
Issues with Origin Certificate Path in Cloudflare Tunnel Guide #36

Open
ARAldhafeeri opened this issue Sep 22, 2024 · 0 comments
ARAldhafeeri commented Sep 22, 2024

Hello,

Thank you for the detailed documentation! However, I encountered some issues while following the guide here:

Cloudflare One Tunnel Guide

Issue Description

While setting up the Cloudflare tunnel, I received the following error message regarding the origin certificate:

2024-09-22T12:55:04Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2024-09-22T12:55:04Z ERR You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/service/ for more information. originCertPath=
error parsing tunnel ID: Error locating origin cert: client didn't specify origincert path

Proposed Solution

To resolve this, I found that creating a Kubernetes secret for the certificate and updating the deployment YAML to add a volume for the certificates is necessary. The steps are as follows:

  1. Create the secret for the certificate (after obtaining it during the first login):

    kubectl create secret generic origin-cert --from-file=cert.pem=C:/Users/User/.cloudflared/cert.pem -n cloudflare
  2. Update the deployment YAML as shown below:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: cloudflared
      namespace: cloudflare
    spec:
      selector:
        matchLabels:
          app: cloudflared
      replicas: 2 
      template:
        metadata:
          labels:
            app: cloudflared
        spec:
          containers:
          - name: cloudflared
            image: cloudflare/cloudflared:2022.3.0
            args:
            - tunnel
            - --config
            - /etc/cloudflared/config/config.yaml
            - run
            livenessProbe:
              httpGet:
                path: /ready
                port: 2000
              failureThreshold: 1
              initialDelaySeconds: 10
              periodSeconds: 10
            volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
            - name: certs
              mountPath: /usr/local/etc/cloudflared
              readOnly: true
          volumes:
          - name: creds
            secret:
              secretName: tunnel-credentials
          - name: config
            configMap:
              name: cloudflared
              items:
              - key: config.yaml
                path: config.yaml
          - name: certs
            secret: # this is important you will get cert error
              secretName: origin-cert

Final Note

While this is a fundamental Kubernetes issue, I noticed that the "Hello World" example works because it's in the same namespace. For tunneling to services in different namespaces, the format should be:

<protocol>://<serviceName>.<namespace>.svc.cluster.local:<protocol-port>
e.g.:
http://helloworld.helloworld.svc.cluster.local:6666

Thank you for your assistance!
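The check below is an added example, not part of this issue or of the cloudflared project. It models the pod spec from the Deployment above as a plain Python dict and works out whether cloudflared would find `cert.pem` under one of the absolute directories listed in the log line (`/etc/cloudflared`, `/usr/local/etc/cloudflared`; the `~`-relative entries are left out because they depend on the container's HOME). The secret contents (`SECRET_KEYS`) are constructed to match what `kubectl create secret generic origin-cert --from-file=cert.pem=...` produces; in a real cluster you would read them from `kubectl get secret`. It also shows the two ways this setup silently fails: a secret key that is not literally `cert.pem`, or a mount path outside the search list.

```python
"""Added example (not from the issue or cloudflared): predict where cloudflared
will find its origin certificate given a pod spec and the secrets it mounts."""

import copy
import posixpath

# Absolute directories from the cloudflared log line in the issue.
CLOUDFLARED_CERT_SEARCH_DIRS = ("/etc/cloudflared", "/usr/local/etc/cloudflared")
CERT_FILENAME = "cert.pem"

# Constructed pod spec mirroring the Deployment posted in the issue.
POD_SPEC = {
    "containers": [{
        "name": "cloudflared",
        "volumeMounts": [
            {"name": "config", "mountPath": "/etc/cloudflared/config", "readOnly": True},
            {"name": "creds", "mountPath": "/etc/cloudflared/creds", "readOnly": True},
            {"name": "certs", "mountPath": "/usr/local/etc/cloudflared", "readOnly": True},
        ],
    }],
    "volumes": [
        {"name": "creds", "secret": {"secretName": "tunnel-credentials"}},
        {"name": "config", "configMap": {"name": "cloudflared",
                                         "items": [{"key": "config.yaml", "path": "config.yaml"}]}},
        {"name": "certs", "secret": {"secretName": "origin-cert"}},
    ],
}

# Constructed: the keys each secret carries. "cert.pem" is what the
# --from-file=cert.pem=... form in the issue produces.
SECRET_KEYS = {
    "tunnel-credentials": ["credentials.json"],
    "origin-cert": ["cert.pem"],
}


def files_in_volume(volume, secret_keys):
    """Relative file paths a secret/configMap volume exposes inside the container."""
    src = volume.get("secret") or volume.get("configMap")
    if src is None:
        return []
    if "items" in src:  # explicit projection: only the listed paths appear
        return [item["path"] for item in src["items"]]
    name = src.get("secretName") or src.get("name")
    return list(secret_keys.get(name, []))  # every key becomes a file


def find_origin_cert(pod_spec, secret_keys, container_name="cloudflared"):
    """Absolute path at which cloudflared will find cert.pem, or None if it won't."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    for mount in container.get("volumeMounts", []):
        volume = volumes.get(mount["name"])
        if volume is None:
            continue
        for rel in files_in_volume(volume, secret_keys):
            full = posixpath.join(mount["mountPath"], rel)
            if (posixpath.basename(full) == CERT_FILENAME
                    and posixpath.dirname(full) in CLOUDFLARED_CERT_SEARCH_DIRS):
                return full
    return None


def writable_secret_mounts(pod_spec, container_name="cloudflared"):
    """Names of secret-backed mounts that are not readOnly (credential hygiene check)."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    return [m["name"] for m in container.get("volumeMounts", [])
            if "secret" in volumes.get(m["name"], {}) and not m.get("readOnly", False)]


def with_cert_mount(pod_spec, mount_path, volume_name="certs"):
    """Copy of the spec with the certificate volume mounted elsewhere (for what-if checks)."""
    spec = copy.deepcopy(pod_spec)
    for mount in spec["containers"][0]["volumeMounts"]:
        if mount["name"] == volume_name:
            mount["mountPath"] = mount_path
    return spec


if __name__ == "__main__":
    print("cert found at:", find_origin_cert(POD_SPEC, SECRET_KEYS))
    print("writable secret mounts:", writable_secret_mounts(POD_SPEC))
    print("if mounted at /etc/cloudflared/certs:",
          find_origin_cert(with_cert_mount(POD_SPEC, "/etc/cloudflared/certs"), SECRET_KEYS))
```

The `with_cert_mount` what-if shows why the issue's choice of `/usr/local/etc/cloudflared` works while a subdirectory such as `/etc/cloudflared/certs` would reproduce the original "Cannot determine default origin certificate path" error, and `writable_secret_mounts` flags any secret volume that was not mounted `readOnly`.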
