Cloudflare Type
This type is intended for public clusters if you do not have public IP addresses or want to use the additional load balancing, caching, and security features provided by Cloudflare.
When to Use Cloudflare
This method uses MetalLB together with Cloudflare tunneling technology. Therefore, for the virtual address, specify an unused private address that is routed in your VPC. If you do not also plan to use this address to reach services from inside the VPC, you can even specify any unoccupied private address outside the address pool that corresponds to the VPC CIDR.
For example, for a VPC with CIDR 10.10.6.0/24, this can be either an available address such as 10.10.6.100 or an unoccupied address such as 192.168.10.10, which does not belong to this private network. In the second case, access from the private network will be impossible without manual routing, but it is not needed if the system node is used only as a Cloudflare entry point.
In this case, fault tolerance is provided by Cloudflare tools, not by the ARP protocol (see Metal Type). A Cloudflare tunnel is installed on each system node.
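The virtual address choice described above can be checked before it goes into the cluster configuration. The following Python code is an added example, not part of SHIPOPS or Cloudflare tooling; the function name, the result labels, the `in_use` list and the reading of "private" as the RFC 1918 ranges are assumptions made for illustration.

```python
import ipaddress

# Assumption: "private address" means the RFC 1918 IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_virtual_address(candidate, vpc_cidr, in_use=()):
    """Classify a candidate virtual address against the VPC CIDR.

    Returns one of (hypothetical labels):
      "reject-not-private" - not an RFC 1918 IPv4 address
      "reject-in-use"      - already assigned to something else
      "reject-reserved"    - network or broadcast address of the VPC CIDR
      "vpc-routable"       - free address inside the VPC CIDR
      "entry-point-only"   - private address outside the VPC CIDR; unreachable
                             from the VPC without manual routing
    """
    addr = ipaddress.ip_address(candidate)
    vpc = ipaddress.ip_network(vpc_cidr)  # ValueError if host bits are set
    if addr.version != 4 or not any(addr in net for net in RFC1918):
        return "reject-not-private"
    # Cloud providers may reserve further addresses; pass them in in_use too.
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        return "reject-in-use"
    if addr in vpc:
        if addr in (vpc.network_address, vpc.broadcast_address):
            return "reject-reserved"
        return "vpc-routable"
    return "entry-point-only"


if __name__ == "__main__":
    # Constructed sample data: the VPC CIDR and candidate addresses come from
    # the text above, the occupied addresses are made up.
    vpc = "10.10.6.0/24"
    occupied = ["10.10.6.1", "10.10.6.20"]
    for ip in ("10.10.6.100", "192.168.10.10", "10.10.6.20",
               "10.10.6.255", "203.0.113.7"):
        print(f"{ip:15} -> {classify_virtual_address(ip, vpc, occupied)}")
```
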
Configuration Requirements
For this type to work, the user must configure one Cloudflare tunnel and, if necessary, Cloudflare DNS in the Cloudflare account (see Configuring Cloudflare for a Cluster).
For this type, we do not recommend enabling a TLS certificate with SHIPOPS tools, because Cloudflare configures TLS itself with its own certificate. Using two certificates complicates the Cloudflare configuration. Such a setup is possible only for experienced Cloudflare users and only if SHIPOPS uses a trusted certificate. A self-signed certificate is not suitable for this.