chore(cf): reap orphan Access apps on CP startup#146
Closed
posix4e wants to merge 1 commit into
Closed
Conversation
DD preview readyURL: https://pr-146.devopsdefender.com Browser login: visit https://pr-146.devopsdefender.com — Cloudflare Access routes you Machine-to-machine: GitHub Actions workflows in the Register endpoint for a local agent: |
CF Access apps accumulate in the account whenever an agent/CP tunnel
gets torn down outside the collector's orphan-GC path — a PR preview
VM force-deleted in GCP, apps from an older naming scheme, or the
tail of a long preview cycle. The dashboard ends up with a huge pile
of `dd-*` self-hosted apps nobody's looking at.
New `cf::reap_orphan_access_apps(env)` lists every `dd-{env}-*`
Access app, resolves each domain's CNAME to its target cfd tunnel
id, and deletes the app if the tunnel isn't in the live set. CP's
`run()` fires it 10s after startup as a spawned task so a slow CF
API call doesn't block the collector or agent registration. CNAME
lookups cache per base hostname to keep the round-trip count
bounded. Best-effort: delete failures log and continue.
Every new CP deploy is also a cleanup pass. No separate workflow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
posix4e
force-pushed
the
chore/cf-access-reap
branch
from
970b157 to
cf0403d
Compare
posix4e
changed the title
Member
Author
|
Closing — parked in #149 for later. Not pursuing right now. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The CF Access dashboard fills up with dead `dd-*` apps whenever a tunnel gets torn down outside the collector's orphan-GC path — force-deleted preview VMs, apps from older naming schemes, the tail of long preview cycles.
New `cf::reap_orphan_access_apps(env)` in `src/cf.rs`: lists every `dd-{env}-*` Access app, resolves each one's `domain` to the CNAME's target cfd tunnel id, deletes anything whose tunnel isn't in the live set (or whose CNAME no longer exists). CP's `run()` spawns it 10 s after startup so a slow CF API call doesn't delay the collector or agent registration. CNAME lookups cache per base hostname to keep the round-trip count bounded. Best-effort: delete failures log and continue.
Every CP deploy is a cleanup pass. Stacks on main (independent of PR #145's vanity-claim work).
Test plan
🤖 Generated with Claude Code