Configuring TLS and mTLS on the Istio ingress
This topic explains how to enable one-way TLS and mTLS on the Istio ingress.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the Istio ingress. To enable one-way TLS, you configure the ingress either with a TLS cert/key pair or with a Kubernetes Secret, as explained in the following options.
Option 1: key/cert pair
Provide the SSL cert and key files in the virtualhosts property in your overrides file:

  virtualhosts:
    - name: $ENVIRONMENT_GROUP_NAME
      sslCertPath: "$CERT_FILE"
      sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and $CERT_FILE and $KEY_FILE are the TLS certificate and key files, respectively. See Create TLS certificates.
Option 2: Kubernetes Secret
Create a Kubernetes Secret in the istio-system namespace and add the Secret name to your overrides file:
- Create the Secret:

  kubectl create -n istio-system secret generic $SECRET_NAME \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE

- Configure the virtualhosts property in your overrides file:

  virtualhosts:
    - name: $ENVIRONMENT_GROUP_NAME
      tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.
      sslSecret: $SECRET_NAME
Configuring mTLS
Instead of one-way TLS, you can configure mTLS on the Istio ingress. There are two options for configuring mTLS, as explained below.
Option 1: key/cert pair and CA file
Provide a Certificate Authority (CA) certificate together with the SSL cert and key files in the virtualhosts property in your overrides file:

  virtualhosts:
    - name: $ENVIRONMENT_GROUP_NAME
      tlsMode: MUTUAL
      caCertPath: "$CA_FILE"
      sslCertPath: "$CERT_FILE"
      sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CA_FILE is the CA certificate, and $CERT_FILE and $KEY_FILE are the TLS certificate and key files, respectively. See Create TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets in the istio-system namespace. The first Secret is for the SSL cert/key pair and the second is for the CA. Then add them to your overrides file.
- Create a Secret for the SSL cert/key pair:

  kubectl create -n istio-system secret generic $SECRET_NAME \
    --from-file=key=$KEY_FILE \
    --from-file=cert=$CERT_FILE

- Create a Secret for the CA. Its name must be the cert/key Secret name followed by -cacert; the ingress pairs the CA Secret with the Secret given in sslSecret by that suffix:

  kubectl create -n istio-system secret generic $SECRET_NAME-cacert \
    --from-file=cacert=$CA_FILE

- Configure the virtualhosts property in your overrides file:

  virtualhosts:
    - name: $ENVIRONMENT_GROUP_NAME
      tlsMode: MUTUAL # Note: Be sure to specify MUTUAL; without it the default SIMPLE (one-way TLS) applies.
      sslSecret: $SECRET_NAME
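As a pre-deployment check of the rules in both sections above, here is a small Python validator for one virtualhosts entry. It is an added example, not Apigee's or Istio's own tooling; it assumes the entry has already been parsed from the overrides file into a dict, that the istio-system Secret names and their data keys have been collected into a second dict, and the group and Secret names in the sample inputs are constructed.

```python
"""Pre-flight check for an Apigee hybrid virtualhosts entry (constructed example).

Rules encoded from the page: SIMPLE (the default) needs either sslCertPath and
sslKeyPath or an sslSecret holding 'cert' and 'key'; MUTUAL additionally needs a
CA, either caCertPath or a companion Secret named '<sslSecret>-cacert' holding 'cacert'.
"""


def check_virtualhost(vh: dict, secrets: dict) -> list:
    """Return a list of problems for one virtualhosts entry (empty list = OK).

    vh      : one item of the virtualhosts list, as a dict (assumed already parsed)
    secrets : {secret_name: set_of_data_keys} for Secrets in istio-system (assumed)
    """
    problems = []
    mode = vh.get("tlsMode", "SIMPLE")  # SIMPLE is the documented default
    if mode not in ("SIMPLE", "MUTUAL"):
        return [f"unknown tlsMode {mode!r}"]
    secret = vh.get("sslSecret")
    if secret:
        keys = secrets.get(secret)
        if keys is None:
            problems.append(f"Secret {secret!r} not found in istio-system")
        elif not {"cert", "key"} <= keys:
            problems.append(f"Secret {secret!r} must contain 'cert' and 'key'")
        if mode == "MUTUAL":
            ca = f"{secret}-cacert"
            if "cacert" not in secrets.get(ca, set()):
                problems.append(f"Secret {ca!r} with a 'cacert' entry is required")
    else:
        for field in ("sslCertPath", "sslKeyPath"):
            if not vh.get(field):
                problems.append(f"{field} is required")
        if mode == "MUTUAL" and not vh.get("caCertPath"):
            problems.append("caCertPath is required for tlsMode MUTUAL")
    # The easy mistake the page warns about: a CA is provided but tlsMode was
    # left at SIMPLE, so the ingress never asks clients for a certificate.
    if mode == "SIMPLE" and (vh.get("caCertPath") or f"{secret}-cacert" in secrets):
        problems.append("CA provided but tlsMode is SIMPLE: clients are not asked for a certificate")
    return problems


# Constructed inputs: what the istio-system Secrets might look like after the kubectl steps.
SECRETS = {"my-env-secret": {"cert", "key"}, "my-env-secret-cacert": {"cacert"}}
OK_MTLS = {"name": "my-env-group", "tlsMode": "MUTUAL", "sslSecret": "my-env-secret"}
FORGOT_MUTUAL = {"name": "my-env-group", "sslSecret": "my-env-secret"}  # silently one-way TLS

if __name__ == "__main__":
    print("OK_MTLS:", check_virtualhost(OK_MTLS, SECRETS))
    print("FORGOT_MUTUAL:", check_virtualhost(FORGOT_MUTUAL, SECRETS))
```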
Last updated 2026-02-05 UTC.