Configuring TLS and mTLS on the ingress gateway

This topic explains how to enable one-way TLS and mTLS on the ingressgateway .

Configuring one-way TLS

Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes Secret, as explained in the following options.

Option 1: key/cert pair

Provide SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and $CERT_FILE and $KEY_FILE are TLS key and certificate files. See Create TLS certificates.

Option 2: Kubernetes Secret

Create a Kubernetes Secret and add it to your overrides file.

  1. Create the Secret in one of the two following namespaces:
    • apigee namespace if you are using Apigee ingress gateway.
    • istio-system namespace if you are using customer-installed Anthos Service Mesh.

    Apigee ingress gateway

    kubectl create -n apigee secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE

    Anthos Service Mesh

    kubectl create -n istio-system secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE
  2. Configure the virtualhosts property in your overrides file:
    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: SIMPLE  # Note: SIMPLE is the default, so it is optional.
        sslSecret: $SECRET_NAME

Configuring mTLS

Instead of one-way TLS, you can configure mTLS on the ingress gateway. There are two options for configuring mTLS, as explained below.

Option 1: key/cert pair and CA file

Provide a Certificate Authority (CA) certificate with SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    tlsMode: MUTUAL
    caCertPath: "$CA_FILE"
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CA_FILE is an authorized certificate, and $CERT_FILE and $KEY_FILE are TLS key and certificate files. See Create TLS certificates.

Option 2: Kubernetes Secrets

Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is for the CA. Then, add them to your overrides file.

  1. Create two Kubernetes secrets in one ofthe two following namespaces:
    • apigee namespace if you are using Apigee ingress gateway.
    • istio-system namespace if you are using customer-installed Anthos Service Mesh.

    Apigee ingress gateway

    kubectl create -n apigee secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE

    Anthos Service Mesh

    kubectl create -n istio-system secret generic $SECRET_NAME  \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE
  2. Create a secret for the CA:

    Apigee ingress gateway

    kubectl create -n apigee secret generic $SECRET_NAME-cacert  \
    --from-file=cacert=$CA_FILE

    Anthos Service Mesh

    kubectl create -n istio-system secret generic $SECRET_NAME-cacert  \
    --from-file=cacert=$CA_FILE
  3. Configure the virtualhosts property in your overrides file:
    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: MUTUAL  # Note: Be sure to specify MUTUAL
        sslSecret: $SECRET_NAME