------

### Example Git Production Deployment
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesdeployment.md

A complete PagesDeployment resource for a production Git-based deployment. `credentialsRef` must name an existing CloudflareCredentials resource.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PagesDeployment
metadata:
  name: my-app-prod
  namespace: production
  labels:
    networking.cloudflare-operator.io/version: "v1.2.3"
spec:
  projectRef:
    name: my-app
  environment: production
  source:
    type: git
    git:
      branch: main
  cloudflare:
    accountId: "your-account-id"
    credentialsRef:
      name: cloudflare-credentials
```

--------------------------------

### Install Cloudflare Operator (Full)
Source: https://github.com/stringke/cloudflare-operator/blob/main/README.md

Installs CRDs, namespace, RBAC, and the operator without the admission webhook. Recommended for new users. Note that `releases/latest/download` resolves to whatever release is newest at apply time; for a reproducible production rollout, substitute a specific release tag for `latest` and review the manifest before applying it with cluster-admin rights.

```bash
# All-in-one: CRDs + Namespace + RBAC + Operator (without webhook)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-full-no-webhook.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system
```

--------------------------------

### AccessIdentityProvider - Microsoft Azure AD Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessidentityprovider.md

How to configure Microsoft Azure AD as an identity provider, referencing a Kubernetes Secret for credentials instead of placing them in the manifest.
#### Description
Configures Microsoft Azure AD as an identity provider, using a Kubernetes Secret for the client credentials.

#### Kind
AccessIdentityProvider

#### Spec
- **type**: `azureAd` (string, Required)
- **name**: `"Azure AD"` (string, Optional)
- **config**:
  - **appsDomain**: `"tenant.onmicrosoft.com"` (string, Optional)
  - **configSecretRef**:
    - **name**: `azure-credentials` (string, Optional)
    - **namespace**: `cloudflare-operator-system` (string, Optional)
    - **key**: `CLIENT_ID` (string, Optional)
- **cloudflare**:
  - **accountId**: `"1234567890abcdef"` (string, Required)
  - **credentialsRef**:
    - **name**: `production` (string, Required)

#### Example

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessIdentityProvider
metadata:
  name: azure-ad
spec:
  type: azureAd
  name: "Azure AD"
  config:
    appsDomain: "tenant.onmicrosoft.com"
    configSecretRef:
      name: azure-credentials
      namespace: cloudflare-operator-system
      key: CLIENT_ID
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### AccessIdentityProvider - Custom OIDC Provider with SCIM Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessidentityprovider.md

How to configure a custom OIDC provider with SCIM provisioning enabled.

#### Description
Configures a custom OIDC provider with SCIM provisioning enabled for user and group synchronization.
#### Kind
AccessIdentityProvider

#### Spec
- **type**: `oidc` (string, Required)
- **name**: `"Custom OIDC Provider"` (string, Optional)
- **config**:
  - **clientId**: `"oidc-client-id"` (string, Optional)
  - **authUrl**: `"https://idp.example.com/oauth/authorize"` (string, Optional)
  - **tokenUrl**: `"https://idp.example.com/oauth/token"` (string, Optional)
  - **certsUrl**: `"https://idp.example.com/oauth/jwks"` (string, Optional)
  - **scimConfig**:
    - **enabled**: `true` (boolean, Optional)
    - **userDeprovision**: `true` (boolean, Optional)
- **cloudflare**:
  - **accountId**: `"1234567890abcdef"` (string, Required)
  - **credentialsRef**:
    - **name**: `production` (string, Required)

#### Example

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessIdentityProvider
metadata:
  name: custom-oidc
spec:
  type: oidc
  name: "Custom OIDC Provider"
  config:
    clientId: "oidc-client-id"
    authUrl: "https://idp.example.com/oauth/authorize"
    tokenUrl: "https://idp.example.com/oauth/token"
    certsUrl: "https://idp.example.com/oauth/jwks"
    scimConfig:
      enabled: true
      userDeprovision: true
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Get PagesDeployment Status Information using kubectl
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesdeployment.md

Retrieve deployment status with kubectl: the version name, the immutable hash URL, and the full status object.
```bash
# Get the version name
kubectl get pagesdeployment my-app-deploy -o jsonpath='{.status.versionName}'

# Get the hash URL (immutable reference)
kubectl get pagesdeployment my-app-deploy -o jsonpath='{.status.hashUrl}'

# Get all deployment info
kubectl get pagesdeployment my-app-deploy -o jsonpath='{.status}' | jq
```

--------------------------------

### Install Cloudflare Operator (Modular)
Source: https://github.com/stringke/cloudflare-operator/blob/main/README.md

Installs the operator's RBAC and Deployment without the admission webhook. Assumes the CRDs and the namespace are already in place.

```bash
# Step 3: Install operator (RBAC + Deployment)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-no-webhook.yaml

# Verify installation
kubectl get pods -n cloudflare-operator-system
```

--------------------------------

### AccessIdentityProvider - Google Workspace Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessidentityprovider.md

How to configure a Google Workspace identity provider for Cloudflare Zero Trust Access with the AccessIdentityProvider resource.

#### Description
Configures Google Workspace as an identity provider for Cloudflare Zero Trust Access.
#### Kind
AccessIdentityProvider

#### Spec
- **type**: `google` (string, Required)
- **name**: `"Google Workspace"` (string, Optional)
- **config**:
  - **appsDomain**: `"example.com"` (string, Optional)
- **cloudflare**:
  - **accountId**: `"1234567890abcdef"` (string, Required)
  - **credentialsRef**:
    - **name**: `production` (string, Required)

#### Example

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessIdentityProvider
metadata:
  name: google-workspace
spec:
  type: google
  name: "Google Workspace"
  config:
    appsDomain: "example.com"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### GatewayConfiguration Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/gatewayconfiguration.md

Configures account-wide Cloudflare Gateway settings: logging, certificate inspection, and the API credentials to use.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: GatewayConfiguration
metadata:
  name: gateway-config
spec:
  logging:
    enabled: true
    level: "standard"
  inspection: true
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### v1alpha2 TunnelBinding Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration.md

The recommended TunnelBinding header, using the `networking.cloudflare-operator.io/v1alpha2` API group.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: TunnelBinding
```

--------------------------------

### Gateway Configuration Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/tunnelgatewayclassconfig.md

A TunnelGatewayClassConfig resource that wires Cloudflare Tunnel into the Kubernetes Gateway API. It needs the Cloudflare account ID and a credentials reference.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: TunnelGatewayClassConfig
metadata:
  name: tunnel-gateway-config
spec:
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### v1alpha1 TunnelBinding Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration.md

The legacy TunnelBinding header, using the `networking.cfargotunnel.com` API group.

```yaml
apiVersion: networking.cfargotunnel.com/v1alpha1
kind: TunnelBinding
```

--------------------------------

### Create a Basic R2 Bucket
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/r2bucket.md

Creates a simple R2 bucket with a given name under the specified Cloudflare account. A CloudflareCredentials resource named `production` must exist.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: R2Bucket
metadata:
  name: app-storage
  namespace: production
spec:
  bucketName: "app-storage-prod"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### PagesDeployment Spec Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

The new PagesDeployment spec format, recommended for defining deployments. It specifies the project reference, the environment, the source type (`git` or `directUpload`), and the Cloudflare account details.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PagesDeployment
metadata:
  name: my-app-prod
spec:
  projectRef:
    name: my-pages-project
  # NEW: Deployment environment (required)
  environment: production  # or "preview"
  # NEW: Unified source configuration (required)
  source:
    type: git  # or "directUpload"
    git:
      branch: main
      commitSha: "abc123def456"  # optional: pin a specific commit
      purgeBuildCache: false
  cloudflare:
    accountId: "your-account-id"
    credentialsRef:
      name: cloudflare-credentials
```

--------------------------------

### Register Domain
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/domainregistration.md

Registers a new domain with the DomainRegistration resource. Provide a valid domain name and a reference to Cloudflare API credentials.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: DomainRegistration
metadata:
  name: new-domain
spec:
  domain: "example.com"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Manual DNS CNAME Record Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

The CNAME record needed for manual DNS configuration: it points a custom domain at the Pages project's default `pages.dev` subdomain.

```text
app.external-dns.com CNAME my-app.pages.dev
```

--------------------------------

### Go Coding Standards for Status Updates and Conditions
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Project conventions for updating object status and setting conditions in Go: status writes go through the conflict-retrying helper, and conditions are set with `meta.SetStatusCondition` rather than appended by hand.
```go
// ✅ Use ConflictRetry for status updates: the helper re-reads the object and
// re-applies the mutation when the API server reports a resourceVersion conflict.
err := controller.UpdateStatusWithConflictRetry(ctx, r.Client, obj, func() {
    obj.Status.State = "active"
})
// handle err before returning from Reconcile

// ✅ Use meta.SetStatusCondition for conditions
// (meta is k8s.io/apimachinery/pkg/api/meta, metav1 is k8s.io/apimachinery/pkg/apis/meta/v1).
// It replaces an existing condition of the same Type and only bumps
// LastTransitionTime when the Status actually changes.
meta.SetStatusCondition(&status.Conditions, metav1.Condition{
    Type:               "Ready",
    Status:             metav1.ConditionTrue,
    Reason:             "Reconciled",
    ObservedGeneration: obj.Generation,
})
```

--------------------------------

### Retrieve Original Pages Project Configuration
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

Fetch the original configuration of an existing Pages project with `kubectl get`, piping through `jq` for pretty-printing.

```bash
kubectl get pagesproject existing-project -o jsonpath='{.status.originalConfig}' | jq
```

--------------------------------

### View Virtual Network Details
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/02-private-network/virtual-network/README.md

Show detailed information about a specific virtual network, identified by name.

```bash
kubectl describe virtualnetwork production-vnet
```

--------------------------------

### Create a WAF ZoneRuleset
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/zoneruleset.md

A ZoneRuleset resource for WAF rules. Cloudflare API credentials are supplied through `credentialsRef`.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: ZoneRuleset
metadata:
  name: waf-rules
  namespace: production
spec:
  name: "WAF Rules"
  kind: "waf"
  cloudflare:
    accountId: "1234567890abcdef"
    domain: "example.com"
    credentialsRef:
      name: production
```

--------------------------------

### Multiple PrivateServices in a Namespace
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/privateservice.md

Several PrivateService resources in the same namespace, each exposing a different internal service over the same ClusterTunnel.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PrivateService
metadata:
  name: redis-private
  namespace: cache
spec:
  serviceRef:
    name: redis
    port: 6379
  tunnelRef:
    kind: ClusterTunnel
    name: main-tunnel
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
---
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PrivateService
metadata:
  name: elasticsearch-private
  namespace: cache
spec:
  serviceRef:
    name: elasticsearch
    port: 9200
  tunnelRef:
    kind: ClusterTunnel
    name: main-tunnel
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### GitOps Workflow: Deploy Preview and Promote to Production
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesproject.md

The CI/Ops steps for deploying a new version as a preview and then promoting it to production under the `gitops` version-management policy. Both fragments are the `versionManagement` section of a PagesProject; promotion is a one-field change that can be reviewed like any other Git commit.
```yaml
# Step 1: CI deploys v1.3.0 as preview
versionManagement:
  policy: gitops
  gitops:
    previewVersion: "v1.3.0"
    productionVersion: "v1.2.3"

# Step 2: Ops promotes v1.3.0 to production
versionManagement:
  policy: gitops
  gitops:
    previewVersion: "v1.3.0"
    productionVersion: "v1.3.0"  # Changed
```

--------------------------------

### Global API Key Credentials Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/cloudflarecredentials.md

A Kubernetes Secret holding a Global API Key and the account email, and a CloudflareCredentials resource that uses them. This method is less secure and not recommended for new setups: a Global API Key cannot be scoped, so anyone who reads the Secret holds full access to every zone and account the user can reach. Prefer an API token limited to the permissions the operator needs, and restrict RBAC on the `cloudflare-operator-system` namespace either way.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cf-global-key
  namespace: cloudflare-operator-system
type: Opaque
stringData:
  CLOUDFLARE_API_KEY: "YOUR_GLOBAL_API_KEY"
  CLOUDFLARE_EMAIL: "admin@example.com"
---
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: CloudflareCredentials
metadata:
  name: legacy-account
spec:
  accountId: "0987654321fedcba"
  authType: globalAPIKey
  secretRef:
    name: cf-global-key
    namespace: cloudflare-operator-system
    apiKeyKey: CLOUDFLARE_API_KEY
    emailKey: CLOUDFLARE_EMAIL
```

--------------------------------

### Deploy Web Application
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/scenarios/web-app-exposure/README.md

Deploys the sample web application to the Kubernetes cluster.

```bash
kubectl apply -f app-deployment.yaml
```

--------------------------------

### TunnelIngressClassConfig Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/tunnelingressclassconfig.md

A TunnelIngressClassConfig resource definition for Kubernetes.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: TunnelIngressClassConfig
metadata:
  name: tunnel-ingress-config
spec:
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Multi-Environment Management with Deployment Configurations
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesproject.md

Environment-specific configuration, such as environment variables, for the production and preview deployment targets of a PagesProject.

```yaml
deploymentConfigs:
  production:
    environmentVariables:
      ENV: { value: "production" }
      DB_URL: { value: "prod-db.example.com" }
  preview:
    environmentVariables:
      ENV: { value: "preview" }
      DB_URL: { value: "staging-db.example.com" }
```

--------------------------------

### Preview Deployment using Git
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesdeployment.md

A PagesDeployment for a preview environment built from a Git branch. Specify the project reference and the branch.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PagesDeployment
metadata:
  name: my-app-preview-feature-x
  namespace: staging
spec:
  projectRef:
    name: my-app
  environment: preview
  source:
    type: git
    git:
      branch: feature/new-feature
  cloudflare:
    accountId: "your-account-id"
    credentialsRef:
      name: cloudflare-credentials
```

--------------------------------

### CI/CD Integration with AccessServiceToken
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessservicetoken.md

Creates an AccessServiceToken for CI/CD pipelines and shows a sample script that reads the generated client ID and secret back out of the Kubernetes Secret for use in a GitHub Actions workflow. The pipeline's service account needs `get` on that one Secret only; do not echo the values into job logs.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessServiceToken
metadata:
  name: ci-cd-token
  namespace: ci-cd
spec:
  name: "CI/CD Pipeline Token"
  secretRef:
    name: cicd-cf-credentials
    namespace: ci-cd
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
---
# Usage in GitHub Actions
apiVersion: v1
kind: ConfigMap
metadata:
  name: ci-cd-config
  namespace: ci-cd
data:
  deploy.sh: |
    #!/bin/bash
    set -euo pipefail
    # Secret.data values are base64-encoded; read them from the ci-cd namespace explicitly
    CLIENT_ID=$(kubectl get secret cicd-cf-credentials -n ci-cd -o jsonpath='{.data.CF_ACCESS_CLIENT_ID}' | base64 -d)
    CLIENT_SECRET=$(kubectl get secret cicd-cf-credentials -n ci-cd -o jsonpath='{.data.CF_ACCESS_CLIENT_SECRET}' | base64 -d)
    # Use credentials to authenticate with protected services (send them as request headers, never print them)
```

--------------------------------

### Install Cloudflare Operator CRDs
Source: https://github.com/stringke/cloudflare-operator/blob/main/README.md

Installs only the Custom Resource Definitions (CRDs) for the Cloudflare Operator. Requires cluster-admin privileges.

```bash
# Step 1: Install CRDs (cluster-admin required)
kubectl apply -f https://github.com/StringKe/cloudflare-operator/releases/latest/download/cloudflare-operator-crds.yaml
```

--------------------------------

### AccessApplication with Service Token and Human Access Policies
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessapplication.md

An AccessApplication with two policies: a `non_identity` policy that admits machine-to-machine callers presenting a service token, and an `allow` policy for human users whose email is in the company domain. Note that `anyValidServiceToken` accepts every service token in the account; if only one pipeline should reach this application, scope the policy to that token instead.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessApplication
metadata:
  name: api-service
spec:
  name: API Service
  domain: api-internal.example.com
  type: self_hosted
  policies:
    - policyName: "Service Token Access"
      decision: non_identity
      precedence: 1
      include:
        - anyValidServiceToken: {}
    - policyName: "Human Access"
      decision: allow
      precedence: 2
      include:
        - emailDomain:
            domain: "example.com"
  cloudflare:
    accountId: ""
    domain: example.com
    secret: cloudflare-credentials
```

--------------------------------

### Create a Device Settings Policy
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/devicesettingspolicy.md

A DeviceSettingsPolicy resource that configures WARP client settings: it names the policy, enables split tunneling, and references Cloudflare API credentials.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: DeviceSettingsPolicy
metadata:
  name: enterprise-policy
spec:
  name: "Enterprise Policy"
  settings:
    splitTunneling: "enabled"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Verify Cloudflare Operator Installation
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/getting-started.md

Check the operator pod status and the installed Custom Resource Definitions (CRDs) to confirm a successful installation.

```bash
# Check operator pod
kubectl get pods -n cloudflare-operator-system

# Check CRDs
kubectl get crds | grep cloudflare
```

--------------------------------

### Deploy to Cluster A (Production)
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/scenarios/multi-cluster-access/README.md

Apply the configuration for the production cluster. Switch to the correct kubectl context first.
```bash
# On Cluster A (production)
kubectl config use-context cluster-a
kubectl apply -f cluster-a/
```

--------------------------------

### Basic Employee Access Group
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/accessgroup.md

A basic AccessGroup that includes every user with an `example.com` email address. It specifies the Cloudflare account ID, the domain, and the Kubernetes Secret holding the API credentials.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: AccessGroup
metadata:
  name: employees
spec:
  name: Company Employees
  include:
    - emailDomain:
        domain: "example.com"
  cloudflare:
    accountId: ""
    domain: example.com
    secret: cloudflare-credentials
```

--------------------------------

### Download and Execute Migration Script
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration/tunnelbinding-migration.md

Download the migration script from GitHub, make it executable, and run it for a dry run or an actual migration. The script converts TunnelBinding resources to Ingress configurations. It is fetched from the `main` branch rather than a tagged release, so read it before running it against a cluster.

```bash
curl -O https://raw.githubusercontent.com/StringKe/cloudflare-operator/main/scripts/migrate-tunnelbinding.sh
chmod +x migrate-tunnelbinding.sh
./migrate-tunnelbinding.sh

# Example
./migrate-tunnelbinding.sh default ./migration-output
```

--------------------------------

### Create an R2 Bucket for Multi-Tier Storage
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/r2bucket.md

An R2 bucket with several lifecycle rules that expire objects by prefix after different retention periods (daily, monthly, yearly). Useful for backup storage.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: R2Bucket
metadata:
  name: backups
  namespace: production
spec:
  bucketName: "database-backups"
  lifecycleRules:
    - id: "daily-cleanup"
      enabled: true
      prefix: "daily/"
      expiration: 30
    - id: "monthly-retain"
      enabled: true
      prefix: "monthly/"
      expiration: 365
    - id: "yearly-archive"
      enabled: true
      prefix: "yearly/"
      expiration: 2555
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Get Service CIDR
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/scenarios/kubernetes-private-access/README.md

Retrieves the Service CIDR range from the kube-apiserver flags (requires permission to dump cluster info).

```bash
# Service CIDR (from kube-apiserver)
kubectl cluster-info dump | grep -m1 service-cluster-ip-range
```

--------------------------------

### Deploy Sample Application
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/getting-started.md

Deploy a sample Nginx application as a Kubernetes Deployment and Service. This is the application that will be exposed through the Cloudflare tunnel.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world
spec:
  selector:
    app: hello-world
  ports:
    - port: 80
```

--------------------------------

### Get Pod CIDR
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/scenarios/kubernetes-private-access/README.md

Retrieves the Pod CIDR ranges assigned to the Kubernetes nodes (one per node).
```bash
# Pod CIDR
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'
```

--------------------------------

### Run Operator Locally
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Install the CRDs into the current cluster and run the operator locally, optionally under the delve debugger.

```bash
# Install CRDs to cluster
make install

# Run the operator locally (outside cluster)
make run

# Or run with delve debugger
make debug
```

--------------------------------

### Get Version Name using kubectl
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

Retrieve `versionName` from the status of a PagesDeployment.

```bash
# Get version name
kubectl get pagesdeployment my-app-deploy -o jsonpath='{.status.versionName}'
```

--------------------------------

### Get Hash URL using kubectl
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

Retrieve the immutable `hashUrl` from the status of a PagesDeployment.

```bash
# Get hash URL (immutable reference to this deployment)
kubectl get pagesdeployment my-app-deploy -o jsonpath='{.status.hashUrl}'
```

--------------------------------

### Describe Tunnel Resource
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration.md

Show detailed information about a specific Tunnel resource, including its conditions and events, to help diagnose issues.

```bash
kubectl describe tunnel -n
```

--------------------------------

### Database Access with Virtual Network
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/privateservice.md

A PrivateService for database access, with a descriptive comment and an association with a specific virtual network. It needs service and tunnel references plus the Cloudflare account credentials.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: PrivateService
metadata:
  name: postgres-private
  namespace: databases
spec:
  serviceRef:
    name: postgres
    port: 5432
  tunnelRef:
    kind: Tunnel
    name: db-tunnel
    namespace: tunnels
  virtualNetworkRef:
    name: db-network
  comment: "PostgreSQL private access"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### DNSRecord Spec with CAA Record Data
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

A DNSRecord for a CAA record, restricting certificate issuance for `example.com` to the named CA. Note that this snippet (and the MX and Ingress ones that follow) uses `apiVersion: cloudflare.example.com/v1alpha1` and `cloudflare.zone`, whereas the other DNSRecord example on this page uses `networking.cloudflare-operator.io/v1alpha2` with `cloudflare.domain`; check the installed schema with `kubectl explain dnsrecord.spec` before copying.

```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: caa-record
spec:
  name: "example.com"
  type: "CAA"
  content: "0 issue \"letsencrypt.org\""
  cloudflare:
    zone: "example.com"
```

--------------------------------

### Fork and Clone Repository
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Fork the Cloudflare Operator repository on GitHub, clone your fork, and add the upstream remote.

```bash
# Fork the repository on GitHub, then:
git clone https://github.com//cloudflare-operator.git
cd cloudflare-operator
git remote add upstream https://github.com/StringKe/cloudflare-operator.git
```

--------------------------------

### DNSRecord Spec with MX Record Details
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

A DNSRecord for an MX record, including the `priority` field and an explicit TTL.
```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: mx-record
spec:
  name: "mail.example.com"
  type: "MX"
  content: "mail.example.com"
  priority: 10
  ttl: 3600
  cloudflare:
    zone: "example.com"
```

--------------------------------

### List All TunnelBindings
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration/tunnelbinding-migration.md

Use kubectl to list all TunnelBinding resources across all namespaces. This is the first step in identifying resources to migrate.

```bash
kubectl get tunnelbinding -A
```

--------------------------------

### Deploy to Cluster B (Staging)
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/scenarios/multi-cluster-access/README.md

Apply the configuration for the staging cluster. Ensure the correct context is set before applying.

```bash
# On Cluster B (Staging)
kubectl config use-context cluster-b
kubectl apply -f cluster-b/
```

--------------------------------

### Get Operator Logs
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/troubleshooting.md

Retrieve logs from the operator controller manager to identify errors or warnings. Useful for debugging.

```bash
# Operator logs
kubectl logs -n cloudflare-operator-system deployment/cloudflare-operator-controller-manager
```

--------------------------------

### Get Existing Tunnels
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/migration.md

Verify that existing v1alpha1 Tunnel resources are still accessible and operational after the operator update.

```bash
kubectl get tunnels.networking.cloudflare-operator.io -A
kubectl get clustertunnels.networking.cloudflare-operator.io
```

--------------------------------

### Build Operator Binary and Docker Image
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Commands to build the operator binary and its Docker image for development.
```bash
# Build the operator binary
make build

# Build Docker image
make docker-build IMG=cloudflare-operator:dev
```

--------------------------------

### Create Virtual Network
Source: https://github.com/stringke/cloudflare-operator/blob/main/examples/02-private-network/virtual-network/README.md

Use this command to create the virtual networks defined in a YAML file.

```bash
kubectl apply -f virtual-network.yaml
```

--------------------------------

### DNSRecord Spec with Ingress Source
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Example of a DNSRecord dynamically sourcing its IP address from a Kubernetes Ingress's LoadBalancer status.

```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: ingress-record
spec:
  name: "ingress.example.com"
  sourceRef:
    ingress:
      name: my-ingress
      namespace: default
  proxied: true
  cloudflare:
    zone: "example.com"
```

--------------------------------

### Example Domain Configuration
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/clouflareflacdomain.md

This snippet shows how to configure a CloudflareDomain resource to manage domain settings in Cloudflare. Ensure you provide the correct account ID and a reference to your Cloudflare credentials.

```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: CloudflareDomain
metadata:
  name: example-domain
spec:
  domain: "example.com"
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### DNSRecord Spec with Service Source
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Example of a DNSRecord dynamically sourcing its IP address from a Kubernetes Service's LoadBalancer status.
```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: service-record
spec:
  name: "service.example.com"
  sourceRef:
    service:
      name: my-loadbalancer-service
      namespace: production
  proxied: true
  cloudflare:
    zone: "example.com"
```

--------------------------------

### Run Unit Tests and Coverage
Source: https://github.com/stringke/cloudflare-operator/blob/main/CONTRIBUTING.md

Commands to execute all unit tests, a specific test, and a test coverage report.

```bash
# Run all tests
make test

# Run specific test
go test ./internal/controller/... -run TestTunnelReconciler

# Run with coverage
make test-coverage
```

--------------------------------

### List All Operator Resources
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/troubleshooting.md

Get a list of all resources managed by the Cloudflare Operator across all namespaces. Helps in understanding the current state.

```bash
# List all operator resources
kubectl get tunnels,clustertunnels,tunnelbindings,virtualnetworks,networkroutes -A
```

--------------------------------

### S3 Credentials Secret Example
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/guides/pages-advanced-deployment.md

Define a Kubernetes Secret for S3 credentials, including the access key ID and secret access key. The values shown are AWS's published placeholder credentials; because `stringData` is plaintext, keep a manifest with real values out of version control.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: aws-credentials
type: Opaque
stringData:
  accessKeyId: "AKIAIOSFODNN7EXAMPLE"
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  # sessionToken: "optional-session-token"
```

--------------------------------

### Basic A Record (Proxied)
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Create a static A record for a hostname, pointing to a specific IP address. This example also enables the Cloudflare proxy for the record, which hides the origin IP behind Cloudflare's edge. The TTL is set to 1, meaning automatic TTL management by Cloudflare, which is the only TTL Cloudflare accepts for proxied records.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: DNSRecord
metadata:
  name: www-record
  namespace: default
spec:
  name: www
  type: A
  content: 203.0.113.50
  ttl: 1  # Automatic TTL
  proxied: true  # Enable Cloudflare proxy
  comment: "Web server endpoint"
  cloudflare:
    domain: example.com
    secret: cloudflare-api-credentials
```

--------------------------------

### Force A Record Type
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Example of explicitly specifying the record type as `A` to override auto-detection when creating a DNSRecord, particularly when using a service source.

```yaml
spec:
  type: A  # Force A record type
  sourceRef:
    service:
      name: my-service
```

--------------------------------

### DNSRecord Spec with SRV Record Data
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Example of a DNSRecord configured for an SRV record, specifying port and weight within the `data` field.

```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: srv-record
spec:
  name: "_service._tcp.example.com"
  type: "SRV"
  sourceRef:
    service:
      name: my-app-service
      namespace: default
  data:
    srv:
      port: 8080
      weight: 5
  cloudflare:
    zone: "example.com"
```

--------------------------------

### Deploy and Verify DNSRecord
Source: https://github.com/stringke/cloudflare-operator/blob/main/test/e2e/TEST_PLAN.md

Applies a DNSRecord manifest and waits for its status to become Ready. It also includes a DNS query to verify the record.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: DNSRecord
metadata:
  name: test-dns
  namespace: e2e-test
spec:
  name: e2e-test-record.your-domain.com
  type: A
  content: 1.2.3.4
  ttl: 300
  proxied: false
  cloudflare:
    accountId: "${CLOUDFLARE_ACCOUNT_ID}"
    credentialsRef:
      name: default
```

```bash
kubectl apply -f test/e2e/manifests/09-dnsrecord.yaml
kubectl wait --for=jsonpath='{.status.state}'=Ready dnsrecord/test-dns -n e2e-test --timeout=60s
kubectl get dnsrecord test-dns -n e2e-test -o yaml

# DNS query verification
dig e2e-test-record.your-domain.com
```

--------------------------------

### DNSRecord Spec with Node Source
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/dnsrecord.md

Example of a DNSRecord dynamically sourcing its IP address from a Kubernetes Node's external IP addresses.

```yaml
apiVersion: cloudflare.example.com/v1alpha1
kind: DNSRecord
metadata:
  name: node-record
spec:
  name: "node.example.com"
  sourceRef:
    node:
      name: "worker-node-1"
  proxied: false
  cloudflare:
    zone: "example.com"
```

--------------------------------

### GitOps Workflow: Rollback to Previous Version
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/pagesproject.md

Demonstrates how to revert the production version to a previous stable release by updating the `productionVersion` field.

```yaml
versionManagement:
  policy: gitops
  gitops:
    previewVersion: "v1.3.0"
    productionVersion: "v1.2.3"  # Rollback to v1.2.3
```

--------------------------------

### Configure Custom Domain for R2 Bucket
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/api-reference/r2bucketdomain.md

This example demonstrates how to configure a custom domain for an R2 bucket using the R2BucketDomain resource. Ensure an R2Bucket resource and Cloudflare DNS are set up prior to applying this configuration.
```yaml
apiVersion: networking.cloudflare-operator.io/v1alpha2
kind: R2BucketDomain
metadata:
  name: assets-domain
  namespace: production
spec:
  domain: "assets.example.com"
  bucketRef:
    name: app-storage
  cloudflare:
    accountId: "1234567890abcdef"
    credentialsRef:
      name: production
```

--------------------------------

### Access Application and Verify DNS
Source: https://github.com/stringke/cloudflare-operator/blob/main/docs/en/getting-started.md

Access your deployed application via the configured FQDN. Verify the DNS record and use curl to test accessibility. For a proxied record, `dig` returns Cloudflare edge addresses rather than your origin; an answer containing the origin IP means the record is not actually proxied.

```bash
# Verify DNS record
dig hello.example.com

# Access the application
curl https://hello.example.com
```
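The DNSRecord examples above (the CAA, MX, SRV and proxied A records, and the e2e record verified with `dig`) share a few constraints that are cheap to check before `kubectl apply` and again once the record reports Ready. The script below is an added example, not code from the cloudflare-operator project or its docs. `lint_dnsrecord` applies Cloudflare-side rules to a manifest's `.spec` (proxying only for A/AAAA/CNAME, automatic TTL for proxied records, MX priority, CAA content shape); these rules are assumed from Cloudflare's DNS API documentation, not taken from the operator's own validation, which may differ. `check_resolution` compares `dig +short` output with the spec and flags a proxied record whose answers still include the origin IP. The Cloudflare IPv4 edge ranges are a hand-copied snapshot, specs are passed as plain dicts so no YAML library is needed, and the sample specs and dig answers are constructed.

```python
"""Pre-apply lint and post-apply resolution check for DNSRecord specs.

Added example, not code from the cloudflare-operator project. Assumptions:
  * the rules mirror Cloudflare's DNS API constraints as documented for most
    plans (proxying only for A/AAAA/CNAME, proxied records use automatic
    TTL = 1, other TTLs 60..86400, MX needs a priority); the operator's own
    admission validation may differ;
  * CLOUDFLARE_V4 is a hand-copied snapshot of Cloudflare's published IPv4
    edge ranges; refresh it from https://www.cloudflare.com/ips-v4;
  * specs are passed as plain dicts (the .spec of a manifest).
"""
import ipaddress
import re

PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# flags, tag, quoted value, e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^\d{1,3} (issue|issuewild|iodef) "[^"]*"$')


def lint_dnsrecord(spec: dict) -> list[str]:
    """Return the problems found in a DNSRecord .spec; empty list when clean."""
    problems = []
    rtype = spec.get("type")
    proxied = spec.get("proxied", False)
    ttl = spec.get("ttl", 1)
    has_source = "sourceRef" in spec
    if rtype is None and not has_source:
        problems.append("type is required unless sourceRef auto-detects it")
    if not has_source and not spec.get("content"):
        problems.append("content is required when no sourceRef is set")
    if proxied and rtype is not None and rtype not in PROXIABLE_TYPES:
        problems.append(f"proxied is only valid for A/AAAA/CNAME, not {rtype}")
    if proxied and ttl != 1:
        problems.append("proxied records must use automatic TTL (ttl: 1)")
    if not proxied and ttl != 1 and not 60 <= ttl <= 86400:
        problems.append(f"ttl {ttl} is outside 60..86400 (use 1 for automatic)")
    if rtype == "MX" and not isinstance(spec.get("priority"), int):
        problems.append("MX records require an integer priority")
    if rtype == "CAA" and not CAA_RE.match(spec.get("content", "")):
        problems.append('CAA content must look like: 0 issue "ca.example"')
    if rtype == "SRV" and "srv" not in spec.get("data", {}):
        problems.append("SRV records need data.srv with port and weight")
    return problems


def check_resolution(spec: dict, answers: list[str]) -> list[str]:
    """Compare `dig +short` answers with what the spec promises.

    A proxied record must resolve only to Cloudflare edge addresses and never
    to the origin given in .content (that would mean the origin is exposed);
    a non-proxied record must resolve to .content itself.
    """
    if not answers:
        return ["no answer: record not published yet or name is wrong"]
    problems = []
    content = spec.get("content")
    if spec.get("proxied", False):
        for answer in answers:
            if answer == content:
                problems.append(f"origin {answer} is exposed although the record is proxied")
                continue
            try:
                ip = ipaddress.ip_address(answer)
            except ValueError:
                continue  # CNAME target or similar: nothing to range-check
            if ip.version == 4 and not any(ip in net for net in CLOUDFLARE_V4):
                problems.append(f"{answer} is not a Cloudflare edge address")
    elif content and content not in answers:
        problems.append(f"expected {content}, got {answers}")
    return problems


# Constructed specs mirroring the page's DNSRecord examples (.spec only).
PROXIED_A = {"name": "www", "type": "A", "content": "203.0.113.50", "ttl": 1, "proxied": True}
E2E_A = {"name": "e2e-test-record.your-domain.com", "type": "A", "content": "1.2.3.4",
         "ttl": 300, "proxied": False}
CAA = {"name": "example.com", "type": "CAA", "content": '0 issue "letsencrypt.org"'}
SRV = {"name": "_service._tcp.example.com", "type": "SRV",
       "sourceRef": {"service": {"name": "my-app-service", "namespace": "default"}},
       "data": {"srv": {"port": 8080, "weight": 5}}}
BAD_MX = {"name": "mail.example.com", "type": "MX", "content": "mail.example.com", "ttl": 3600}
BAD_PROXIED = {"name": "www", "type": "A", "content": "203.0.113.50", "ttl": 300, "proxied": True}

if __name__ == "__main__":
    for label, spec in [("proxied A", PROXIED_A), ("e2e A", E2E_A), ("CAA", CAA),
                        ("SRV", SRV), ("MX without priority", BAD_MX),
                        ("proxied with ttl 300", BAD_PROXIED)]:
        print(f"{label}: {lint_dnsrecord(spec) or 'ok'}")
    # Constructed `dig +short` answers: edge IPs for the proxied name, then a leak.
    print(check_resolution(PROXIED_A, ["104.16.1.1", "172.64.3.4"]) or "ok")
    print(check_resolution(PROXIED_A, ["203.0.113.50"]))
```

In practice load the `.spec` from your manifest (for example with PyYAML) and pass the lines of `dig +short <name>` as `answers`. A proxied record that resolves to the address in `content` means the proxy is being bypassed and the origin is reachable directly, which defeats the point of `proxied: true`.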