Refactor to just forward controller volume mounts

I gave this some more thought and I think just letting consumers mount volumes to the controller and then forward those to the cloudflared pod would be better. Curious what you think!
STRRL · Jan 9, 2024 · 5442a8e · 5442a8e
1 parent 3c73a10
commit 5442a8e
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 100 deletions.
diff --git a/cmd/cloudflare-tunnel-ingress-controller/main.go b/cmd/cloudflare-tunnel-ingress-controller/main.go
@@ -27,10 +27,6 @@ type rootCmdFlags struct {
 	cloudflareAccountId  string
 	cloudflareTunnelName string
 	namespace            string
-	caPoolSecret         *string
-	caPoolConfigMap      *string
-	caPoolKey            *string
-	caPoolMountPath      *string
 }
 
 func main() {
@@ -103,8 +99,7 @@ func main() {
 					case <-done:
 						return
 					case _ = <-ticker.C:
-						caPool := controller.GetCaPoolOptions(options.caPoolConfigMap, options.caPoolSecret, options.caPoolKey, options.caPoolMountPath)
-						err := controller.CreateControlledCloudflaredIfNotExist(ctx, mgr.GetClient(), tunnelClient, options.namespace, caPool)
+						err := controller.CreateControlledCloudflaredIfNotExist(ctx, mgr.GetClient(), tunnelClient, options.namespace)
 						if err != nil {
 							logger.WithName("controlled-cloudflared").Error(err, "create controlled cloudflared")
 						}
@@ -124,10 +119,6 @@ func main() {
 	rootCommand.PersistentFlags().StringVar(&options.cloudflareAccountId, "cloudflare-account-id", options.cloudflareAccountId, "cloudflare account id")
 	rootCommand.PersistentFlags().StringVar(&options.cloudflareTunnelName, "cloudflare-tunnel-name", options.cloudflareTunnelName, "cloudflare tunnel name")
 	rootCommand.PersistentFlags().StringVar(&options.namespace, "namespace", options.namespace, "namespace to execute cloudflared connector")
-	rootCommand.PersistentFlags().StringVar(options.caPoolConfigMap, "capool-config-map", "", "config map containing CA certificates to mount")
-	rootCommand.PersistentFlags().StringVar(options.caPoolSecret, "capool-secret", "", "secret containing CA certificates to mount")
-	rootCommand.PersistentFlags().StringVar(options.caPoolKey, "capool-config-map", "", "key in the configmap/secret containing the CA certificates")
-	rootCommand.PersistentFlags().StringVar(options.caPoolMountPath, "capool-secret", "", "the path within the cloudflared container to mount the CA certificates")
 
 	err := rootCommand.Execute()
 	if err != nil {

diff --git a/helm/cloudflare-tunnel-ingress-controller/templates/deployment.yaml b/helm/cloudflare-tunnel-ingress-controller/templates/deployment.yaml
@@ -39,18 +39,6 @@ spec:
             - --cloudflare-account-id=$(CLOUDFLARE_ACCOUNT_ID)
             - --cloudflare-tunnel-name=$(CLOUDFLARE_TUNNEL_NAME)
             - --namespace=$(NAMESPACE)
-            {{- if .Values.cloudflare.caPool.existingConfigMap }}
-            - --capool-config-map={{ .Values.cloudflare.caPool.existingConfigMap }}
-            {{- end }}
-            {{- if .Values.cloudflare.caPool.existingSecret }}
-            - --capool-secret={{ .Values.cloudflare.caPool.existingSecret }}
-            {{- end }}
-            {{- if .Values.cloudflare.caPool.key }}
-            - --capool-key={{ .Values.cloudflare.caPool.key }}
-            {{- end }}
-            {{- if .Values.cloudflare.caPool.mountPath }}
-            - --capool-mount-path={{ .Values.cloudflare.caPool.mountPath }}
-            {{- end }}
           env:
             - name: CLOUDFLARE_API_TOKEN
               valueFrom:
@@ -86,6 +74,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
             - name: CLOUDFLARED_IMAGE
               value: "{{ .Values.cloudflared.image.repository }}:{{ .Values.cloudflared.image.tag }}"
             - name: CLOUDFLARED_IMAGE_PULL_POLICY
@@ -94,6 +86,10 @@ spec:
               value: {{ .Values.cloudflared.replicaCount | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if gt (len .Values.extraVolumeMounts) 0 }}
+          volumeMounts:
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -106,3 +102,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if gt (len .Values.extraVolumes) 0 }}
+      volumes:
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+      {{- end }}
diff --git a/helm/cloudflare-tunnel-ingress-controller/values.yaml b/helm/cloudflare-tunnel-ingress-controller/values.yaml
@@ -14,15 +14,6 @@ cloudflare:
   #   tunnelNameKey: tunnel_name
   #   apiTokenKey: api_token
 
-  # Uncomment if you would like to mount CA certificates for the origin service
-  # caPool:
-  #   existingConfigMap: ""
-  #   existingSecret: ""
-  #   # Defaults to `ca-certificates.crt`
-  #   key: ""
-  #   # Defaults to `/etc/ssl/certs`
-  #   mountPath: ""
-
 ingressClass:
   name: cloudflare-tunnel
   controllerValue: strrl.dev/cloudflare-tunnel-ingress-controller
@@ -80,6 +71,14 @@ tolerations: []
 
 affinity: {}
 
+# Any additional volumes to include in the controller deployment.
+# Note: These will be forwarded to the cloudflared deployment as well.
+extraVolumes: []
+
+# Any additional volumes to mount in the controller pod.
+# Note: These will be forwarded to the cloudflared pod as well.
+extraVolumeMounts: []
+
 cloudflared:
   image:
     repository: cloudflare/cloudflared

diff --git a/pkg/controller/controlled-cloudflared-connector.go b/pkg/controller/controlled-cloudflared-connector.go
@@ -11,22 +11,16 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-type CaPool struct {
-	ConfigMap *struct{ Name string }
-	Secret    *struct{ Name string }
-	Key       string
-	MountPath string
-}
-
 func CreateControlledCloudflaredIfNotExist(
 	ctx context.Context,
 	kubeClient client.Client,
 	tunnelClient *cloudflarecontroller.TunnelClient,
 	namespace string,
-	caPool *CaPool,
 ) error {
 	list := appsv1.DeploymentList{}
 	err := kubeClient.List(ctx, &list, &client.ListOptions{
@@ -43,83 +37,46 @@ func CreateControlledCloudflaredIfNotExist(
 		return nil
 	}
 
-	var caPoolSource *v1.VolumeSource = nil
-	if caPool.ConfigMap != nil && caPool.Secret != nil {
-		return errors.New("Only one of --capool-config-map or --capool-secret may be specified")
-	} else if caPool.ConfigMap != nil {
-		caPoolSource = &v1.VolumeSource{
-			ConfigMap: &v1.ConfigMapVolumeSource{
-				LocalObjectReference: v1.LocalObjectReference{
-					Name: caPool.ConfigMap.Name,
-				},
-			},
-		}
-	} else if caPool.Secret != nil {
-		caPoolSource = &v1.VolumeSource{
-			Secret: &v1.SecretVolumeSource{
-				SecretName: caPool.Secret.Name,
-			},
-		}
+	token, err := tunnelClient.FetchTunnelToken(ctx)
+	if err != nil {
+		return errors.Wrap(err, "fetch tunnel token")
 	}
 
-	var extraVolumes []v1.Volume
-	var extraVolumeMounts []v1.VolumeMount
-
-	if caPoolSource != nil {
-		extraVolumes = append(extraVolumes, v1.Volume{
-			Name:         "ca-pool",
-			VolumeSource: *caPoolSource,
-		})
-		extraVolumeMounts = append(extraVolumeMounts, v1.VolumeMount{
-			Name:      "ca-pool",
-			MountPath: caPool.MountPath,
-			SubPath:   caPool.Key,
-		})
+	controllerPod := v1.Pod{}
+	err = kubeClient.Get(ctx, types.NamespacedName{
+		Namespace: namespace,
+		Name:      os.Getenv("POD_NAME"),
+	}, &controllerPod)
+	if err != nil {
+		return errors.Wrap(err, "get controller pod")
 	}
 
-	token, err := tunnelClient.FetchTunnelToken(ctx)
-	if err != nil {
-		return errors.Wrap(err, "fetch tunnel token")
+	var controllerVolumeMounts []v1.VolumeMount
+	for _, container := range controllerPod.Spec.Containers {
+		if container.Name == "cloudflare-tunnel-ingress-controller" {
+			controllerVolumeMounts = container.VolumeMounts
+		}
 	}
 
 	replicas, err := strconv.ParseInt(os.Getenv("CLOUDFLARED_REPLICA_COUNT"), 10, 32)
 	if err != nil {
 		return errors.Wrap(err, "invalid replica count")
 	}
 
-	deployment := cloudflaredConnectDeploymentTemplating(token, namespace, int32(replicas), extraVolumes, extraVolumeMounts)
+	deployment := cloudflaredConnectDeploymentTemplating(
+		token,
+		namespace,
+		controllerPod.Spec.Volumes,
+		controllerVolumeMounts,
+	)
+
 	err = kubeClient.Create(ctx, deployment)
 	if err != nil {
 		return errors.Wrap(err, "create controlled-cloudflared-connector deployment")
 	}
 	return nil
 }
 
-func GetCaPoolOptions(configMap, secret, key, mountPath *string) *CaPool {
-	var caPool *CaPool = nil
-	if configMap != nil || secret != nil {
-		caPool = &CaPool{
-			Key:       "ca-certificates.crt",
-			MountPath: "/etc/ssl/certs",
-		}
-
-		if configMap != nil {
-			caPool.ConfigMap = &struct{ Name string }{Name: *configMap}
-		}
-		if secret != nil {
-			caPool.Secret = &struct{ Name string }{Name: *secret}
-		}
-		if key != nil {
-			caPool.Key = *key
-		}
-		if mountPath != nil {
-			caPool.MountPath = *mountPath
-		}
-	}
-
-	return caPool
-}
-
 func cloudflaredConnectDeploymentTemplating(
 	token string,
 	namespace string,
@@ -170,11 +127,11 @@ func cloudflaredConnectDeploymentTemplating(
 								"--token",
 								token,
 							},
-							VolumeMounts: extraVolumeMounts,
+							VolumeMounts: volumeMounts,
 						},
 					},
 					RestartPolicy: v1.RestartPolicyAlways,
-					Volumes:       extraVolumes,
+					Volumes:       volumes,
 				},
 			},
 		},