Proto: root_trust_policy.proto

RootTrustPolicy designates the root of trust, that is, the trust domain and root certificates, used by one or more service meshes. A shared RootTrustPolicy is currently required for communication between workloads and destinations that run in different meshes. In the future, Gloo Mesh will support cross-mesh connectivity with a Limited Trust model, in which participating meshes may keep separate roots of trust.

Field Description
applyToMeshes (repeated

Select the meshes to which the root of trust is applied. If empty, the policy applies to all meshes in the workspace.
config (RootTrustPolicySpec.Config)

The details of the root of trust to apply to the selected meshes.


Field Description
mgmtServerCa (RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)

Configure a root Certificate Authority shared by all meshes associated with this RootTrustPolicy. If omitted, Gloo Mesh generates a self-signed root certificate.
agentCa (

Configures an intermediate Certificate Authority that the selected meshes use to issue their intermediate certificates. The CA referenced here must itself be able to issue intermediate (CA) certificates.
intermediateCertOptions (

Configuration options for generated intermediate certs.
autoRestartPods (bool)

Whether workload pods are automatically restarted after a certificate is successfully issued, so that they load the newly issued certificates rather than continuing to run with the previous ones.
passiveCertificateAuthorities (repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)

Configure root Certificate Authorities that are trusted for validating certificates but are never used to sign them. During a root rotation, list the outgoing root here so that certificates it issued remain valid until every workload has been reissued under the new active root.


Specify parameters for configuring the root certificate authority for a RootTrustPolicy.

Field Description
generated (

Generate a self-signed root certificate with the given options.
secretRef (

Name of a Kubernetes Secret, in the same namespace as the RootTrustPolicy, that contains the root certificate authority. The certificates in the Secret must conform to the format specified in the Gloo Mesh documentation.
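The following is an added example, not a resource from this page or from the Gloo Mesh project, showing how the Config fields above and the two root-CA sources (generated and secretRef) combine into a root rotation carried out in three successive versions of the same RootTrustPolicy. The apiVersion, the resource and Secret names, the namespace, and the `name` key under secretRef are assumptions for illustration; `generated: {}` is used because this page does not list the generation options, so proto defaults apply.

```yaml
# Version 1: initial root of trust, self-signed and generated by Gloo Mesh.
# apiVersion, names and namespace are assumed for this example.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  applyToMeshes: []          # empty selector: every mesh in the workspace
  config:
    autoRestartPods: true    # restart workloads after a successful issuance
    mgmtServerCa:
      generated: {}          # self-signed root; options not listed on this page
---
# Version 2: rotate to an operator-provided root. The new root becomes the
# active (signing) CA; the old root is kept as a passive CA so certificates it
# issued still validate while workloads are reissued. Both Secrets are assumed
# to live in the gloo-mesh namespace, the same namespace as the policy.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  applyToMeshes: []
  config:
    autoRestartPods: true
    mgmtServerCa:
      secretRef:
        name: root-ca-new    # assumed Secret name; active root, signs new certs
    passiveCertificateAuthorities:
      - secretRef:
          name: root-ca-old  # assumed Secret name; validates only, never signs
---
# Version 3: once every workload has been reissued under root-ca-new (check
# status.observedGeneration == metadata.generation and that pods restarted),
# drop the passive entry so the old root is no longer trusted anywhere.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  applyToMeshes: []
  config:
    autoRestartPods: true
    mgmtServerCa:
      secretRef:
        name: root-ca-new
```

Apply the versions in order, waiting between each for the status section described below to report the current generation as processed; removing the passive root before every workload has been reissued under the new active root breaks validation for any peer still presenting a certificate chained to the old root.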


The status of the policy after it is applied to your Gloo environment.

Field Description
observedGeneration (int64)

The most recent generation observed in the object's metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object.
state (

Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation.