TLS terminates here, once

There is exactly one place in the whole lab that deals with certificates: HAProxy on pfSense. It holds a wildcard certificate for *.example.com and terminates TLS for every service. Behind it, traffic to the backends is plain HTTP on the trusted private network.

browser --HTTPS (*.example.com)--> HAProxy --HTTP--> backend service
                (decrypts here)              (private, trusted)

A wildcard cert is the trick that makes this painless: one certificate covers git., docs., registry., kong-admin., and any future *.example.com name, so adding a new service is just a new HAProxy backend — no new certificate dance.

This single decision ripples through the rest of the lab. It's why the Kubernetes gateway serves HTTP, why the registry serves HTTP, why none of the internal apps carry certificates. They all trust that the edge already did the encryption.
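The layout above, written out as a hand-edited HAProxy configuration. This is an added example, not the lab's own pfSense-generated config; the certificate path, backend addresses and ports are assumptions.

```haproxy
# Added example (not the lab's config). Cert path, IPs and ports are assumed.
global
    # Cipher and protocol policy lives here, once; backends never see TLS.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_edge
    # One wildcard PEM (key + cert + chain) covers every *.example.com name.
    bind :443 ssl crt /etc/ssl/private/wildcard.example.com.pem alpn h2,http/1.1
    # Plain-HTTP callers are bounced to the TLS listener.
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Backends speak plain HTTP; tell them the edge already encrypted the hop
    # so apps that build absolute URLs (registry redirects, OAuth callbacks)
    # emit https:// links instead of http://.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Routing on Host: adding a service is one use_backend line plus a backend.
    use_backend git_app      if { req.hdr(host) -i git.example.com }
    use_backend docs_app     if { req.hdr(host) -i docs.example.com }
    use_backend registry_app if { req.hdr(host) -i registry.example.com }
    use_backend kong_admin   if { req.hdr(host) -i kong-admin.example.com }
    default_backend docs_app

# Every backend is plain HTTP on the private network (assumed 10.0.10.0/24).
backend git_app
    server git 10.0.10.11:3000 check

backend docs_app
    server docs 10.0.10.12:8080 check

backend registry_app
    # Image pushes are long uploads; raise the server timeout for this one only.
    timeout server 300s
    server registry 10.0.10.13:5000 check

backend kong_admin
    server kong 10.0.10.14:8001 check
```

Renewing the wildcard is then a single `crt` file swap plus an HAProxy reload; no backend is touched.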

Why we use this: terminate TLS in one place and the rest of your estate never has to think about certificates, renewals, or cipher config. Centralising TLS is one of those decisions that quietly removes work from every service you'll ever add.