Gloo Gateway uses Istio proxies to implement API gateway functionality and handle incoming request transformation and routing to workloads in your cluster. By default, traffic from the gateway to the workload is not encrypted. You can encrypt traffic to and between your workloads by adding your workloads to an Istio service mesh that is managed by Gloo Mesh Enterprise. Note that you must have a Gloo Mesh Enterprise license to use service mesh capabilities.
When you use Gloo Gateway in combination with Gloo Mesh Enterprise, the Istio control plane istiod must be configured with intermediate certificate authority certificates and keys. Istiod uses these credentials to issue and sign leaf certificates to the workloads in the service mesh.
To learn more about how to set up the Istio certificate architecture and how you can use the Gloo Mesh root trust policy to manage multicluster service meshes, see Istio certificates in the Gloo Mesh documentation.