For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Client TLS (mTLS)
Mutual TLS (mTLS) allows the gateway to verify the identity of the client via a certificate. NGINX uses annotations like auth-tls-verify-client, whereas Gateway API handles this through frontendValidation on a Gateway listener.
tls.frontendValidation was added to Gateway API v1.3 and is still under the experimental channel in some builds. Make sure your cluster has the experimental Gateway API CRDs installed (experimental-install.yaml) before applying the manifest below.Before: Ingress with Client Verification
An NGINX Ingress requiring a client certificate verified against a specific CA:
cat <<'EOF' > mtls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mtls-demo
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
spec:
ingressClassName: nginx
rules:
- host: secure.example.com
http:
paths:
- backend:
service:
name: secret-svc
port:
number: 8443
path: /
EOFConvert
ingress2gateway print --providers=ingress-nginx --emitter=kgateway \
--input-file mtls-ingress.yaml > mtls-kgateway.yamlAfter: Gateway Listener with Frontend Validation
In Gateway API, mTLS is configured on the Gateway resource’s listener using frontendValidation.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway-mtls
spec:
gatewayClassName: kgateway
listeners:
- name: https
hostname: secure.example.com
port: 443
protocol: HTTPS
tls:
mode: Terminate
certificateRefs:
- name: server-cert
frontendValidation:
caCertificateRefs:
- name: client-ca
kind: SecretApply and verify
kubectl apply -f mtls-kgateway.yaml
kubectl get gateways
Was this page helpful?