TUN-9583: set proper url and hostname for cloudflared tail command

This commit adds support for FedRAMP environments. Cloudflared will now dynamically configure the management hostname and API URL, switching to FedRAMP-specific values like `management.fed.argotunnel.com` and `https://api.fed.cloudflare.com/client/v4` when a FedRAMP endpoint is detected. Key to this is an enhanced `ParseToken` function, which now includes an `IsFed()` method to determine if a management token's issuer is `fed-tunnelstore`. This allows cloudflared to correctly identify and operate within a FedRAMP context, ensuring proper connectivity. Closes TUN-9583
2026-06-05 00:50:24 +08:00 · 2025-07-23 20:09:50 +01:00
parent ddf4e6d854
commit 1cedefa1c2
7 changed files with 60 additions and 19 deletions
--- a/cmd/cloudflared/flags/flags.go
+++ b/cmd/cloudflared/flags/flags.go
@@ -160,4 +160,7 @@ const (

 	// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
 	VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
+
+	// Management hostname to signify incoming management requests
+	ManagementHostname = "management-hostname"
 )
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@@ -51,6 +51,7 @@ func buildTailManagementTokenSubcommand() *cli.Command {

 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
+
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
@@ -99,7 +100,7 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
-				Name:    "management-hostname",
+				Name:    cfdflags.ManagementHostname,
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
@@ -236,7 +237,14 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 		return "", err
 	}

-	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
+	var apiURL string
+	if userCreds.IsFEDEndpoint() {
+		apiURL = credentials.FedRampBaseApiURL
+	} else {
+		apiURL = c.String(cfdflags.ApiURL)
+	}
+
+	client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@@ -261,7 +269,7 @@ func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
-	managementHostname := c.String("management-hostname")
+
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
@@ -269,6 +277,19 @@ func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
+
+	claims, err := management.ParseToken(token)
+	if err != nil {
+		return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
+	}
+
+	var managementHostname string
+	if claims.IsFed() {
+		managementHostname = credentials.FedRampHostname
+	} else {
+		managementHostname = c.String(cfdflags.ManagementHostname)
+	}
+
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -97,7 +97,7 @@ var (
 		"no-tls-verify",
 		"no-chunked-encoding",
 		"http2-origin",
-		"management-hostname",
+		cfdflags.ManagementHostname,
 		"service-op-ip",
 		"local-ssh-port",
 		"ssh-idle-timeout",
@@ -459,8 +459,23 @@ func StartServer(
 		}
 	}

+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
+	var isFEDEndpoint bool
+	if err != nil {
+		isFEDEndpoint = false
+	} else {
+		isFEDEndpoint = userCreds.IsFEDEndpoint()
+	}
+
+	var managementHostname string
+	if isFEDEndpoint {
+		managementHostname = credentials.FedRampHostname
+	} else {
+		managementHostname = c.String(cfdflags.ManagementHostname)
+	}
+
 	mgmt := management.New(
-		c.String("management-hostname"),
+		managementHostname,
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		connectorID,
@@ -1042,7 +1057,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "management-hostname",
+			Name:    cfdflags.ManagementHostname,
 			Usage:   "Management hostname to signify incoming management requests",
 			EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 			Hidden:  true,