# Configuring TLS and mTLS on the Istio ingress

> You are currently viewing version 1.7 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).

This topic explains how to enable one-way TLS and mTLS on the Istio ingress.

Configuring one-way TLS
-----------------------

Use one-way TLS to secure API proxy endpoints on the Istio ingress. To enable one-way TLS, you configure the ingress either with a TLS cert/key pair or with a Kubernetes Secret, as explained in the following options.

### Option 1: key/cert pair

Provide the SSL cert and key files in the `virtualhosts` property in your overrides file:

```yaml
virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"
```

Where `$ENVIRONMENT_GROUP_NAME` is the name of an environment group with corresponding host aliases, and `$CERT_FILE` and `$KEY_FILE` are the TLS certificate and key files. See [Create TLS certificates](/apigee/docs/hybrid/v1.7/install-create-tls-certificates).

### Option 2: Kubernetes Secret

Create a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) in the `istio-system` namespace and add the Secret name to your overrides file:

1. Create the Secret:

   ```shell
   kubectl create -n istio-system secret generic $SECRET_NAME \
     --from-file=key=$KEY_FILE \
     --from-file=cert=$CERT_FILE
   ```

2. Configure the `virtualhosts` property in your overrides file:

   ```yaml
   virtualhosts:
     - name: $ENVIRONMENT_GROUP_NAME
       tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.
       sslSecret: $SECRET_NAME
   ```

Configuring mTLS
----------------

Instead of one-way TLS, you can configure [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) on the Istio ingress. There are two options for configuring mTLS, as explained below.

### Option 1: key/cert pair and CA file

Provide a Certificate Authority (CA) certificate together with the SSL cert and key files in the `virtualhosts` property in your overrides file:

```yaml
virtualhosts:
  - name: $ENVIRONMENT_GROUP_NAME
    tlsMode: MUTUAL
    caCertPath: "$CA_FILE"
    sslCertPath: "$CERT_FILE"
    sslKeyPath: "$KEY_FILE"
```

Where `$ENVIRONMENT_GROUP_NAME` is the name of an environment group with corresponding host aliases, `$CA_FILE` is the CA certificate used to verify client certificates, and `$CERT_FILE` and `$KEY_FILE` are the TLS certificate and key files. See [Create TLS certificates](/apigee/docs/hybrid/v1.7/install-create-tls-certificates).

### Option 2: Kubernetes Secrets

Create two Kubernetes Secrets in the `istio-system` namespace. The first Secret holds the SSL cert/key pair and the second holds the CA certificate. Then add them to your overrides file.

1. Create a Secret for the SSL cert/key pair in the `istio-system` namespace:

   ```shell
   kubectl create -n istio-system secret generic $SECRET_NAME \
     --from-file=key=$KEY_FILE \
     --from-file=cert=$CERT_FILE
   ```

2. Create a Secret for the CA. Its name must be the cert/key Secret name with the suffix `-cacert`:

   ```shell
   kubectl create -n istio-system secret generic $SECRET_NAME-cacert \
     --from-file=cacert=$CA_FILE
   ```

3. Configure the `virtualhosts` property in your overrides file:

   ```yaml
   virtualhosts:
     - name: $ENVIRONMENT_GROUP_NAME
       tlsMode: MUTUAL # Note: Be sure to specify MUTUAL; SIMPLE is the default.
       sslSecret: $SECRET_NAME
   ```

Last updated 2025-08-29 UTC.
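The options above share one failure mode worth catching before `apigeectl` ever sees the overrides file: `tlsMode` defaults to `SIMPLE`, so a virtual host that carries a `caCertPath` or a CA Secret but omits `tlsMode: MUTUAL` silently ends up with one-way TLS and never asks clients for a certificate. The following pre-deployment check is an added example and is not part of the Apigee hybrid documentation or product. It assumes only the `virtualhosts` shape shown on this page (`name`, optional `tlsMode`, and either `sslCertPath`/`sslKeyPath`/`caCertPath` or `sslSecret`); the parser handles that fragment, not general YAML, and the sample fragments and file paths are constructed. The `file_exists` and `key_matches` hooks are hypothetical injection points so the check can run against constructed paths as well as a real filesystem.

```python
"""Pre-deployment consistency check for virtualhosts TLS settings.

Added example, not Apigee code. Handles only the virtualhosts fragment
shape shown on the page; sample inputs below are constructed.
"""
from __future__ import annotations

import os
import ssl
from typing import Callable

# Constructed sample overrides fragments (not from a real deployment).
SAMPLE_MTLS_FILES = """\
virtualhosts:
  - name: prod-group
    tlsMode: MUTUAL
    caCertPath: "/certs/ca.crt"
    sslCertPath: "/certs/prod.crt"
    sslKeyPath: "/certs/prod.key"
"""

SAMPLE_CA_WITHOUT_MUTUAL = """\
virtualhosts:
  - name: prod-group
    caCertPath: "/certs/ca.crt"     # tlsMode omitted, so SIMPLE applies
    sslCertPath: "/certs/prod.crt"
    sslKeyPath: "/certs/prod.key"
"""

SAMPLE_SECRET_MTLS = """\
virtualhosts:
  - name: prod-group
    tlsMode: MUTUAL
    sslSecret: prod-group-tls
"""

# Constructed stand-in for the files the samples point at.
FAKE_FILES = {"/certs/ca.crt", "/certs/prod.crt", "/certs/prod.key"}


def parse_virtualhosts(text: str) -> list[dict[str, str]]:
    """Minimal parser for the page's fragment: `virtualhosts:` followed by
    `- key: value` items with indented `key: value` continuation lines.
    Trailing `#` comments and surrounding quotes are stripped."""
    entries: list[dict[str, str]] = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.strip() == "virtualhosts:":
            in_list = True
            continue
        if not in_list:
            continue
        if not line.startswith((" ", "-")):   # next top-level key ends the list
            in_list = False
            continue
        item = line.strip()
        if item.startswith("- ") or not entries:
            entries.append({})
            item = item[2:].strip() if item.startswith("- ") else item
        key, _, value = item.partition(":")
        entries[-1][key.strip()] = value.strip().strip("\"'")
    return entries


def cert_matches_key(cert_path: str, key_path: str) -> bool:
    """True if the PEM certificate and private key belong together.
    load_cert_chain raises ssl.SSLError on a key/cert mismatch, which is
    the most common mistake made when assembling the Secret."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError:
        return False
    return True


def check_virtualhost(vh: dict[str, str],
                      file_exists: Callable[[str], bool] = os.path.isfile,
                      key_matches: Callable[[str, str], bool] = cert_matches_key,
                      ) -> list[str]:
    """Return findings prefixed with error:, warning: or check:."""
    out: list[str] = []
    name = vh.get("name", "<unnamed>")
    mode = vh.get("tlsMode", "SIMPLE")   # the page states SIMPLE is the default
    if mode not in ("SIMPLE", "MUTUAL"):
        return [f"error: {name}: unknown tlsMode {mode!r} (expected SIMPLE or MUTUAL)"]
    if "caCertPath" in vh and mode == "SIMPLE":
        out.append(f"warning: {name}: caCertPath is set but tlsMode is SIMPLE (the default); "
                   "client certificates are not required until tlsMode is MUTUAL")
    if "sslSecret" in vh:
        for key in ("sslCertPath", "sslKeyPath", "caCertPath"):
            if key in vh:
                out.append(f"warning: {name}: both sslSecret and {key} are set; use one method")
        if mode == "MUTUAL":
            out.append(f"check: {name}: mTLS via Secrets needs a second Secret named "
                       f"{vh['sslSecret']}-cacert in istio-system")
        return out
    missing = [k for k in ("sslCertPath", "sslKeyPath") if k not in vh]
    if mode == "MUTUAL" and "caCertPath" not in vh:
        missing.append("caCertPath")
    out.extend(f"error: {name}: {k} is required for tlsMode {mode}" for k in missing)
    if missing:
        return out
    for key in ("sslCertPath", "sslKeyPath", "caCertPath"):
        path = vh.get(key)
        if path is not None and not file_exists(path):
            out.append(f"error: {name}: {key} {path!r} does not exist")
    if not has_errors(out) and not key_matches(vh["sslCertPath"], vh["sslKeyPath"]):
        out.append(f"error: {name}: sslKeyPath does not match sslCertPath")
    return out


def has_errors(findings: list[str]) -> bool:
    return any(f.startswith("error:") for f in findings)
```

Run it over a real overrides file with the default hooks and treat any `error:` finding as a blocker and any `warning:` as something to resolve deliberately; the `check:` line for the Secret-based mTLS case is the reminder to confirm that `$SECRET_NAME-cacert` actually exists in `istio-system`, which a file-based check cannot verify on its own.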