Terminate TLS connections

Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to the Kubernetes pods as HTTP traffic.

Terminating the TLS connection on the load balancer can be used:

  • to protect data in transit between the client and a service in the cluster;
  • to control access to services in the cluster and protect them against unauthorized access;
  • to improve performance, since the load balancer handles TLS instead of the pods;
  • to simplify certificate management.

In a Managed Kubernetes cluster, the TLS connection termination process can be configured on the load balancer.

Certificates can be managed through secrets manager — add your custom certificate or issue a Let's Encrypt® certificate.

For your information

TLS connection termination on the load balancer is available if the cluster runs Kubernetes version 1.25 or higher. You can upgrade the cluster version.

  1. Add a custom certificate or issue a certificate in the secrets manager.
  2. Create a load balancer.
  3. Modify the A-record of the domain.

Add or issue a certificate

In the Secrets Manager, you can add a certificate issued by a third-party certificate authority or issue a Let's Encrypt® certificate. A Let's Encrypt® certificate can be issued only for a domain that is hosted on the legacy version of DNS hosting. For domains added to the new (current) version of DNS hosting, you cannot issue a certificate.

  1. In Control Panel, go to Cloud Platform → Secrets Manager.

  2. Click Add Certificate.

  3. Click User Certificate.

  4. Enter the name of the certificate.

  5. Paste the certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

  6. Paste the private key. It must begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----

  7. Optional: To add an intermediate certificate, check the Add intermediate certificate checkbox and insert the certificate.

    The intermediate certificate links the end-entity TLS certificate to the root certificate authority; browsers use it to verify the authenticity of the issued TLS certificate. If you do not add an intermediate certificate, a client that connects over TLS may consider the connection insecure.

  8. Optional: To add a root certificate, check the Add Root Certificate checkbox and insert the certificate.

    The root certificate belongs to the certificate authority whose key signs the TLS certificate. It may be required when using self-signed certificates.

  9. Click Add.

  10. Open the certificate page.

  11. Copy the universally unique identifier (UUID) of the certificate.
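Before pasting the certificate, key and chain into the fields from steps 5 to 8, the following added pre-flight check (example code, not part of the original page or the provider's tooling) splits a pasted PEM bundle into those fields and flags a missing intermediate or a key whose header is not the BEGIN PRIVATE KEY form the form requires. The sample bundle is constructed, and the leaf-then-intermediate-then-root order of the bundle is an assumption.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem_blocks(text):
    """Return [(label, pem_text)] for each block; reject bodies that are not base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}")
        blocks.append((label, m.group(0)))
    return blocks

def split_bundle(text):
    """Sort a pasted bundle into the form's fields and list what would be rejected.
    Assumption: usual issuance order, leaf first, then intermediate(s), then root."""
    blocks = parse_pem_blocks(text)
    certs = [pem for label, pem in blocks if label == "CERTIFICATE"]
    keys = [(label, pem) for label, pem in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif len(certs) == 1:
        problems.append("no intermediate certificate: TLS clients may reject the chain")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    key_label, key_pem = keys[0] if keys else (None, None)
    if key_label and key_label != "PRIVATE KEY":
        # The form requires the PKCS#8 header; PKCS#1/SEC1 or encrypted keys do not match.
        problems.append(f"key header is BEGIN {key_label}, form expects BEGIN PRIVATE KEY")
    return {
        "certificate": certs[0] if certs else None,
        "intermediate": certs[1:-1] if len(certs) >= 3 else certs[1:2],
        "root": certs[-1] if len(certs) >= 3 else None,
        "private_key": key_pem,
        "problems": problems,
    }

def fake_block(label, payload):
    # Constructed, syntactically valid PEM block around a placeholder payload (not a real cert).
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed sample: leaf + intermediate, but the key is in PKCS#1 (RSA) form.
SAMPLE_BUNDLE = (fake_block("CERTIFICATE", b"placeholder leaf")
                 + fake_block("CERTIFICATE", b"placeholder intermediate")
                 + fake_block("RSA PRIVATE KEY", b"placeholder key"))
```

Run `split_bundle` on the text you intend to paste and resolve every entry in `problems` first; a PKCS#1 key can be converted to PKCS#8 with `openssl pkcs8 -topk8 -nocrypt`.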

Create a load balancer

Create a manifest with a Service of type LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: <loadbalancer_name>
  annotations:
    loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"
spec:
  type: LoadBalancer
  selector:
    app: <application_name>
  ports:
    - port: 443
      protocol: TCP
      targetPort: 80
      name: https

Specify:

  • <loadbalancer_name> is the name of the load balancer;
  • <certificate_uuid> is the universally unique identifier (UUID) of the certificate that you copied in the Add or issue a certificate instruction;
  • <application_name> is the name of the application whose pods carry the matching app label.

The created load balancer will appear in the control panel under Cloud Platform → Balancers.

Modify the A-record of the domain

You can speed up the propagation of a resource record change to caching DNS servers. To do this, a few days before the planned change, reduce the TTL of the record to the lowest possible value. Then, at the designated time, change the resource record, and once the change has propagated to the caching servers, return the TTL to its previous value.

  1. In Control Panel, go to Network Services → DNS Hosting.
  2. Open the domain page.
  3. From the menu of the A-record, select Edit.
  4. Change the IP address to the load balancer address. The IP address of the load balancer can be viewed in the control panel under Cloud Platform → Balancers.
  5. Click Save.
  6. Wait for the resource record to be updated on the DNS servers. The update can take from the record's TTL up to 72 hours to complete. The TTL of the resource record can be viewed in the control panel: section Network Services → DNS Hosting → domain page → expand the record row.
  7. Optional: check the resource record. If the resource record has not been updated after 72 hours, create a ticket.
  8. Verify that user requests arrive only through the load balancer and no longer reach the server directly.