/

Console

• English
• Deutsch
• Español
• Español – América Latina
• Français
• Indonesia
• Italiano
• Português
• Português – Brasil
• עברית
• 中文 – 简体
• 中文 – 繁體
• 日本語
• 한국어

Sign in

• Apigee

Start free

Configuring TLS and mTLS on the Istio ingress

   Supported versions:

• v1.16 (latest)                        
• v1.15                         
• v1.14                        
• List of supported versions

   Unsupported versions:

• v1.13                         
• v1.12                         
• v1.11                         
• v1.10                                      
• v1.9                                         
• v1.8                                         
• v1.7                                         
• v1.6                                         
• v1.5                                         
• v1.4                                         
• v1.3                                         
• v1.2                                         
• v1.1                                         

This topic explains how to enable on-way TLS and mTLS on the Istio ingress.

Configuring one-way TLS

Use one-way TLS to secure API proxy endpoints on the Istio ingress. To enable one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes Secret, as explained in the following options.

Option 1: key/cert pair

Provide SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and $CERT_FILE and $KEY_FILE are TLS key and certificate files. See Create TLS certificates.

Option 2: Kubernetes Secret

Create a Kubernetes Secret in the istio-system namespace and add the Secret name to your overrides file:

1. Create the Secret:

   kubectl create -n istio-system secret generic $SECRET_NAME  \
   --from-file=key=$KEY_FILE \
   --from-file=cert=$CERT_FILE

2. Configure the virtualhosts property in your overrides file:

   virtualhosts:
     - name: $ENVIRONMENT_GROUP_NAME
       tlsMode: SIMPLE  # Note: SIMPLE is the default, so it is optional.
       sslSecret: $SECRET_NAME

Configuring mTLS

Instead of one-way TLS, you can configure mTLS on the Istio ingress. There are two options for configuring mTLS, as explained below.

Option 1: key/cert pair and CA file

Provide a Certificate Authority (CA) certificate with SSL cert and key files in the virtualhosts property in your overrides file:

virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    tlsMode: MUTUAL
    caCertPath: "$CA_FILE"
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CA_FILE is an authorized certificate, and $CERT_FILE and $KEY_FILE are TLS key and certificate files. See Create TLS certificates.

Option 2: Kubernetes Secrets

1. Create two Kubernetes secrets in the istio-system namespace. The first secret is for the CA and the second is for the SSL cert/key pair:

   kubectl create -n istio-system secret generic $SECRET_NAME  \
   --from-file=key=$KEY_FILE \
   --from-file=cert=$CERT_FILE

2. Create a secret for the CA:

   kubectl create -n istio-system secret generic $SECRET_NAME-cacert  \
   --from-file=cacert=$CA_FILE

3. Configure the virtualhosts property in your overrides file:

   virtualhosts:
     - name: $ENVIRONMENT_GROUP_NAME
       tlsMode: MUTUAL  # Note: Be sure to specify MUTUAL
       sslSecret: $SECRET_NAME