Terminate TLS connections

Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to the Kubernetes pods as HTTP traffic.

TLS connection termination can be used to:

  • protect data transfer between the client and the service in the cluster;
  • control access to services in the cluster and protect against unauthorized access;
  • increase productivity;
  • simplify certificate management.

In a Managed Kubernetes cluster, the TLS connection termination process can be configured on the load balancer. TLS connection termination on the load balancer is available in clusters with Kubernetes version 1.25 and higher. You can upgrade the cluster version.

Certificates are managed in the secrets manager: add a custom certificate or issue a Let's Encrypt® certificate.

  1. Add a custom certificate or issue a certificate in the secrets manager.
  2. Create a load balancer.
  3. Change the A-record of the domain.

Add or issue a certificate

In the secrets manager, you can upload a certificate issued by a third-party certificate authority or issue a Let's Encrypt® certificate.

  1. In the control panel, go to Cloud platform → Secrets manager.

  2. Click Add a certificate.

  3. Select User certificate.

  4. Enter the name of the certificate.

  5. Insert the master certificate for the domain. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  6. Insert the private key. It must begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.

  7. Optional: to add an intermediate certificate, check the Add an intermediate certificate checkbox and insert the certificate in the Intermediate certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

    If you need to add multiple intermediate certificates, make sure that all certificates (the primary certificate for the domain, the intermediate certificates, and the root certificate) form a complete chain. The Issuer value of the primary certificate must match the Subject value of the first intermediate certificate, the Issuer value of the first intermediate certificate must match the Subject value of the second intermediate certificate, and so on.

    Intermediate certificates can be added in the Intermediate certificate field in any order; what matters is that the chain is complete.

  8. Optional: to add a root certificate, check the Add root certificate checkbox and insert the certificate in the Root certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  9. Click Add.

  10. Open the certificate page.

  11. Copy the UUID of the certificate.
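
The key and chain requirements from steps 5 to 8 can be checked locally with OpenSSL before anything is pasted into the form. This is an added example, not part of the provider's documentation or tooling; the function names and the file names passed to them are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate chain. All file names are assumptions.

# dn subject|issuer FILE: print that DN of the first certificate in FILE on one line.
dn() { openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed "s/^$1= *//"; }

# key_matches CERT KEY: succeed only if KEY holds the public key found in CERT.
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# walk_chain LEAF BUNDLE ROOT: follow Issuer -> Subject from the leaf through the
# intermediates in BUNDLE (any order) up to ROOT, and name the first missing link.
walk_chain() {
    want=$(dn issuer "$1"); root=$(dn subject "$3"); hops=0
    [ -n "$want" ] && [ -n "$root" ] || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: $tmp/1.pem, $tmp/2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$2"
    while [ "$want" != "$root" ]; do
        next=""
        for c in "$tmp"/*.pem; do
            if [ -f "$c" ] && [ "$(dn subject "$c")" = "$want" ]; then next=$c; break; fi
        done
        if [ -z "$next" ] || [ "$hops" -ge 10 ]; then
            echo "chain is broken at Subject '$want'" >&2
            rm -rf "$tmp"; return 1
        fi
        want=$(dn issuer "$next"); hops=$((hops + 1))
    done
    rm -rf "$tmp"
}

# check_bundle LEAF KEY BUNDLE ROOT: key match, name chaining, then signature check.
check_bundle() {
    key_matches "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
    walk_chain "$1" "$3" "$4" || return 1
    openssl verify -CAfile "$4" -untrusted "$3" "$1" >/dev/null
}
```

Run it as `check_bundle leaf.pem leaf.key intermediates.pem root.pem`; a non-zero exit status means the key or the chain needs fixing before upload.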

Create a load balancer

Create a manifest with a Service of type LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: <loadbalancer_name>
  annotations:
    loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"
spec:
  type: LoadBalancer
  selector:
    app: <application_name>
  ports:
    - port: 443
      protocol: TCP
      targetPort: 80
      name: https

Specify:

  • <loadbalancer_name> — load balancer name;
  • <certificate_uuid> — the universally unique identifier (UUID) of the certificate that you copied in the instructions Add or issue a certificate;
  • <application_name> — application name.

The created load balancer will appear in the control panel under Cloud platform → Balancers → Balancers tab.

Change the A-record of a domain

You can speed up the propagation of changes to a resource record to caching servers. To do this, reduce the TTL of the record to the lowest possible value a few days before the planned change. Then change the resource record at the scheduled time, and when the change propagates to the caching servers, return the TTL to the previous value.

  1. In the control panel, go to DNS.
  2. Open the zone page.
  3. In the menu of the A-record group, select Edit.
  4. Change the IP address to that of the load balancer. The IP address of the load balancer can be viewed in the control panel under Cloud platform → Balancers → Balancers tab → balancer's card.
  5. Click Save.
  6. Wait for the resource record to update on the DNS servers. The update can take from the TTL of the record up to 72 hours. You can view the TTL of the resource record in the control panel: DNS section → zone page → TTL field.
  7. Optional: check the resource record. If the resource record has not been updated after 72 hours, file a ticket.
  8. Verify that requests are reaching only the load balancer and that no user requests are arriving at the server.