Docker-based deployer that handles building and publishing the Confidence resolver Worker to your Cloudflare account. The resolver enables feature flag evaluation at Cloudflare's edge locations worldwide, powered by the Confidence Resolver.
- Edge evaluation: Flag rules evaluate at Cloudflare's edge locations worldwide
- Ultra-low latency: Evaluation happens close to users, minimizing latency
- Rust-based resolver: High-performance flag evaluation powered by the Confidence Resolver
- Deployer-driven sync: Run the deployer to fetch the latest flag rules from Confidence and re-deploy the Worker
From the root of the repository, run:
docker build --target confidence-cloudflare-resolver.deployer -t <YOUR_IMAGE_NAME> .A pre-built image is also available at ghcr.io/spotify/confidence-cloudflare-deployer:latest.
- Docker installed
- Cloudflare API token with the following permissions:
- Account > Workers Scripts > Edit
- Account > Workers Queues > Edit (needed for the first deploy)
- Confidence client secret (must be type BACKEND)
Run the deployer with your credentials:
docker run -it \
-e CLOUDFLARE_API_TOKEN='your-cloudflare-api-token' \
-e CONFIDENCE_CLIENT_SECRET='your-confidence-client-secret' \
ghcr.io/spotify/confidence-cloudflare-deployer:latestThe deployer automatically:
- Detects Cloudflare account ID from your API token
- Creates the queue (
flag-logs-queue) if it doesn't exist - Fetches resolver state from Confidence CDN
- Skips deployment if state hasn't changed (using ETags)
Note: The deployer does not poll for changes. Each run fetches the current state from Confidence, deploys the Worker if the state has changed, and then exits. To keep the Worker up to date, run the deployer on a schedule (for example, via a cron job) or trigger it when flag rules or targeting changes are made in Confidence.
| Variable | Description |
|---|---|
CLOUDFLARE_ACCOUNT_ID |
Required only if the API token has access to multiple accounts |
CONFIDENCE_RESOLVER_STATE_URL |
Custom resolver state URL (overrides default URL to Confidence CDN) |
CONFIDENCE_RESOLVER_ALLOWED_ORIGIN |
Configure allowed origins for CORS |
RESOLVE_TOKEN_ENCRYPTION_KEY |
AES-128 key (base64 encoded) used to encrypt resolve tokens when apply=false. Not needed since the resolver defaults apply to true |
FORCE_DEPLOY |
Force re-deploy regardless of state changes |
NO_DEPLOY |
Build only, skip deployment |
WORKER_NAME_PREFIX |
Prefix for worker and queue names. Deploys as <prefix>-confidence-cloudflare-resolver with queue <prefix>-flag-logs-queue (auto-created) |
When integrating with the Cloudflare resolver, you have two options:
Service binding (recommended): Cloudflare's service bindings allow Workers to call other Workers directly within Cloudflare's network. This internal routing bypasses the public internet, resulting in ultra-low latency.
HTTP calls: Standard HTTP requests to the resolver endpoint. Use this approach when calling from external services or client applications.
For more details on integration, including code examples using the @spotify-confidence/sdk, see the Confidence documentation.
- Sticky assignments: Not currently supported with the Cloudflare resolver. Flags with sticky assignment rules will return "flag not found".