Tunnels and Zero Trust Apps
I'm trying to figure out the right way to use named tunnels and zero-trust apps per customer for on-prem deployments.
Current Setup:
K3s cluster with a tunnel management container running cloudflared
I create a named tunnel for each customer deployment, and use its tokens to activate it
Each customer gets a Zero Trust CF application, with 2 policies attached:
1: Require customer-specific service token (which I also create)
2: Block all other requests
Tunnels are associated with the customer's CF App via the aud config
Tunnels have ingress rules for target services with public DNS records created for endpoints
At runtime I make a server side request to this tunnel with the authenticated user's creds in the headers
This setup works, but it’s awkward to manage and has too many moving parts (app + service token + policy + tunnel + DNS).
Is there a more streamlined approach for managing customer named tunnels?
Are there recommended patterns for this use case that would simplify the architecture or should I be doing this a more “Cloudflare” way?
0 Replies
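For readers trying to picture the per-customer pieces listed above, here is what one customer's tunnel looks like written out as a locally-managed cloudflared config. This is an added illustration, not the poster's configuration: the tunnel ID, credentials path, hostname, team name and AUD tag are placeholders, and the poster's tunnels are token-activated (remotely managed), where the same ingress and Access fields are set through the dashboard or API rather than this file.

```yaml
# Added example: one cloudflared config per customer deployment.
# All identifiers below are placeholders, not values from the post.
tunnel: 00000000-0000-0000-0000-000000000000        # placeholder tunnel UUID
credentials-file: /etc/cloudflared/customer-a.json  # placeholder credentials path

ingress:
  # Public DNS record for this customer's endpoint points at the tunnel.
  - hostname: customer-a.example.com                # placeholder hostname
    service: http://customer-a-api.default.svc:8080 # placeholder in-cluster service
    originRequest:
      # Defence in depth: cloudflared itself checks the Cf-Access-Jwt-Assertion
      # and rejects any request whose JWT was not issued for this customer's
      # Access application (the "aud" association described in the post).
      access:
        required: true
        teamName: example-team                      # placeholder Zero Trust team name
        audTag:
          - "PLACEHOLDER_APPLICATION_AUD_TAG"

  # Catch-all: anything not matching an explicit hostname gets a 404,
  # so a stray DNS record cannot reach an unintended origin.
  - service: http_status:404
```

The `access` block is what ties the tunnel to exactly one Access application: even if the Access policy were edited or removed at the edge, requests without a JWT for that specific `audTag` never reach the origin. Only the server-side caller that presents the customer's service token (`CF-Access-Client-Id` / `CF-Access-Client-Secret` headers) receives a JWT with that audience, so the per-customer isolation is enforced in two places rather than one.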