Scenario 01 · Quantum-safe public edge
A bank exposes account and payments APIs on the public internet. A well-funded adversary can't break TLS 1.3 now — so they copy the encrypted traffic and store it, betting that a cryptographically-relevant quantum computer will decrypt it later. The data underneath — balances, PII, signing keys — stays sensitive for decades. "Harvest now, decrypt later" turns today's recordings into tomorrow's breach.
Architecture
The client offers the hybrid group in its ClientHello; ZenoIngress requires it. Captured packets contain only ciphertext whose shared secret is protected by ML-KEM-768 — quantum-resistant by construction.
The setup
Crypto posture is set per listener through the Gateway's tls.options. Setting
pq-mode: require-pq rejects any client that won't negotiate the hybrid group, and the
TLS floor pins 1.3 (post-quantum key exchange only exists there).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: zeno-gateway
namespace: zenoingress-system
spec:
gatewayClassName: zenoingress
listeners:
- name: https
port: 443
protocol: HTTPS
hostname: api.bank.example
tls:
mode: Terminate
certificateRefs:
- name: api-bank-example-tls
# crypto agility — posture lives here, per listener
options:
zenoingress.io/pq-mode: require-pq # prefer-pq | require-pq | classical
zenoingress.io/min-tls-version: "1.3"
allowedRoutes:
namespaces:
from: Same
Harvest-now-decrypt-later doesn't stop at the edge. When ZenoIngress re-originates TLS to an
HTTPS backend, a BackendTLSPolicy carries the same posture upstream:
apiVersion: zenoingress.io/v1alpha1
kind: BackendTLSPolicy
metadata:
name: backend-pq
namespace: default
spec:
targetRefs:
- group: ""
kind: Service
name: accounts-api
validation:
caCertificateRefs:
- name: backend-ca
group: ""
kind: ConfigMap
subjectAltNames:
- type: Hostname
hostname: accounts-api.default.svc
options:
zenoingress.io/pq-mode: prefer-pq # upstream may not be PQ-ready yet
What happens
curl on a recent OpenSSL) sends a
ClientHello advertising the X25519MLKEM768 hybrid key-share group.
require-pq mode, so it selects the hybrid group.
A legacy client offering only classical curves is rejected handshake_failure
prefer-pq) — no plaintext hop in between.
Outcome
Post-quantum key exchange is on by default and enforceable per listener — downstream and upstream — in one memory-safe Rust binary, with no extra TLS-terminating hop to harvest.
Run this yourself
Apply the Gateway above, then verify the handshake actually used the hybrid group with a PQ-capable
openssl s_client (OpenSSL 3.5+ or a build of aws-lc/BoringSSL with ML-KEM):
$ openssl s_client -connect api.bank.example:443 \
-groups X25519MLKEM768 </dev/null 2>/dev/null | grep -i "Negotiated"
Negotiated TLS1.3 group: X25519MLKEM768
$ # a classical-only client is refused under require-pq:
$ openssl s_client -connect api.bank.example:443 -groups X25519 </dev/null
...:ssl/tls alert handshake failure:...
Free for one production cluster — post-quantum TLS included, no add-on.
Deploy Free