MCPcopy Index your code
hub / github.com/BojanZelic/cloudflare-zero-trust-operator

github.com/BojanZelic/cloudflare-zero-trust-operator @0.7.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release 0.7.1 ↗ · + Follow
203 symbols 553 edges 32 files 86 documented · 42%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Cloudflare Zero-Trust Operator

Cloudflare Zero-Trust operator allow you to manage your zero-trust configuration directly from kubernetes

Version: 0.7.1 CRD - reference Unit Tests Go Report Card PkgGoDev codecov

Example Usage

Cloudflare Access Group

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessGroup
metadata:
  name: accessgroup-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my access group
  include:
    - emails:
      - testemail1@domain.com
      - testemail2@domain.com
apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    # (optional) default: "false"
    #   ensures that the resource isn't removed from cloudflare if the CR is deleted
    cloudflare.zelic.io/prevent-destroy: "true"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  policies: 
    - name: Allow testemail1
      decision: allow
      include:
        - emails:
          - testemail1@domain.com

Example App

Features

Currently in Project scope - [x] Manage Cloudflare Access Groups - [x] Manage Cloudflare Access Applications - [x] Manage Cloudflare Access Tokens

Complete Example

apiVersion: cloudflare.zelic.io/v1alpha1
kind: CloudflareAccessApplication
metadata:
  name: domain-example
  annotations:
    cloudflare.zelic.io/prevent-destroy: "false"
spec:
  name: my application
  domain: domain.example.com
  autoRedirectToIdentity: true
  appLauncherVisible: true
  type: self_hosted
  allowedIdps:
    - "699d98642c564d2e855e9661899b7252"
  sessionDuration: 24h
  enableBindingCookie: false
  httpOnlyCookieAttribute: true
  logoUrl: "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg"
  policies: 
    - name: Allow my rules
      decision: allow
      include:
        - emails:
          - testemail1@domain.com
        - emailDomains:
          - my-domain.com
        - ipRanges:
          - "11.22.33.44/32"
        - accessGroups:
          - value: "my-access-group-id"
        - googleGroups:
          - email: my-google-group@domain.com
            identityProviderId: 00000000-0000-0000-0000-00000000000000
        - oktaGroup:
          - name: my-okta-group
            identityProviderId: 10000000-0000-0000-0000-00000000000000

Advanced Usage

See some more examples of how to use the cloudflare zero-trust operator here

Install

Token Permissions

On your Cloudflare Dashboard; Create a custom API token with the following permissions: * Access: Service Tokens:Edit * Access: Organizations, Identity Providers, and Groups: Edit * Access: Apps and Policies:Edit

This token will be used referenced as CLOUDFLARE_API_TOKEN in the secret below;

Install with Helm

1) Create your namespace

kubectl create ns zero-trust-system

2) Create a secret with your cloudflare credentials

apiVersion: v1
metadata:
  name: cloudflare-creds
  namespace: zero-trust-system
kind: Secret
type: Opaque
stringData:
  CLOUDFLARE_ACCOUNT_ID: <id>
  # Either EMAIL+KEY or TOKEN must be supplied
  CLOUDFLARE_API_EMAIL: <email>
  CLOUDFLARE_API_KEY: <api_key>
  CLOUDFLARE_API_TOKEN: <api_token>

3) Install the helm repo

helm repo add zelic-io https://zelic-io.github.io/charts

helm install --namespace=zero-trust-system --set secretRef=cloudflare-creds cloudflare-zero-trust-operator zelic-io/cloudflare-zero-trust-operator

Install with Kustomize

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://github.com/BojanZelic/cloudflare-zero-trust-operator//config/default?ref=main

secretGenerator:
- name: cloudflare-creds
  literals:
    - CLOUDFLARE_API_KEY=""
    - CLOUDFLARE_API_EMAIL=""
    - CLOUDFLARE_ACCOUNT_ID=""
    - CLOUDFLARE_API_TOKEN=""

Compatability

This provider's versions are able to install and manage the following versions of Kubernetes:

v1.22 - v1.31
Cloudflare Zero Trust Operator v0.0.1-current

Local Development

cp .env.example .env.integration
vim .env.integration # add your creds here
make integration-test

License

Copyright 2022.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Extension points exported contracts — how you extend this code

CloudflareCR (Interface)
(no doc) [3 implementers]
internal/ctrlhelper/cloudflare_cr.go
AccessPolicyList (Interface)
(no doc) [2 implementers]
internal/services/accesspolicies.go

Core symbols most depended-on inside this repo

ToCloudflare
called by 20
api/v1alpha1/cloudflareaccessgroup_types.go
ServiceTokens
called by 8
internal/cfapi/cfapi.go
AccessApplication
called by 7
internal/cfapi/cfapi.go
SetupWithManager
called by 6
internal/controller/cloudflareaccessgroup_controller.go
ParseCloudflareConfig
called by 5
internal/config/config.go
AccessGroupEqual
called by 4
internal/cfcollections/access_groups.go
GetID
called by 4
internal/ctrlhelper/cloudflare_cr.go
New
called by 4
internal/cfapi/cfapi.go

Shape

Method 134
Struct 33
Function 30
TypeAlias 4
Interface 2

Languages

Go100%

Modules by API surface

api/v1alpha1/zz_generated.deepcopy.go56 symbols
internal/cfapi/cfapi.go22 symbols
api/v1alpha1/cloudflareaccessgroup_types.go15 symbols
api/v1alpha1/cloudflareaccessapplication_types.go15 symbols
internal/cfapi/access_group_types.go14 symbols
internal/controller/suite_test.go13 symbols
api/v1alpha1/cloudflareservicetoken_types.go11 symbols
api/v1alpha1/reference_types.go9 symbols
internal/services/accesspolicies.go7 symbols
internal/controller/cloudflareaccessapplication_controller.go5 symbols
internal/ctrlhelper/cloudflare_cr.go4 symbols
internal/controller/cloudflareservicetoken_controller.go4 symbols

For agents

$ claude mcp add cloudflare-zero-trust-operator \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page