Skip to main content
Terminate TLS connections
Last update:

Terminate TLS connections

Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to the Kubernetes pods as HTTP traffic.

Termination of the TLS connection can be used:

  • to protect the data transfer between the client and the service in the cluster;
  • control of access to services in the cluster and protection against unauthorized access;
  • productivity gains;
  • simplifying certificate management.

In a Managed Kubernetes cluster, the TLS connection termination process can be configured on the load balancer.

Certificates can be managed through secrets manager — add your custom certificate or issue a Let's Encrypt® certificate.

For your information

TLS connection termination on the load balancer is available if you are running Kubernetes versions 1.25 and higher. You can upgrade cluster version.

  1. Add a custom certificate or issue a certificate in the secrets manager.
  2. Create a load balancer.
  3. Change Domain A-Record.

Add or issue a certificate

In the Secret Manager, you can download a certificate that has been issued from third-party certificate authorities or issue a Let's Encrypt® certificate. You can only issue a Let's Encrypt® certificate for a domain that is migrated to legacy DNS hosting version. For domains added to a new version of DNS hosting (actual), you cannot issue a certificate.

  1. In Control Panel, go to Cloud PlatformSecrets Manager.

  2. Click Add Certificate.

  3. Click User Certificate.

  4. Enter the name of the certificate.

  5. Insert certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

  6. Insert the private key. It should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----

  7. Optional: To add an intermediate certificate, check the Add intermediate certificate checkbox and insert the certificate.

    The intermediate certificate binds the final TLS certificate to the root certificate authority, it is used by the browser to verify the authenticity of the issued TLS certificate. If you do not add an intermediate certificate, a client that connects over TLS may consider the connection to be insecure.

  8. Optional: To add a root certificate, check the Add Root Certificate checkbox and insert the certificate.

    The root certificate is the part of the key that certificate authorities use to sign the TLS certificate. It may be required when using self-signed certificates.

  9. Press Add.

  10. Open the certificate page.

  11. Copy the universally unique identifier (UUID) of the certificate.

Create a load balancer

Create a manifest with Service of type LoadBalancer:

apiVersion: v1
kind: Service
name: <loadbalancer_name>
annotations: "<certificate_uuid>"
type: LoadBalancer
app: <application_name>
- port: 443
protocol: TCP
targetPort: 80
name: https


  • <loadbalanacer_name> is the name of the load balancer;
  • <certificate_uuid> is the universally unique identifier (UUID) of the certificate that you copied in the Add or issue certificate instruction;
  • <application_name> is the name of the application.

The created load balancer will appear in control panel under Cloud PlatformBalancers.

Modify the A-record of the domain

You can accelerate the propagation of changes to a resource record to caching servers. To do this, a few days before the planned change, reduce the TTL of the recording to the lowest possible value. Then, at the designated time, change the resource record, and when the change propagates to the caching servers, return the TTL to its previous value.

  1. In Control Panel, go to Network ServicesDNS Hosting.
  2. Open the domain page.
  3. From the menu ( ) of the A-record, select Edit.
  4. Change the IP address to the load balancer address. The IP address of the load balancer can be viewed in control panel under Cloud PlatformBalancers.
  5. Click Save.
  6. Wait for the resource record to be updated on the DNS servers. The update can take from TTL recordings up to 72 hours to complete. The TTL of the resource record can be viewed in control panel: section Network ServicesDNS hosting → domain page → expand record string.
  7. Optional: check resource record. If the resource record has not been updated after 72 hours, create a ticket.
  8. Verify that requests are only coming to the load balancer and there are no requests from users on the server.