Cloudflared OpenBao Runtime

cloudflared runs in CT 111 and reads tunnel credentials from OpenBao instead of keeping the service unit bound to a hardcoded tunnel argument.

Where each input lives:

  • Ingress definitions: ops/infra/topology/lxc-pve-lab.yaml
  • Rendered config: ops/infra/render_cloudflared_config.py
  • Cloudflare API base/token: .env via ref:runtime:*
  • Tunnel token and credentials JSON: OpenBao kv/fractalops/default/runtime/cloudflared
Install or re-apply the runtime with:

./ops/infra/install_cloudflared_openbao.sh

This script:

  • snapshots the current CT 111 tunnel token and credentials into OpenBao
  • creates a read-only OpenBao policy/token for cloudflared
  • installs the sync helper into CT 111
  • renders /etc/cloudflared/config.yml from topology
  • restarts cloudflared

Operational notes:

  • Token rotation is done by updating OpenBao and rerunning the installer.
  • DNS/tunnel host additions are driven from topology and applied through ops/infra/cloudflare_access_plan.py.
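The sync helper the installer drops into CT 111 is not shown on this page; the following is an added illustration (not the project's own code) of the shape such a helper takes: read the secret from the OpenBao KV path above with the read-only token, validate it, and install the credentials file atomically, restarting only when the bytes changed. It assumes the kv mount is KV v2 (so the API path gains a data/ segment) and that the secret uses the keys tunnel_token and credentials_json; both are assumptions, not facts from the page.

```python
"""Sketch of a cloudflared sync helper: pull credentials from OpenBao KV v2,
validate them, and install them atomically (assumed layout, not the page's)."""
import json
import os
import tempfile
import urllib.request

# Assumed (not from the page): "kv" is a KV v2 mount and the secret stores
# exactly these keys. Match this to what the installer snapshotted.
SECRET_PATH = "kv/data/fractalops/default/runtime/cloudflared"
REQUIRED_KEYS = ("tunnel_token", "credentials_json")


def fetch_secret(addr: str, token: str) -> dict:
    """GET the KV v2 secret with the read-only token the installer created."""
    req = urllib.request.Request(f"{addr}/v1/{SECRET_PATH}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def extract_credentials(kv_response: dict) -> dict:
    """Unwrap the KV v2 envelope and refuse a secret missing required keys."""
    data = kv_response.get("data", {}).get("data")
    if not isinstance(data, dict):
        raise ValueError("unexpected KV v2 response shape")
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise ValueError(f"secret missing keys: {missing}")
    json.loads(data["credentials_json"])  # cloudflared reads this as JSON
    return {k: data[k] for k in REQUIRED_KEYS}


def write_if_changed(path: str, content: str, mode: int = 0o600) -> bool:
    """Atomically replace `path`; True if bytes changed, which is the only
    case in which the caller should restart cloudflared."""
    new = content.encode()
    try:
        with open(path, "rb") as fh:
            if fh.read() == new:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(new)
    os.chmod(tmp, mode)  # never leave tunnel credentials world-readable
    os.replace(tmp, path)
    return True
```

A real run would call fetch_secret, pass the result through extract_credentials, and write credentials_json to the path config.yml points at, restarting the service only when write_if_changed returns True.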