infra/stacks/platform/modules/cloudflared/main.tf

# Contents for cloudflare tunnel

variable "tls_secret_name" {}
variable "cloudflare_tunnel_token" {}
resource "kubernetes_namespace" "cloudflared" {
  metadata {
    name = "cloudflared"
    labels = {
      tier = var.tier
    }
  }
}
variable "tier" { type = string }

module "tls_secret" {
  source          = "../../../../modules/kubernetes/setup_tls_secret"
  namespace       = kubernetes_namespace.cloudflared.metadata[0].name
  tls_secret_name = var.tls_secret_name
}

resource "kubernetes_deployment" "cloudflared" {
  metadata {
    name      = "cloudflared"
    namespace = kubernetes_namespace.cloudflared.metadata[0].name
    labels = {
      app  = "cloudflared"
      tier = var.tier
    }
    annotations = {
      "reloader.stakater.com/search" = "true"
    }
  }
  spec {
    replicas = 3
    strategy {
      type = "RollingUpdate"
    }
    selector {
      match_labels = {
        app = "cloudflared"
      }
    }
    template {
      metadata {
        labels = {
          app = "cloudflared"
        }
      }
      spec {
        topology_spread_constraint {
          max_skew           = 1
          topology_key       = "kubernetes.io/hostname"
          when_unsatisfiable = "ScheduleAnyway"
          label_selector {
            match_labels = {
              app = "cloudflared"
            }
          }
        }
        container {
          # image = "wisdomsky/cloudflared-web:latest"
          image   = "cloudflare/cloudflared"
          name    = "cloudflared"
          command = ["cloudflared", "tunnel", "run"]
          env {
            name  = "TUNNEL_TOKEN"
            value = var.cloudflare_tunnel_token
          }

          port {
            container_port = 14333
          }
          resources {
            requests = {
              cpu    = "15m"
              memory = "128Mi"
            }
            limits = {
              memory = "128Mi"
            }
          }
        }
        dns_config {
          option {
            name  = "ndots"
            value = "2"
          }
        }
      }
    }
  }
}

resource "kubernetes_pod_disruption_budget_v1" "cloudflared" {
  metadata {
    name      = "cloudflared"
    namespace = kubernetes_namespace.cloudflared.metadata[0].name
  }
  spec {
    max_unavailable = "1"
    selector {
      match_labels = {
        app = "cloudflared"
      }
    }
  }
}

resource "kubernetes_service" "cloudflared" {
  metadata {
    name      = "cloudflared"
    namespace = kubernetes_namespace.cloudflared.metadata[0].name
    labels = {
      "app" = "cloudflared"
    }
  }

  spec {
    selector = {
      app = "cloudflared"
    }
    port {
      name        = "http"
      target_port = 14333
      port        = 80
      protocol    = "TCP"
    }
  }
}
add cloudflare configs for tunnels and dns [ci skip] 2024-12-23 18:20:16 +00:00			`# Contents for cloudflare tunnel`

add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`variable "tls_secret_name" {}`
add cloudflare configs for tunnels and dns [ci skip] 2024-12-23 18:20:16 +00:00			`variable "cloudflare_tunnel_token" {}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`resource "kubernetes_namespace" "cloudflared" {`
			`metadata {`
			`name = "cloudflared"`
[ci skip] Add tier labels to all namespace resources for Kyverno resource governance Added `tier = var.tier` to kubernetes_namespace labels in ~73 service modules. This enables Kyverno to generate LimitRange defaults, ResourceQuotas, and PriorityClass injection for all namespaces. Previously only 11 namespaces had tier labels; now all 80 active namespaces are labeled. All pods restarted in rolling waves to pick up the new policies. 2026-02-21 23:38:05 +00:00			`labels = {`
			`tier = var.tier`
			`}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`}`
			`}`
add tier to all deployments [ci skip] 2026-01-10 16:28:12 +00:00			`variable "tier" { type = string }`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00
			`module "tls_secret" {`
[ci skip] Move Terraform modules into stack directories Move all 88 service modules (66 individual + 22 platform) from modules/kubernetes/<service>/ into their corresponding stack directories: - Service stacks: stacks/<service>/module/ - Platform stack: stacks/platform/modules/<service>/ This collocates module source code with its Terragrunt definition. Only shared utility modules remain in modules/kubernetes/: ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy. All cross-references to shared modules updated to use correct relative paths. Verified with terragrunt run --all -- plan: 0 adds, 0 destroys across all 68 stacks. 2026-02-22 14:38:14 +00:00			`source = "../../../../modules/kubernetes/setup_tls_secret"`
replace hardcoded namespace with module reference [ci skip] 2025-12-29 10:23:42 +00:00			`namespace = kubernetes_namespace.cloudflared.metadata[0].name`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`tls_secret_name = var.tls_secret_name`
			`}`

			`resource "kubernetes_deployment" "cloudflared" {`
			`metadata {`
			`name = "cloudflared"`
replace hardcoded namespace with module reference [ci skip] 2025-12-29 10:23:42 +00:00			`namespace = kubernetes_namespace.cloudflared.metadata[0].name`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`labels = {`
add tier to all deployments [ci skip] 2026-01-10 16:28:12 +00:00			`app = "cloudflared"`
			`tier = var.tier`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`}`
			`annotations = {`
			`"reloader.stakater.com/search" = "true"`
			`}`
			`}`
			`spec {`
scale cloudflared to 3 replicate for resiliene [ci skip] 2025-04-06 18:13:44 +00:00			`replicas = 3`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`strategy {`
			`type = "RollingUpdate"`
			`}`
			`selector {`
			`match_labels = {`
			`app = "cloudflared"`
			`}`
			`}`
			`template {`
			`metadata {`
			`labels = {`
			`app = "cloudflared"`
			`}`
			`}`
			`spec {`
resource quota review: fix OOM risks, close quota gaps, add HA protections Phase 1 - OOM fixes: - dashy: increase memory limit 512Mi→1Gi (was at 99% utilization) - caretta DaemonSet: set explicit resources 300Mi/512Mi (was at 85-98%) - mysql-operator: add Helm resource values 256Mi/512Mi, create namespace with tier label (was at 92% of LimitRange default) - prowlarr, flaresolverr, annas-archive-stacks: add explicit resources (outgrowing 256Mi LimitRange defaults) - real-estate-crawler celery: add resources 512Mi/3Gi (608Mi actual, no explicit resources) Phase 2 - Close quota gaps: - nvidia, real-estate-crawler, trading-bot: remove custom-quota=true labels so Kyverno generates tier-appropriate quotas - descheduler: add tier=1-cluster label for proper classification Phase 3 - Reduce excessive quotas: - monitoring: limits.memory 240Gi→64Gi, limits.cpu 120→64 - woodpecker: limits.memory 128Gi→32Gi, limits.cpu 64→16 - GPU tier default: limits.memory 96Gi→32Gi, limits.cpu 48→16 Phase 4 - Kubelet protection: - Add cpu: 200m to systemReserved and kubeReserved in kubelet template Phase 5 - HA improvements: - cloudflared: add topology spread (ScheduleAnyway) + PDB (maxUnavailable:1) - grafana: add topology spread + PDB via Helm values - crowdsec LAPI: add topology spread + PDB via Helm values - authentik server: add topology spread via Helm values - authentik worker: add topology spread + PDB via Helm values 2026-03-08 18:17:46 +00:00			`topology_spread_constraint {`
			`max_skew = 1`
			`topology_key = "kubernetes.io/hostname"`
			`when_unsatisfiable = "ScheduleAnyway"`
			`label_selector {`
			`match_labels = {`
			`app = "cloudflared"`
			`}`
			`}`
			`}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`container {`
add cloudflare configs for tunnels and dns [ci skip] 2024-12-23 18:20:16 +00:00			`# image = "wisdomsky/cloudflared-web:latest"`
			`image = "cloudflare/cloudflared"`
			`name = "cloudflared"`
			`command = ["cloudflared", "tunnel", "run"]`
			`env {`
			`name = "TUNNEL_TOKEN"`
			`value = var.cloudflare_tunnel_token`
			`}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00
			`port {`
			`container_port = 14333`
			`}`
[ci skip] right-size all pod resources based on VPA + live metrics audit Full cluster resource audit: cross-referenced Goldilocks VPA recommendations, live kubectl top metrics, and Terraform definitions for 100+ containers. Critical fixes: - dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit - stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit - traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi Added explicit resources to ~40 containers that had none: - audiobookshelf, changedetection, cyberchef, dawarich, diun, echo, excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n, navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor, tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver, cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard, k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server, immich-postgresql, osrm-foot GPU containers: added CPU/mem alongside GPU limits: - ollama: removed CPU/mem limits (models vary in size), keep GPU only - frigate: req 500m/2Gi, lim 4/8Gi + GPU - immich-ml: req 100m/1Gi, lim 2/4Gi + GPU Right-sized ~25 over-provisioned containers: - kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi) - onlyoffice: CPU 8 → 2 (VPA upper 45m) - realestate-crawler-api: CPU 2000m → 250m - blog/travel-blog/webhook-handler: 500m → 100m - coturn/health/plotting-book: reduced to match actual usage Conservative methodology: limits = max(VPA upper * 2, live usage * 2) 2026-03-01 19:18:50 +00:00			`resources {`
			`requests = {`
			`cpu = "15m"`
equalize memory req=lim across 70+ containers using Prometheus 7d max data After node2 OOM incident, right-size memory across the cluster by setting requests=limits based on max_over_time(container_memory_working_set_bytes[7d]) with 1.3x headroom. Eliminates ~37Gi overcommit gap. Categories: - Safe equalization (50 containers): set req=lim where max7d well within target - Limit increases (8 containers): raise limits for services spiking above current - No Prometheus data (12 containers): conservatively set lim=req - Exception: nextcloud keeps req=256Mi/lim=8Gi due to Apache memory spikes Also increased dbaas namespace quota from 12Gi to 16Gi to accommodate mysql 4Gi limits across 3 replicas. 2026-03-14 21:46:49 +00:00			`memory = "128Mi"`
[ci skip] right-size all pod resources based on VPA + live metrics audit Full cluster resource audit: cross-referenced Goldilocks VPA recommendations, live kubectl top metrics, and Terraform definitions for 100+ containers. Critical fixes: - dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit - stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit - traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi Added explicit resources to ~40 containers that had none: - audiobookshelf, changedetection, cyberchef, dawarich, diun, echo, excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n, navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor, tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver, cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard, k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server, immich-postgresql, osrm-foot GPU containers: added CPU/mem alongside GPU limits: - ollama: removed CPU/mem limits (models vary in size), keep GPU only - frigate: req 500m/2Gi, lim 4/8Gi + GPU - immich-ml: req 100m/1Gi, lim 2/4Gi + GPU Right-sized ~25 over-provisioned containers: - kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi) - onlyoffice: CPU 8 → 2 (VPA upper 45m) - realestate-crawler-api: CPU 2000m → 250m - blog/travel-blog/webhook-handler: 500m → 100m - coturn/health/plotting-book: reduced to match actual usage Conservative methodology: limits = max(VPA upper * 2, live usage * 2) 2026-03-01 19:18:50 +00:00			`}`
			`limits = {`
equalize memory req=lim across 70+ containers using Prometheus 7d max data After node2 OOM incident, right-size memory across the cluster by setting requests=limits based on max_over_time(container_memory_working_set_bytes[7d]) with 1.3x headroom. Eliminates ~37Gi overcommit gap. Categories: - Safe equalization (50 containers): set req=lim where max7d well within target - Limit increases (8 containers): raise limits for services spiking above current - No Prometheus data (12 containers): conservatively set lim=req - Exception: nextcloud keeps req=256Mi/lim=8Gi due to Apache memory spikes Also increased dbaas namespace quota from 12Gi to 16Gi to accommodate mysql 4Gi limits across 3 replicas. 2026-03-14 21:46:49 +00:00			`memory = "128Mi"`
[ci skip] right-size all pod resources based on VPA + live metrics audit Full cluster resource audit: cross-referenced Goldilocks VPA recommendations, live kubectl top metrics, and Terraform definitions for 100+ containers. Critical fixes: - dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit - stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit - traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi Added explicit resources to ~40 containers that had none: - audiobookshelf, changedetection, cyberchef, dawarich, diun, echo, excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n, navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor, tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver, cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard, k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server, immich-postgresql, osrm-foot GPU containers: added CPU/mem alongside GPU limits: - ollama: removed CPU/mem limits (models vary in size), keep GPU only - frigate: req 500m/2Gi, lim 4/8Gi + GPU - immich-ml: req 100m/1Gi, lim 2/4Gi + GPU Right-sized ~25 over-provisioned containers: - kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi) - onlyoffice: CPU 8 → 2 (VPA upper 45m) - realestate-crawler-api: CPU 2000m → 250m - blog/travel-blog/webhook-handler: 500m → 100m - coturn/health/plotting-book: reduced to match actual usage Conservative methodology: limits = max(VPA upper * 2, live usage * 2) 2026-03-01 19:18:50 +00:00			`}`
			`}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`}`
[ci skip] platform: add ndots=2 dns_config to all deployment pod specs Prevents Terraform from reverting the Kyverno inject-ndots mutation on every apply. 23 pod specs across 19 platform module files. 2026-02-23 22:43:05 +00:00			`dns_config {`
			`option {`
			`name = "ndots"`
			`value = "2"`
			`}`
			`}`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`}`
			`}`
			`}`
			`}`

resource quota review: fix OOM risks, close quota gaps, add HA protections Phase 1 - OOM fixes: - dashy: increase memory limit 512Mi→1Gi (was at 99% utilization) - caretta DaemonSet: set explicit resources 300Mi/512Mi (was at 85-98%) - mysql-operator: add Helm resource values 256Mi/512Mi, create namespace with tier label (was at 92% of LimitRange default) - prowlarr, flaresolverr, annas-archive-stacks: add explicit resources (outgrowing 256Mi LimitRange defaults) - real-estate-crawler celery: add resources 512Mi/3Gi (608Mi actual, no explicit resources) Phase 2 - Close quota gaps: - nvidia, real-estate-crawler, trading-bot: remove custom-quota=true labels so Kyverno generates tier-appropriate quotas - descheduler: add tier=1-cluster label for proper classification Phase 3 - Reduce excessive quotas: - monitoring: limits.memory 240Gi→64Gi, limits.cpu 120→64 - woodpecker: limits.memory 128Gi→32Gi, limits.cpu 64→16 - GPU tier default: limits.memory 96Gi→32Gi, limits.cpu 48→16 Phase 4 - Kubelet protection: - Add cpu: 200m to systemReserved and kubeReserved in kubelet template Phase 5 - HA improvements: - cloudflared: add topology spread (ScheduleAnyway) + PDB (maxUnavailable:1) - grafana: add topology spread + PDB via Helm values - crowdsec LAPI: add topology spread + PDB via Helm values - authentik server: add topology spread via Helm values - authentik worker: add topology spread + PDB via Helm values 2026-03-08 18:17:46 +00:00			`resource "kubernetes_pod_disruption_budget_v1" "cloudflared" {`
			`metadata {`
			`name = "cloudflared"`
			`namespace = kubernetes_namespace.cloudflared.metadata[0].name`
			`}`
			`spec {`
			`max_unavailable = "1"`
			`selector {`
			`match_labels = {`
			`app = "cloudflared"`
			`}`
			`}`
			`}`
			`}`

add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`resource "kubernetes_service" "cloudflared" {`
			`metadata {`
			`name = "cloudflared"`
replace hardcoded namespace with module reference [ci skip] 2025-12-29 10:23:42 +00:00			`namespace = kubernetes_namespace.cloudflared.metadata[0].name`
add acls to tailnet and limit who can access what[ci skip] 2024-01-06 21:33:05 +00:00			`labels = {`
			`"app" = "cloudflared"`
			`}`
			`}`

			`spec {`
			`selector = {`
			`app = "cloudflared"`
			`}`
			`port {`
			`name = "http"`
			`target_port = 14333`
			`port = 80`
			`protocol = "TCP"`
			`}`
			`}`
			`}`