Implement per-hostname client certificate validation (mTLS) #5391
-
|
Question: Is there a way to enable mTLS on only one specific service in a single Gateway without impacting others? Current config:
tls: Problem: When we enable mTLS on the Gateway, ALL services get prompted for client certs, not just the one that needs it (even with different ports). Constraint: Single Gateway (avoid multiple LoadBalancers) any solution ? Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Just to confirm, are you looking to enable mTLS for incoming connections into the Gateway (frontend), or for outgoing connections from the Gateway to a specific backend service? Based on your config, it looks like frontend mTLS. A few things to note: Frontend mTLS (client → Gateway): This is inherently Gateway-wide. There's no native way to require client certificates only for certain routes on a single Gateway listener. Here are two guides that may help depending on your use case: Frontend mTLS — Gateway-level client validation If frontend mTLS scoped to a single route is the actual requirement, that's worth filing as a feature request it's not something the current Gateway API spec supports at the route level today. |
Beta Was this translation helpful? Give feedback.
Your instinct is right — TLS Passthrough + TLSRoute is the better fit here. I tested it and it works exactly as expected.
Recommendation: Let each backend own its own TLS configuration and use TLS Passthrough on the Gateway. The Gateway stays transparent and just forwards the request as is with no cert management at the gateway level at all. Services that need mTLS configure it on their own.
Setup tested:
Gateway with 2 TLS Passthrough listeners on separate ports
2 TLSRoutes, one per listener
catalog backend: standard TLS, no client cert required
payments backend: TLS + ssl_verify_client on, rejects requests without a valid client cert
Example File:
Gateway: