Terminate TLS connections
Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and forwarding it to the Kubernetes pods as HTTP traffic.
TLS termination can be used to:
- protect data transfer between the client and the service in the cluster;
- control access to services in the cluster and protect against unauthorized access;
- increase productivity;
- simplify certificate management.
In a Managed Kubernetes cluster, the TLS connection termination process can be configured on the load balancer.
Certificates are managed in the secrets manager: add a custom certificate or issue a Let's Encrypt® certificate.
TLS termination on a load balancer is available if the cluster runs Kubernetes version 1.25 or higher. You can upgrade the cluster version.
- Add a custom certificate or issue a certificate in the secrets manager.
- Create a load balancer.
- Change the A-record of the domain.
Add or issue a certificate
In the secrets manager, you can add a certificate issued by a third-party certificate authority or issue a Let's Encrypt® certificate.
Add a certificate
- In the control panel, go to Cloud platform → Secrets manager.
- Click Add a certificate.
- Select User certificate.
- Enter the name of the certificate.
- Insert the primary certificate for the domain. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Insert the private key. It must begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
- Optional: to add an intermediate certificate, check the Add an intermediate certificate checkbox and insert the certificate in the Intermediate certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. If you need to add multiple intermediate certificates, make sure that all certificates (primary certificate for the domain, intermediate certificates, and root certificate) form a complete chain. The Issuer value of the primary certificate must match the Subject value of the first intermediate certificate, the Issuer value of the first intermediate certificate must match the Subject value of the second intermediate certificate, and so on. Intermediate certificates can be added in the Intermediate certificate field in any order; what matters is that the full chain is present.
- Optional: to add a root certificate, check the Add root certificate checkbox and insert the certificate in the Root certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Click Add.
- Open the certificate page.
- Copy the UUID of the certificate.
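The Issuer-to-Subject rule from the intermediate certificate step can be checked before the certificates are pasted into the form. The Python code below is an added example, not part of the original instructions or the provider's tooling: the function names are hypothetical, the sample certificates are constructed unsigned skeletons, and the check compares names only without verifying signatures.

```python
import ssl

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(pem):
    """Raw DER Issuer and Subject of one PEM certificate (names only, no signature check)."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # ValueError on wrong BEGIN/END markers
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])  # step into Certificate, then TBSCertificate
    fields = []  # serial, signature algorithm, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(leaf_pem, extra_pems):
    """Follow Issuer -> Subject from the leaf through extra_pems (any order); return (chain, complete)."""
    by_subject = {issuer_and_subject(p)[1]: p for p in extra_pems}
    chain = [leaf_pem]
    while True:
        issuer, subject = issuer_and_subject(chain[-1])
        if issuer == subject:
            return chain, True  # reached a self-signed root: the chain is complete
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in chain:
            return chain, False  # missing link or loop: the chain is incomplete
        chain.append(nxt)

# Constructed sample input: unsigned certificate skeletons, not real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length suffices for the samples
def _name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
def sample_cert(subject_cn, issuer_cn):
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + _name(issuer_cn)
               + b"\x30\x00" + _name(subject_cn))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + b"\x30\x00\x03\x01\x00"))

LEAF = sample_cert("www.example.com", "Example Intermediate 1")
INT1 = sample_cert("Example Intermediate 1", "Example Intermediate 2")
INT2 = sample_cert("Example Intermediate 2", "Example Root")
ROOT = sample_cert("Example Root", "Example Root")  # self-signed
```

Byte-for-byte name comparison is stricter than the name matching rules of RFC 5280, so an incomplete result on real certificates is a prompt to inspect the chain with a full verifier.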
Issue a Let's Encrypt® certificate
You can issue a Let's Encrypt® certificate that is valid:
- only for the main domain, or for the main domain and all its subdomains (Wildcard certificate);
- for the subdomain only. The certificate will not be valid for the main domain.
To issue a certificate:
- Create a zone for the domain or subdomain.
- In the control panel, go to Cloud platform → Secrets manager.
- Open the Certificates tab.
- Click Add a certificate.
- Select Certificates from Let's Encrypt®.
- Enter the name of the certificate.
- Select the domain or subdomain that you delegated to DNS hosting in step 2.
- Optional: to add a subdomain to the certificate for the main domain, click Add an additional domain. Enter the name of the subdomain. To issue a Wildcard certificate, enter a subdomain of the form *.example.com.
- Click Issue a certificate.
- Open the certificate page.
- Copy the UUID of the certificate.
- In the Certificate files block, select the certificate, intermediate certificate chain, root certificate, and private key.
- Click Download.
- Install it on your service side.
Create a load balancer
Create a manifest with a Service of type LoadBalancer:
apiVersion: v1
kind: Service
metadata:
  name: <loadbalancer_name>
  annotations:
    # UUID of the certificate stored in the secrets manager
    loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"
spec:
  type: LoadBalancer
  selector:
    app: <application_name>
  ports:
    - port: 443        # HTTPS is terminated on the load balancer
      protocol: TCP
      targetPort: 80   # pods receive the decrypted traffic as HTTP
      name: https
Specify:
- <loadbalancer_name>: load balancer name;
- <certificate_uuid>: the universally unique identifier (UUID) of the certificate that you copied in the Add or issue a certificate instructions;
- <application_name>: application name.
The created load balancer will appear in the control panel under Cloud platform → Balancers → Balancers tab.
Change the A-record of a domain
You can speed up the propagation of changes to a resource record to caching servers. To do this, reduce the TTL of the record to the lowest possible value a few days before the planned change. Then change the resource record at the scheduled time, and when the change propagates to the caching servers, return the TTL to the previous value.
- In the control panel, go to DNS.
- Open the zone page.
- In the menu of the A-record group, select Edit.
- Change the IP address to that of the load balancer. You can view the IP address of the load balancer in the control panel under Cloud platform → Balancers → Balancers tab → balancer's card.
- Click Save.
- Wait for the resource record to update on the DNS servers. Depending on the TTL of the record, the update can take up to 72 hours. You can view the TTL of the resource record in the control panel: DNS section → zone page → TTL field.
- Optional: check the resource record. If the resource record has not been updated after 72 hours, file a ticket.
- Verify that requests arrive only at the load balancer and that the server receives no requests from users.