Argo Tunnel and Unique Token

I’ve been setting up our first Argo Tunnels out of a Kubernetes cluster, and it’s gone reasonably smoothly. What I discovered, however, is that when I try to increase the number of replicas on the cloudflared deployment, they each crash with errors from the CF Load Balancer that

Serve tunnel error: Origin addresses must be unique within a pool. Origin address tunnel:...

It seems like the origin name in this context is like tunnel:... with a token which I presume comes from the cert.pem. If that’s the case, do I need to produce a new PEM file for each replica? That’s going to be in conflict with Kubernetes replicas, which are meant to be identical.

Does anyone have a successful Kubernetes deploy of multiple Argo Tunnels from the same cluster?

Hi @judson.lester, your tunnels can share the same PEM file as long as they are creating tunnels under the same zone. It will help us understand your configuration better if you share your deployment file. We have some examples of setting up Argo Tunnel as a sidecar, but without a load balancer, in https://github.com/cloudflare/argo-tunnel-examples.


Hey, @chungting - here’s our deployment. If replicas is set > 1, the tunnel won’t open.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: management
    app.kubernetes.io/name: cloudflare-kubectl
    app.kubernetes.io/version: 2020.8.0
  name: management-cloudflare-kubectl
  namespace: management
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: management
      app.kubernetes.io/name: cloudflare-kubectl
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: management
        app.kubernetes.io/name: cloudflare-kubectl
    spec:
      containers:
      - name: cloudflare-kubectl
        image: cloudflare/cloudflared:2020.8.0
        imagePullPolicy: Always
        command:
        - cloudflared
        - tunnel
        args:
        - --no-autoupdate
        - --url
        - tcp://kubernetes.default.svc.cluster.local:443
        - --hostname
        - cluster-product-qa.example.com
        - --origincert=/etc/cloudflared/cert.pem
        - --socks5=true
        - --lb-pool=cluster-product
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        resources:
          requests:
            cpu: 25m
            memory: 20Mi
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /etc/cloudflared
          name: tunnel-secret
          readOnly: true
      securityContext:
        fsGroup: 2000
      serviceAccountName: management-cloudflare-kubectl
      terminationGracePeriodSeconds: 60
      volumes:
      - name: tunnel-secret
        secret:
          secretName: cluster-product-qa.example.com

Your config looks correct; I’ll have to try it myself. In the meantime, can you try with a different lb-pool?
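An added example, not code from the thread or from Cloudflare: a small pre-deploy check that reports the two things this thread turns on, a Deployment scaled above one replica while every pod registers the same origin in the same --lb-pool, and whether the --origincert path actually sits under a read-only secret mount. The manifest dict is constructed from the Deployment posted above, trimmed to the fields the check reads; the set of valueless cloudflared flags is an assumption.

```python
import copy

BOOL_FLAGS = {"--no-autoupdate"}  # cloudflared flags that take no value (assumed list)

def parse_args(args):
    """Parse a cloudflared arg list (--k=v, --k v, bare flags) into a dict."""
    parsed, i = {}, 0
    while i < len(args):
        tok = args[i]
        if "=" in tok:
            k, v = tok.split("=", 1)
            parsed[k] = v
        elif tok in BOOL_FLAGS or i + 1 == len(args) or args[i + 1].startswith("--"):
            parsed[tok] = True
        else:
            parsed[tok] = args[i + 1]
            i += 1
        i += 1
    return parsed

def lint(deploy):
    """Return a list of findings; an empty list means nothing to report."""
    out, spec = [], deploy["spec"]
    replicas = spec.get("replicas", 1)
    for c in spec["template"]["spec"].get("containers", []):
        if c.get("command", [""])[0] != "cloudflared":
            continue
        a = parse_args(c.get("args", []))
        pool, cert = a.get("--lb-pool"), a.get("--origincert", "")
        # A Deployment gives every replica identical args, so each pod would
        # register the same hostname/cert origin in the same LB pool.
        if replicas > 1 and pool:
            out.append(f"{c['name']}: {replicas} identical replicas in lb-pool "
                       f"'{pool}' ({a.get('--hostname')}); origins must be unique per pool")
        ro = [m for m in c.get("volumeMounts", [])
              if cert.startswith(m["mountPath"] + "/") and m.get("readOnly")]
        if not ro:
            out.append(f"{c['name']}: {cert} is not under a read-only volume mount")
    return out

# Constructed from the Deployment in the thread (only the fields lint() reads).
SAMPLE = {"spec": {"replicas": 1, "template": {"spec": {"containers": [{
    "name": "cloudflare-kubectl", "command": ["cloudflared", "tunnel"],
    "args": ["--no-autoupdate", "--url", "tcp://kubernetes.default.svc.cluster.local:443",
             "--hostname", "cluster-product-qa.example.com",
             "--origincert=/etc/cloudflared/cert.pem", "--socks5=true",
             "--lb-pool=cluster-product"],
    "volumeMounts": [{"mountPath": "/etc/cloudflared", "name": "tunnel-secret", "readOnly": True}]}]}}}}

def scaled(n):
    """Copy of SAMPLE with replicas=n, to show the conflict appearing once n > 1."""
    d = copy.deepcopy(SAMPLE)
    d["spec"]["replicas"] = n
    return d
```

Running `lint(SAMPLE)` returns no findings at one replica, while `lint(scaled(3))` reports the lb-pool conflict the thread's error message describes.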