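# Cloudflare Tunnel Configuration for Control Plane
# This tunnel connects the Kubernetes control plane to Cloudflare
#
# NOTE(review): every hostname below publishes an administrative surface
# (cluster management, GitOps, secrets, identity, the Kubernetes API). This
# file contains no access control of its own, so each hostname needs a
# Cloudflare Access policy (or an originRequest `access` block) in front of it.
# Confirm those policies exist before this config is deployed.

tunnel: control-plane-tunnel
# The credentials file holds the tunnel secret. Keep it readable only by the
# cloudflared process and out of version control.
credentials-file: /etc/cloudflared/control-plane-tunnel.json

ingress:
  # Portal
  - hostname: portal.sankofa.nexus
    service: http://portal.portal.svc.cluster.local:80
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s
      tcpKeepAlive: 30s
      keepAliveConnections: 100
      keepAliveTimeout: 90s

  # Rancher
  - hostname: rancher.sankofa.nexus
    service: http://rancher.rancher-system.svc.cluster.local:80
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s

  # ArgoCD
  - hostname: argocd.sankofa.nexus
    service: http://argocd-server.argocd.svc.cluster.local:80
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s

  # Grafana
  - hostname: grafana.sankofa.nexus
    service: http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s

  # Vault
  # NOTE(review): the origin scheme is plain http, so tokens and secrets cross
  # the cluster network unencrypted between cloudflared and Vault. Consider
  # enabling TLS on the Vault listener and switching this service to https.
  - hostname: vault.sankofa.nexus
    service: http://vault.vault.svc.cluster.local:8200
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s

  # Keycloak
  - hostname: keycloak.sankofa.nexus
    service: http://keycloak.keycloak.svc.cluster.local:8080
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s

  # Kubernetes API (restricted)
  # NOTE(review): the "restricted" label is not enforced by anything in this
  # file. The restriction has to come from an Access policy on this hostname.
  - hostname: k8s-api.sankofa.nexus
    service: https://kubernetes.default.svc.cluster.local:443
    originRequest:
      noHappyEyeballs: true
      connectTimeout: 30s
      # Keep origin certificate verification on. The original spelled this as a
      # nested `tls.skipVerify: false`, which is not an originRequest option
      # cloudflared documents; `noTLSVerify` is the key it reads.
      # If the API server certificate is signed by the cluster CA, `caPool`
      # must also point at that CA bundle for verification to succeed.
      # TODO: confirm the CA path for this deployment.
      noTLSVerify: false

  # Catch-all rule (must be last)
  - service: http_status:404

# Logging
loglevel: info
logfile: /var/log/cloudflared/control-plane-tunnel.log

# Metrics
# Bound to all interfaces, so anything that can route to this host or pod can
# read the endpoint. Limit it with a NetworkPolicy or firewall rule to the
# scraper, or bind to loopback if nothing scrapes it remotely.
metrics: 0.0.0.0:9090

# Health check
# NOTE(review): `health-probe` is not a cloudflared setting I can confirm.
# Verify what consumes this block. If nothing does, it gives no health signal.
health-probe:
  enabled: true
  path: /health
  port: 8080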