Traffic Flow & TLS

How a request reaches a customer pod, and how TLS is terminated without cert-manager.

Traffic enters at Cloudflare's edge, crosses to a DigitalOcean Load Balancer over an encrypted origin link, and is then routed at L7 by Envoy Gateway, which matches on the request hostname to select the customer's Service and, behind it, the customer's Pod.

```mermaid
flowchart TB
  classDef built fill:#3434DC22,stroke:#3434DC,color:#5B5EE8;
  classDef third fill:transparent,stroke:#808080,color:#808080;

  USER["User browser"]:::third
  DNS["DNS · Cloudflare"]:::third
  EDGE["Cloudflare Edge<br/>TLS termination · CDN · WAF · DDoS"]:::third
  LB["DO Load Balancer<br/>$12/mo · auto-provisioned by Gateway Service"]:::third
  ENVOY["Envoy Gateway<br/>L7 routing by hostname · HTTPRoute"]:::third
  SVC["Customer Service"]:::third
  POD["Customer Pod"]:::third

  USER --> DNS
  DNS --> EDGE
  EDGE -- "Cloudflare Origin Certificate · encrypted" --> LB
  LB -- "forwarded to worker nodes" --> ENVOY
  ENVOY --> SVC
  SVC --> POD
```
Diagram — Traffic flow. Cloudflare edge → DO Load Balancer (over the Origin Certificate) → Envoy Gateway (L7 by hostname) → customer Service → Pod. All boxes are third-party here; the LB is auto-provisioned by the Gateway Service (§34).

TLS strategy — no cert-manager needed

  • *.starform.app subdomains: covered by Cloudflare's wildcard edge certificate (issued automatically, free)
  • Custom domains (myapp.com): the customer CNAMEs their domain to the Starform proxy hostname, and Cloudflare issues the edge certificate for it
  • Cloudflare → origin encryption: a Cloudflare Origin Certificate (free, 15-year validity), stored as a Kubernetes TLS Secret that the Gateway's HTTPS listener references
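The following Gateway API manifests are an added illustration of the two hops described above (the Origin Certificate terminated on the Gateway listener, and the HTTPRoute that maps a hostname to a customer Service); they are not the project's own manifests. The GatewayClass name `eg`, the Secret name `cloudflare-origin-cert`, the Gateway name `starform-gateway`, the namespace `customer-acme` and the Service `acme-web` are all assumed placeholders.

```yaml
# Assumed: the Origin Certificate (PEM cert + key downloaded from Cloudflare)
# is loaded into a standard TLS Secret. The Gateway listener below only
# references it; nothing here issues or renews certificates.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-origin-cert          # assumed name
  namespace: gateway-system             # assumed namespace
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM of the Origin Certificate>   # placeholder
  tls.key: <base64 PEM of its private key>          # placeholder
---
# One shared Gateway: its Service of type LoadBalancer is what provisions the
# DigitalOcean LB. TLS from Cloudflare's edge is terminated here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: starform-gateway                # assumed name
  namespace: gateway-system
spec:
  gatewayClassName: eg                  # assumed Envoy Gateway class name
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.starform.app"        # wildcard matches every customer subdomain
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: cloudflare-origin-cert
      allowedRoutes:
        namespaces:
          from: All                     # customer HTTPRoutes live in their own namespaces
---
# One HTTPRoute per customer app: the hostname is the routing key (the L7 hop).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: acme-web                        # assumed
  namespace: customer-acme              # assumed
spec:
  parentRefs:
    - name: starform-gateway
      namespace: gateway-system
  hostnames:
    - "acme.starform.app"               # constructed example hostname
  rules:
    - backendRefs:
        - name: acme-web                # the customer's Service
          port: 80
```

Two points worth checking when deploying something like this: an Origin Certificate is signed by Cloudflare's Origin CA and is not in public browser trust stores, so it is only meaningful on the Cloudflare → origin hop, and Cloudflare's SSL mode for the zone needs to be Full (strict) for the edge to actually validate it rather than accept any certificate. Because the listener uses a wildcard hostname, route isolation between customers rests entirely on each HTTPRoute's `hostnames` list, so the controller that creates customer routes should be the only thing allowed to write HTTPRoutes that attach to this Gateway.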

Cross-references

VPC & IP plan that this traffic lands in → §4.4 · Gateway architecture (the Envoy hop) → §33 · Load Balancer lifecycle → §34 · HTTPRoute naming (how a hostname maps to a route) → §20.2. Canonical map: Canonical Sources.