TLS Termination for TCP

This task will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway. This task uses a self-signed CA, so it should be used for testing and demonstration purposes only.


  • OpenSSL to generate TLS assets.


Follow the steps from the Quickstart to install Envoy Gateway.

TLS Certificates

Generate the certificates and keys used by the Gateway to terminate client TLS connections.

Create a root certificate and private key to sign certificates:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./' -keyout -out

Create a certificate and a private key for

openssl req -out -newkey rsa:2048 -nodes -keyout -subj "/ organization"
openssl x509 -req -days 365 -CA -CAkey -set_serial 0 -in -out

Store the cert/key in a Secret:

kubectl create secret tls example-cert

Install the TLS Termination for TCP example resources:

kubectl apply -f

Verify the Gateway status:

kubectl get gateway/eg -o yaml


Get the External IP of the Gateway:

export GATEWAY_HOST=$(kubectl get gateway/eg -o jsonpath='{.status.addresses[0].value}')

Query the example app through the Gateway:

curl -v --resolve "${GATEWAY_HOST}" \

Get the name of the Envoy service created the by the example Gateway:

export ENVOY_SERVICE=$(kubectl get svc -n envoy-gateway-system, -o jsonpath='{.items[0]}')

Port forward to the Envoy service:

kubectl -n envoy-gateway-system port-forward service/${ENVOY_SERVICE} 8443:443 &

Query the example app through Envoy proxy:

curl -v --resolve "" \