cloudflare-zero-trust-operator

command module

v0.0.0-...-6fdb42f Latest Latest Go to latest Published: Nov 22, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bojanzelic/cloudflare-zero-trust-operator

Links

Open Source Insights

README ¶

Cloudflare Zero-Trust Operator

Cloudflare Zero-Trust operator allow you to manage your zero-trust configuration directly from kubernetes

Example Usage

Cloudflare Access Group

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessGroup
metadata:
  name: accessgroup-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my access group
  include:
    - emails:
      - testemail1@domain.com
      - testemail2@domain.com

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  policies: 
    - name: Allow testemail1
      decision: allow
      include:
        - emails:
          - testemail1@domain.com

Example App

Features

Currently in Project scope

Manage Cloudflare Access Groups
Manage Cloudflare Access Applications
Manage Cloudflare Access Tokens

Complete Example

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    cloudflare.zelic.io/prevent-destroy: "false"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  appLauncherVisible: true
  type: self_hosted
  allowedIdps:
    - "699d98642c564d2e855e9661899b7252"
  sessionDuration: 24h
  enableBindingCookie: false
  httpOnlyCookieAttribute: true
  logoUrl: "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg"
  policies: 
    - name: Allow my rules
      decision: allow
      include:
        - emails:
          - testemail1@domain.com
        - emailDomains:
          - my-domain.com
        - ipRanges:
          - "11.22.33.44/32"
        - accessGroups:
          - value: "my-access-group-id"
        - googleGroups:
          - email: my-google-group@domain.com
            identityProviderId: 00000000-0000-0000-0000-00000000000000
        - oktaGroup:
          - name: my-okta-group
            identityProviderId: 10000000-0000-0000-0000-00000000000000

Advanced Usage

See some more examples of how to use the cloudflare zero-trust operator here

Install

Token Permissions

On your Cloudflare Dashboard; Create a custom API token with the following permissions:

Access: Service Tokens:Edit
Access: Organizations, Identity Providers, and Groups: Edit
Access: Apps and Policies:Edit

This token will be used referenced as CLOUDFLARE_API_TOKEN in the secret below;

Install with Helm

Create your namespace

kubectl create ns zero-trust-system

Create a secret with your cloudflare credentials

apiVersion: v1
metadata:
  name: cloudflare-creds
  namespace: zero-trust-system
kind: Secret
type: Opaque
stringData:
  CLOUDFLARE_ACCOUNT_ID: <id>
  # Either EMAIL+KEY or TOKEN must be supplied
  CLOUDFLARE_API_EMAIL: <email>
  CLOUDFLARE_API_KEY: <api_key>
  CLOUDFLARE_API_TOKEN: <api_token>

Install the helm repo

helm repo add zelic-io https://zelic-io.github.io/charts
 
helm install --namespace=zero-trust-system --set secretRef=cloudflare-creds cloudflare-zero-trust-operator zelic-io/cloudflare-zero-trust-operator

Install with Kustomize

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://github.com/BojanZelic/cloudflare-zero-trust-operator//config/default?ref=main

secretGenerator:
- name: cloudflare-creds
  literals:
    - CLOUDFLARE_API_KEY=""
    - CLOUDFLARE_API_EMAIL=""
    - CLOUDFLARE_ACCOUNT_ID=""
    - CLOUDFLARE_API_TOKEN=""

Compatability

This provider's versions are able to install and manage the following versions of Kubernetes:

	v1.22	v1.23	v1.24	v1.25	v1.26
Cloudflare Zero Trust Operator v0.0.1-current	✓	✓	✓	✓	✓

Local Development

cp .env.example .env.integration
vim .env.integration # add your creds here
make integration-test

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
api
v1alpha1 Package v1alpha1 contains API Schema definitions for the cloudflare v1alpha1 API group +kubebuilder:object:generate=true +groupName=cloudflare.zelic.io	Package v1alpha1 contains API Schema definitions for the cloudflare v1alpha1 API group +kubebuilder:object:generate=true +groupName=cloudflare.zelic.io
controllers
internal
cfapi
cfcollections
cftypes
config
ctrlhelper
services

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL