The following Gateway resource shows how you can set the additional TLS settings for an HTTPS listener.

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: https
spec:
  gatewayClassName: gloo-gateway
  listeners:
    - protocol: HTTPS
      port: 443
      name: oneway
      hostname: "oneway.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: tls-secret-with-ca
            kind: Secret
        options:
          "gateway.gloo.solo.io/ssl/one-way-tls": "true"
          "gateway.gloo.solo.io/ssl/minimum-tls-version": "TLSv1_2"
          "gateway.gloo.solo.io/ssl/maximum-tls-version": "TLSv1_3"
          "gateway.gloo.solo.io/ssl/cipher-suites": "ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256"
          "gateway.gloo.solo.io/ssl/verify-subject-alt-name": "example.com,example.org"
          "gateway.gloo.solo.io/ssl/ecdh-curves": "X25519MLKEM768,X25519,P-256"
      allowedRoutes:
        namespaces:
          from: All

| Setting | Description |
| --- | --- |
| one-way-tls | Instruct Gloo Gateway to ignore the CA certificate in the upstream secret to enable one-way TLS to an upstream service. Note that you can also remove the CA certificate from the secret to enable one-way TLS. For an example, see Upstream TLS. |
| minimum-tls-version | Enforce a minimum TLS version for the Gateway to use. In this example, TLS version 1.2 is used. |
| maximum-tls-version | Enforce a maximum TLS version for the Gateway to use. In this example, TLS version 1.3 is used. |
| cipher-suites | Enter a comma-delimited list of the cipher suites that the Gateway can use during a TLS handshake. The example shows the TLSv1_2 and TLSv1_3 cipher suites. |
| verify-subject-alt-name | Enter a comma-delimited list of the Subject Alternative Names that must be present in the peer certificate presented during the TLS handshake. The example uses example.com and example.org. |
| ecdh-curves | Enter a comma-delimited list of key exchange protocols. If unset, the Envoy defaults of X25519 and P-256 are used. When adding a new protocol to this list, make sure the list stays backwards compatible for clients that do not support the new protocol. This example adds the post-quantum safe key exchange protocol X25519MLKEM768, but falls back to the classic X25519 or P-256 protocols if the client does not support it. If you want to allow only the post-quantum safe protocol, remove the classic protocols and specify X25519MLKEM768 only. |
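As an added review check (example code, not part of Gloo Gateway or of this page), the following Python script reads a Gateway object as a plain dict and flags the listener option values a reviewer would send back: a minimum-tls-version below 1.2, a maximum below the minimum, cipher suites outside an ECDHE-plus-AEAD allowlist, and an ecdh-curves list that carries a post-quantum hybrid with no classic fallback behind it (the compatibility caveat from the table). Both manifests embedded below are constructed for the example; the first mirrors the page's listener. The allowlist of suites, the classic-curve set and the "legacy" listener values are assumptions, and the option keys are read exactly as the table names them under the gateway.gloo.solo.io/ssl/ prefix.

```python
"""Audit the ssl/* options on Gateway HTTPS listeners (added example, not Gloo's code)."""

OPTION_PREFIX = "gateway.gloo.solo.io/ssl/"

# Suites accepted for a TLS 1.2 listener: ECDHE key exchange (forward secrecy)
# with an AEAD bulk cipher. This allowlist is an assumption for the example;
# replace it with your own policy.
STRONG_SUITES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
}

# Curves that every modern client offers. A post-quantum hybrid on its own
# locks out clients that do not yet support it, so we require one of these
# to remain in the list alongside any hybrid group.
CLASSIC_CURVES = {"X25519", "P-256", "P-384", "P-521"}


def parse_tls_version(value):
    """Turn 'TLSv1_2' into the comparable tuple (1, 2)."""
    if not value.startswith("TLSv"):
        raise ValueError(f"unrecognised TLS version {value!r}")
    major, minor = value[len("TLSv"):].split("_")
    return int(major), int(minor)


def split_list(value):
    """Split a comma-delimited option value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_listener(listener):
    """Return a list of findings for one listener; an empty list means it passes."""
    findings = []
    if listener.get("protocol") != "HTTPS":
        return findings  # only TLS-terminating listeners carry these options
    opts = listener.get("tls", {}).get("options", {})

    min_v = opts.get(OPTION_PREFIX + "minimum-tls-version")
    max_v = opts.get(OPTION_PREFIX + "maximum-tls-version")
    if min_v is None:
        findings.append("no minimum-tls-version set; the Envoy default applies")
    else:
        floor = parse_tls_version(min_v)
        if floor < (1, 2):
            findings.append(f"minimum-tls-version {min_v} permits deprecated TLS 1.0/1.1")
        if max_v is not None and parse_tls_version(max_v) < floor:
            findings.append(f"maximum-tls-version {max_v} is below minimum {min_v}")

    suites = split_list(opts.get(OPTION_PREFIX + "cipher-suites", ""))
    weak = [s for s in suites if s not in STRONG_SUITES]
    if weak:
        findings.append("cipher-suites includes non-allowlisted suites: " + ", ".join(weak))

    curves = split_list(opts.get(OPTION_PREFIX + "ecdh-curves", ""))
    if curves and not (set(curves) & CLASSIC_CURVES):
        findings.append(
            "ecdh-curves has no classic fallback; clients without support for "
            + ", ".join(curves) + " cannot connect"
        )
    return findings


def audit_gateway(gateway):
    """Map each listener name to its findings."""
    return {
        lst.get("name", "<unnamed>"): audit_listener(lst)
        for lst in gateway.get("spec", {}).get("listeners", [])
    }


def _listener(name, **options):
    # Helper to build a constructed HTTPS listener with the given ssl/* options.
    return {
        "protocol": "HTTPS", "port": 443, "name": name,
        "tls": {"mode": "Terminate",
                "options": {OPTION_PREFIX + k: v for k, v in options.items()}},
    }


# Constructed: mirrors the listener shown on the page.
PAGE_GATEWAY = {"spec": {"listeners": [_listener(
    "oneway",
    **{"one-way-tls": "true",
       "minimum-tls-version": "TLSv1_2",
       "maximum-tls-version": "TLSv1_3",
       "cipher-suites": "ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,"
                        "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256",
       "verify-subject-alt-name": "example.com,example.org",
       "ecdh-curves": "X25519MLKEM768,X25519,P-256"})]}}

# Constructed: a listener with the weaknesses the checks are meant to catch.
WEAK_GATEWAY = {"spec": {"listeners": [_listener(
    "legacy",
    **{"minimum-tls-version": "TLSv1_0",
       "maximum-tls-version": "TLSv1_3",
       "cipher-suites": "AES128-SHA,ECDHE-RSA-AES128-GCM-SHA256",
       "ecdh-curves": "X25519MLKEM768"})]}}


if __name__ == "__main__":
    for label, gw in (("page example", PAGE_GATEWAY), ("weak example", WEAK_GATEWAY)):
        for name, findings in audit_gateway(gw).items():
            print(f"[{label}] listener {name}: {'OK' if not findings else ''}")
            for f in findings:
                print("  -", f)
```

The checker works on the decoded object rather than on YAML text, so it can be fed the output of kubectl get gateway -o json after json.loads, or dropped into an admission or CI step that already holds the object. The ecdh-curves rule encodes the table's advice directly: a hybrid such as X25519MLKEM768 is fine to list first, but the list must keep a classic group unless you have decided to refuse clients without post-quantum support.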