Enabling backend mTLS requires changes to the GatewayClass? #5248

aukevanleeuwen · 2025-02-10T22:23:16Z

aukevanleeuwen
Feb 10, 2025

Hello,

I'm trying to enable mTLS on the backend configuration by reading https://gateway.envoyproxy.io/docs/tasks/security/backend-mtls/. It states that I should do have this config on the GatewayClass:

---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: custom-proxy-config
    namespace: envoy-gateway-system

I already have this setup on the Gateway though, does that achieve the same thing? I'm a bit confused about that. I would guess that Gateway points to the GatewayClass and therefore I can declare it on either one of those?

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
spec:
  gatewayClassName: eg
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: envoy-config
  # ...

Answered by arkodg

Feb 10, 2025

yeah you can attach it to the Gateway or GatewayClass, and the Gateway attachment takes precedence

View full answer

arkodg · 2025-02-10T22:26:01Z

arkodg
Feb 10, 2025
Maintainer

yeah you can attach it to the Gateway or GatewayClass, and the Gateway attachment takes precedence

1 reply

aukevanleeuwen Feb 11, 2025
Author

Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enabling backend mTLS requires changes to the GatewayClass? #5248

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Enabling backend mTLS requires changes to the GatewayClass? #5248

aukevanleeuwen Feb 10, 2025

Replies: 1 comment · 1 reply

arkodg Feb 10, 2025 Maintainer

aukevanleeuwen Feb 11, 2025 Author

aukevanleeuwen
Feb 10, 2025

Replies: 1 comment 1 reply

arkodg
Feb 10, 2025
Maintainer

aukevanleeuwen Feb 11, 2025
Author