← All work
hap-cf-ingress
Open SourceOpen Source · Kubernetes
A Kubernetes ingress controller: Cloudflare Proxy + HAProxy replacing cloudflared — faster, free.
01 / Context
Cloudflare Tunnel is convenient but adds WebSocket overhead and a fragile hop. We wanted a direct edge → origin path that still hides origin IPs, at no cost.
02 / What we built
- ■ Go operator: each Ingress is fully managed — Cloudflare zone, 15-year wildcard Origin Certificates, proxied DNS A records
- ■ Renders HAProxy config with graceful reloads (USR2 signal)
- ■ ACL: only Cloudflare edge IPs can reach backends
- ■ Per-Ingress edge controls: IP allow/deny and rate-limits
- ■ `hap-cf` IngressClass — drop-in for standard Ingress resources
03 / Architecture
Cloudflare edge Direct TCP :443 HAProxy K8s services Origin hidden
Need a system like this?
The team that built it is ready to build yours — or something entirely new.