Skip to content
CTRL K
    Docs Standalone Kubernetes Models Blog Enterprise Community Get Started GitHub
    🎯 New workshop: Govern AI Costs in Real Time — Hands-On with agentgateway agentgateway has joined the Agentic AI FoundationLearn more

    For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

    Page as Markdown
    Backend TLS
    Migrate NGINX backend TLS annotations to agentgateway backend TLS policies.
    When your backend requires TLS (re-encryption or mTLS), NGINX’s proxy-ssl-* annotations are translated by the agentgateway emitter into an AgentgatewayPolicy with spec.backend.tls settings. The policy targets the backend Service.
    Before: Ingress with backend TLS

    cat <<'EOF' > backend-tls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: backend-tls-demo
  annotations:
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-tls-secret"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "internal-api.example.com"
spec:
  ingressClassName: agentgateway
  rules:
  - host: app.example.com
    http:
      paths:
      - backend:
          service:
            name: secure-api
            port:
              number: 443
        path: /api
        pathType: Prefix
EOF
    Convert

    ingress2gateway print --providers=ingress-nginx --emitter=agentgateway \
  --input-file backend-tls-ingress.yaml > backend-tls-agentgateway.yaml
    After: AgentgatewayPolicy with backend TLS

    cat backend-tls-agentgateway.yaml
    The tool generates a Gateway, HTTPRoute(s), and an AgentgatewayPolicy per backend Service. The policy name is <service-name>-backend-tls. With verification enabled (proxy-ssl-verify: "on"), the emitter configures mTLS via mtlsCertificateRef and does not set insecureSkipVerify:
    apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
  name: secure-api-backend-tls
  namespace: default
spec:
  targetRefs:
  - group: ""
    kind: Service
    name: secure-api
  backend:
    tls:
      mtlsCertificateRef:
      - name: backend-tls-secret
      sni: internal-api.example.com
    If you set proxy-ssl-verify: "off", the emitter would set spec.backend.tls.insecureSkipVerify: All instead of mTLS.
    Apply

    kubectl apply -f backend-tls-agentgateway.yaml
    Canary Deployments
    Was this page helpful?
    

    
Agentgateway assistant
    


    Ask me anything about agentgateway configuration, features, or usage.
    Note: AI-generated content might contain errors; please verify and test all returned information.
    Tip: one topic per conversation gives the best results. Use the + button in the chat header to start a new conversation.
    Switching topics? Starting a new conversation improves accuracy.

    ↑↓ navigate
 select
esc dismiss
    

    

    What could be improved?
    Your feedback helps us improve assistant answers and identify docs gaps we should fix.
    Need more help? Join us on Discord:
https://discord.gg/y9efgEmppm
    Want to use your own agent? Add the Solo MCP server to query our docs directly. Get started here:
https://search.solo.io/.