{"id":20816249,"url":"https://github.com/peknur/uks-tls-termination","last_synced_at":"2026-04-21T17:32:27.899Z","repository":{"id":210537750,"uuid":"726807501","full_name":"peknur/uks-tls-termination","owner":"peknur","description":"Serve multiple secured websites using single Kubernetes load balancer service object (UKS).","archived":false,"fork":false,"pushed_at":"2023-12-03T13:33:39.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-18T15:52:08.228Z","etag":null,"topics":["kubernetes","kubernetes-deployment","kubernetes-service","terraform","upcloud","upcloud-terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/peknur.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-03T13:15:31.000Z","updated_at":"2023-12-03T13:31:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"e2d91d48-d19f-42c0-bef4-cd3a127201e1","html_url":"https://github.com/peknur/uks-tls-termination","commit_stats":null,"previous_names":["peknur/uks-tls-termination"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peknur%2Fuks-tls-termination","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peknur%2Fuks-tls-termination/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peknur%2Fuks-tls-termination/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/peknur%2Fuks-tls-termination/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/peknur","download_url":"https://codeload.github.com/peknur/uks-tls-termination/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243164534,"owners_count":20246715,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","kubernetes-deployment","kubernetes-service","terraform","upcloud","upcloud-terraform"],"created_at":"2024-11-17T21:29:18.528Z","updated_at":"2026-04-21T17:32:27.845Z","avatar_url":"https://github.com/peknur.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TLS termination at UKS load balancer using multiple domains (PoC)\n\nThis is a small experiment on how you could serve multiple secured websites using a single Kubernetes load balancer `service` object.\nThe example uses a single dynamic certificate bundle to register multiple TLS domains using SAN, but it can easily be extended to support multiple bundles (manual or dynamic).\nCloudflare is used as the DNS provider, but any Terraform DNS provider can be used the same way.\n\n## Requirements\n- A running UpCloud managed Kubernetes (UKS) cluster\n- A Cloudflare API key that can modify the DNS records of the domain(s) defined in the `app_domains` variable\n- Use `terraform.tfvars.skell` as a template to define variables\n- UpCloud credentials defined as the environment variables `UPCLOUD_USERNAME` and `UPCLOUD_PASSWORD`\n\n## Concept\nTerminating multiple TLS domains at the load balancer in UKS using a dynamic certificate bundle is not totally straightforward, because the domains' DNS records need to point towards the load balancer's DNS name (e.g. using a `CNAME` record), but that name is available only after the load balancer has been created. So we need to create the load balancer service first, use the DNS name of the newly created service to update the domains' DNS records, and only after that apply the new TLS config to the load balancer.\n\n## Resources\n`kubernetes_namespace`  \nCreates the namespace for the application.\n\n`kubernetes_deployment`  \nCreates the deployment that runs pods able to handle multiple domain names (e.g. virtual hosts).\n\n`kubernetes_service`  \nCreates the load balancer service with its initial config. The initial config is applied using special annotations, and further modifications to the annotations are disabled so that autogenerated annotations are not lost.\n\n`kubernetes_annotations`  \nUpdates the load balancer's config to use the certificate bundle once it is available.\n\n`cloudflare_record`  \nUpdates the domain CNAME record to point to the LB's domain name.\n\n`upcloud_loadbalancer_dynamic_certificate_bundle`  \nCreates the dynamic certificate bundle for the hosted domains.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeknur%2Fuks-tls-termination","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpeknur%2Fuks-tls-termination","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeknur%2Fuks-tls-termination/lists"}