
TLS Configuration

Overview

Gatez supports TLS at two levels:

  1. External TLS — HTTPS termination at the ingress for client-facing traffic
  2. Internal mTLS — Mutual TLS between services for zero-trust networking

Production (Kubernetes + cert-manager)

Prerequisites

```bash
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml
```

Enable TLS in Helm

```yaml
# values-production.yaml
tls:
  enabled: true
  clusterIssuer: letsencrypt-prod
  acmeEmail: admin@yourcompany.com
  mtls:
    enabled: true
    secretName: gatez-internal-tls

ingress:
  enabled: true
  className: nginx
  hosts:
    api: api.gatez.yourcompany.com
    operator: operator.gatez.yourcompany.com
    developer: developer.gatez.yourcompany.com
```

```bash
helm upgrade --install gatez infra/helm/gatez -f values-production.yaml
```

This will:

  • Create a ClusterIssuer for Let's Encrypt
  • Request TLS certificates for all 3 hostnames
  • Auto-renew 15 days before expiry
  • Mount internal TLS secrets into service pods (when mTLS enabled)

Certificate Lifecycle

| Event | Timing |
| --- | --- |
| Initial issuance | On helm install |
| Renewal | 15 days before expiry (automatic) |
| Certificate duration | 90 days |
| Rotation | Zero-downtime (cert-manager updates the Secret; pods pick up the new files via inotify) |

Note that the kubelet propagates Secret updates to mounted volumes on its sync period (typically around a minute, not instantly), and only to whole-volume mounts: a Secret mounted with subPath is never updated in place.

Development (Docker Compose)

For local development with TLS:

```bash
# Generate self-signed CA + service certs
./infra/tls/generate-dev-certs.sh

# Start with TLS overlay
docker compose -f docker-compose.yml -f docker-compose.tls.yml up -d
```

The dev certs are self-signed and only valid for localhost and Docker service names. They are gitignored (infra/tls/dev/).

Air-Gap Deployment

For air-gapped environments without Let's Encrypt access:

  1. Generate certificates using your internal CA
  2. Create the Kubernetes secret manually:

     ```bash
     kubectl create secret tls gatez-tls-secret \
       --cert=path/to/tls.crt \
       --key=path/to/tls.key
     ```

  3. Set tls.enabled=true but omit tls.clusterIssuer, so the chart uses the pre-created secret instead of requesting a certificate. The certificate's SANs must cover the ingress hostnames, and the key must match the certificate (kubectl create secret tls rejects a mismatched pair). Without an issuer there is no automatic renewal: track the expiry date and re-create the secret before it lapses.

Service-Specific TLS Configuration

Each Rust service (L2, L3, CP API) accepts these env vars when TLS is enabled:

| Variable | Description |
| --- | --- |
| RUST_TLS_CERT | Path to service TLS certificate |
| RUST_TLS_KEY | Path to service TLS private key |
| RUST_TLS_CA | Path to CA certificate for client verification (mTLS) |

When RUST_TLS_CERT and RUST_TLS_KEY are set, the service binds HTTPS instead of HTTP. Setting RUST_TLS_CA in addition enables mTLS: the service verifies each connecting client's certificate against that CA.
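The following script is an added example and is not part of the Gatez repository. It serves two passages of this page: the Development section, by generating a throwaway dev CA plus one certificate per service (standing in for what a script like infra/tls/generate-dev-certs.sh would produce; the service names api, l2 and l3 and their SANs are assumed, not taken from the project), and this section, by performing the checks a service should run on RUST_TLS_CERT, RUST_TLS_KEY and RUST_TLS_CA before it binds HTTPS or mTLS: key matches certificate, certificate not about to expire, certificate chains to the configured CA, and no half-configured combinations such as a CA without a server identity. It needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not Gatez project code). Generates a dev CA and per-service
# certs, then validates the RUST_TLS_* configuration the way a service should.
# Service names (api, l2, l3) and their SANs are assumptions for this example.
set -u

# issue_leaf DIR NAME SAN_LIST: CSR plus CA-signed certificate, 30-day validity.
issue_leaf() {
  il_dir=$1; il_name=$2; il_san=$3
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$il_name" \
    > "$il_dir/$il_name.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$il_dir/$il_name.cnf" \
    -keyout "$il_dir/$il_name.key" -out "$il_dir/$il_name.csr" >/dev/null 2>&1 || return 1
  # Leaf extensions: SANs for hostname checks, both EKUs so the same cert can be
  # presented as a server and as an mTLS client, CA:FALSE so it cannot sign.
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth,clientAuth\nbasicConstraints = CA:FALSE\n' \
    "$il_san" > "$il_dir/$il_name.ext"
  openssl x509 -req -in "$il_dir/$il_name.csr" -CA "$il_dir/ca.crt" -CAkey "$il_dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$il_dir/$il_name.ext" \
    -out "$il_dir/$il_name.crt" >/dev/null 2>&1
}

# gen_dev_certs DIR: self-signed dev CA in DIR, then one certificate per service.
gen_dev_certs() {
  gd_dir=$1
  mkdir -p "$gd_dir" || return 1
  # CA extensions are given explicitly so the result does not depend on the
  # system openssl.cnf: a CA without keyCertSign would fail chain verification.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\nprompt = no\n[dn]\nCN = gatez-dev-ca\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$gd_dir/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -config "$gd_dir/ca.cnf" \
    -keyout "$gd_dir/ca.key" -out "$gd_dir/ca.crt" >/dev/null 2>&1 || return 1
  issue_leaf "$gd_dir" api "DNS:localhost,DNS:api" || return 1
  issue_leaf "$gd_dir" l2  "DNS:localhost,DNS:l2"  || return 1
  issue_leaf "$gd_dir" l3  "DNS:localhost,DNS:l3"  || return 1
}

# tls_mode: inspects RUST_TLS_CERT / RUST_TLS_KEY / RUST_TLS_CA and prints the
# mode the service would start in (http, https or mtls). Returns 1 on an
# invalid or inconsistent configuration so a startup wrapper can refuse to boot.
tls_mode() {
  tm_cert=${RUST_TLS_CERT:-}; tm_key=${RUST_TLS_KEY:-}; tm_ca=${RUST_TLS_CA:-}
  if [ -z "$tm_cert" ] && [ -z "$tm_key" ]; then
    # A CA without cert+key is a misconfiguration: mTLS needs a server identity.
    [ -z "$tm_ca" ] || { echo "RUST_TLS_CA set without RUST_TLS_CERT/RUST_TLS_KEY" >&2; return 1; }
    echo http; return 0
  fi
  [ -n "$tm_cert" ] && [ -n "$tm_key" ] \
    || { echo "RUST_TLS_CERT and RUST_TLS_KEY must both be set" >&2; return 1; }
  [ -r "$tm_cert" ] && [ -r "$tm_key" ] || { echo "certificate or key not readable" >&2; return 1; }
  # The private key must belong to the certificate: compare the public keys.
  tm_cpub=$(openssl x509 -in "$tm_cert" -noout -pubkey 2>/dev/null) \
    || { echo "bad certificate PEM" >&2; return 1; }
  tm_kpub=$(openssl pkey -in "$tm_key" -pubout 2>/dev/null) \
    || { echo "bad private key PEM" >&2; return 1; }
  [ "$tm_cpub" = "$tm_kpub" ] || { echo "private key does not match certificate" >&2; return 1; }
  # Refuse certificates that are expired or expire within the next 24 hours.
  openssl x509 -in "$tm_cert" -noout -checkend 86400 >/dev/null 2>&1 \
    || { echo "certificate expired or expiring within 24h" >&2; return 1; }
  if [ -n "$tm_ca" ]; then
    # mTLS: the service's own cert must chain to the CA it will verify peers against,
    # otherwise peers using the same CA would reject it.
    openssl verify -CAfile "$tm_ca" "$tm_cert" >/dev/null 2>&1 \
      || { echo "certificate does not chain to RUST_TLS_CA" >&2; return 1; }
    echo mtls
  else
    echo https
  fi
}
```

Source the file, then run gen_dev_certs infra/tls/dev (the gitignored directory named above) and export RUST_TLS_CERT=infra/tls/dev/api.crt, RUST_TLS_KEY=infra/tls/dev/api.key and RUST_TLS_CA=infra/tls/dev/ca.crt; tls_mode prints mtls and exits 0. Pointing RUST_TLS_KEY at another service's key, or setting only RUST_TLS_CA, makes it exit 1 with a reason on stderr. The same checks apply unchanged to the certificate and key you place in a manually created air-gap secret.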
