Enable automated certificate generation with Hetzner Loadbalancer

[yaser-aibees]

I have recently deployed Kong Gateway Enterprise free mode on Kubernetes through bellow document:

https://docs.konghq.com/gateway/3.7.x/install/kubernetes/proxy/

Everything went OK but I cannot find a way to automate certificate generation on Hetzner Loadbalancer.

My main domain is configured on Cloudflare and domain addresses point to Hetzner Loadbalancer. I have generated Let's encrypt certificate on Hetzner Loadbalancer through this tutorial:

https://dennmart.com/articles/deploy-secure-load-balancers-on-hetzner-cloud-with-terraform/

And on Hetzner I configured a tcp service to proxy traffic 443 to a nodePort on my Kubernetes cluster. So right now I'm not using TLS termination but I want to switch TCP proxy to HTTPS proxy cause I want to enable proxy protocol which cannot be enabled on TCP proxy. The problem is that my application inside the cluster need to generate automated certificate for our customer's domains and I cannot generate a Let's encrypt certificate for every customer manually. Also, there is a limitation for number on certificates which can be issued on Hetzner.

Is there a way to solve this issue ?

[ProBrian]

Hi @yaser-aibees , let me just confirm if I understand right: as I see, your network topology is like: clients -> hetzner cloud(as a load balancer) -> kong ee(as a reverse proxy in a k8s deployment) -> cloudflare(where your backend services deployed in),
And your problem is that you want to do TLS termination on hetzner LB but you find it hard to manager SSL certs on hetzner LB, so you want to move the TLS termination forward to the kong proxy, make kong proxy to do the TLS termination, and you want to know if kong has a better way to generate and manager SSL certs for your multiple domain services, is that right?

[yaser-aibees]

Hi @ProBrian
Almost.
Here's how the application suppose to works: There is no issue for the main domain of the application(Let's say that my main application works with sso.my-domain.com URL). Customers came to us and we give them some configurations to them to set up on their environment and they also need to add an A record pointing to our loadbalancer IP on Hetzner. When we give them the configuration, our application inside the Kubernetes watches their domain and wait for that A record to be configured. When the customer adds the A record, the application needs to do two things(Let's assume the A record is this: sso.domain.com):

1. The first one is to generate a Let's ecnrypt ssl for sso.domain.com
2. The Second one is to create a Kong Ingress to route sso.domain.com traffic to our backend service.

The ingress configuration is going to be applied through Kong admin API.

So, there is no problem auto generating SSL for sso.my-domain.com url but for sso.domain.com, I don't know how to configure it on Hetzner to be automatically re-issued. Maybe I should not have deployed Kong Gateway on Kubernetes with this workflow and use it outside the Kubernetes and even before sending traffics to Hetzner loadbalancer? Any thoughts would be appreciated.

[fffonion]

You can use the acme plugin to get certificate from let's encrypt.

[yaser-aibees]

Yes I can do that but then I should configure my Loadbalancer on Hetzner to pass the traffic as TCP which means I cannot use Sticky sessions and Proxy Protocol(passing the client's real IP). I need to use Proxy Protocol for rate limiting on the backend.