homelab/k8s/apps/cloudflared/cloudflared-tonydu.yaml
2025-02-16 21:28:36 -08:00


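---
# cloudflared connector Deployment for the "tonydu" Cloudflare Tunnel.
# Runs `cloudflared tunnel --config <file> run` with two replicas. The tunnel
# credentials are mounted from a Secret and the ingress rules from the
# ConfigMap named cloudflared-tonydu.
#
# NOTE(review): no pod or container securityContext is set here, and the pod
# uses the namespace's default ServiceAccount with its token auto-mounted.
# Consider allowPrivilegeEscalation: false, dropping all capabilities, a
# read-only root filesystem and automountServiceAccountToken: false, after
# confirming that the image runs correctly with them.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: default
  name: cloudflared-tonydu
spec:
  selector:
    matchLabels:
      app: cloudflared-tonydu
  replicas: 2
  template:
    metadata:
      labels:
        app: cloudflared-tonydu
    spec:
      containers:
        - name: cloudflared
          # Pinned to a release tag. A tag can be re-pointed upstream; pinning
          # by image digest as well would make the deployed binary immutable.
          image: cloudflare/cloudflared:2025.2.0
          resources:
            requests:
              memory: "32Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          args:
            - tunnel
            - --config
            - /etc/cloudflared/config/config.yaml
            - run
          livenessProbe:
            # /ready is served on port 2000 by the metrics listener configured
            # in the ConfigMap (`metrics: 0.0.0.0:2000`).
            httpGet:
              path: /ready
              port: 2000
            # A single failed probe restarts the container.
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
      volumes:
        # Tunnel credentials. Read access to this Secret is equivalent to
        # being able to run the tunnel, so keep RBAC on it narrow.
        - name: creds
          secret:
            secretName: cf-tunnel-creds-tonydu
        # A configMap volume is always resolved in the Pod's own namespace;
        # the volume source has no `namespace` field, so none is set here
        # (an unknown field is rejected under strict field validation).
        - name: config
          configMap:
            name: cloudflared-tonydu
            items:
              - key: config.yaml
                path: config.yaml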
---
# cloudflared runtime configuration. The cloudflared-tonydu Deployment mounts
# the `config.yaml` key at /etc/cloudflared/config/config.yaml.
#
# Review notes on the embedded config (written here, outside the block scalar,
# so the mounted file content stays unchanged):
# - `noTLSVerify: true` is set on both ingress rules, so cloudflared does not
#   validate the certificate presented by the Traefik origin. The hop is
#   encrypted but not authenticated. The cloudflared `originServerName` and
#   `caPool` originRequest options allow verification to be kept on when the
#   origin certificate does not match the service DNS name.
#   TODO confirm which certificate Traefik serves for these hosts.
# - `metrics: 0.0.0.0:2000` binds the metrics/readiness listener on all pod
#   interfaces. The Deployment's liveness probe needs it reachable on the pod
#   IP; presumably other workloads can then also read /metrics unless a
#   NetworkPolicy restricts port 2000 - verify.
# - `credentials-file` points into the Deployment's `creds` mount
#   (/etc/cloudflared/creds); presumably the Secret cf-tunnel-creds-tonydu has
#   a `credentials.json` key - verify, the Secret is not shown here.
# - `no-autoupdate: true` leaves the running version to the image tag set in
#   the Deployment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared-tonydu
  namespace: default
data:
  config.yaml: |
    # Name of the tunnel you want to run
    tunnel: f84d35f1-604c-4982-87fa-deb2253703ea
    credentials-file: /etc/cloudflared/creds/credentials.json
    # Serves the metrics server under /metrics and the readiness server under /ready
    metrics: 0.0.0.0:2000
    no-autoupdate: true
    ingress:
      # The old tonydu.me domains will be routed like this because I no longer
      # want to support internal DNS records for tonydu.me
      - hostname: blog.tonydu.me
        service: https://traefik.traefik.svc.cluster.local
        originRequest:
          noTLSVerify: true
          http2Origin: true
          httpHostHeader: blog.tonydu.me
      - hostname: wizarr.tonydu.me
        service: https://traefik.traefik.svc.cluster.local
        originRequest:
          noTLSVerify: true
          http2Origin: true
          httpHostHeader: wizarr.tonydu.me
      # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
      - service: http_status:404