cloudflared: disable in-place autoupdate (--no-autoupdate)

Viktor asked to root-cause the frequent t3 code disconnects and rule infra in or out. The tunnel pods ran bare 'cloudflared tunnel run': every Cloudflare release made the binary self-update and exit (code 11), restarting all 3 pods and severing every WebSocket riding the tunnel — one of the confirmed infra-side drop causes (pods cycled 2026-06-09 20:55/21:00 and 2026-06-10 02:31). Updates belong to pod image rollouts, not in-place binary swaps.
2026-06-10 21:00:05 +00:00 · 2026-06-10 21:00:05 +00:00 · d5fdc7ffe9
commit d5fdc7ffe9
parent ac6f19dd3b
2 changed files with 8 additions and 4 deletions
--- a/stacks/cloudflared/modules/cloudflared/main.tf
+++ b/stacks/cloudflared/modules/cloudflared/main.tf
@ -64,9 +64,13 @@ resource "kubernetes_deployment" "cloudflared" {
        }
        container {
          # image = "wisdomsky/cloudflared-web:latest"
-          image   = "cloudflare/cloudflared"
-          name    = "cloudflared"
-          command = ["cloudflared", "tunnel", "run"]
+          image = "cloudflare/cloudflared"
+          name  = "cloudflared"
+          # --no-autoupdate: without it cloudflared self-updates in place and
+          # exits (code 11) when CF ships a release, severing every WebSocket
+          # riding the tunnel (observed as t3/terminal drops, 2026-06-09/10).
+          # Image updates are handled by pod rollouts, not in-place binaries.
+          command = ["cloudflared", "tunnel", "--no-autoupdate", "run"]
          env {
            name  = "TUNNEL_TOKEN"
            value = var.cloudflare_tunnel_token