TLS Termination

This document outlines setting up TLS termination in FSM Gateway.

TLS offloading is the process of terminating TLS connections at a load balancer or gateway, decrypting the traffic and passing it to the backend server, thereby relieving the backend server of the encryption and decryption burden.

This doc will show you how to use TLS termination for a service.


  • Kubernetes cluster version v1.21.0 or higher.
  • kubectl CLI
  • FSM Gateway installed via guide doc.


export GATEWAY_IP=$(kubectl get svc -n httpbin -l app=fsm-gateway -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')

Issue TLS certificate

Configuring TLS requires a certificate, so let's issue one first.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -keyout -out \
  -subj "/"

After running the command above, you will have two files, which we can use to create a secret.

kubectl create namespace httpbin
kubectl create secret tls simple-gateway-cert -n httpbin
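
Before loading a pair into the secret, it is worth confirming that the key belongs to the certificate, that the certificate covers the host name clients will use, and that it is not close to expiry. The script below is an added example, not part of the FSM Gateway documentation; the host name `gateway.example.test`, the file names `tls.crt` and `tls.key`, and the 30-day threshold are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for a cert/key pair destined for a TLS secret.
# Host name and file names are constructed placeholders, not values from the page.

# 0 if the private key in $2 belongs to the certificate in $1.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate in $1 is valid for host name $2.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Issue a self-signed pair with the same openssl flags the page uses.
# A SAN is added because many TLS clients no longer match on CN alone.
issue_selfsigned() {  # $1=dir $2=host $3=days
  openssl req -x509 -sha256 -nodes -days "$3" -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Run every check; print one line per failure, return non-zero if any fail.
preflight() {  # $1=cert $2=key $3=host
  rc=0
  cert_matches_key "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
  cert_covers_host "$1" "$3"  || { echo "FAIL: certificate does not cover $3"; rc=1; }
  cert_valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  return "$rc"
}

demo() {
  d=$(mktemp -d) || return 1
  issue_selfsigned "$d" gateway.example.test 365 &&
    preflight "$d/tls.crt" "$d/tls.key" gateway.example.test &&
    echo "OK: pair is consistent and can be loaded into the secret"
  rc=$?; rm -rf "$d"; return "$rc"
}
demo
```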

Deploy sample app

kubectl apply -n httpbin -f


curl --cacert  --connect-to$GATEWAY_IP:8000
  "headers": {
    "Accept": "*/*",
    "Connection": "keep-alive",
    "Host": "",
    "User-Agent": "curl/7.68.0"



Last modified April 11, 2024: update versions of fsm and pipy (cea5b3e)