From d5fdc7ffe9e4b69232fcded31b90b28215ca0f29 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 10 Jun 2026 21:00:05 +0000
Subject: [PATCH] cloudflared: disable in-place autoupdate (--no-autoupdate)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Viktor asked to root-cause the frequent t3 code disconnects and rule infra in or out. The tunnel pods ran bare 'cloudflared tunnel run': every Cloudflare release made the binary self-update and exit (code 11), restarting all 3 pods and severing every WebSocket riding the tunnel — one of the confirmed infra-side drop causes (pods cycled 2026-06-09 20:55/21:00 and 2026-06-10 02:31). Updates belong to pod image rollouts, not in-place binary swaps.
---
 docs/architecture/networking.md | 2 +-
 stacks/cloudflared/modules/cloudflared/main.tf | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/docs/architecture/networking.md b/docs/architecture/networking.md
index c34e9944..e2c0ac2d 100644
--- a/docs/architecture/networking.md
+++ b/docs/architecture/networking.md
@@ -351,7 +351,7 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac
 | CrowdSec | `stacks/platform/` (sub-module) | Helm release, LAPI + bouncer |
 | Authentik | `stacks/authentik/` | Helm release, ingress, OIDC configs |
 | MetalLB | `stacks/platform/` (sub-module) | Helm release, IPAddressPool |
-| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config |
+| Cloudflared | `stacks/cloudflared/` | Deployment (3 replicas), tunnel config; runs `--no-autoupdate` (in-place self-updates exited the pods and severed all tunnel WebSockets, 2026-06-09/10) |
 | ingress_factory | `modules/ingress_factory/` | IngressRoute + middleware chain |
 
 ### Key Configuration Files
diff --git a/stacks/cloudflared/modules/cloudflared/main.tf b/stacks/cloudflared/modules/cloudflared/main.tf
index a913c683..8501e278 100644
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@@ -64,9 +64,13 @@ resource "kubernetes_deployment" "cloudflared" {
 }
 container {
 # image = "wisdomsky/cloudflared-web:latest"
- image = "cloudflare/cloudflared"
- name = "cloudflared"
- command = ["cloudflared", "tunnel", "run"]
+ image = "cloudflare/cloudflared"
+ name = "cloudflared"
+ # --no-autoupdate: without it cloudflared self-updates in place and
+ # exits (code 11) when CF ships a release, severing every WebSocket
+ # riding the tunnel (observed as t3/terminal drops, 2026-06-09/10).
+ # Image updates are handled by pod rollouts, not in-place binaries.
+ command = ["cloudflared", "tunnel", "--no-autoupdate", "run"]
 env {
 name = "TUNNEL_TOKEN"
 value = var.cloudflare_tunnel_token
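Review bot: Disabling the self-updater removes the only mechanism that was moving these pods onto newer cloudflared builds, yet the `image = "cloudflare/cloudflared"` line kept on the new side still carries no tag, so nothing in this hunk produces the "pod rollouts" the new comment promises — the deployment will sit on whatever `latest` it pulled until an unrelated restart, and a restart of a single replica may pull a different build than its two peers. Pin the image so an update becomes an explicit, reviewable Terraform change, `image = "cloudflare/cloudflared:<PINNED_VERSION>"` (placeholder; a digest is stricter), and schedule a periodic bump so security fixes in cloudflared are still picked up. The module's image pull policy is not visible here, so the exact drift behaviour on restart is inferred rather than read from the hunk. The enclosing `resource "kubernetes_deployment"` block and its `container` block both begin before and end after this hunk.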