Additional TLS settings
Configure additional settings for your HTTPS/TLS listener on the Gateway
The following Gateway resource shows how you can set the additional TLS settings for an HTTPS listener.
```yaml
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: https
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - protocol: HTTPS
    port: 443
    name: oneway
    hostname: "oneway.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - name: tls-secret-with-ca
        kind: Secret
      options:
        "gateway.gloo.solo.io/ssl/one-way-tls": "true"
        "gateway.gloo.solo.io/ssl/minimum-tls-version": "TLS_v12"
        "gateway.gloo.solo.io/ssl/maximum-tls-version": "TLS_v13"
        "gateway.gloo.solo.io/ssl/cipher-suites": "ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256"
        "gateway.gloo.solo.io/ssl/verify-subject-alt-name": "example.com,example.org"
    allowedRoutes:
      namespaces:
        from: All
```
| Setting | Description |
|---|---|
| one-way-tls | Instruct Gloo Gateway to ignore the CA certificate in the upstream secret to enable one-way TLS to an upstream service. Note that you can also remove the CA certificate from the secret to enable one-way TLS. For an example, see Upstream TLS. |
| minimum-tls-version | Enforce a minimum TLS version for the Gateway to use. In this example, TLS version 1.2 is used. |
| maximum-tls-version | Enforce a maximum TLS version for the Gateway to use. In this example, TLS version 1.3 is used. |
| cipher-suites | Enter a comma-delimited list of the cipher suites that the Gateway can use during a TLS handshake. The example shows the TLS_v12 and TLS_v13 cipher suites. |
| verify-subject-alt-name | Enter a comma-delimited list of the Subject Alternative Names that must be present in the peer certificate that is presented during the TLS handshake. The example uses example.com and example.org. |
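The options above are free-form strings, so a typo (a stray comma, an unknown version name, a maximum below the minimum) is only caught once the listener is live. The following Python script is an added example, not part of Gloo Gateway or its tooling: it encodes the listener from the manifest above as a dict and lints its `options` against a policy of this example's own choosing (TLS 1.2 floor, maximum not below minimum, ECDHE AEAD cipher suites only, no empty entries in the comma-delimited lists).

```python
OPT = "gateway.gloo.solo.io/ssl/"
TLS_RANK = {"TLS_v10": 0, "TLS_v11": 1, "TLS_v12": 2, "TLS_v13": 3}

# Constructed from the listener in the manifest above, in dict form so the
# example runs without a YAML library; only tls.options is inspected.
LISTENER = {
    "tls": {
        "options": {
            OPT + "one-way-tls": "true",
            OPT + "minimum-tls-version": "TLS_v12",
            OPT + "maximum-tls-version": "TLS_v13",
            OPT + "cipher-suites": "ECDHE-RSA-AES256-GCM-SHA384,"
            "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,"
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            OPT + "verify-subject-alt-name": "example.com,example.org",
        },
    },
}

def split_list(value: str) -> list[str]:
    """Split a comma-delimited option value, keeping empty entries visible."""
    return [item.strip() for item in value.split(",")]

def lint_tls_options(listener: dict) -> list[str]:
    """Return policy findings for one listener; an empty list means it passes."""
    findings: list[str] = []
    opts = listener.get("tls", {}).get("options", {})
    lo = opts.get(OPT + "minimum-tls-version")
    hi = opts.get(OPT + "maximum-tls-version")
    # Version floor: anything below TLS 1.2 is deprecated (this example's policy).
    if lo not in TLS_RANK:
        findings.append(f"minimum-tls-version missing or unknown: {lo!r}")
    elif TLS_RANK[lo] < TLS_RANK["TLS_v12"]:
        findings.append(f"minimum-tls-version {lo} allows deprecated TLS")
    if hi in TLS_RANK and lo in TLS_RANK and TLS_RANK[hi] < TLS_RANK[lo]:
        findings.append(f"maximum-tls-version {hi} is below minimum {lo}")
    # Cipher list: each entry must be an ECDHE (forward-secret) AEAD suite.
    ciphers = opts.get(OPT + "cipher-suites")
    for cipher in (split_list(ciphers) if ciphers is not None else []):
        if not cipher:
            findings.append("cipher-suites has an empty entry (stray comma)")
        elif not cipher.startswith("ECDHE-"):
            findings.append(f"cipher {cipher} lacks forward secrecy (no ECDHE)")
        elif "GCM" not in cipher and "CHACHA20" not in cipher:
            findings.append(f"cipher {cipher} is not an AEAD suite")
    sans = opts.get(OPT + "verify-subject-alt-name")
    for san in (split_list(sans) if sans is not None else []):
        if not san or " " in san:
            findings.append(f"verify-subject-alt-name has a bad entry: {san!r}")
    return findings
```

Run `lint_tls_options` over each HTTPS listener in a Gateway manifest (after loading it with your YAML library of choice) and fail the pipeline when the returned list is non-empty.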