Configuring TLS and mTLS on the ingress gateway

You are currently viewing version 1.11 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This topic explains how to enable one-way TLS and mTLS on the ingressgateway.

Configuring one-way TLS

Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable one-way TLS, you configure the ingress with TLS cert/key pairs or with a KubernetesSecret, as explained in the following options.

Option 1: key/cert pair

Provide SSL cert and key files in thevirtualhosts property in your overrides file:

virtualhosts:- name:$ENVIRONMENT_GROUP_NAME    sslCertPath: "$CERT_FILE"    sslKeyPath: "$KEY_FILE"

Where$ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and$CERT_FILE and$KEY_FILE are TLS key and certificate files. SeeCreate TLS certificates.

Tip: For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.

Option 2: Kubernetes Secret

Create aKubernetes Secret and add it to your overrides file.

  1. Create the Secret in theapigee namespace:
    kubectl create -n apigee secret generic$SECRET_NAME  \  --from-file=key=$KEY_FILE \  --from-file=cert=$CERT_FILE
  2. Configure thevirtualhosts property in your overrides file:
    virtualhosts:- name:$ENVIRONMENT_GROUP_NAME    tlsMode: SIMPLE  # Note: SIMPLE is the default, so it is optional.    sslSecret:$SECRET_NAME

Configuring mTLS

Instead of one-way TLS, you can configuremTLS on the ingress gateway. There are two options for configuring mTLS, as explained below.

Option 1: key/cert pair and CA file

Provide TLS certificate data containing Certificate Authority certificates:

virtualhosts:- name:$ENVIRONMENT_GROUP_NAME    tlsMode: MUTUAL    caCertPath: "$CA_FILE"    sslCertPath: "$CERT_FILE"    sslKeyPath: "$KEY_FILE"

Where$ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases,$CA_FILE specifies TLS certificate data (CA bundle file) containing Certificate Authority certificates, and$CERT_FILE and$KEY_FILE are TLS key and certificate files. SeeCreate TLS certificates.

Option 2: Kubernetes Secrets

Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is for the CA. Then, add them to your overrides file.

  1. Create two Kubernetes secrets theapigee namespace:
    kubectl create -n apigee secret generic$SECRET_NAME  \  --from-file=key=$KEY_FILE \  --from-file=cert=$CERT_FILE
  2. Create a secret for the CA:
    kubectl create -n apigee secret generic$SECRET_NAME-cacert  \  --from-file=cacert=$CA_FILE
  3. Configure thevirtualhosts property in your overrides file:
    virtualhosts:- name:$ENVIRONMENT_GROUP_NAME    tlsMode: MUTUAL  # Note: Be sure to specify MUTUAL    sslSecret:$SECRET_NAME

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-05 UTC.