Skip to main content

Terminate TLS connections in a Managed Kubernetes cluster for Envoy Gateway

Terminating a TLS connection for a Managed Kubernetes cluster is the process of decrypting HTTPS traffic and redirecting it to Kubernetes pods as HTTP traffic.

TLS connection termination can be used to:

  • protect data transmission between a client and a service in a cluster;
  • control access to services in a cluster and protect against unauthorized access;
  • improve performance;
  • simplify certificate management.

In a Managed Kubernetes cluster, TLS connection termination can be configured on the load balancer. TLS connection termination on the load balancer is available in clusters with Kubernetes version 1.25 and later. You can upgrade the cluster version.

Certificates can be managed via the Certificate Manageradd your custom certificate or issue a Let’s Encrypt® certificate.

  1. Add a custom certificate or issue one in Secrets Manager.
  2. Create a load balancer.
  3. Change the domain A record.

1. Add or issue a certificate

In Certificate Manager, you can upload a certificate issued by a third-party certificate authority or issue a Let’s Encrypt® certificate.

  1. A custom certificate is only valid in the project it was added to. Make sure you are in the correct project. To do this, open the project menu (the name of the current project) and select the project.

  2. In the Control panel, in the top menu, click Products and select Certificate Manager.

  3. In the Certificates section, click Add certificate.

  4. Select Custom certificate.

  5. Enter the certificate name.

  6. Paste the primary certificate for the domain. It must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  7. Paste the private key. It must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.

  8. Optional: to add an intermediate certificate:

    8.1. Select the Add intermediate certificate checkbox.

    8.2. In the Intermediate certificate field, paste the certificate. It must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

    If you need to add several intermediate certificates, ensure that all certificates (the primary domain certificate, intermediate certificates, and the root certificate) form a complete chain. The Issuer value of the primary certificate must match the Subject value of the first intermediate certificate, the Issuer value of the first intermediate certificate — with the Subject value of the second intermediate, and so on.

    You can add intermediate certificates in the Intermediate Certificate field in any order. It is important to use the full chain.

  9. Optional: to add a root certificate:

    9.1. Select the Add root certificate checkbox.

    9.2. In the Root certificate field, paste the certificate. It must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  10. Click Add.

  11. Open the certificate page.

  12. Copy the certificate UUID.

2. Create a load balancer

Use the Create load balancer subsection of the Create and configure a load balancer in a Managed Kubernetes cluster for Envoy Gateway instruction.

In the Gateway object manifest, add the following annotation to the annotations block:

loadbalancer.openstack.org/default-tls-container-ref: "<certificate_uuid>"

Specify <certificate_uuid> — the universal unique identifier (UUID) of the certificate you copied in the Add or issue a certificate instruction.

The created load balancer will appear in the Control panel: in the top menu, click Products and select Cloud servers → section Load Balancers → tab Load Balancers.

3. Change the A record for the domain

You can speed up the propagation of changes in a resource record to caching servers. To do this, a few days before the planned change, reduce the record TTL to the minimum possible value. Then, at the scheduled time, change the resource record, and once the change has propagated to the caching servers, revert the TTL to its previous value.

  1. In the Control panel, on the top menu, click Products and select DNS hosting.
  2. In the Domain zones section, open the zone page.
  3. In the menu of the A record group, select Edit.
  4. Change the IP address to the load balancer IP address. The load balancer IP address can be found in the Control panel: in the top menu, click Products and select Cloud ServersLoad BalancersLoad Balancers tab → load balancer card.
  5. Click Save.
  6. Wait for the resource record to update on the DNS servers. The update may take from the record group TTL to 72 hours. You can find the record group TTL in the Control panel: in the top menu, click ProductsDNS HostingDomain Zones → zone page → record row → TTL.
  7. Optional: check the resource record. If the resource record has not updated after 72 hours, create a ticket.
  8. Verify that requests are only reaching the load balancer and that there are no requests from users on the server.