From 0483524a882253da4351b6513b79b12e2e39cdfd Mon Sep 17 00:00:00 2001
From: xnoto
Date: Wed, 29 Apr 2026 20:48:42 -0600
Subject: [PATCH] feat(cluster): add CNAMEs + Access app for headlamp & k3s API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- cf-tunnels.tf: add `headlamp` and `k3s` to cluster_apps_hostnames so CNAMEs resolve through the cluster-apps tunnel. Drop `ansible` (AWX is being deprecated).
- cf-access-k3s.tf (new): Cloudflare Access self_hosted application protecting k3s.makeitwork.cloud. Pairs with the upcoming TunnelBinding in kustomize-cluster that fronts kube-apiserver as a TCP tunnel. Admins-only via the existing GitHub IdP and access group.

Headlamp doesn't get its own Access app — it'll authenticate via ArgoCD's embedded Dex (separate PR adds the static client).
---
 README.md        | 1 +
 cf-access-k3s.tf | 34 ++++++++++++++++++++++++++++++++++
 cf-tunnels.tf    | 3 ++-
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 cf-access-k3s.tf

diff --git a/README.md b/README.md
index 4c6934c..62fa85f 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ No modules.
 | [cloudflare_dns_record.spf](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_dns_record.www](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/dns_record) | resource |
 | [cloudflare_ruleset.cache_rules](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) | resource |
+| [cloudflare_zero_trust_access_application.k3s](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) | resource |
 | [cloudflare_zero_trust_access_application.warp](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_application) | resource |
 | [cloudflare_zero_trust_access_group.admins](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_group) | resource |
 | [cloudflare_zero_trust_access_identity_provider.github](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) | resource |
diff --git a/cf-access-k3s.tf b/cf-access-k3s.tf
new file mode 100644
index 0000000..ab0616f
--- /dev/null
+++ b/cf-access-k3s.tf
@@ -0,0 +1,34 @@
+# Cloudflare Access application protecting the k3s API server tunnel.
+#
+# Pairs with the TunnelBinding in kustomize-cluster (workloads/kubectl-tunnel)
+# that fronts kubernetes.default.svc:443 over k3s.makeitwork.cloud as a TCP
+# tunnel. Clients reach the apiserver via:
+#
+#   cloudflared access tcp --hostname k3s.makeitwork.cloud --url localhost:6443
+#
+# `cloudflared access` runs the Access OIDC flow against this app before the
+# TCP tunnel opens, so only org admins authenticated via GitHub can connect.
+resource "cloudflare_zero_trust_access_application" "k3s" {
+  account_id = local.account_id
+  name = "k3s API"
+  type = "self_hosted"
+  domain = "k3s.makeitwork.cloud"
+  session_duration = "24h"
+
+  allowed_idps = [
+    cloudflare_zero_trust_access_identity_provider.github.id,
+  ]
+
+  policies = [
+    {
+      name = "makeitworkcloud-admins"
+      decision = "allow"
+      session_duration = "24h"
+      include = [{
+        group = {
+          id = cloudflare_zero_trust_access_group.admins.id
+        }
+      }]
+    }
+  ]
+}
diff --git a/cf-tunnels.tf b/cf-tunnels.tf
index a0ff90e..4da96a0 100644
--- a/cf-tunnels.tf
+++ b/cf-tunnels.tf
@@ -21,8 +21,9 @@ locals { cluster_apps_hostnames = [ "argocd", "grafana", + "headlamp", + "k3s", "status", - "ansible", ] }
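Review bot: The header comment's statement that after the Access flow "only org admins authenticated via GitHub can connect" should be qualified, because the application gates who may open the TCP path at the Cloudflare edge while kube-apiserver still authenticates and authorizes whatever credential is in the client's kubeconfig, so that credential remains the thing to protect; suggest appending `# Access only gates the tunnel; kube-apiserver still authenticates the kubeconfig credential it receives.` to the comment block. Separately, `session_duration = "24h"` is set on both the application and the inline policy, and for a path that terminates at the cluster API an Access session that stays valid for a full day on a workstation is long; a shorter value on both, for example `session_duration = "8h"`, would limit how long a lost or compromised machine keeps network reach to the apiserver. The policy admits the whole admins group with nothing visible here beyond the GitHub IdP, which may be intended, but a one-line comment stating that expectation would help the next reader.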
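Review bot: `"headlamp"` is added to `cluster_apps_hostnames` here, yet the commit description says Headlamp's authentication (the Dex static client) lands in a separate PR, so the CNAME starts resolving before anything in this repository or the described follow-up enforces login on that hostname; unless the tunnel ingress for headlamp is also not wired up yet, consider landing this entry together with or after that PR. The `"k3s"` entry is fine to land now since the Access application in cf-access-k3s.tf ships in the same commit. The `locals {` block that holds this list starts outside the hunk.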