Cloudflare Tunnel (cloudflared)
Deploy Cloudflare Tunnel on Kubernetes using the official cloudflare/cloudflared Docker image. Secure, outbound-only connections between your cluster and Cloudflare’s network — no open ports, no public IP required.
Key Features
- Zero-trust networking — no inbound firewall rules needed
- Remotely-managed — configure routes in the Cloudflare dashboard
- High availability — 2 replicas with PodDisruptionBudget by default
- Prometheus metrics — `/ready` and `/metrics` on port 2000
- ServiceMonitor — optional Prometheus Operator integration
- Existing secrets — bring your own Secret for the tunnel token
Installation
HTTPS repository:
```bash
helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install cloudflared helmforge/cloudflared -f values.yaml
```
OCI registry:
```bash
helm install cloudflared oci://ghcr.io/helmforgedev/helm/cloudflared -f values.yaml
```
Basic Example
```yaml
# values.yaml
tunnel:
  token: 'eyJhIjoiY2Y...' # From Cloudflare dashboard
```
Create a tunnel in the Cloudflare dashboard under Networks → Tunnels, copy the token, and configure public hostnames to route traffic to your Kubernetes services.
Production Example
```yaml
tunnel:
  existingSecret: cloudflare-tunnel
replicaCount: 2
pdb:
  enabled: true
  minAvailable: 1
resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    memory: 128Mi
serviceMonitor:
  enabled: true
  labels:
    release: prometheus
```
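The Basic Example puts the tunnel token directly in values.yaml while the Production Example references a Secret; the token is a credential, so a values file that carries it inline should not reach version control. The check below is an added example, not part of the chart: it assumes the token is base64-encoded JSON with the fields a, t and s (the encoding cloudflared uses), and its function names and sample data are constructed for illustration.

```python
import base64
import binascii
import json
import re

# Assumption: a tunnel token is base64 JSON with keys a (account), t (tunnel ID), s (secret).
# "eyJ" is the base64 of '{"', matching the token prefix in the Basic Example.
CANDIDATE = re.compile(r"eyJ[A-Za-z0-9+/_-]{20,}={0,2}")

def decode_tunnel_token(value):
    """Return the decoded dict if value looks like a tunnel token, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        obj = json.loads(base64.b64decode(padded, altchars=b"-_", validate=True))
    except (binascii.Error, ValueError):
        return None
    if isinstance(obj, dict) and {"a", "t", "s"} <= obj.keys():
        return obj
    return None

def find_inline_tokens(text):
    """Return (line, account_tag, tunnel_id) for every tunnel token embedded in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            token = decode_tunnel_token(match.group(0))
            if token:
                # Report identifiers only; the secret field "s" is never echoed.
                hits.append((lineno, token["a"], token["t"]))
    return hits

def make_sample_token():
    """Constructed, non-functional token: every field value here is made up."""
    body = {"a": "0" * 32, "t": "00000000-0000-4000-8000-000000000000",
            "s": base64.b64encode(b"not-a-real-secret").decode()}
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed values files: inline token (flagged) and existingSecret (clean).
SAMPLE_INLINE = "tunnel:\n  token: '%s'\n" % make_sample_token()
SAMPLE_SECRET_REF = "tunnel:\n  existingSecret: cloudflare-tunnel\nreplicaCount: 2\n"

if __name__ == "__main__":
    for lineno, account, tunnel in find_inline_tokens(SAMPLE_INLINE):
        print(f"line {lineno}: inline tunnel token (tunnel {tunnel}, account {account})")
    print("existingSecret file hits:", find_inline_tokens(SAMPLE_SECRET_REF))
```

Run against staged values files in a pre-commit hook or CI job, a non-empty result is the signal to move the token into a Secret and reference it through `tunnel.existingSecret`.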
Key Values
| Key | Default | Description |
|---|---|---|
| tunnel.token | "" | Tunnel token from Cloudflare dashboard |
| tunnel.existingSecret | "" | Existing secret with tunnel token |
| replicaCount | 2 | Number of replicas |
| cloudflared.logLevel | info | Log level |
| cloudflared.noAutoupdate | true | Disable auto-update |
| cloudflared.metricsPort | 2000 | Metrics listen port |
| pdb.enabled | true | Create PodDisruptionBudget |
| pdb.minAvailable | 1 | Min available during disruption |
| metrics.enabled | true | Expose metrics service |
| serviceMonitor.enabled | false | Create Prometheus ServiceMonitor |
Important Notes
- Do not use HPA — downscaling terminates active tunnel connections
- No ingress template — cloudflared replaces traditional ingress controllers
- Routing is dashboard-managed — use the Cloudflare dashboard to map hostnames to services
More Information
See the source code and full values reference on GitHub.