This message was deleted.

Somewhat - I would say you should do tls termination on the ingress that way the traffic is encrypted all the way to the cluster where as how you have it set up its not encrypted from the loadbalancer to the cluster. So using the self signed cert from the lb to the ingress is bad tls practice... But at least it's encypted..

Ah, yeah, sorry, I was unclear. At the moment I am doing TLS offloading on the traefik ingress. 👍 So traffic stays inside the cluster from there. If we decided to move to cloudflare loadbalancer, the traffic to the cluster would be encrypted by the zero trust tunnel.