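---
# cloudflared tunnel connector: two replicas that dial out to the Cloudflare
# edge and forward the hostnames listed in the ConfigMap at the end of this
# file to in-cluster and LAN origins.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: cloudflare
spec:
  selector:
    matchLabels:
      app: cloudflared
  replicas: 2
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      # Nothing in this manifest needs the Kubernetes API, so no
      # service-account token is mounted into the pod.
      automountServiceAccountToken: false
      securityContext:
        # Run unprivileged. 65532 is the distroless "nonroot" UID/GID;
        # confirm it matches the image actually deployed.
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: cloudflared
        # Pinned to a release tag. Tags are mutable; pinning by digest
        # (cloudflare/cloudflared@sha256:<digest>) makes the deployed
        # binary reproducible.
        image: cloudflare/cloudflared:2024.4.1
        args:
        - tunnel
        - --config
        - /etc/cloudflared/config/config.yaml
        - run
        # Least privilege for a process that sits between the internet-facing
        # edge and internal services: no privilege escalation, no Linux
        # capabilities, immutable root filesystem.
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        ports:
        - containerPort: 2000
          name: metrics
        livenessProbe:
          httpGet:
            # Cloudflared has a /ready endpoint which returns 200 if and only if
            # it has an active connection to the edge.
            path: /ready
            port: 2000
          # A single failed probe restarts the container.
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
        volumeMounts:
        - name: config
          mountPath: /etc/cloudflared/config
          readOnly: true
        # Tunnel credentials (credentials.json), mounted read-only.
        - name: creds
          mountPath: /etc/cloudflared/creds
          readOnly: true
      volumes:
      # The tunnel-credentials Secret is not defined in this file; it has to
      # exist in the namespace already and should stay out of version control.
      - name: creds
        secret:
          secretName: tunnel-credentials
      - name: config
        configMap:
          name: cloudflared
          items:
          - key: config.yaml
            path: config.yaml
---
# Exposes the metrics/readiness listener (port 2000) inside the cluster.
# Any workload that can reach this Service can read /metrics and /ready;
# a NetworkPolicy limiting access to the Prometheus pods would narrow that.
apiVersion: v1
kind: Service
metadata:
  name: cloudflared-metrics
  namespace: cloudflare
spec:
  selector:
    app: cloudflared
  ports:
  - name: metrics
    port: 2000
    targetPort: 2000
---
# Prometheus Operator scrape target for the cloudflared pods (every 30s on
# the named "metrics" port).
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: cloudflared
  namespace: cloudflare
  labels:
    release: prometheus
spec:
  selector:
    matchLabels:
      app: cloudflared
  podMetricsEndpoints:
  - port: metrics
    interval: 30s
---
# cloudflared runtime configuration.
#
# Review notes on the ingress rules below:
# - Every hostname listed is published through the Cloudflare edge. No access
#   policy is visible in this file, so unless one is applied on the Cloudflare
#   side, each service's own login is the only control; pw (Vaultwarden),
#   authentik, proxmox and git deserve that check first.
# - Origins are reached over plain http://, so traffic between cloudflared and
#   the origin is unencrypted on the cluster network and the LAN.
# - proxmox is addressed as http:// on port 8006; verify the endpoint really
#   serves plain HTTP there.
# - chat is forwarded as raw TCP to port 443 on a LAN address.
# - The final rule answers every unmatched hostname with 404, so nothing is
#   exposed by default.
# - metrics binds 0.0.0.0:2000 so that the liveness probe and the PodMonitor
#   can reach it from outside the container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
  namespace: cloudflare
data:
  config.yaml: |
    tunnel: new-homelab
    credentials-file: /etc/cloudflared/creds/credentials.json
    metrics: 0.0.0.0:2000
    no-autoupdate: true
    ingress:
    - hostname: photos.gmem.ca
      service: http://immich-server.immich.svc.cluster.local:3001
    - hostname: pw.gmem.ca
      service: http://vaultwarden.vaultwarden.svc.cluster.local:80
    - hostname: authentik.gmem.ca
      service: http://authentik-server.authentik.svc.cluster.local:80
    - hostname: nitter.gmem.ca
      service: http://nitter.nitter.svc.cluster.local:8081
    - hostname: git.gmem.ca
      service: http://192.168.50.229
    - hostname: proxmox.gmem.ca
      service: http://proxmox.endpoints.svc.cluster.local:8006
    - hostname: tokyo.gmem.ca
      service: http://tokyo.endpoints.svc.cluster.local:8000
    - hostname: ibiza.gmem.ca
      service: http://ibiza.endpoints.svc.cluster.local:8000
    - hostname: chat.gmem.ca
      service: tcp://192.168.50.45:443
    - hostname: paste.gmem.ca
      service: http://tclip.tclip.svc.cluster.local:8080
    - service: http_status:404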