Backend TLS
Attach to:
Backend
By default, requests to backends use HTTP. To use HTTPS, configure a backend TLS TLS (Transport Layer Security) A cryptographic protocol that provides secure communication over a network. Agentgateway supports TLS for both incoming connections (listeners) and outgoing connections (backends). policy.
backendTLS:
# A file containing the root certificate to verify.
# If unset, the system trust bundle will be used.
root: ./certs/root-cert.pem
# For mutual TLS, the client certificate to use
cert: ./certs/cert.pem
# For mutual TLS, the client certificate key to use.
key: ./certs/key.pem
# Expected Subject Alternative Names (SANs) for certificate verification.
# If set, the upstream certificate must contain at least one matching SAN.
# subjectAltNames:
# - "spiffe://cluster.local/ns/default/sa/my-service"
# If set, hostname verification is disabled
# insecureHost: true
# If set, all TLS verification is disabled
# insecure: trueSubject Alternative Names
When connecting to upstream services over TLS, you can specify expected Subject Alternative Names (SANs) to verify. The upstream certificate must contain at least one SAN that matches the configured list. In Kubernetes environments, Service SANs are automatically populated from the service identity.
backendTLS:
subjectAltNames:
- "spiffe://cluster.local/ns/default/sa/my-service"