Deploy Cloudflare Tunnel for canonical palinks.app #38

Closed
opened 2026-06-08 03:21:52 +00:00 by ldraney · 0 comments
Owner

Type

Feature

Lineage

Follow-up from spike #15 (docs/custom-domain.md — Phase 2). After Keycloak integration stabilizes.

Repo

ldraney/pal-e-platform + ldraney/pal-e-services + ldraney/pal-e-deployments + ldraney/palinks

User Story

As Lucas
I want palinks.app to be the canonical URL
So that visitors see a professional domain in their browser

Context

Phase 1 (#28) sets up the GoDaddy redirect. Phase 2 makes palinks.app canonical via Cloudflare Tunnel: Cloudflare terminates TLS at its edge, and a cloudflared pod in the cluster tunnels traffic to the k8s Service. This coexists with Tailscale Funnel (both point at the same Service). Wait until Keycloak is stable to avoid changing redirect URIs twice.

File Targets

pal-e-platform:

  • Cloudflare Tunnel operator or helm chart

pal-e-services:

  • terraform/ — Cloudflare tunnel resources, DNS record, API token

pal-e-deployments:

  • overlays/palinks/prod/ — cloudflared deployment, RAILS_HOST env var

palinks:

  • config/environments/production.rb — add palinks.app to config.hosts
  • Update hardcoded .ts.net references
  • Update Keycloak redirect URIs to include palinks.app
  • Add 301 redirect from .ts.net to palinks.app
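The last two palinks items (extend config.hosts, then 301 the old .ts.net hostname to palinks.app) can be done with one small Rack middleware. The code below is an added example, not code from the palinks repo: the class name CanonicalHostRedirect, the LEGACY_HOSTS constant and the production_hosts helper are assumptions for illustration. The security point it demonstrates is that the redirect target is built from the fixed canonical host, never from the incoming Host header, so an attacker-controlled Host cannot steer the Location; config.hosts still rejects unknown hosts before any redirect runs.

```ruby
# Added example (not from ldraney/palinks): Rack middleware that sends a 301
# from the old Tailscale Funnel hostname to the canonical palinks.app.
# CANONICAL_HOST / LEGACY_HOSTS / CanonicalHostRedirect are assumed names.

CANONICAL_HOST = "palinks.app".freeze
LEGACY_HOSTS = ["palinks.tail5b443a.ts.net"].freeze

# Hosts Rails should accept, mirroring the config.hosts change the issue
# asks for: the canonical domain plus the legacy host (so the redirect can
# still be served to it rather than Rails returning 403 "Blocked host").
def production_hosts
  [CANONICAL_HOST, *LEGACY_HOSTS]
end

class CanonicalHostRedirect
  def initialize(app, canonical: CANONICAL_HOST, legacy: LEGACY_HOSTS)
    @app = app
    @canonical = canonical
    @legacy = legacy
  end

  # Redirect only when the request arrived on a known legacy host; every
  # other request (including palinks.app itself) passes straight through.
  def call(env)
    return @app.call(env) unless @legacy.include?(request_host(env))

    # Build the target from the fixed canonical host, preserving path and
    # query. Never echo env["HTTP_HOST"] here: that would turn a spoofed
    # Host header into an open redirect.
    location = "https://#{@canonical}#{env["PATH_INFO"]}"
    query = env["QUERY_STRING"].to_s
    location += "?#{query}" unless query.empty?

    [301,
     { "Location" => location, "Content-Type" => "text/plain", "Content-Length" => "0" },
     []]
  end

  private

  # Normalise the Host header: lowercase and drop any trailing ":port".
  def request_host(env)
    env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "")
  end
end

# Stand-alone demo with a constructed downstream app and request env.
if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] }
  mw = CanonicalHostRedirect.new(app)
  status, headers, = mw.call("HTTP_HOST" => "palinks.tail5b443a.ts.net",
                              "PATH_INFO" => "/up", "QUERY_STRING" => "")
  puts "#{status} -> #{headers["Location"]}"
end
```

In a Rails app this would be registered with `config.middleware.insert_before 0, CanonicalHostRedirect` in production.rb, and `config.hosts` would be extended with the same list; the legacy host has to remain in `config.hosts` until the redirect is no longer needed, otherwise Rails blocks the request before the middleware can answer it.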

Feature Flag

None — infrastructure change. The domain either works or it doesn't.

Acceptance Criteria

  • DNS for palinks.app managed by Cloudflare
  • Cloudflare Tunnel routes traffic to palinks k8s Service
  • https://palinks.app serves the app directly (no redirect)
  • https://palinks.tail5b443a.ts.net redirects to palinks.app
  • Keycloak redirect URIs updated for palinks.app
  • TLS valid for palinks.app (Cloudflare edge cert)
  • Health check: curl https://palinks.app/up returns 200

Test Expectations

  • Manual: browser loads palinks.app with valid TLS
  • Manual: .ts.net URL redirects to palinks.app
  • Manual: Keycloak login flow works with new redirect URIs
  • Manual: existing Tailscale Funnel still works for internal access

Constraints

  • Wait until Keycloak integration (#31, #32) is stable
  • Cloudflare free tier (no cost)
  • Keep GoDaddy as registrar, transfer DNS nameservers only
  • Both Cloudflare Tunnel and Tailscale Funnel coexist

Checklist

  • Cloudflare account + zone configured
  • Tunnel deployed to cluster
  • DNS propagated
  • Rails config updated
  • Keycloak URIs updated
  • Old redirect reversed

Related

  • project-palinks — project page
  • docs/custom-domain.md — full spike findings
  • #28 — GoDaddy redirect (Phase 1, prerequisite)
  • #31 — Keycloak provisioning (must stabilize first)
Reference
ldraney/palinks#38