Julian Wiley

Putting the portal behind Cloudflare Tunnel

December 20, 2025 · 1 min read · RPi Kubernetes

The production edge design for julianwiley.com on the homelab cluster.

RPi Kubernetes · Systems Design · Local First · Development Timeline

Why this mattered

The portal needed a public URL without opening a router or turning the home network into an ingress experiment.

This belongs in the development timeline because RPi Kubernetes is not a single feature. It is a hybrid k3s homelab with an Ubuntu control plane, four Raspberry Pi 5 workers, Cloudflare Tunnel, and a data platform made from Kafka, Flink, Redis Stack, MinIO, DataHub, Airbyte, Polaris, and observability services. The project only became useful once its infrastructure decisions were written down well enough to be repeated.

Design decision

Cloudflare Tunnel gave the site a stable edge while Kubernetes still owns the app lifecycle.

The practical stack around this decision includes k3s, Kustomize, Helm, Strimzi Kafka, Flink Operator, Redis Stack, RAGFlow, DataHub, Airbyte, Polaris, MinIO, Prometheus, Grafana, Loki, OpenTelemetry, Cloudflare Tunnel, FastAPI, and Next.js. I try to keep the interfaces small: configuration describes intent, runtime code owns behavior, and operational notes explain what a future maintainer should check first.

What I would repeat

The split is clean: Cloudflare terminates public exposure, ingress-nginx routes inside the cluster, and the portal pod stays ordinary.
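
The split described above, written out as manifests. This is an added example, not the project's own configuration: the namespaces, resource names, Service port 3000, the credentials path, the ingress-nginx Service name (the Helm chart default) and the `<TUNNEL_ID>` placeholder are all assumptions.

```yaml
# Added example. Names, namespaces, ports and the tunnel ID are assumptions.
# 1) cloudflared: dials out to Cloudflare, so no router port is opened.
#    Its only origin is ingress-nginx; it never points at an app pod directly.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared-config          # hypothetical name
  namespace: cloudflared            # hypothetical namespace
data:
  config.yaml: |
    tunnel: <TUNNEL_ID>             # placeholder, not a real tunnel ID
    credentials-file: /etc/cloudflared/creds/credentials.json  # mounted from a Secret
    ingress:
      # Only the public hostname is forwarded into the cluster.
      - hostname: julianwiley.com
        service: http://ingress-nginx-controller.ingress-nginx.svc.cluster.local:80
      # Catch-all must be last: any other hostname is answered with 404
      # at the tunnel instead of reaching a cluster service.
      - service: http_status:404
---
# 2) ingress-nginx: routes the hostname inside the cluster.
#    The portal stays an ordinary Service + Deployment behind it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: portal                      # hypothetical name
  namespace: portal                 # hypothetical namespace
spec:
  ingressClassName: nginx
  rules:
    - host: julianwiley.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: portal        # assumed ClusterIP Service for the portal pod
                port:
                  number: 3000      # assumed app port
```

Because the tunnel's only origin is the ingress controller, adding or removing public hostnames is a change to the cloudflared rule list, while everything behind it keeps using normal Kubernetes Ingress objects.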

The repeatable pattern is to make the boring path explicit. For this project that means clear repository boundaries, documented setup, predictable deployment commands, and enough observability to know whether the system is healthy or merely quiet.

Reader takeaway

If you are building something similar, start with the workflow you need to repeat every week. Then add only the platform pieces that make that workflow easier to recover, explain, and extend.