# docs/03-04-k3s-cloudflare-tunnel-配置接入.md
# The Secret `cloudflared-credentials` (key=TUNNEL_TOKEN) is created by the verify playbook
# or manually with kubectl create secret. Do not apply it together with this Deployment,
# so that the token is not overwritten.
# Reference: ansible/playbooks/verify/03-04.yml → ensure-cloudflared-tunnel-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      containers:
        - name: cloudflared
          # :latest is a mutable tag; pin a specific version or digest for reproducible rollouts.
          image: cloudflare/cloudflared:latest
          args:
            - tunnel
            - run
          env:
            # The tunnel token is read from the Secret at runtime and is never stored in this manifest.
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflared-credentials
                  key: TUNNEL_TOKEN