cloudflared: disable in-place autoupdate (--no-autoupdate)

Viktor asked to root-cause the frequent t3 code disconnects and rule infra in or out. The tunnel pods ran bare 'cloudflared tunnel run': every Cloudflare release made the binary self-update and exit (code 11), restarting all 3 pods and severing every WebSocket riding the tunnel — one of the confirmed infra-side drop causes (pods cycled 2026-06-09 20:55/21:00 and 2026-06-10 02:31). Updates belong to pod image rollouts, not in-place binary swaps.
2026-06-10 21:00:05 +00:00 · 2026-06-10 21:00:05 +00:00 · d5fdc7ffe9
commit d5fdc7ffe9
parent ac6f19dd3b
2 changed files with 8 additions and 4 deletions
--- a/docs/architecture/networking.md
+++ b/docs/architecture/networking.md
@ -351,7 +351,7 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 | CrowdSec | `stacks/platform/` (sub-module) | Helm release, LAPI + bouncer |
 | Authentik | `stacks/authentik/` | Helm release, ingress, OIDC configs |
 | MetalLB | `stacks/platform/` (sub-module) | Helm release, IPAddressPool |
-| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config |
+| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config; runs `--no-autoupdate` (in-place self-updates exited the pods and severed all tunnel WebSockets, 2026-06-09/10) |
 | ingress_factory | `modules/ingress_factory/` | IngressRoute + middleware chain |

 ### Key Configuration Files
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@ -64,9 +64,13 @@ resource "kubernetes_deployment" "cloudflared" {
        }
        container {
          # image = "wisdomsky/cloudflared-web:latest"
-          image   = "cloudflare/cloudflared"
-          name    = "cloudflared"
-          command = ["cloudflared", "tunnel", "run"]
+          image = "cloudflare/cloudflared"
+          name  = "cloudflared"
+          # --no-autoupdate: without it cloudflared self-updates in place and
+          # exits (code 11) when CF ships a release, severing every WebSocket
+          # riding the tunnel (observed as t3/terminal drops, 2026-06-09/10).
+          # Image updates are handled by pod rollouts, not in-place binaries.
+          command = ["cloudflared", "tunnel", "--no-autoupdate", "run"]
          env {
            name  = "TUNNEL_TOKEN"
            value = var.cloudflare_tunnel_token