update

Author: hhftechnology

main.go

@@ -20,44 +20,20 @@ func init() {
 		DisableColors: true,
 		FullTimestamp: true,
 	})
-	// Set log level based on environment variable or default to info
-	logLevel := os.Getenv("LOG_LEVEL")
-	if logLevel != "" {
-		level, err := log.ParseLevel(logLevel)
-		if err == nil {
-			log.SetLevel(level)
-		}
-	}
 }
 
 func main() {
-	// Validate required environment variables
-	requiredEnvVars := []string{
-		"CLOUDFLARE_API_TOKEN",
-		"CLOUDFLARE_ACCOUNT_ID",
-		"CLOUDFLARE_TUNNEL_ID",
-		"CLOUDFLARE_ZONE_ID",
-		"TRAEFIK_SERVICE_ENDPOINT",
-		"TRAEFIK_API_ENDPOINT",
-	}
-
-	for _, envVar := range requiredEnvVars {
-		if os.Getenv(envVar) == "" {
-			log.Fatalf("Required environment variable %s is not set", envVar)
-		}
-	}
-
+	// Initialize Cloudflare API client
 	cf, err := cloudflare.NewWithAPIToken(os.Getenv("CLOUDFLARE_API_TOKEN"))
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	ctx := context.Background()
 
+	// Set up Traefik API client
 	client := resty.New().
-		SetBaseURL(os.Getenv("TRAEFIK_API_ENDPOINT")).
-		SetTimeout(10 * time.Second).
-		SetRetryCount(3)
+		SetBaseURL(os.Getenv("TRAEFIK_API_ENDPOINT"))
 
 	pollCh := pollTraefikRouters(client)
 	var cache []Router
@@ -66,159 +42,198 @@ func main() {
 			log.Fatal(poll.Err)
 		}
 
-		// skip if no changes to traefik routers
+		// Skip if no changes to Traefik routers
 		if reflect.DeepEqual(cache, poll.Routers) {
 			continue
 		}
 
 		log.Info("changes detected")
 
-		// update the cache
+		// Update the cache
 		cache = poll.Routers
 
-		ingress := []cloudflare.UnvalidatedIngressRule{}
-
+		// Collect unique domains from applicable routers
+		uniqueDomains := make(map[string]struct{})
 		for _, r := range poll.Routers {
-			// Only enabled routes
+			// Filter routers
 			if r.Status != "enabled" {
-				log.Debugf("Skipping disabled route: %s", r.Rule)
+				continue
+			}
+			if !contains(r.EntryPoints, os.Getenv("TRAEFIK_ENTRYPOINT")) {
 				continue
 			}
 
-			// Handle both HTTP and HTTPS routes
-			// We want to include all routes, including those with TLS configured
-			if os.Getenv("TRAEFIK_ENTRYPOINT") != "" {
-				// If TRAEFIK_ENTRYPOINT is specified, only use routes with that entrypoint
-				if !contains(r.EntryPoints, os.Getenv("TRAEFIK_ENTRYPOINT")) {
-					log.Debugf("Skipping route with different entrypoint: %s", r.Rule)
-					continue
-				}
+			// Log if router has TLS configured for debugging
+			if r.TLS.CertResolver != "" {
+				log.WithFields(log.Fields{
+					"router": r.ServiceName,
+					"rule":   r.Rule,
+				}).Warn("router has TLS configured but is included for tunnel")
 			}
 
 			domains, err := http.ParseDomains(r.Rule)
 			if err != nil {
-				log.Errorf("Failed to parse domains from rule %s: %v", r.Rule, err)
-				continue
+				log.WithFields(log.Fields{
+					"rule": r.Rule,
+				}).Fatal("failed to parse domains: ", err)
 			}
-
 			for _, domain := range domains {
-				log.WithFields(log.Fields{
-					"domain":  domain,
-					"service": os.Getenv("TRAEFIK_SERVICE_ENDPOINT"),
-					"tls":     r.TLS.CertResolver != "",
-				}).Info("upserting tunnel")
-
-				ingress = append(ingress, cloudflare.UnvalidatedIngressRule{
-					Hostname: domain,
-					Service:  os.Getenv("TRAEFIK_SERVICE_ENDPOINT"),
-					OriginRequest: &cloudflare.OriginRequestConfig{
-						HTTPHostHeader: &domain,
-						// Add other origin request options if needed
-						NoTLSVerify: boolPtr(true), // Skip TLS verification for internal traffic
-					},
-				})
+				uniqueDomains[domain] = struct{}{}
 			}
 		}
 
-		// add catch-all rule
+		// Build ingress rules from unique domains
+		ingress := []cloudflare.UnvalidatedIngressRule{}
+		for domain := range uniqueDomains {
+			log.WithFields(log.Fields{
+				"domain":  domain,
+				"service": os.Getenv("TRAEFIK_SERVICE_ENDPOINT"),
+			}).Info("adding ingress rule")
+
+			ingress = append(ingress, cloudflare.UnvalidatedIngressRule{
+				Hostname: domain,
+				Service:  os.Getenv("TRAEFIK_SERVICE_ENDPOINT"),
+				OriginRequest: &cloudflare.OriginRequestConfig{
+					HTTPHostHeader: &domain,
+				},
+			})
+		}
+
+		// Add catch-all rule
 		ingress = append(ingress, cloudflare.UnvalidatedIngressRule{
 			Service: "http_status:404",
 		})
 
+		// Update Cloudflare tunnel configuration
 		err = updateTunnels(ctx, cf, ingress)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}
 }
 
-// Helper to create a bool pointer
-func boolPtr(b bool) *bool {
-	return &b
-}
-
 func pollTraefikRouters(client *resty.Client) (ch chan PollResponse) {
 	ch = make(chan PollResponse)
 	go func() {
-		defer func() {
-			close(ch)
-		}()
-		r := rand.New(rand.NewSource(time.Now().UnixNano()))
+		defer close(ch)
+		r := rand.New(rand.NewSource(time.Now().UnixNano())) // Use current time for better randomness
 		c := time.Tick(10 * time.Second)
 
 		for range c {
 			var pollRes PollResponse
+			maxRetries := 5
+			for attempt := 1; attempt <= maxRetries; attempt++ {
+				_, pollRes.Err = client.R().
+					EnableTrace().
+					SetResult(&pollRes.Routers).
+					Get("/api/http/routers")
+
+				if pollRes.Err == nil {
+					break
+				}
 
-			resp, err := client.R().
-				EnableTrace().
-				SetResult(&pollRes.Routers).
-				Get("/api/http/routers")
-
-			pollRes.Err = err
-			if err != nil {
-				log.Errorf("Error polling Traefik API: %v", err)
-				ch <- pollRes
-				time.Sleep(5 * time.Second) // Wait before retrying
-				continue
-			}
+				if attempt == maxRetries {
+					log.WithFields(log.Fields{
+						"attempts": maxRetries,
+						"error":    pollRes.Err,
+					}).Error("failed to fetch Traefik routers after max retries")
+					break
+				}
 
-			if resp.StatusCode() != 200 {
-				log.Errorf("Unexpected status code from Traefik API: %d", resp.StatusCode())
-				pollRes.Err = fmt.Errorf("unexpected status code: %d", resp.StatusCode())
-				ch <- pollRes
-				time.Sleep(5 * time.Second) // Wait before retrying
-				continue
+				// Exponential backoff with jitter
+				baseDelay := time.Duration(1<<uint(attempt)) * time.Second
+				jitter := time.Duration(r.Int63n(int64(time.Second))) // Random jitter up to 1s
+				delay := baseDelay + jitter
+				log.WithFields(log.Fields{
+					"attempt": attempt,
+					"delay":   delay,
+					"error":   pollRes.Err,
+				}).Warn("transient API failure, retrying...")
+				time.Sleep(delay)
 			}
 
 			ch <- pollRes
 
-			jitter := time.Duration(r.Int31n(5000)) * time.Millisecond
-			time.Sleep(jitter)
+			if pollRes.Err == nil {
+				jitter := time.Duration(r.Int31n(5000)) * time.Millisecond
+				time.Sleep(jitter)
+			}
 		}
 	}()
 	return
 }
 
 func updateTunnels(ctx context.Context, cf *cloudflare.API, ingress []cloudflare.UnvalidatedIngressRule) error {
-	// Get Current tunnel config
+	// Get current tunnel config
 	aid := cloudflare.AccountIdentifier(os.Getenv("CLOUDFLARE_ACCOUNT_ID"))
 	cfg, err := cf.GetTunnelConfiguration(ctx, aid, os.Getenv("CLOUDFLARE_TUNNEL_ID"))
 	if err != nil {
-		return fmt.Errorf("unable to pull current tunnel config, %s", err.Error())
+		return fmt.Errorf("unable to pull current tunnel config: %s", err)
 	}
 
 	// Update config with new ingress rules
 	cfg.Config.Ingress = ingress
-	cfg, err = cf.UpdateTunnelConfiguration(ctx, aid, cloudflare.TunnelConfigurationParams{
+	_, err = cf.UpdateTunnelConfiguration(ctx, aid, cloudflare.TunnelConfigurationParams{
 		TunnelID: os.Getenv("CLOUDFLARE_TUNNEL_ID"),
 		Config:   cfg.Config,
 	})
 	if err != nil {
-		return fmt.Errorf("unable to update tunnel config, %s", err.Error())
+		return fmt.Errorf("unable to update tunnel config: %s", err)
 	}
 
 	log.Info("tunnel config updated")
 
-	// Update DNS to point to new tunnel
+	// Update DNS records
+	tunnelContent := fmt.Sprintf("%s.cfargotunnel.com", os.Getenv("CLOUDFLARE_TUNNEL_ID"))
+	currentHostnames := make(map[string]struct{})
+	for _, i := range ingress {
+		if i.Hostname != "" {
+			currentHostnames[i.Hostname] = struct{}{}
+		}
+	}
+
+	zid := cloudflare.ZoneIdentifier(os.Getenv("CLOUDFLARE_ZONE_ID"))
+	records, _, err := cf.ListDNSRecords(ctx, zid, cloudflare.ListDNSRecordsParams{Type: "CNAME"})
+	if err != nil {
+		return fmt.Errorf("error listing DNS records: %s", err)
+	}
+
+	for _, record := range records {
+		if record.Type == "CNAME" && record.Content == tunnelContent {
+			if _, exists := currentHostnames[record.Name]; !exists {
+				// Delete unused CNAME record
+				err := cf.DeleteDNSRecord(ctx, zid, record.ID)
+				if err != nil {
+					log.WithFields(log.Fields{
+						"domain": record.Name,
+						"error":  err,
+					}).Error("failed to delete unused DNS record")
+					continue
+				}
+				log.WithFields(log.Fields{
+					"domain": record.Name,
+				}).Info("deleted unused DNS record")
+			}
+		}
+	}
+
 	for _, i := range ingress {
 		if i.Hostname == "" {
 			continue
 		}
 
 		var proxied bool = true
-
 		record := cloudflare.DNSRecord{
 			Type:    "CNAME",
 			Name:    i.Hostname,
-			Content: fmt.Sprintf("%s.cfargotunnel.com", os.Getenv("CLOUDFLARE_TUNNEL_ID")),
+			Content: tunnelContent,
 			TTL:     1,
 			Proxied: &proxied,
 		}
 
-		zid := cloudflare.ZoneIdentifier(os.Getenv("CLOUDFLARE_ZONE_ID"))
 		r, _, err := cf.ListDNSRecords(ctx, zid, cloudflare.ListDNSRecordsParams{Name: i.Hostname})
 		if err != nil {
-			return fmt.Errorf("err checking DNS records, %s", err.Error())
+			return fmt.Errorf("error checking DNS records: %s", err)
 		}
 
 		if len(r) == 0 {
@@ -230,7 +245,7 @@ func updateTunnels(ctx context.Context, cf *cloudflare.API, ingress []cloudflare
 				Proxied: record.Proxied,
 			})
 			if err != nil {
-				return fmt.Errorf("unable to create DNS record, %s", err.Error())
+				return fmt.Errorf("unable to create DNS record: %s", err)
 			}
 			log.WithFields(log.Fields{
 				"domain": record.Name,
@@ -240,15 +255,15 @@ func updateTunnels(ctx context.Context, cf *cloudflare.API, ingress []cloudflare
 
 		if r[0].Content != record.Content {
 			_, err = cf.UpdateDNSRecord(ctx, zid, cloudflare.UpdateDNSRecordParams{
-				ID:      r[0].ID, // Use the actual ID from the retrieved record
+				ID:      r[0].ID,
 				Name:    record.Name,
 				Type:    record.Type,
 				Content: record.Content,
 				TTL:     record.TTL,
 				Proxied: record.Proxied,
 			})
 			if err != nil {
-				return fmt.Errorf("could not update record for %s, %s", i.Hostname, err)
+				return fmt.Errorf("could not update record for %s: %s", i.Hostname, err)
 			}
 			log.WithFields(log.Fields{
 				"domain": record.Name,