Adiastra
← All work

hap-cf-ingress

Open Source

Open Source · Kubernetes

A Kubernetes ingress controller: Cloudflare Proxy + HAProxy replacing cloudflared — faster, free.

01 / Context

Cloudflare Tunnel is convenient but adds WebSocket overhead and a fragile hop. We wanted a direct edge → origin path that still hides origin IPs, at no cost.

02 / What we built

  • Go operator: each Ingress is fully managed — Cloudflare zone, 15-year wildcard Origin Certificates, proxied DNS A records
  • Renders HAProxy config with graceful reloads (USR2 signal)
  • ACL: only Cloudflare edge IPs can reach backends
  • Per-Ingress edge controls: IP allow/deny and rate-limits
  • `hap-cf` IngressClass — drop-in for standard Ingress resources

03 / Architecture

Cloudflare edge Direct TCP :443 HAProxy K8s services Origin hidden

Need a system like this?

The team that built it is ready to build yours — or something entirely new.