NOTE: Some aspects of this product are in Beta. The hybrid installation options are GA. To join the Beta program, reach out to your Apigee representative.

Configuring TLS and mTLS on the Istio ingress

This topic explains how to enable one-way TLS and mTLS on the Istio ingress.

Configuring one-way TLS

Use one-way TLS to secure API proxy endpoints on the Istio ingress. To enable one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes Secret, as explained in the following options.

Option 1: key/cert pair

Provide SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and $CERT_FILE and $KEY_FILE are the TLS certificate and private key files. See Create TLS certificates.

Option 2: Kubernetes Secret

Create a Kubernetes Secret in the istio-system namespace and add the Secret name to your overrides file:

  1. Create the Secret:
    kubectl create -n istio-system secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE
  2. Configure the virtualhosts property in your overrides file:
    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: SIMPLE  # Note: SIMPLE is the default, so it is optional.
        sslSecret: $SECRET_NAME

Configuring mTLS

Instead of one-way TLS, you can configure mTLS on the Istio ingress. There are two options for configuring mTLS, as explained below.

Option 1: key/cert pair and CA file

Provide a Certificate Authority (CA) certificate with SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    tlsMode: MUTUAL
    caCertPath: "$CA_FILE"
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CA_FILE is the CA certificate file used to verify client certificates, and $CERT_FILE and $KEY_FILE are the TLS certificate and private key files. See Create TLS certificates.

Option 2: Kubernetes Secrets

Create two Kubernetes secrets in the istio-system namespace: one for the SSL cert/key pair and one for the CA. Then add the cert/key secret name to your overrides file; the CA secret is located by its name, which must be the cert/key secret name with the suffix -cacert.
  1. Create a secret for the SSL cert/key pair:
    kubectl create -n istio-system secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE
  2. Create a secret for the CA:
    kubectl create -n istio-system secret generic $SECRET_NAME-cacert  \
    --from-file=cacert=$CA_FILE
  3. Configure the virtualhosts property in your overrides file:
    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: MUTUAL  # Note: Be sure to specify MUTUAL
        sslSecret: $SECRET_NAME
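
The following POSIX shell helper is an added example and is not part of the Apigee documentation. It serves both the one-way TLS and the mTLS secret procedures above: it runs the preflight checks a practitioner wants before creating the secrets (files readable, private key actually matches the certificate, CA file parses and has not expired), creates the secrets with the same kubectl commands as the steps above, including the $SECRET_NAME-cacert secret that the MUTUAL overrides depend on, and, once the ingress is deployed, verifies that mTLS is really enforced. It assumes openssl, kubectl and curl are on PATH. The function names, the separate server-CA parameter passed to curl's --cacert (the CA that issued the ingress certificate is not necessarily the CA that issued client certificates), and the expectation that a MUTUAL ingress rejects a connection carrying no client certificate are assumptions of this example, not statements from the page.

```shell
#!/bin/sh
# Added example (not Apigee's code): preflight checks, secret creation and an
# enforcement check for the Istio ingress TLS/mTLS configuration above.
# Assumes openssl, kubectl and curl are available when the corresponding
# functions are called. Namespace and naming convention follow the page.

INGRESS_NS="istio-system"

# The MUTUAL overrides name only sslSecret; the CA secret is found by this
# suffix convention, so derive it in one place.
ca_secret_name() {
    printf '%s-cacert\n' "$1"
}

# Every argument must be an existing, readable file. Returns 1 on the first miss.
require_files() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf 'missing or unreadable: %s\n' "$f" >&2
            return 1
        fi
    done
    return 0
}

# A key that does not belong to the certificate makes the ingress fail to
# serve TLS at all; catch it before it reaches the cluster by comparing the
# public key embedded in the cert with the one derived from the private key.
# openssl pkey handles both RSA and EC keys.
cert_key_match() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    _key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$_cert_pub" = "$_key_pub" ]
}

# The CA file must parse as a certificate and must not already be expired
# (-checkend 0 fails once notAfter is in the past).
ca_cert_ok() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Create the secrets exactly as the overrides expect: $name for the cert/key
# pair and, when a CA file is given (mTLS), $name-cacert for the client CA.
# Usage: create_ingress_secrets SECRET_NAME KEY_FILE CERT_FILE [CA_FILE]
create_ingress_secrets() {
    name=$1; key=$2; cert=$3; ca=${4:-}
    require_files "$key" "$cert" || return 1
    cert_key_match "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    kubectl create -n "$INGRESS_NS" secret generic "$name" \
        --from-file=key="$key" \
        --from-file=cert="$cert" || return 1
    if [ -n "$ca" ]; then
        require_files "$ca" && ca_cert_ok "$ca" || return 1
        kubectl create -n "$INGRESS_NS" secret generic "$(ca_secret_name "$name")" \
            --from-file=cacert="$ca" || return 1
    fi
}

# After the ingress is deployed with tlsMode MUTUAL: a request without a client
# certificate must be refused and one presenting a certificate issued by the
# configured CA must succeed. Returns 0 only when both observations hold.
# Usage: verify_mtls_enforced HOST SERVER_CA_FILE CLIENT_CERT CLIENT_KEY
verify_mtls_enforced() {
    host=$1; server_ca=$2; client_cert=$3; client_key=$4
    if curl -sS --cacert "$server_ca" -o /dev/null "https://$host/"; then
        echo "ingress accepted a connection without a client certificate" >&2
        return 1
    fi
    curl -sS --cacert "$server_ca" --cert "$client_cert" --key "$client_key" \
        -o /dev/null "https://$host/"
}
```

For one-way TLS call create_ingress_secrets with three arguments; the fourth argument switches on the CA secret and is what the MUTUAL overrides require. Run verify_mtls_enforced only after the overrides have been applied, because before that the ingress serves the old configuration and the "no client certificate" request will succeed, which the function correctly reports as a failure.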