Skip to content

For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

Page as Markdown 

    

  
  


          
Backend TLS

          
When your backend requires TLS (re-encryption), NGINX’s proxy-ssl-* annotations translate to a kgateway BackendConfigPolicy with TLS settings.


Before: Ingress with backend TLS
    



cat <<'EOF' > backend-tls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-tls-demo
  annotations:
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-tls-secret"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "internal-api.example.com"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - backend:
          service:
            name: secure-api
            port:
              number: 443
        path: /api
        pathType: Prefix
EOF

  





Convert
    



ingress2gateway print --providers=ingress-nginx --emitter=kgateway \
  --input-file backend-tls-ingress.yaml > backend-tls-kgateway.yaml

  





After: BackendConfigPolicy with TLS
    



cat backend-tls-kgateway.yaml

  








apiVersion: gateway.kgateway.dev/v1alpha1
kind: BackendConfigPolicy
metadata:
  name: secure-api-backend-config
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: secure-api
  tls:
    secretRef:
      name: backend-tls-secret
      namespace: default
    sni: internal-api.example.com
    insecureSkipVerify: false

  





The insecureSkipVerify: false means certificate verification is enabled (matching proxy-ssl-verify: "on").


Apply
    



kubectl apply -f backend-tls-kgateway.yaml

  





        

        

        
Canary Deployments

        

  

    Was this page helpful?