Skip to main content
logoTetrate Enterprise Envoy Gateway (TEG)Version: next

Securing Your First Application Exposed Using TEG

The steps described in Expose Your Application exposed the httpbin application running in your cluster to external clients. Requests were sent to your application and each request passed through TEG. However, the requests sent by client were sent in clear-text. Follow the steps below to secure communication between your client and Tetrate Envoy Gateway.

Serving TLS to Clients

In this scenario communication between your client and TEG is encrypted using TLS. The encryption is terminated at the gateway. TLS uses public key encryption and in this scenario, only TEG maintains the public and private key pair. The client uses the gateway's public key to encrypt the communication. The gateway uses self-signed certificates. Self-signed certificates are not recommended for production scenario, but are sufficient for TLS demonstration purposes.

The configuration specified below preserves the clear-text port configured in Expose Your Application and adds additional port 443 over which the same application is exposed to external clients over TLS.

Generating the Certificates

Create a root certificate and private key to sign certificates:

openssl req -x509 -sha256 -nodes -days 365 \
-newkey rsa:2048 \
-subj '/O=example Inc./' \
-keyout \

Create a certificate and a private key for

openssl req -out \
-newkey rsa:2048 -nodes \
-keyout \
-subj "/ organization"
openssl x509 -req -days 365 \
-CA \
-CAkey \
-set_serial 0 \
-in \

In order for Tetrate Envoy Gateway to be able to use generated certificates, they need to be saved in the Kubernetes cluster as secrets, in the same namespace as the httpbin application:

kubectl create secret tls example-cert \ \ \
-n httpbin

Modify the Gateway config to expose your application over TLS on port 443:

kubectl patch gateway dedicated-gateway -n httpbin --type=json --patch '[{
"op": "add",
"path": "/spec/listeners/-",
"value": {
"name": "https",
"protocol": "HTTPS",
"port": 443,
"tls": {
"mode": "Terminate",
"certificateRefs": [{
"kind": "Secret",
"group": "",
"name": "example-cert",

Making HTTPS request to your httpbin application from outside the cluster

As described in Expose Your Application, the client needs Tetrate Envoy Gateway's external IP address:

export DEDICATED_GATEWAY_IP=$(kubectl get service -l -n envoy-gateway-system -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')

Now you can perform a request and examine the output:

curl --head \
--resolve "${DEDICATED_GATEWAY_IP}" \
--cacert \


HTTP/2 200
server: envoy
date: Mon, 04 Sep 2023 15:15:32 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 2