ADR-007: Cloudflare Tunnels for Ingress
Status: Accepted
Date: 2026-03-09
Context
Tablez needs to expose web and API services to the internet. The solution must work on both self-hosted k3s (bootstrap phase) and managed cloud Kubernetes (post-funding).
Options Considered
| Option | Pros | Cons |
|---|---|---|
| Cloudflare Tunnels | No exposed ports, free TLS, DDoS protection, works anywhere | Depends on Cloudflare |
| Nginx Ingress + cert-manager | Standard k8s pattern, no vendor dependency | Requires public IP, cert-manager complexity, manual DDoS protection |
| Traefik (built into k3s) | Zero config for k3s | Still needs public IP, no DDoS protection, cert renewal complexity |
| Cloud load balancer | Managed, reliable | Expensive, cloud-specific, doesn't work on k3s |
Decision
Use Cloudflare Tunnels (cloudflared) for all ingress.
Rationale
- No exposed ports. The k3s cluster has no public IP. Cloudflare Tunnel runs inside the cluster as a DaemonSet and establishes an outbound connection to Cloudflare's edge. No firewall rules, no port forwarding.
- Free TLS. Cloudflare handles certificate provisioning and renewal. No cert-manager, no Let's Encrypt rate limits.
- DDoS protection. Cloudflare's network absorbs attacks before they reach the cluster.
- Portable. Same tunnel config works on k3s at home and AKS/GKE in cloud. One YAML file in Flux, identical across environments.
- Free tier is sufficient. Cloudflare's free plan includes tunnels, DNS, and basic DDoS protection.
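A minimal in-cluster manifest of the kind the rationale describes, added here as an illustration and not taken from the Tablez GitOps repo: cloudflared runs as a DaemonSet, dials out to Cloudflare's edge, and routes public hostnames to in-cluster Services, so no NodePort, LoadBalancer or hostPort exists. The namespace, hostnames, Service names and the tunnel UUID placeholder are assumptions; the credentials Secret is created out of band.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared-config
  namespace: cloudflared
data:
  config.yaml: |
    tunnel: TUNNEL-UUID-PLACEHOLDER
    credentials-file: /etc/cloudflared/creds/credentials.json
    no-autoupdate: true
    ingress:
      # Public hostnames map to in-cluster Services; no NodePort or LoadBalancer exists
      - hostname: app.tablez.example
        service: http://web.tablez.svc.cluster.local:80
      - hostname: api.tablez.example
        service: http://api.tablez.svc.cluster.local:8080
      # Catch-all: unlisted hostnames are rejected rather than proxied
      - service: http_status:404
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cloudflared
  namespace: cloudflared
spec:
  selector:
    matchLabels: { app: cloudflared }
  template:
    metadata:
      labels: { app: cloudflared }
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest   # pin to a digest in the real repo
          # Outbound-only: cloudflared dials Cloudflare's edge; nothing listens on the node
          args: ["tunnel", "--config", "/etc/cloudflared/config/config.yaml", "run"]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          volumeMounts:
            - { name: config, mountPath: /etc/cloudflared/config, readOnly: true }
            - { name: creds, mountPath: /etc/cloudflared/creds, readOnly: true }
      volumes:
        - name: config
          configMap: { name: cloudflared-config }
        - name: creds
          secret: { name: cloudflared-credentials }   # credentials.json, created out of band
```

The same file applies unchanged on k3s and on a managed cluster, which is the portability point the rationale makes; only the Secret contents differ per environment.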
Consequences
- Depends on Cloudflare availability. If Cloudflare is down, Tablez is unreachable. Acceptable tradeoff for a startup.
- DNS must be managed through Cloudflare (domain's nameservers point to Cloudflare).
- The cloudflared DaemonSet must be maintained in the GitOps repo.