I spent the better part of a weekend troubleshooting why I could not expose Traefik's dashboard out via a Cloudflare tunnel only to have the issue be with the actual Cloudflare tunnel! To start I was following this guide https://developers.cloudflare.com/cloudflare-one/tutorials/many-cfd-one-tunnel/ along with this manifest file https://github.com/cloudflare/argo-tunnel-examples/blob/master/named-tunnel-k8s/cloudflared.yaml which turned out to be totally wrong. This must have been for a much older version of Cloudflared or Kuberenetes - not actually sure why this didn't work even after all of my troubleshooting. Basic apps like just an NGINX container worked but anything else either didn't route or just gave me a blank white page.
In the end, the fix was to simply deploy this https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deployment-guides/kubernetes/#routing-with-cloudflare-tunnel
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: cloudflared
name: cloudflared-deployment
namespace: default
spec:
replicas: 2
selector:
matchLabels:
pod: cloudflared
template:
metadata:
creationTimestamp: null
labels:
pod: cloudflared
spec:
securityContext:
sysctls:
- name: net.ipv4.ping_group_range
value: "65532 65532"
containers:
- command:
- cloudflared
- tunnel
- --no-autoupdate
# In a k8s environment, the metrics server needs to listen outside the pod it runs on.
# The address 0.0.0.0:2000 allows any pod in the namespace.
- --metrics
- 0.0.0.0:2000
- run
args:
- --token
- <token value>
image: cloudflare/cloudflared:latest
name: cloudflared
livenessProbe:
httpGet:
# Cloudflared has a /ready endpoint which returns 200 if and only if
# it has an active connection to the edge.
path: /ready
port: 2000
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10kubectl create -f cloudflared-deployment.yaml
Notice I used the cluster's internal DNS domain instead of the MetalLB IP.