cloudflare-zero-trust-operator

command module
v0.0.0-...-64859ff Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 24, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

README

Cloudflare Zero-Trust Operator

Cloudflare Zero-Trust operator allow you to manage your zero-trust configuration directly from kubernetes

CRD - reference Unit Tests Go Report Card PkgGoDev codecov

Example Usage

Cloudflare Access Group

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessGroup
metadata:
  name: accessgroup-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my access group
  include:
    - emails:
      - testemail1@domain.com
      - testemail2@domain.com

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  policies: 
    - name: Allow testemail1
      decision: allow
      include:
        - emails:
          - testemail1@domain.com

Example App

Features

Currently in Project scope

  • Manage Cloudflare Access Groups
  • Manage Cloudflare Access Applications
  • Manage Cloudflare Access Tokens

Complete Example

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    cloudflare.zelic.io/prevent-destroy: "false"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  appLauncherVisible: true
  type: self_hosted
  allowedIdps:
    - "699d98642c564d2e855e9661899b7252"
  sessionDuration: 24h
  enableBindingCookie: false
  httpOnlyCookieAttribute: true
  logoUrl: "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg"
  policies: 
    - name: Allow my rules
      decision: allow
      include:
        - emails:
          - testemail1@domain.com
        - emailDomains:
          - my-domain.com
        - ipRanges:
          - "11.22.33.44/32"
        - accessGroups:
          - value: "my-access-group-id"
        - googleGroups:
          - email: my-google-group@domain.com
            identityProviderId: 00000000-0000-0000-0000-00000000000000
        - oktaGroup:
          - name: my-okta-group
            identityProviderId: 10000000-0000-0000-0000-00000000000000

Advanced Usage

See some more examples of how to use the cloudflare zero-trust operator here

Install

Token Permissions

On your Cloudflare Dashboard; Create a custom API token with the following permissions:

  • Access: Service Tokens:Edit
  • Access: Organizations, Identity Providers, and Groups: Edit
  • Access: Apps and Policies:Edit

This token will be used referenced as CLOUDFLARE_API_TOKEN in the secret below;

Install with Helm
  1. Create your namespace
kubectl create ns zero-trust-system
  1. Create a secret with your cloudflare credentials
apiVersion: v1
metadata:
  name: cloudflare-creds
  namespace: zero-trust-system
kind: Secret
type: Opaque
stringData:
  CLOUDFLARE_ACCOUNT_ID: <id>
  # Either EMAIL+KEY or TOKEN must be supplied
  CLOUDFLARE_API_EMAIL: <email>
  CLOUDFLARE_API_KEY: <api_key>
  CLOUDFLARE_API_TOKEN: <api_token>
  1. Install the helm repo
helm repo add zelic-io https://zelic-io.github.io/charts
 
helm install --namespace=zero-trust-system --set secretRef=cloudflare-creds cloudflare-zero-trust-operator zelic-io/cloudflare-zero-trust-operator

Install with Kustomize

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://github.com/BojanZelic/cloudflare-zero-trust-operator//config/default?ref=main

secretGenerator:
- name: cloudflare-creds
  literals:
    - CLOUDFLARE_API_KEY=""
    - CLOUDFLARE_API_EMAIL=""
    - CLOUDFLARE_ACCOUNT_ID=""
    - CLOUDFLARE_API_TOKEN=""

Compatability

This provider's versions are able to install and manage the following versions of Kubernetes:

v1.22 v1.23 v1.24 v1.25 v1.26
Cloudflare Zero Trust Operator v0.0.1-current

Local Development

cp .env.example .env.integration
vim .env.integration # add your creds here
make integration-test

License

Copyright 2022.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the cloudflare v1alpha1 API group +kubebuilder:object:generate=true +groupName=cloudflare.zelic.io
 Package v1alpha1 contains API Schema definitions for the cloudflare v1alpha1 API group +kubebuilder:object:generate=true +groupName=cloudflare.zelic.io
internal
cfapi
cfcollections
cftypes
config
ctrlhelper
services

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.