---
title: ApisixTls
keywords:
  - APISIX ingress
  - Apache APISIX
  - ApisixTls
description: Guide to using ApisixTls custom Kubernetes resource.
---

ApisixTls is a Kubernetes CRD object used to create an APISIX SSL object. It references a Kubernetes Secret with two keys: `cert`, containing the certificate, and `key`, containing the private key, in PEM format.

See reference for the full API documentation.

The example below shows how you can configure an ApisixTls resource:

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: sample-tls
spec:
  hosts:
  - httpbin.org
  secret:
    name: htpbin-cert
    namespace: default
```

:::info IMPORTANT

Make sure that the `hosts` field is accurate. APISIX uses this field to select the correct certificate. It must also match the Server Name Indication (SNI) extension the client sends during the TLS handshake, or the handshake might fail.

:::

APISIX Ingress watches the Secret resources referenced by ApisixTls objects and re-translates them into APISIX resources whenever they change.

## Bypassing MTLS based on regular expression matching against URI

:::note

This feature is only supported with APISIX version 3.4 or above.

:::

APISIX allows configuring a URI whitelist to bypass MTLS. If the URI of a request matches the whitelist, the client certificate is not checked. Note that for all other URIs served under the same SNI, a request with a missing or invalid client certificate receives an HTTP 400 response instead of a TLS alert during the handshake.

The example below creates an APISIX SSL resource where MTLS is bypassed for any request URI that starts with `/ip`.

```yaml
apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
  name: my-tls
spec:
  hosts:
  - httpbin.org
  secret:
    name: my-secret
    namespace: default
  client:
    # CA used to verify client certificates for this SNI
    caSecret:
      name: ca-secret
      namespace: default
    # maximum verification depth of the client certificate chain
    depth: 10
    # requests whose URI matches one of these regexes skip client verification
    skip_mtls_uri_regex:
    - /ip.*
```
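The following script is an added example, not code from the original doc or from the APISIX Ingress project. It models the two rules stated above as pre-apply checks a practitioner would want: that every entry in `hosts` is covered by a subjectAltName of the certificate in the referenced Secret (otherwise SNI selection fails), and that a `skip_mtls_uri_regex` whitelist only exempts the URIs you intend. The spec, the SAN list and the request URIs are constructed; modelling the regex as an unanchored search (as `ngx.re` does) is an assumption to confirm against the APISIX version you run.

```python
"""Pre-apply checks for an ApisixTls spec (added example, not project code)."""
import re

# Constructed sample spec mirroring the manifest above (not a real deployment).
SPEC = {
    "hosts": ["httpbin.org", "api.httpbin.org"],
    "secret": {"name": "my-secret", "namespace": "default"},
    "client": {
        "caSecret": {"name": "ca-secret", "namespace": "default"},
        "depth": 10,
        "skip_mtls_uri_regex": ["/ip.*"],
    },
}

# Constructed subjectAltName list of the certificate held in my-secret.
CERT_SANS = ["httpbin.org", "*.httpbin.org"]


def host_matches_san(host: str, san: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost label only."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        # '*.httpbin.org' covers 'api.httpbin.org' but neither
        # 'a.b.httpbin.org' nor the bare 'httpbin.org'.
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return host == san


def uncovered_hosts(spec: dict, cert_sans: list) -> list:
    """Hosts listed in the spec that no SAN in the certificate covers."""
    return [h for h in spec["hosts"]
            if not any(host_matches_san(h, s) for s in cert_sans)]


def mtls_decision(spec: dict, uri: str, client_cert_ok: bool) -> str:
    """Outcome for one request on the SNI this spec serves.

    'bypass': URI is whitelisted, certificate not checked.
    'pass':   certificate verified (or no client section configured).
    '400':    certificate missing/invalid on a non-whitelisted URI.
    Assumption: the regex is applied as an unanchored search, like ngx.re.
    """
    client = spec.get("client")
    if not client:
        return "pass"  # no mTLS configured for this SNI
    for pattern in client.get("skip_mtls_uri_regex", []):
        if re.search(pattern, uri):
            return "bypass"
    return "pass" if client_cert_ok else "400"


def overbroad_patterns(patterns: list, protected_uris: list) -> list:
    """(pattern, uri) pairs where a whitelist regex also hits a URI that must stay protected."""
    return [(p, u) for p in patterns for u in protected_uris if re.search(p, u)]


if __name__ == "__main__":
    print("uncovered hosts:", uncovered_hosts(SPEC, CERT_SANS))
    for uri, ok in [("/ip", False), ("/get", False), ("/get", True)]:
        print(uri, "cert_ok=%s ->" % ok, mtls_decision(SPEC, uri, ok))
    # '/ip.*' is unanchored, so it also whitelists '/api/ipsum';
    # the anchored '^/ip(/.*)?$' does not.
    print(overbroad_patterns(SPEC["client"]["skip_mtls_uri_regex"], ["/api/ipsum"]))
    print(overbroad_patterns(["^/ip(/.*)?$"], ["/api/ipsum", "/ipsum"]))
```

Running `overbroad_patterns` against the URIs that must keep requiring a client certificate is the useful part: a pattern such as `/ip.*` written without a leading `^` also matches `/api/ipsum`, so anchoring whitelist regexes at the start of the URI keeps the bypass as narrow as the doc example intends.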