--- # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: cloudflared spec: interval: 1h chartRef: kind: OCIRepository name: app-template install: remediation: retries: 3 upgrade: cleanupOnFail: true remediation: strategy: rollback retries: 3 dependsOn: - name: nginx-external namespace: network values: controllers: cloudflared: replicas: 2 strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" containers: app: image: repository: docker.io/cloudflare/cloudflared tag: 2025.7.0@sha256:803b17adb5326a38ce397b9c9f374289ad290ee5526d204b5879a1423b6f5c3e env: NO_AUTOUPDATE: true TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json TUNNEL_METRICS: 0.0.0.0:8080 TUNNEL_ORIGIN_ENABLE_HTTP2: true TUNNEL_TRANSPORT_PROTOCOL: quic TUNNEL_POST_QUANTUM: true args: - tunnel - --config - /etc/cloudflared/config/config.yaml - run - ${SECRET_CLOUDFLARE_TUNNEL_ID} probes: liveness: &probes enabled: true custom: true spec: httpGet: path: /ready port: &port 8080 initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 failureThreshold: 3 readiness: *probes securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: { drop: ["ALL"] } resources: requests: cpu: 10m limits: memory: 256Mi defaultPodOptions: securityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 seccompProfile: { type: RuntimeDefault } service: app: controller: cloudflared ports: http: port: *port serviceMonitor: app: serviceName: cloudflared endpoints: - port: http scheme: http path: /metrics interval: 1m scrapeTimeout: 10s persistence: config: type: configMap name: cloudflared-configmap globalMounts: - path: /etc/cloudflared/config/config.yaml subPath: config.yaml readOnly: true creds: type: secret name: cloudflared-tunnel-secret globalMounts: - path: /etc/cloudflared/creds/credentials.json subPath: credentials.json readOnly: true