feat(gitops): bootstrap Cloudflare Tunnel ingress

- add STRRL Cloudflare Tunnel ingress controller manifests backed by External Secrets
- seed Cloudflare account and tunnel config from Infisical or environment values
- stage the controller in Flux before app reconciliation and document Ingress routing

Author: icepuma

gitops/apps/README.md

@@ -1,29 +1,32 @@
 # Apps
 
-Public apps attach to the shared `Gateway` in `gateway-system` with `HTTPRoute`.
+Public apps should use the Cloudflare Tunnel ingress class.
 
 Constraints:
 - hostnames must be under your cluster base domain, for example `*.intar.app`
-- routes should bind to `stardrive-public`
-- HTTPS is terminated by the platform wildcard certificate
+- routes should set `ingressClassName: cloudflare-tunnel`
+- the controller reads `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, and `CLOUDFLARE_TUNNEL_NAME` from the shared Infisical operator path
+- the Cloudflare API token needs Zone read, DNS edit, and Cloudflare Tunnel edit permissions
 
 Example shape:
 
 ```yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: example
   namespace: app
 spec:
-  parentRefs:
-    - name: stardrive-public
-      namespace: gateway-system
-      sectionName: https
-  hostnames:
-    - app.intar.app
+  ingressClassName: cloudflare-tunnel
   rules:
-    - backendRefs:
-        - name: example
-          port: 8080
+    - host: app.intar.app
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: example
+                port:
+                  number: 8080
 ```

gitops/core/cloudflare-tunnel-ingress-controller/external-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-tunnel-credentials
+  namespace: cloudflare-tunnel
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+  target:
+    name: cloudflare-tunnel-credentials
+  data:
+    - secretKey: api-token
+      remoteRef:
+        key: CLOUDFLARE_API_TOKEN
+    - secretKey: cloudflare-account-id
+      remoteRef:
+        key: CLOUDFLARE_ACCOUNT_ID
+    - secretKey: cloudflare-tunnel-name
+      remoteRef:
+        key: CLOUDFLARE_TUNNEL_NAME

gitops/core/cloudflare-tunnel-ingress-controller/helmrelease.yaml

@@ -0,0 +1,28 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cloudflare-tunnel-ingress-controller
+  namespace: cloudflare-tunnel
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cloudflare-tunnel-ingress-controller
+      version: 0.0.23
+      sourceRef:
+        kind: HelmRepository
+        name: cloudflare-tunnel-ingress-controller
+        namespace: cloudflare-tunnel
+  values:
+    cloudflare:
+      secretRef:
+        name: cloudflare-tunnel-credentials
+        accountIDKey: cloudflare-account-id
+        tunnelNameKey: cloudflare-tunnel-name
+        apiTokenKey: api-token
+    ingressClass:
+      name: cloudflare-tunnel
+      isDefaultClass: false
+    dnsCommentTemplate: "managed by stardrive"
+    cloudflared:
+      replicaCount: 2

gitops/core/cloudflare-tunnel-ingress-controller/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cloudflare-tunnel-ingress-controller
+  namespace: cloudflare-tunnel
+spec:
+  interval: 1h
+  url: https://helm.strrl.dev

gitops/core/cloudflare-tunnel-ingress-controller/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cloudflare-tunnel
+resources:
+  - namespace.yaml
+  - helmrepository.yaml
+  - external-secret.yaml
+  - helmrelease.yaml

gitops/core/cloudflare-tunnel-ingress-controller/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cloudflare-tunnel

gitops/core/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - external-secrets
+  - cloudflare-tunnel-ingress-controller
   - cert-manager
   - cert-manager-issuer
   - cluster-secrets

internal/workflow/bootstrap.go

@@ -142,8 +142,10 @@ func (a *App) Bootstrap(ctx context.Context, req BootstrapRequest) error {
 			return nil, err
 		}
 		if err := infClient.SetSecrets(ctx, cfg.Infisical.ProjectID, cfg.Infisical.Environment, paths.OperatorShared, map[string]string{
-			secretHetznerToken:       infra.Hetzner.Token,
-			secretCloudflareAPIToken: infra.CloudflareToken,
+			secretHetznerToken:         infra.Hetzner.Token,
+			secretCloudflareAPIToken:   infra.CloudflareToken,
+			secretCloudflareAccountID:  infra.CloudflareAccountID,
+			secretCloudflareTunnelName: infra.CloudflareTunnelName,
 		}); err != nil {
 			return nil, err
 		}
@@ -488,17 +490,20 @@ func (a *App) promptBootstrapInputs(ctx context.Context, cfg *config.Config, edi
 	}
 
 	existing, _ := infClient.GetSecrets(ctx, cfg.Infisical.ProjectID, cfg.Infisical.Environment, cfg.Secrets().OperatorShared)
-	infra := infraSecrets{
-		Hetzner: hetzner.Credentials{
-			Token: defaultSecret(existing[secretHetznerToken], os.Getenv(secretHetznerToken)),
-		},
-		CloudflareToken: defaultSecret(existing[secretCloudflareAPIToken], os.Getenv(secretCloudflareAPIToken)),
-	}
+	infra := infraSecretsFromValues(existing)
 	infra.Hetzner.Token, err = promptSecretIfNeeded(ctx, edit, infra.Hetzner.Token, "HCLOUD_TOKEN", "Hetzner Cloud project API token")
 	if err != nil {
 		return nil, infraSecrets{}, err
 	}
-	infra.CloudflareToken, err = promptSecretIfNeeded(ctx, edit, infra.CloudflareToken, "Cloudflare API token", "Token with DNS edit permissions for the target zone")
+	infra.CloudflareToken, err = promptSecretIfNeeded(ctx, edit, infra.CloudflareToken, "Cloudflare API token", "Token with Zone read, DNS edit, and Cloudflare Tunnel edit permissions")
+	if err != nil {
+		return nil, infraSecrets{}, err
+	}
+	infra.CloudflareAccountID, err = promptStringIfNeeded(ctx, edit, infra.CloudflareAccountID, "Cloudflare account ID", "Account that owns the tunnel and DNS zones")
+	if err != nil {
+		return nil, infraSecrets{}, err
+	}
+	infra.CloudflareTunnelName, err = promptStringIfNeeded(ctx, edit, infra.CloudflareTunnelName, "Cloudflare Tunnel name", "Tunnel to create or reuse for public app ingress")
 	if err != nil {
 		return nil, infraSecrets{}, err
 	}

internal/workflow/bootstrap_test.go

@@ -33,3 +33,42 @@ func TestGenerateStorageBoxPasswordMeetsPolicy(t *testing.T) {
 		t.Fatalf("password does not meet complexity policy: %q", password)
 	}
 }
+
+func TestInfraSecretsFromValuesReadsCloudflareTunnelEnv(t *testing.T) {
+	t.Setenv(secretHetznerToken, "hcloud-token")
+	t.Setenv(secretCloudflareAPIToken, "cloudflare-token")
+	t.Setenv(secretCloudflareAccountID, "cloudflare-account")
+	t.Setenv(secretCloudflareTunnelName, "stardrive-tunnel")
+
+	secrets := infraSecretsFromValues(nil)
+
+	if secrets.Hetzner.Token != "hcloud-token" {
+		t.Fatalf("expected Hetzner token from env, got %q", secrets.Hetzner.Token)
+	}
+	if secrets.CloudflareToken != "cloudflare-token" {
+		t.Fatalf("expected Cloudflare token from env, got %q", secrets.CloudflareToken)
+	}
+	if secrets.CloudflareAccountID != "cloudflare-account" {
+		t.Fatalf("expected Cloudflare account ID from env, got %q", secrets.CloudflareAccountID)
+	}
+	if secrets.CloudflareTunnelName != "stardrive-tunnel" {
+		t.Fatalf("expected Cloudflare tunnel name from env, got %q", secrets.CloudflareTunnelName)
+	}
+}
+
+func TestInfraSecretsFromValuesPrefersStoredValues(t *testing.T) {
+	t.Setenv(secretCloudflareAccountID, "env-account")
+	t.Setenv(secretCloudflareTunnelName, "env-tunnel")
+
+	secrets := infraSecretsFromValues(map[string]string{
+		secretCloudflareAccountID:  "stored-account",
+		secretCloudflareTunnelName: "stored-tunnel",
+	})
+
+	if secrets.CloudflareAccountID != "stored-account" {
+		t.Fatalf("expected stored Cloudflare account ID, got %q", secrets.CloudflareAccountID)
+	}
+	if secrets.CloudflareTunnelName != "stored-tunnel" {
+		t.Fatalf("expected stored Cloudflare tunnel name, got %q", secrets.CloudflareTunnelName)
+	}
+}

internal/workflow/cluster_runtime.go

@@ -718,7 +718,7 @@ func (a *App) waitForFluxBootstrapOCI(ctx context.Context, cfg *config.Config, k
 
 func (a *App) waitForDeferredFluxBootstrapOCI(ctx context.Context, cfg *config.Config, kubeconfigPath string) error {
 	env := a.kubectlEnv(kubeconfigPath)
-	for _, name := range []string{fluxIssuerKustomizationName, fluxClusterSecretsKustomizationName, fluxPublicEdgeKustomizationName, fluxAppsKustomizationName} {
+	for _, name := range []string{fluxIssuerKustomizationName, fluxClusterSecretsKustomizationName, fluxPublicEdgeKustomizationName, fluxCloudflareTunnelKustomizationName, fluxAppsKustomizationName} {
 		if err := a.runCommand(ctx, env, nil, "kubectl", "wait", "--namespace", fluxNamespace, "--for=condition=Ready", "kustomization/"+name, "--timeout=15m"); err != nil {
 			return err
 		}
@@ -1269,6 +1269,22 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: %s
+  namespace: %s
+spec:
+  interval: 5m0s
+  prune: true
+  wait: true
+  path: "./core/cloudflare-tunnel-ingress-controller"
+  dependsOn:
+    - name: %s
+  sourceRef:
+    kind: OCIRepository
+    name: %s
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: %s
   namespace: %s
@@ -1279,6 +1295,7 @@ spec:
   path: "./apps"
   dependsOn:
     - name: %s
+    - name: %s
   sourceRef:
     kind: OCIRepository
     name: %s
@@ -1309,9 +1326,14 @@ spec:
 		fluxNamespace,
 		fluxIssuerKustomizationName,
 		fluxOCIRepositoryName,
+		fluxCloudflareTunnelKustomizationName,
+		fluxNamespace,
+		fluxKustomizationName,
+		fluxOCIRepositoryName,
 		fluxAppsKustomizationName,
 		fluxNamespace,
 		fluxPublicEdgeKustomizationName,
+		fluxCloudflareTunnelKustomizationName,
 		fluxOCIRepositoryName,
 	))
 }