TLS Termination / Passthrough
The Gateway API supports both TLS termination and TLS passthrough. TLS handling is configured via a combination of a Gateway's listeners.tls.mode and the attached route type:
Passthrough mode listeners inspect the TLS stream hostname via server name indication and pass the TLS stream unaltered upstream. These listeners do not use certificate configuration. They only accept
Terminate mode listeners decrypt the TLS stream and inspect the request it wraps before passing it upstream. They require a certificate Secret reference in the listeners.tls.certificateRefs field. They accept
To terminate TLS, create a Gateway with a listener with .tls.mode: "Terminate", create a TLS Secret and add it to the listener .tls.certificateRefs array, and then create one of the supported route types with matching criteria that will bind it to the listener.
GRPCRoute, the route's hostname must match the listener hostname. For TCPRoute, the route's port must match the listener
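The following manifests are an added example, not part of the original documentation, showing the Terminate and Passthrough modes described above side by side. The Secret, Gateway, route and Service names, the gatewayClassName value, the hostnames and the ports are all assumptions chosen for illustration; the certificate and key values are placeholders to be replaced with base64-encoded PEM data.

```yaml
# Added example (not from the original page). All names, hostnames,
# ports and the gatewayClassName are assumptions for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: example-tls           # assumed name, referenced by the Terminate listener below
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate>   # placeholder
  tls.key: <base64-encoded PEM private key>   # placeholder
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway        # assumed name
  namespace: default
spec:
  gatewayClassName: kong       # assumption: the GatewayClass installed in the cluster
  listeners:
  # Terminate: the gateway decrypts traffic, so it needs the certificate Secret
  # and can inspect the wrapped request (HTTP routing, request/response plugins).
  - name: https-terminate
    protocol: HTTPS
    port: 443
    hostname: app.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: example-tls      # same namespace as the Gateway; cross-namespace refs need a ReferenceGrant
  # Passthrough: the gateway only reads the SNI hostname and forwards the
  # encrypted stream unchanged; no certificateRefs are configured here and the
  # upstream must present its own certificate.
  - name: tls-passthrough
    protocol: TLS
    port: 8443
    hostname: passthrough.example.com
    tls:
      mode: Passthrough
---
# Route for the Terminate listener: the route hostname must match the
# listener hostname so that it binds to that listener.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route              # assumed name
  namespace: default
spec:
  parentRefs:
  - name: example-gateway
    sectionName: https-terminate
  hostnames:
  - app.example.com
  rules:
  - backendRefs:
    - name: app-svc            # assumed Service name
      port: 80
---
# Route for the Passthrough listener: a TLSRoute, matched on SNI hostname.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: passthrough-route      # assumed name
  namespace: default
spec:
  parentRefs:
  - name: example-gateway
    sectionName: tls-passthrough
  hostnames:
  - passthrough.example.com
  rules:
  - backendRefs:
    - name: tls-backend-svc    # assumed Service; it terminates TLS itself
      port: 8443
```

When reviewing such a configuration, the mode decides where plaintext exists: with Terminate the gateway holds the private key and sees decrypted requests, so the Secret's RBAC and the gateway's own hardening matter; with Passthrough the gateway cannot inspect or filter the payload, so any request-level controls have to live on the upstream. A listener whose hostname does not match any attached route simply binds no routes, so a hostname typo shows up as an unbound listener rather than an error.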
The Ingress API supports TLS termination using the .spec.tls field. To terminate TLS with the Ingress API, provide .spec.tls.secretName that contains a TLS certificate and a list of .spec.tls.hosts to match in your Ingress definition.
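As an added example (not from the original page), the same termination expressed with the Ingress API. The Ingress, Secret and Service names, the ingressClassName and the hostname are assumptions; the Secret is assumed to already exist in the same namespace as the Ingress, of type kubernetes.io/tls.

```yaml
# Added example (not from the original page). Names, hostname and
# ingressClassName are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress            # assumed name
  namespace: default
spec:
  ingressClassName: kong       # assumption: the IngressClass installed in the cluster
  tls:
  # .spec.tls.secretName: a kubernetes.io/tls Secret (tls.crt / tls.key)
  # assumed to exist in this namespace.
  # .spec.tls.hosts: the hostnames this certificate is served for; keep it
  # aligned with the rules[].host entries below.
  - secretName: example-tls
    hosts:
    - app.example.com
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-svc      # assumed Service name
            port:
              number: 80
```

A host that appears under rules but not under tls.hosts will still be routed, just without a certificate chosen for it, so a quick check is that every host you expect to be served over HTTPS is listed in tls.hosts and covered by the referenced certificate's SAN entries.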