Terminate TLS connections
Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to the Kubernetes pods as HTTP traffic.
Termination of the TLS connection can be used:
- to protect the data transfer between the client and the service in the cluster;
- control of access to services in the cluster and protection against unauthorized access;
- productivity gains;
- simplifying certificate management.
In a Managed Kubernetes cluster, the TLS connection termination process can be configured on the load balancer. TLS connection termination on the load balancer is available in clusters with Kubernetes version 1.25 and higher. You can upgrade the cluster version.
Certificates can be managed via secret manager — Add your custom certificate or issue a Let's Encrypt® certificate.
- Add a custom certificate or issue a custom certificate in the secrets manager.
- Create a load balancer.
- Change the A-record of the domain.
Add or issue a certificate
In the Secret Manager, you can download a certificate that has been issued from third-party certificate authorities or issue a Let's Encrypt® certificate.
Add a certificate
Issue a Let's Encrypt® certificate
-
В control panels go to Cloud platform → The manager of secrets.
-
Click Add a certificate.
-
Select User certificate.
-
Enter the name of the certificate.
-
Insert the master certificate for the domain. It must begin with
-----BEGIN CERTIFICATE-----
and end-----END CERTIFICATE-----
. -
Insert the private key. It must begin with
-----BEGIN PRIVATE KEY-----
and end-----END PRIVATE KEY-----
. -
Optional: To add an intermediate certificate, check the checkbox Add an intermediate certificate and in the field Intermediate certificate insert the certificate. It must begin with
-----BEGIN CERTIFICATE-----
and end-----END CERTIFICATE-----
.If you need to add multiple intermediate certificates, make sure that all certificates (primary certificate for the domain, intermediate certificates, and root certificate) create a complete chain. Value
Issuer
of the main certificate must match the value of theSubject
of the first intermediate certificate, the value ofIssuer
of the first intermediate certificate withSubject
the second intermediate and so on.Intermediate certificates can be added in the field Intermediate certificate in any order, it's important to use the full chain.
-
Optional: to add a root certificate, check the checkbox Add root certificate and in the field Root certificate insert the certificate. It must begin with
-----BEGIN CERTIFICATE-----
and end-----END CERTIFICATE-----
. -
Click Add.
-
Open the certificate page.
-
Copy the UUID of the certificate.
You can issue a Let's Encrypt® certificate that is valid:
- only for the main domain or for the main domain and all its subdomains (Wildcard certificate);
- for the subdomain only. The certificate will not be valid for the main domain.
To issue a certificate:
-
Create an area for a domain or subdomain.
-
В control panels go to Cloud platform → The manager of secrets.
-
Open the tab Certificates.
-
Click Add a certificate.
-
Select Certificates from Let's Encrypt®.
-
Enter the name of the certificate.
-
Select the domain or subdomain that you delegated to DNS hosting in step 2.
-
Optional: to add a subdomain to the certificate for the main domain, click Add an additional domain.
Enter the name of the subdomain. To issue a Wildcard certificate, enter a subdomain of the form
*.example.com
-
Click Issue a certificate.
-
Open the certificate page.
-
Copy the UUID of the certificate.
-
In the block Certificate files Select a certificate, intermediate certificate chain, root certificate, and private key.
-
Click Download.
-
Install it on the side of your service.
Create a load balancer
Create a manifest with Service like LoadBalancer:
apiVersion: v1
kind: Service
metadata:
name: <loadbalancer_name>
annotations:
loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"
spec:
type: LoadBalancer
selector:
app: <application_name>
ports:
- port: 443
protocol: TCP
targetPort: 80
name: https
Specify:
<loadbalancer_name>
— load balancer name;<certificate_uuid>
— the universally unique identifier (UUID) of the certificate that you copied in the instructions Add or issue a certificate;<application_name>
— application name.
The created load balancer will appear in control panels under Cloud platform → Balancers → tab Balancers.
Change the A-record of a domain
You can speed up the propagation of changes to a resource record to caching servers. To do this, reduce the TTL of the record to the lowest possible value a few days before the planned change. Then change the resource record at the scheduled time, and when the change propagates to the caching servers, return the TTL to the previous value.
- В control panels go to DNS.
- Open the zone page.
- On the menu. of the A-record group, select Edit.
- Change the IP address to that of the load balancer. The IP address of the load balancer can be viewed in the control panels under Cloud platform → Balancers → tab Balancers → balancer's card.
- Click Save.
- Wait for the resource record to update on the DNS servers. The refresh time can take up to 72 hours from the TTL of the record. You can view the TTL of the resource record in control panels: section DNS → zone page → field TTL.
- Optional: check the resource record. If the resource record has not been updated after 72 hours, file a ticket.
- Verify that requests are only coming to the load balancer and there are no requests from users on the server.