Skip to main content
Version: 1.8.0

ApisixTls

ApisixTls is a Kubernetes CRD object used to create an APISIX SSL object. It uses a Kubernetes secret with two keys, cert containing the certificate, and key containing the private key in PEM format.

See reference for the full API documentation.

The example below shows how you can configure an ApisixTls resource:

apiVersion: apisix.apache.org/v2
kind: ApisixTls
metadata:
name: sample-tls
spec:
hosts:
- httpbin.org
secret:
name: htpbin-cert
namespace: default
IMPORTANT

Make sure that the hosts field is accurate. APISIX uses the host field to match the correct certificate. It should also match the Server Name Indication extension in TLS, or the TLS handshake might fail.

APISIX Ingress will watch the secret resources referred by ApisixTls objects and re-translates it to APISIX resources if they are changed.

Bypassing MTLS based on regular expression matching against URI#

::: note This feature is only supported with APISIX version 3.4 or above. :::

APISIX allows configuring an URI whitelist to bypass MTLS. If the URI of a request is in the whitelist, then the client certificate will not be checked. Note that other URIs of the associated SNI will get HTTP 400 response instead of alert error in the SSL handshake phase, if the client certificate is missing or invalid.

The below example creates an APISIX ssl resource where MTLS is bypassed for any route that starts with /ip.

apiVersion: %s
kind: ApisixTls
metadata:
name: my-tls
spec:
hosts:
- httpbin.org
secret:
name: my-secret
namespace: default
client:
caSecret:
name: ca-secret
namespace: default
depth: 10
skip_mtls_uri_regex:
- /ip.*