Alper Cicek
Alper Cicek's Blog


Alper Cicek's Blog

Configuring Traefik Ingress and Clouflare in Kubernetes using Full (Strict) Encryption Mode

Photo by Towfiqu barbhuiya on Unsplash

Configuring Traefik Ingress and Clouflare in Kubernetes using Full (Strict) Encryption Mode

Alper Cicek's photo
Alper Cicek
·Nov 1, 2022·

3 min read

Table of contents

  • Introduction
  • Configuring Cloudflare
  • Configuring Kubernetes


If you have a Kubernetes cluster and you want to use Cloudflare this guide is for you. Cloudflare operates as a reverse proxy for the web traffic. All requests to and from the origin, will flow through Cloudflare. The benefit of this approach is that when the traffic is proxied through Cloudflare before reaching the origin server, the application gets additional security, performance, and reliability benefits. Another benefit is that we do not need to deploy Cert-Manager or Let's Encrypt. Cloudflare will handle this automatically for us.

Configuring Cloudflare

Assuming you have created a Cloudflare account and added your domain, go to your Cloudflare Dashboard and point your domain to your Load Balancer IP. If you have used the Kubernetes on Hetzner guide, point your Hetzner Load Balancer IP address that you have just created. Under DNS add two A Record. One is for the root and one is for the subdomains:

    Type       Name              Content           Proxy status       TTL       

      A              @              Your-LB-IP             Proxied           Auto
      A              *              Your-LB-IP             Proxied           Auto

Do not forget to activate proxy:

Screenshot 2022-11-01 at 00.59.42.png

Go to the SSL/TLS menu and activate Always Use HTTPS. You can also see that there are automatically generated Edge Certificates.

Cloudflare will automatically create a TLS certificate for connections between the end user and Cloudflare. However at this point there is no encryption between our servers and Cloudflare. This setup will work without it but I definitely recommend that you configure it.

Go to SSL/TLS from the menu and click Origin Server: Screenshot 2022-10-31 at 23.43.34.png

Create the certificate: Screenshot 2022-10-31 at 23.44.25.png

Create two files called tls.crt and tls.key

touch tls.crt
touch tls.key

and copy the certificates into these files.

Configuring Kubernetes

Afterwards create a secret inside of Kubernetes. Since this will be the default certificate for the whole cluster, you can create this secret in the kube-system namespace:

kubectl create secret generic default-cloudflare-tls -n kube-system --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key

Create a Traefik store for the secret, so that you can reference it from any namespace later:

kind: TLSStore
  name: default-cloudflare-tls
  namespace: kube-system

    secretName: default-cloudflare-tls

Under the SSL/TLS menu, do not forget to enable the encryption mode to Full (Strict)

Screenshot 2022-10-31 at 23.41.59.png

Expose the Traefik Dashboard using IngressRoute

Now we will expose Traefik dashboard using an Ingressroute. Optionally you can also create a middleware for securing the Traefik Dashboard with a password. You can find more information here.

Create the ingressroute:

kind: IngressRoute
  name: traefik-dashboard
  namespace: traefik
  annotations: traefik-external
    - web
    - websecure
    - match: Host(``)
      kind: Rule
        - name: api@internal
          kind: TraefikService
        ##- name: auth
      name: default-cloudflare-tls

We have added our Cloudflare Origin certificate in the Traefik Secret Store here:

      name: default-cloudflare-tls

Note: If you wish to use another Origin Certificate (for another domain etc.) you can follow the steps above, create the secret in the same namespace where your application is in, and simply add your secret like this:

    secretName: your-other-origin-secret

Now go to, you should see a page like this:

Screenshot 2022-10-31 at 23.41.04.png

Did you find this article valuable?

Support Alper Cicek by becoming a sponsor. Any amount is appreciated!

Learn more about Hashnode Sponsors
Share this