chute

Getting Started

Prerequisites

• A Kubernetes cluster (v1.24+)
• kubectl configured to access your cluster
• A Cloudflare account with a zone (domain) you control

Step 1: Create a Cloudflare API Token

1. Go to Cloudflare Dashboard → My Profile → API Tokens
2. Click Create Token → Create Custom Token
3. Configure the following permissions:

Permission	Access Level	Scope
Cloudflare Tunnel	Edit	Account — your account
DNS	Edit	Zone — your zone
Access: Apps and Policies	Edit	Account — your account
Access: Organizations, Identity Providers, and Groups	Edit	Account — your account

1. Under Account Resources, select your account
2. Under Zone Resources, select Specific zone → pick the zone you’ll use
3. Click Continue to summary → Create Token
4. Copy the token — you won’t see it again

Finding Your Account ID and Zone ID

Both are on the Overview page of your zone in the Cloudflare dashboard, in the right-hand sidebar under API.

Step 2: Install the Operator

kubectl apply -f https://github.com/nabkey/chute/releases/latest/download/manifest.yaml

This installs the CRDs, RBAC, and operator Deployment into the chute-system namespace.

!!! tip “Verify the operator is running” bash kubectl -n chute-system get pods You should see the chute-operator pod in Running state.

Step 3: Configure Cloudflare Credentials

Create a Secret with your API token:

kubectl -n chute-system create secret generic cloudflare-credentials \
  --from-literal=apiToken=YOUR_TOKEN

Then create a ChuteConfig pointing to it:

apiVersion: chutes.troubleshat.com/v1alpha1
kind: ChuteConfig
metadata:
  name: default
spec:
  apiTokenSecretRef:
    name: cloudflare-credentials
    namespace: chute-system
    key: apiToken
  accountId: "YOUR_ACCOUNT_ID"
  zoneId: "YOUR_ZONE_ID"
  domain: "example.com"

kubectl apply -f chuteconfig.yaml

!!! tip “Verify the config is ready” bash kubectl get chuteconfig default The READY column should show true.

Step 4: Expose a Service

Create a ChuteInstance to expose a Kubernetes Service:

apiVersion: chutes.troubleshat.com/v1alpha1
kind: ChuteInstance
metadata:
  name: my-app
  namespace: default
spec:
  configRef: default
  hostname: myapp
  service:
    name: my-service
    port: 8080
  access:
    allowedEmails:
      - you@example.com
    sessionDuration: "24h"

kubectl apply -f chuteinstance.yaml

Step 5: Verify

Check the instance status:

kubectl get chuteinstance my-app

The READY column should show true and FQDN should display your hostname (e.g., myapp.example.com).

Check the cloudflared deployment is running:

kubectl get deploy chute-my-app-cloudflared

Visit https://myapp.example.com — you’ll be prompted for an email OTP.

Cleanup

Delete the ChuteInstance to tear down all Cloudflare resources:

kubectl delete chuteinstance my-app

The operator automatically removes the tunnel, DNS record, Access application, and Access policy via a finalizer.