--- # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: name: &app cloudflared spec: interval: 30m chart: spec: chart: app-template version: 3.0.4 sourceRef: kind: HelmRepository name: bjw-s namespace: flux-system install: remediation: retries: 3 upgrade: cleanupOnFail: true remediation: retries: 3 strategy: rollback dependsOn: - name: ingress-nginx namespace: network values: controllers: cloudflared: replicas: 2 strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" containers: app: image: repository: docker.io/cloudflare/cloudflared tag: 2024.3.0@sha256:8acfc9e4e65e0d1e26686177a3a0c4baa3b0330c0fc6adc899c2b673bc938e77 env: NO_AUTOUPDATE: "true" TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json TUNNEL_METRICS: 0.0.0.0:8080 TUNNEL_TRANSPORT_PROTOCOL: quic TUNNEL_POST_QUANTUM: true args: - tunnel - --config - /etc/cloudflared/config/config.yaml - run - "${CLUSTER_SECRET_CLOUDFLARE_TUNNEL_ID}" probes: liveness: &probes enabled: true custom: true spec: httpGet: path: /ready port: &port 8080 initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 failureThreshold: 3 readiness: *probes startup: enabled: false securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } resources: requests: cpu: 10m limits: memory: 256Mi pod: securityContext: runAsUser: 568 runAsGroup: 568 runAsNonRoot: true topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app.kubernetes.io/name: *app service: app: controller: cloudflared ports: http: port: *port serviceMonitor: app: serviceName: cloudflared endpoints: - port: http scheme: http path: /metrics interval: 1m scrapeTimeout: 10s persistence: config: enabled: true type: configMap name: cloudflared-configmap globalMounts: - path: /etc/cloudflared/config/config.yaml subPath: config.yaml readOnly: true creds: type: secret name: cloudflared-tunnel-secret globalMounts: - path: /etc/cloudflared/creds/credentials.json subPath: credentials.json readOnly: true