# CRD Reference

API group: `chutes.troubleshat.com/v1alpha1`
## ChuteConfig

Cluster-scoped resource that holds Cloudflare credentials and zone configuration. One ChuteConfig can be shared by ChuteInstance resources in any namespace.
### Spec

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `apiTokenSecretRef` | SecretKeyRef | Yes | Reference to a Secret containing the Cloudflare API token |
| `accountId` | string | Yes | Cloudflare account ID |
| `zoneId` | string | Yes | Cloudflare zone ID |
| `domain` | string | Yes | Base domain for the zone (e.g., `example.com`) |
#### SecretKeyRef

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `name` | string | Yes | Name of the Secret |
| `namespace` | string | Yes | Namespace of the Secret |
| `key` | string | No | Key within the Secret (defaults to `apiToken`) |
### Status

| Field | Type | Description |
|-------|------|-------------|
| `ready` | bool | Whether credentials have been validated and the OTP IdP is available |
| `otpIdentityProviderId` | string | Cloudflare Access OTP identity provider ID |
| `conditions` | []Condition | Standard Kubernetes conditions |
### kubectl Columns

```text
NAME      READY   DOMAIN        AGE
default   true    example.com   5m
```
### Full Example

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-credentials
  namespace: chute-system
type: Opaque
stringData:
  apiToken: "your-cloudflare-api-token-here"
---
apiVersion: chutes.troubleshat.com/v1alpha1
kind: ChuteConfig
metadata:
  name: my-cloudflare
spec:
  apiTokenSecretRef:
    name: cloudflare-credentials
    namespace: chute-system
    key: apiToken
  accountId: "your-cloudflare-account-id"
  zoneId: "your-cloudflare-zone-id"
  domain: "example.com"
```
## ChuteInstance

Namespace-scoped resource that represents a single service exposed through a Cloudflare Tunnel with Access email OTP protection.
### Spec

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `configRef` | string | Yes | Name of the cluster-scoped ChuteConfig to use |
| `hostname` | string | Yes | Subdomain to expose (e.g., `app` becomes `app.example.com`) |
| `service` | ServiceTarget | Yes | Target Kubernetes Service to route traffic to |
| `access` | AccessConfig | Yes | Cloudflare Access policy configuration |
#### ServiceTarget

| Field | Type | Required | Default | Description |
|-------|------|----------|---------|-------------|
| `name` | string | Yes | — | Name of the Kubernetes Service (must be in the same namespace as the ChuteInstance) |
| `port` | int32 | Yes | — | Port on the Service to route to |
| `protocol` | string | No | `http` | Protocol to use (`http` or `https`) |
#### AccessConfig

| Field | Type | Required | Default | Description |
|-------|------|----------|---------|-------------|
| `allowedEmails` | []string | No | — | Email addresses allowed to access via OTP |
| `allowedDomains` | []string | No | — | Email domains allowed (e.g., `example.com` allows all `@example.com` addresses) |
| `sessionDuration` | string | No | `24h` | How long an authenticated session lasts |

!!! note
    At least one of `allowedEmails` or `allowedDomains` must be specified.
### Status

| Field | Type | Description |
|-------|------|-------------|
| `ready` | bool | Whether all Cloudflare resources are configured |
| `tunnelId` | string | Cloudflare Tunnel ID |
| `dnsRecordId` | string | Cloudflare DNS record ID |
| `accessAppId` | string | Cloudflare Access application ID |
| `accessPolicyId` | string | Cloudflare Access policy ID |
| `fqdn` | string | Fully qualified domain name for this instance |
| `conditions` | []Condition | Standard Kubernetes conditions |
### kubectl Columns

```text
NAME     READY   FQDN              SERVICE   AGE
my-app   true    app.example.com   gateway   5m
```
### Full Example

```yaml
apiVersion: chutes.troubleshat.com/v1alpha1
kind: ChuteInstance
metadata:
  name: my-app
  namespace: default
spec:
  configRef: my-cloudflare
  hostname: app
  service:
    name: gateway
    port: 8337
    protocol: http
  access:
    allowedEmails:
      - admin@example.com
    allowedDomains:
      - example.com
    sessionDuration: "24h"
```
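The constraints in the ChuteInstance tables above (required fields, the `http`/`https` protocol restriction, the documented defaults, and the "at least one of `allowedEmails` or `allowedDomains`" rule) collected into one pre-apply validator, as an added example that is not the operator's own code. The struct names and the `ValidateSpec` function are assumptions for this example, and session durations are assumed to use Go duration syntax, which the documented `24h` default satisfies.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Structs mirroring the ChuteInstance spec documented above (added example, not the operator's own types).
type ServiceTarget struct{ Name string; Port int32; Protocol string }
type AccessConfig struct{ AllowedEmails, AllowedDomains []string; SessionDuration string }
type ChuteInstanceSpec struct {
	ConfigRef, Hostname string
	Service             ServiceTarget
	Access              AccessConfig
}

// ValidateSpec enforces the documented constraints, fills the documented defaults (protocol http,
// sessionDuration 24h) and returns the FQDN the instance exposes under the ChuteConfig zone domain.
func ValidateSpec(s *ChuteInstanceSpec, zoneDomain string) (string, error) {
	var errs []error
	fail := func(format string, a ...any) { errs = append(errs, fmt.Errorf(format, a...)) }
	if s.ConfigRef == "" || s.Hostname == "" {
		fail("configRef and hostname are required")
	}
	if s.Service.Name == "" || s.Service.Port < 1 || s.Service.Port > 65535 {
		fail("service.name and a service.port in 1..65535 are required")
	}
	switch s.Service.Protocol {
	case "":
		s.Service.Protocol = "http" // documented default
	case "http", "https":
	default:
		fail("service.protocol must be http or https, got %q", s.Service.Protocol)
	}
	if len(s.Access.AllowedEmails) == 0 && len(s.Access.AllowedDomains) == 0 {
		fail("access: at least one of allowedEmails or allowedDomains must be set")
	}
	if s.Access.SessionDuration == "" {
		s.Access.SessionDuration = "24h" // documented default
	}
	if _, err := time.ParseDuration(s.Access.SessionDuration); err != nil {
		fail("access.sessionDuration: %v", err)
	}
	if len(errs) > 0 {
		return "", errors.Join(errs...)
	}
	return s.Hostname + "." + zoneDomain, nil
}
```

Running it over a spec with an empty `access` block reports the missing allow-list together with any other violations, so a manifest can be rejected before it creates a Tunnel, DNS record and Access application that no one is allowed to use.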