Merge pull request #19 from adyanth/cluster-tunnel

ClusterTunnel resource
adyanth · Feb 2, 2022 · ffdb499 · ffdb499
2 parents 508fc32 + 8814791
commit ffdb499
Show file tree

Hide file tree

Showing 29 changed files with 1,269 additions and 230 deletions.
diff --git a/PROJECT b/PROJECT
@@ -1,25 +1,33 @@
 domain: cfargotunnel.com
 layout:
-  - go.kubebuilder.io/v3
+- go.kubebuilder.io/v3
 plugins:
   manifests.sdk.operatorframework.io/v2: {}
   scorecard.sdk.operatorframework.io/v2: {}
 projectName: cloudflare-operator
 repo: github.com/adyanth/cloudflare-operator
 resources:
-  - controller: true
-    domain: k8s.io
-    group: networking
-    kind: Service
-    path: k8s.io/api/core/v1
-    version: v1
-  - api:
-      crdVersion: v1
-      namespaced: true
-    controller: true
-    domain: cfargotunnel.com
-    group: networking
-    kind: Tunnel
-    path: github.com/adyanth/cloudflare-operator/api/v1alpha1
-    version: v1alpha1
+- controller: true
+  domain: k8s.io
+  group: networking
+  kind: Service
+  path: k8s.io/api/core/v1
+  version: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: cfargotunnel.com
+  group: networking
+  kind: Tunnel
+  path: github.com/adyanth/cloudflare-operator/api/v1alpha1
+  version: v1alpha1
+- api:
+    crdVersion: v1
+  controller: true
+  domain: cfargotunnel.com
+  group: networking
+  kind: ClusterTunnel
+  path: github.com/adyanth/cloudflare-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/README.md b/README.md
@@ -27,8 +27,6 @@
 [![GitHub issues](https://img.shields.io/github/issues/adyanth/cloudflare-operator)](https://github.com/adyanth/cloudflare-operator/issues)
 [![Go Report Card](https://goreportcard.com/badge/github.com/adyanth/cloudflare-operator)](https://goreportcard.com/report/github.com/adyanth/cloudflare-operator)
 
-> This is **NOT** an official operator provided/backed by Cloudflare Inc.
-
 > **_NOTE_**: This project is currently in Alpha
 
 > UDP*: UDP support for Cloudflare Tunnels is in [Early Access](https://blog.cloudflare.com/extending-cloudflares-zero-trust-platform-to-support-udp-and-internal-dns/)
@@ -45,6 +43,7 @@ The Cloudflare Operator aims to provide a new way of dynamically deploying the [
   * Accept a Secret for Cloudflare API Tokens and Keys
   * Run a scaled (configurable) Deployment of `cloudflared`
   * Manage a ConfigMap for the above Deployment
+  * Have Cluster and Namespace scoped Tunnels
 * A Service controller which monitors Service Resources for Annotations and do the following:
   * Update the `cloudflared` ConfigMap to include the new Service to be served
   * Restart the `cloudflared` Deployment to make the configuration change take effect
@@ -64,3 +63,5 @@ There is more detailed information on this architecture and thought process behi
 Go through the dedicated documentation on [Getting Started](docs/getting-started.md) to learn how to deploy this operator and a sample tunnel along with a service to expose.
 
 Look into the [Configuration](docs/configuration.md) documentation to understand various configurable parameters of this operator.
+
+> **_NOTE_**: This is **NOT** an official operator provided/backed by Cloudflare Inc. It utilizes their [v4 API](https://api.cloudflare.com/) and their [`cloudflared`](https://github.com/cloudflare/cloudflared) to automate setting up of tunnels on Kubernetes. 
diff --git a/api/v1alpha1/clustertunnel_types.go b/api/v1alpha1/clustertunnel_types.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:scope=Cluster
+
+// ClusterTunnel is the Schema for the clustertunnels API
+type ClusterTunnel struct {
+	Tunnel `json:",inline"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterTunnelList contains a list of ClusterTunnel
+type ClusterTunnelList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterTunnel `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ClusterTunnel{}, &ClusterTunnelList{})
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml b/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml
@@ -0,0 +1,151 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.7.0
+  creationTimestamp: null
+  name: clustertunnels.networking.cfargotunnel.com
+spec:
+  group: networking.cfargotunnel.com
+  names:
+    kind: ClusterTunnel
+    listKind: ClusterTunnelList
+    plural: clustertunnels
+    singular: clustertunnel
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ClusterTunnel is the Schema for the clustertunnels API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: TunnelSpec defines the desired state of Tunnel
+            properties:
+              cloudflare:
+                description: Cloudflare Credentials
+                properties:
+                  CLOUDFLARE_API_KEY:
+                    default: CLOUDFLARE_API_KEY
+                    description: Key in the secret to use for Cloudflare API Key,
+                      defaults to CLOUDFLARE_API_KEY. Needs Email also to be provided.
+                      For Delete operations for new tunnels only, or as an alternate
+                      to API Token
+                    type: string
+                  CLOUDFLARE_API_TOKEN:
+                    default: CLOUDFLARE_API_TOKEN
+                    description: Key in the secret to use for Cloudflare API token,
+                      defaults to CLOUDFLARE_API_TOKEN
+                    type: string
+                  CLOUDFLARE_TUNNEL_CREDENTIAL_FILE:
+                    default: CLOUDFLARE_TUNNEL_CREDENTIAL_FILE
+                    description: Key in the secret to use as credentials.json for
+                      the tunnel, defaults to CLOUDFLARE_TUNNEL_CREDENTIAL_FILE
+                    type: string
+                  CLOUDFLARE_TUNNEL_CREDENTIAL_SECRET:
+                    default: CLOUDFLARE_TUNNEL_CREDENTIAL_SECRET
+                    description: Key in the secret to use as credentials.json for
+                      the tunnel, defaults to CLOUDFLARE_TUNNEL_CREDENTIAL_SECRET
+                    type: string
+                  accountId:
+                    description: Account ID in Cloudflare. AccountId and AccountName
+                      cannot be both empty. If both are provided, Account ID is used
+                      if valid, else falls back to Account Name.
+                    type: string
+                  accountName:
+                    description: Account Name in Cloudflare. AccountName and AccountId
+                      cannot be both empty. If both are provided, Account ID is used
+                      if valid, else falls back to Account Name.
+                    type: string
+                  domain:
+                    description: Cloudflare Domain to which this tunnel belongs to
+                    type: string
+                  email:
+                    description: Email to use along with API Key for Delete operations
+                      for new tunnels only, or as an alternate to API Token
+                    type: string
+                  secret:
+                    description: Secret containing Cloudflare API key
+                    type: string
+                type: object
+              existingTunnel:
+                description: Existing tunnel object. ExistingTunnel and NewTunnel
+                  cannot be both empty and are mutually exclusive.
+                properties:
+                  id:
+                    description: Existing Tunnel ID to run on. Tunnel ID and Tunnel
+                      Name cannot be both empty. If both are provided, ID is used
+                      if valid, else falls back to Name.
+                    type: string
+                  name:
+                    description: Existing Tunnel name to run on. Tunnel Name and Tunnel
+                      ID cannot be both empty. If both are provided, ID is used if
+                      valid, else falls back to Name.
+                    type: string
+                type: object
+              image:
+                default: cloudflare/cloudflared:2022.1.3
+                description: Image sets the Cloudflared Image to use. Defaults to
+                  the image set during the release of the operator.
+                type: string
+              newTunnel:
+                description: New tunnel object. NewTunnel and ExistingTunnel cannot
+                  be both empty and are mutually exclusive.
+                properties:
+                  name:
+                    description: Tunnel name to create on Cloudflare.
+                    type: string
+                type: object
+              size:
+                default: 1
+                description: Size defines the number of Daemon pods to run for this
+                  tunnel
+                format: int32
+                minimum: 0
+                type: integer
+            type: object
+          status:
+            description: TunnelStatus defines the observed state of Tunnel
+            properties:
+              accountId:
+                type: string
+              tunnelId:
+                description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
+                  of cluster Important: Run "make" to regenerate code after modifying
+                  this file'
+                type: string
+              tunnelName:
+                type: string
+              zoneId:
+                type: string
+            required:
+            - accountId
+            - tunnelId
+            - tunnelName
+            - zoneId
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -3,17 +3,20 @@
 # It should be run by config/default
 resources:
 - bases/networking.cfargotunnel.com_tunnels.yaml
+- bases/networking.cfargotunnel.com_clustertunnels.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_tunnels.yaml
+#- patches/webhook_in_clustertunnels.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_tunnels.yaml
+#- patches/cainjection_in_clustertunnels.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_clustertunnels.yaml b/config/crd/patches/cainjection_in_clustertunnels.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: clustertunnels.networking.cfargotunnel.com
diff --git a/config/crd/patches/webhook_in_clustertunnels.yaml b/config/crd/patches/webhook_in_clustertunnels.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clustertunnels.networking.cfargotunnel.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1