Cloudflare "Full" TLS Setup with default certificate

I’m running Traefik as the reverse proxy in our Kubernetes cluster. All traffic to the cluster is proxied through Cloudflare. I’m running traefik v3.5.2 with the following configuration:

--providers.kubernetesingress=true
--entrypoints.websecure.address=:443/tcp
--entrypoints.websecure.asdefault=true
--entrypoints.websecure.http.tls=true
--entrypoints.traefik.address=:9000/tcp
--ping=true
--log.level=WARN
--accesslog=false

My understanding is that just having http.tls=true results in Traefik returning a standard, built-in certificate for the websecure Entrypoint.

Since this entrypoint isn’t public facing and all traffic comes through Cloudflare, is this certificate good enough to have encrypted end-to-end communication between Cloudflare and Traefik?

Since I’m not (yet) looking to use the “Full (Strict)” mode or “Authenticated Origin Pulls”, is there any reason why I shouldn’t just keep this setup?

The follow-up question is: Is the default certificate generated for each deployment or is it completely static?

If it is static, any attacker could just use the static certificate and decrypt traffic using it.

Edit: Looking into the code, I can see that the default certificate is in fact generated seemingly randomly on each start of Traefik. I don’t see why this wouldn’t work just to secure the Cloudflare ←→ Traefik connection.

It works to secure the connection, you just need to tell CF to trust (not verify) the cert.
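An added configuration example, not taken from the thread or from the Traefik project docs, to make the trade-off concrete. With only `--entrypoints.websecure.http.tls=true`, Traefik presents its generated "TRAEFIK DEFAULT CERT" on the websecure entrypoint. Cloudflare's "Full" mode accepts that because it encrypts the Cloudflare ←→ origin leg without validating the origin certificate; the per-start key means nobody holds a shared static key, but since Cloudflare does not check who signed the certificate, the origin is encrypted to, not authenticated. Moving to "Full (Strict)" means serving a certificate Cloudflare can verify (for example a Cloudflare Origin CA certificate for the zone) as the default certificate. The example assumes the file provider is enabled and that the dynamic file and the certificate files live at the paths shown; those paths, and the mounted ConfigMap/Secret that would put them there, are assumptions, not anything from the question.

```yaml
# Added example (not from the thread). Static configuration: alongside the flags
# in the question, enable the file provider so the dynamic TLS config below is read:
#   --providers.file.filename=/etc/traefik/dynamic/tls.yaml
#
# /etc/traefik/dynamic/tls.yaml  (assumed path; dynamic configuration)
tls:
  stores:
    default:
      # Replaces the randomly generated "TRAEFIK DEFAULT CERT" with a certificate
      # Cloudflare can validate under "Full (Strict)", e.g. a Cloudflare Origin CA
      # certificate issued for the zone. File paths are assumptions.
      defaultCertificate:
        certFile: /etc/traefik/certs/origin.crt
        keyFile: /etc/traefik/certs/origin.key
  options:
    default:
      minVersion: VersionTLS12
      # Optional, only once "Authenticated Origin Pulls" is turned on in Cloudflare:
      # require Cloudflare's client certificate so a client that reaches the origin
      # without going through Cloudflare cannot complete the TLS handshake.
      # Uncomment after mounting the Cloudflare origin-pull CA at the assumed path.
      # clientAuth:
      #   caFiles:
      #     - /etc/traefik/certs/cloudflare-origin-pull-ca.pem
      #   clientAuthType: RequireAndVerifyClientCert
```

The `tls.stores.default.defaultCertificate` block takes a single certificate, which is enough for an origin that only ever talks to Cloudflare; the store can also be set from a Kubernetes `TLSStore` resource, but that needs the kubernetescrd provider rather than the kubernetesingress provider used in the question. Keep the Cloudflare dashboard in "Full" until the new certificate is in place, then switch to "Full (Strict)"; switching first turns every proxied request into a 526 error while Traefik is still serving the default certificate.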