Cloudflare Tunnel (OCI Access)

Cloudflare Tunnel (cloudflared) provides secure, encrypted access to internal K3s services without exposing public ports.


1. Overview

The OCI instance of Cloudflare Tunnel acts as the primary gateway for HTTPS access to services like OpenClaw, optimized for Oracle Cloud’s network architecture.

  • Status: Active
  • Target Environment: Cloud (Oracle Cloud)

2. Requirements & Prerequisites

Necessary components or states prior to implementation:

  • Cloudflare Account: Configured tunnel token.
  • Sealed Secrets: cloudflare-tunnel-token provisioned in the cluster.

3. Implementation Procedure

The tunnel is deployed as a standard K8s Deployment within the OCI cluster.

A. Protocol Optimization

Due to specific network constraints in Oracle Cloud, the tunnel protocol is forced to HTTP/2.

B. Service Deployment

The deployment is managed via ArgoCD.

# Deploy the cloudflared agent
kubectl apply -f apps/services/cloudflare-tunnel.yaml

4. Configuration Standards

Settings are managed according to the following standards:

  • Persistence: Stateless execution with no local storage requirements.
  • Security: Token-based authentication using Kubernetes Secrets.
  • Network: Configured with --protocol http2 for Oracle Cloud compatibility.
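
One way to check a Deployment against these three standards, as an added example that is not taken from the project's repository. It assumes the input has the shape returned by kubectl get deploy -o json, that the agent container is identified by "cloudflared" in its image name, and that the token reaches the agent through the TUNNEL_TOKEN environment variable; the sample manifests and the Secret key name are constructed.

```python
SECRET_NAME = "cloudflare-tunnel-token"  # Secret named in section 2


def audit_deployment(deploy):
    """Return a list of departures from the section 4 standards."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        if "cloudflared" not in c.get("image", ""):
            continue  # assumption: the agent is identified by its image name
        argv = c.get("command", []) + c.get("args", [])
        # Network: accept both "--protocol http2" and "--protocol=http2".
        if "--protocol=http2" not in argv and ("--protocol", "http2") not in zip(argv, argv[1:]):
            findings.append("protocol is not forced to http2")
        # Security: a token in argv is readable by anyone who can read the pod spec.
        if any(a == "--token" or a.startswith("--token=") for a in argv):
            findings.append("token passed on the command line")
        for e in c.get("env", []):
            if e.get("name") != "TUNNEL_TOKEN":
                continue
            ref = e.get("valueFrom", {}).get("secretKeyRef", {})
            if "value" in e:
                findings.append("TUNNEL_TOKEN set as a literal value")
            elif ref.get("name") != SECRET_NAME:
                findings.append("TUNNEL_TOKEN not read from " + SECRET_NAME)
    # Persistence: a stateless agent needs no PVC or hostPath volume.
    for v in pod.get("volumes", []):
        if "persistentVolumeClaim" in v or "hostPath" in v:
            findings.append("volume " + v["name"] + " attaches storage")
    return findings


def sample(args, env, volumes=()):
    """Build a constructed Deployment with only the fields the audit reads."""
    container = {"name": "cloudflared", "image": "cloudflare/cloudflared:latest",
                 "args": args, "env": env}
    return {"spec": {"template": {"spec": {"containers": [container],
                                           "volumes": list(volumes)}}}}


# Constructed samples; the Secret key "token" and the PVC name are assumptions.
GOOD = sample(["tunnel", "--no-autoupdate", "--protocol", "http2", "run"],
              [{"name": "TUNNEL_TOKEN", "valueFrom": {"secretKeyRef":
                  {"name": SECRET_NAME, "key": "token"}}}])
BAD = sample(["tunnel", "run", "--token", "PLACEHOLDER"], [],
             [{"name": "data", "persistentVolumeClaim": {"claimName": "cf"}}])

if __name__ == "__main__":
    for name, d in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_deployment(d) or "ok")
```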

5. Verification

System health is validated through these procedures:

  1. Tunnel Status: Confirm the tunnel status is "Healthy" in the Cloudflare Zero Trust dashboard.
  2. Connectivity: Test HTTPS access to openclaw.snawf.my.id (or equivalent hostname).