TLS encryption

Enable TLS encryption for the control plane xDS gRPC server communications.

Enable server-side TLS encryption for the xDS gRPC server in the agentgateway control plane. For more information about the server, see the Architecture docs.

Before you begin

Install the agentgateway control plane.

Step 2: Update the control plane to use TLS

Upgrade agentgateway with TLS enabled for the controller. For complete steps, review the Upgrade guide.

  1. Set your version of agentgateway in an environment variable, such as the latest patch version ().

    export NEW_VERSION=
  2. Get the Helm values file for your current version.

    helm get values agentgateway -n agentgateway-system -o yaml > values.yaml
    open values.yaml
  3. Add the following values to the Helm values file to enable TLS for the xDS gRPC server.

  4. Upgrade your Helm installation.

    helm upgrade -i -n agentgateway-system agentgateway oci://cr.agentgateway.dev/charts/agentgateway \
      -f values.yaml \
      --version v$NEW_VERSION 
  5. Confirm that the agentgateway control plane is up and running.

    kubectl get pods -n agentgateway-system

Step 3: Verify the TLS connection

Now that the control plane is up and running, verify the TLS connection.

  1. Port-forward the control plane service on port 9977.

    kubectl port-forward -n agentgateway-system svc/agentgateway 9978
  2. Send a request to the control plane in plaintext without TLS authentication. You get back an authentication failed error.

    grpcurl -plaintext localhost:9978 list

    Example output:

    Failed to list services: rpc error: code = Unknown desc = authentication failed: [Authenticator KubeJWTAuthenticator: target JWT extraction error: no HTTP authorization header exists]
  3. Port-forward the control plane deployment on port 9092.

    kubectl port-forward -n agentgateway-system deploy/agentgateway 9092
  4. Send a request to the metrics endpoint to check for xds_auth metrics.

    curl localhost:9092/metrics | grep xds_auth

    Example output:

    # HELP kgateway_xds_auth_rq_failure_total Total number of failed xDS auth requests
    # TYPE kgateway_xds_auth_rq_failure_total counter
    kgateway_xds_auth_rq_failure_total 2
    # HELP kgateway_xds_auth_rq_success_total Total number of successful xDS auth requests
    # TYPE kgateway_xds_auth_rq_success_total counter
    kgateway_xds_auth_rq_success_total 1
    # HELP kgateway_xds_auth_rq_total Total number of xDS auth requests
    # TYPE kgateway_xds_auth_rq_total counter
    kgateway_xds_auth_rq_total 3
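
The check in step 3 can also be scripted by comparing a metrics scrape taken before the plaintext request with one taken after it. The following is an added example, not part of the agentgateway docs: the function names are hypothetical, the "before" sample is constructed, and the "after" sample copies the example output above.

```shell
#!/bin/sh
# Added example, not from the agentgateway docs. Function names are hypothetical.

# Constructed "before" scrape; the "after" scrape copies the example output above.
SAMPLE_BEFORE='kgateway_xds_auth_rq_failure_total 1
kgateway_xds_auth_rq_success_total 1
kgateway_xds_auth_rq_total 2'
SAMPLE_AFTER='# TYPE kgateway_xds_auth_rq_failure_total counter
kgateway_xds_auth_rq_failure_total 2
# TYPE kgateway_xds_auth_rq_success_total counter
kgateway_xds_auth_rq_success_total 1
# TYPE kgateway_xds_auth_rq_total counter
kgateway_xds_auth_rq_total 3'

# Read Prometheus text from stdin and print the value of the unlabelled sample $1.
# Exit status is 1 if the metric is not present.
metric_value() {
  awk -v name="$1" '$1 == name { print $2; found = 1; exit } END { exit (found ? 0 : 1) }'
}

# xds_auth_delta NAME BEFORE AFTER: print how much counter NAME grew between scrapes.
xds_auth_delta() {
  b=$(printf '%s\n' "$2" | metric_value "$1") || return 2
  a=$(printf '%s\n' "$3" | metric_value "$1") || return 2
  awk -v a="$a" -v b="$b" 'BEGIN { printf "%d\n", a - b }'
}

# plaintext_was_rejected BEFORE AFTER
# Succeeds only when the failure counter rose between the two scrapes.
# Returns 2 if the xds_auth metrics are absent, 3 if a counter went backwards
# (the process restarted, so the scrapes are not comparable).
plaintext_was_rejected() {
  fail=$(xds_auth_delta kgateway_xds_auth_rq_failure_total "$1" "$2") || {
    echo "xds_auth metrics missing" >&2; return 2; }
  ok=$(xds_auth_delta kgateway_xds_auth_rq_success_total "$1" "$2") || {
    echo "xds_auth metrics missing" >&2; return 2; }
  if [ "$fail" -lt 0 ] || [ "$ok" -lt 0 ]; then
    echo "counter reset between scrapes" >&2; return 3
  fi
  echo "failure_delta=$fail success_delta=$ok"
  [ "$fail" -ge 1 ]
}

# Against a live control plane (port-forwards from step 3 running):
#   before=$(curl -s localhost:9092/metrics)
#   grpcurl -plaintext localhost:9978 list
#   after=$(curl -s localhost:9092/metrics)
#   plaintext_was_rejected "$before" "$after"
plaintext_was_rejected "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

A nonzero `success_delta` in a quiet test cluster is worth a look, because it means something authenticated to the xDS server between the two scrapes.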