
Terminate TLS connections in a Managed Kubernetes cluster for Envoy Gateway

Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to Kubernetes pods as HTTP traffic.

TLS connection termination can be used to:

  • protect data transmission between a client and a service in a cluster;
  • control access to services in a cluster and protect against unauthorized access;
  • improve performance;
  • simplify certificate management.

In a Managed Kubernetes cluster, the process of terminating TLS connections can be configured on a load balancer. TLS connection termination on a load balancer is available in clusters with Kubernetes version 1.25 and higher. You can upgrade the cluster version.

You can manage certificates through Secrets Manager: add your custom certificate or issue a Let’s Encrypt® certificate.

  1. Add a custom certificate or issue one in Secrets Manager.
  2. Create a load balancer.
  3. Change the domain A record.

1. Add or issue a certificate

In Secrets Manager, you can upload a certificate issued by third-party certificate authorities or issue a Let’s Encrypt® certificate.

  1. In the control panel, on the top menu, click Products and select Secrets Manager.

  2. Open the Certificates tab.

  3. Click Add certificate.

  4. Select Custom certificate.

  5. Enter the certificate name.

  6. Paste the primary certificate for the domain. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  7. Paste the private key. It must begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.

  8. Optional: to add an intermediate certificate, select the Add intermediate certificate checkbox and paste the certificate in the Intermediate certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

    If you need to add multiple intermediate certificates, ensure that all certificates (the primary domain certificate, intermediate certificates, and root certificate) form a complete chain: the Issuer value of the primary certificate must match the Subject value of the first intermediate certificate, the Issuer value of the first intermediate certificate must match the Subject value of the second intermediate certificate, and so on.

    Intermediate certificates can be added to the Intermediate certificate field in any order; it is important to use a complete chain.

  9. Optional: to add a root certificate, select the Add root certificate checkbox and paste the certificate in the Root certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  10. Click Add.

  11. Open the certificate page.

  12. Copy the certificate UUID.
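As an added example (not part of the original instruction or of Secrets Manager), the following script performs the chain check described in steps 8 and 9: starting from the domain certificate, it looks for a certificate in the intermediate/root bundle whose Subject matches the current Issuer, and repeats until it reaches a self-signed root, so any bundle order is accepted. It assumes openssl is installed; the certificates it generates (Example Root CA, Example Intermediate CA, www.example.com) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: verify that a domain certificate plus a
# bundle of intermediate/root certificates forms a complete chain, i.e. the Issuer of
# each certificate matches the Subject of some certificate in the bundle, walking up
# until a self-signed root is reached. Bundle order does not matter. Requires openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject or issuer DN of a PEM certificate, with the "subject="/"issuer=" prefix stripped.
dn() { openssl x509 -in "$2" -noout -"$1" | sed 's/^[a-z]*= *//'; }

# chain_check LEAF.pem BUNDLE.pem: prints the Subject of each chain member from the
# leaf upwards; returns 0 if a self-signed root is reached, 1 if a link is missing.
chain_check() {
  leaf=$1; bundle=$2; dir=$(mktemp -d "$WORK/chain.XXXXXX")
  # Split the bundle into one file per certificate (order in the bundle is irrelevant).
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  cur=$leaf; hops=0
  while :; do
    subj=$(dn subject "$cur"); iss=$(dn issuer "$cur")
    echo "$subj"
    [ "$subj" != "$iss" ] || return 0   # self-signed root reached: chain is complete
    next=
    for c in "$dir"/c*.pem; do
      [ "$(dn subject "$c")" != "$iss" ] || { next=$c; break; }
    done
    [ -n "$next" ] || { echo "missing certificate with Subject: $iss" >&2; return 1; }
    cur=$next; hops=$((hops + 1))
    [ "$hops" -lt 10 ] || { echo "chain too long or cyclic" >&2; return 1; }
  done
}

# Constructed sample chain (throwaway EC keys, 1-day validity) so the script runs offline:
# Example Root CA -> Example Intermediate CA -> www.example.com (placeholder names).
newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
q=/dev/null
openssl req -x509 $newkey -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 1 >$q 2>&1
openssl req $newkey -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >$q 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.pem" -days 1 >$q 2>&1
openssl req $newkey -subj "/CN=www.example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >$q 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" -days 1 >$q 2>&1
# Bundle deliberately lists the root before the intermediate to show that order does not matter.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"

chain_check "$WORK/leaf.pem" "$WORK/bundle.pem"                          # complete chain, exit 0
chain_check "$WORK/leaf.pem" "$WORK/root.pem" || echo "incomplete chain detected"  # intermediate missing
```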

2. Create a load balancer

Use the Create a load balancer subsection in the Create and configure a load balancer in a Managed Kubernetes cluster for Envoy Gateway instruction.

To the Gateway object manifest, in the annotations block, add the annotation:

loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"

Replace <certificate_uuid> with the universally unique identifier (UUID) of the certificate that you copied in the Add or issue a certificate step.

The created load balancer will appear in the Control Panel: in the top menu, click Products and select Cloud Servers → Load Balancers → Load Balancers tab.

3. Change the domain A record

You can speed up the propagation of resource record changes to caching servers. To do this, reduce the record TTL to the minimum possible value a few days before the planned change. Then, change the resource record at the scheduled time, and once the change has propagated to the caching servers, revert to the original TTL value.

  1. In the control panel, on the top menu, click Products and choose DNS Hosting.
  2. In the Domain zones section, open the zone page.
  3. In the menu of the A-record group, select Edit.
  4. Change the IP address to the load balancer address. You can view the load balancer IP address in the Control Panel: in the top menu, click Products and select Cloud Servers → Load Balancers → Load Balancers tab → load balancer card.
  5. Click Save.
  6. Wait for the resource record to update on DNS servers. Update time can take from the record TTL up to 72 hours. You can view the resource record TTL in the Control Panel: in the top menu, click Products and select DNS Hosting → Domain zones → zone page → record row → TTL field.
  7. Optional: check the resource record. If the resource record has not updated after 72 hours, create a ticket.
  8. Verify that requests are arriving only at the load balancer, and that there are no requests from users on the server.