From e805a42cf6293c2d05c0c1c10ec8dc0526d62eb6 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Thu, 31 Jul 2025 06:42:44 +0000 Subject: [PATCH 1/5] docs for skipping TLS verification Signed-off-by: Huabing (Robin) Zhao --- .../security/backend-skip-tls-verification.md | 198 ++++++++++++++++++ 1 file changed, 198 insertions(+) create mode 100644 site/content/en/latest/tasks/security/backend-skip-tls-verification.md diff --git a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md new file mode 100644 index 0000000000..3115e8b0bc --- /dev/null +++ b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md 
@@ -0,0 +1,198 @@ +--- +title: "Backend TLS: Skip TLS Verification" +--- + +This task demonstrates how to skip TLS verification for a backend service in Envoy Gateway. + +By default, you must configure a [BackendTLSPolicy][] to validate the TLS certificate of a backend service when it uses TLS. + +However, in certain scenarios—such as development or testing—you might want to skip TLS verification for a backend service. +To do this, you can use the [Backend][] API and set the `tls.insecureSkipVerify` field to true in the [Backend][] resource. + +Warning: Skipping TLS verification disables certificate validation, which can expose your connection to man-in-the-middle +attacks. This setting is typically used only for development or testing and is not recommended in production environments. + +## Installation + +Follow the steps from [Backend Routing][] to enable the [Backend][] API in the [EnvoyGateway][] startup configuration. +Follow the steps from the [Backend TLS][] to install the `tls-backend` service. For this task, you don’t need to create the +[BackendTLSPolicy][] in the [Backend TLS][] task, as we will skip TLS verification. + +## Skip TLS Verification + +In the following example, we will create a [Backend][] resource that routes to the `tls-backend` service, and an [HTTPRoute][] +that references the [Backend][] resource. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send a request to the backend service: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +Because the backend service is using TLS, and no [BackendTLSPolicy][] is configured to validate the TLS certificate, +the request will fail with a `400 Bad Request` error: + +```bash +* Connected to www.example.com (172.18.0.200) port 80 +* using HTTP/1.x +> GET /get HTTP/1.1 +> Host:www.example.com +> User-Agent: curl/8.14.1 +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 400 Bad Request +< date: Thu, 31 Jul 2025 06:09:51 GMT +< transfer-encoding: chunked +``` + +Disabling TLS verification by setting the `InsecureSkipVerify` field to `true` allows the request to succeed: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send the request again: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +You should now see a successful response from the backend service. Since TLS verification has been skipped, the request +proceeds without validating the backend’s TLS certificate. The response will include TLS details such as the protocol +version and cipher suite used for the connection. + + +```shell +< HTTP/1.1 200 OK +[...] + "tls": { + "version": "TLSv1.2", + "serverName": "", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + } +``` + +[Backend Routing]: ../traffic/backend/#enable-backend +[Backend]: ../../../api/extension_types#backend +[Backend TLS]: ./backend-tls +[EnvoyGateway]: ../../../api/extension_types#envoygateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ 
From 063f6b56a76db844356115a1d0cbcac1ef4f9726 Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Thu, 31 Jul 2025 07:46:50 +0000
Subject: [PATCH 2/5] remove btlsp for skiptlsverify
Signed-off-by: Huabing (Robin) Zhao
---
 test/e2e/testdata/backend-tls.yaml | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml
index 1f6f7d0637..82135e0516 100644
--- a/test/e2e/testdata/backend-tls.yaml
+++ b/test/e2e/testdata/backend-tls.yaml
@@ -136,20 +136,6 @@ spec:
 hostname: gateway.envoyproxy.io
 port: 443
 ---
-apiVersion: gateway.networking.k8s.io/v1alpha3
-kind: BackendTLSPolicy
-metadata:
- name: policy-btls-ca-mismatch
- namespace: gateway-conformance-infra
-spec:
- targetRefs:
- - group: gateway.envoyproxy.io
- kind: Backend
- name: backend-insecure-tls-verify
- validation:
- wellKnownCACertificates: System
- hostname: example.com
----
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
 metadata:
From d405d36317f12b4faccc1d31d914357a1ce6d119 Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Thu, 31 Jul 2025 23:43:53 +0000
Subject: [PATCH 3/5] address comment
Signed-off-by: Huabing (Robin) Zhao
---
 .../security/backend-skip-tls-verification.md | 5 +++--
 test/e2e/testdata/backend-tls.yaml | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md
index 3115e8b0bc..d85d725f86 100644
--- a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md
+++ b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md
@@ -15,8 +15,9 @@ attacks. This setting is typically used only for development or testing and is n ## Installation Follow the steps from [Backend Routing][] to enable the [Backend][] API in the [EnvoyGateway][] startup configuration. -Follow the steps from the [Backend TLS][] to install the `tls-backend` service. For this task, you don’t need to create the -[BackendTLSPolicy][] in the [Backend TLS][] task, as we will skip TLS verification. + +Next, follow the instructions from the [Backend TLS][] guide to install the `tls-backend` service. +**For this task, you don’t need to create a [BackendTLSPolicy][]**—since we’re skipping TLS verification, you can simply install the `tls-backend` service and skip the policy creation step. ## Skip TLS Verification diff --git a/test/e2e/testdata/backend-tls.yaml b/test/e2e/testdata/backend-tls.yaml index 82135e0516..1f6f7d0637 100644 --- a/test/e2e/testdata/backend-tls.yaml +++ b/test/e2e/testdata/backend-tls.yaml @@ -136,6 +136,20 @@ spec: hostname: gateway.envoyproxy.io port: 443 --- +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: BackendTLSPolicy +metadata: + name: policy-btls-ca-mismatch + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-insecure-tls-verify + validation: + wellKnownCACertificates: System + hostname: example.com +--- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend metadata: From b08fb65655d7ca68f4c9cf6337c414bc53bc6c1a Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 1 Aug 2025 00:03:51 +0000 Subject: [PATCH 4/5] address comment 
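Review bot: The restored `policy-btls-ca-mismatch` resource carries no comment explaining why a BackendTLSPolicy with `wellKnownCACertificates: System` and `hostname: example.com` deliberately targets a Backend named `backend-insecure-tls-verify`, so a reader of the fixture cannot tell an intentional mismatch from a misconfigured one. It is presumably there so the e2e test covers a Backend with `tls.insecureSkipVerify` set while a policy that cannot validate the backend certificate is also attached, but the targeted Backend's spec starts past the end of this hunk, so that should be confirmed against the test. I would add above the `apiVersion` line: `# Intentionally mismatched CA/hostname: exercises a Backend with tls.insecureSkipVerify while a BackendTLSPolicy that cannot validate its certificate is attached.` Since patch 2 of this series removed this same policy and this patch re-adds it, the comment would also record that the fixture is meant to stay.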
Signed-off-by: Huabing (Robin) Zhao --- public/categories/index.xml | 11 ++ public/index.xml | 11 ++ public/sitemap.xml | 11 ++ public/tags/index.xml | 11 ++ .../security/backend-skip-tls-verification.md | 150 +++++++++++++++++- 5 files changed, 190 insertions(+), 4 deletions(-) create mode 100644 public/categories/index.xml create mode 100644 public/index.xml create mode 100644 public/sitemap.xml create mode 100644 public/tags/index.xml diff --git a/public/categories/index.xml b/public/categories/index.xml new file mode 100644 index 0000000000..97e554c9df --- /dev/null +++ b/public/categories/index.xml @@ -0,0 +1,11 @@ + + + + Categories on + //localhost:1313/categories/ + Recent content in Categories on + Hugo + en + + + diff --git a/public/index.xml b/public/index.xml new file mode 100644 index 0000000000..ddfcdb6d12 --- /dev/null +++ b/public/index.xml @@ -0,0 +1,11 @@ + + + + + //localhost:1313/ + Recent content on + Hugo + en + + + diff --git a/public/sitemap.xml b/public/sitemap.xml new file mode 100644 index 0000000000..7501792848 --- /dev/null +++ b/public/sitemap.xml @@ -0,0 +1,11 @@ + + + + //localhost:1313/ + + //localhost:1313/categories/ + + //localhost:1313/tags/ + + diff --git a/public/tags/index.xml b/public/tags/index.xml new file mode 100644 index 0000000000..b21383f0a3 --- /dev/null +++ b/public/tags/index.xml @@ -0,0 +1,11 @@ + + + + Tags on + //localhost:1313/tags/ + Recent content in Tags on + Hugo + en + + + diff --git a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md index d85d725f86..4d862b0b18 100644 --- a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md +++ b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md 
@@ -12,12 +12,155 @@ To do this, you can use the [Backend][] API and set the `tls.insecureSkipVerify` Warning: Skipping TLS verification disables certificate validation, which can expose your connection to man-in-the-middle attacks. This setting is typically used only for development or testing and is not recommended in production environments. +## Prerequisites + +- OpenSSL to generate TLS assets. + ## Installation -Follow the steps from [Backend Routing][] to enable the [Backend][] API in the [EnvoyGateway][] startup configuration. +{{< boilerplate prerequisites >}} + +## Enable Backend + +The [Backend][] API is disabled by default in Envoy Gateway. To enable it, follow the steps outlined in [Backend Routing][] to configure the [EnvoyGateway][] startup settings accordingly. + +## TLS Certificates + +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt +``` + +Create a certificate and a private key for `www.example.com`. + +First, create an openssl configuration file: + +```shell +cat > openssl.conf <}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} ## Skip TLS Verification @@ -193,7 +336,6 @@ version and cipher suite used for the connection. [Backend Routing]: ../traffic/backend/#enable-backend [Backend]: ../../../api/extension_types#backend -[Backend TLS]: ./backend-tls [EnvoyGateway]: ../../../api/extension_types#envoygateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute [BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ From daee31ed1bc54260c1dc96e86e1fdf4e1fe5981b Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Fri, 1 Aug 2025 02:14:29 +0000 Subject: [PATCH 5/5] remove public 
Signed-off-by: Huabing (Robin) Zhao --- public/categories/index.xml | 11 ----------- public/index.xml | 11 ----------- public/sitemap.xml | 11 ----------- public/tags/index.xml | 11 ----------- 4 files changed, 44 deletions(-) delete mode 100644 public/categories/index.xml delete mode 100644 public/index.xml delete mode 100644 public/sitemap.xml delete mode 100644 public/tags/index.xml diff --git a/public/categories/index.xml b/public/categories/index.xml deleted file mode 100644 index 97e554c9df..0000000000 --- a/public/categories/index.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - Categories on - //localhost:1313/categories/ - Recent content in Categories on - Hugo - en - - - diff --git a/public/index.xml b/public/index.xml deleted file mode 100644 index ddfcdb6d12..0000000000 --- a/public/index.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - //localhost:1313/ - Recent content on - Hugo - en - - - diff --git a/public/sitemap.xml b/public/sitemap.xml deleted file mode 100644 index 7501792848..0000000000 --- a/public/sitemap.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - //localhost:1313/ - - //localhost:1313/categories/ - - //localhost:1313/tags/ - - diff --git a/public/tags/index.xml b/public/tags/index.xml deleted file mode 100644 index b21383f0a3..0000000000 --- a/public/tags/index.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - Tags on - //localhost:1313/tags/ - Recent content in Tags on - Hugo - en - - -