RootTrustPolicy
Proto: root_trust_policy.proto
Package: admin.gloo.solo.io
Types:
- RootTrustPolicySpec
- RootTrustPolicySpec.Config
- RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
- RootTrustPolicyStatus
RootTrustPolicySpec
RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
| Field | Description |
|---|---|
applyToMeshes |
(repeated common.gloo.solo.io.MeshSelector)select the meshes where the root of trust will be applied. If empty, will apply to all Meshes in the workspace. |
config |
(RootTrustPolicySpec.Config)The details of the root of trust to apply to the selected meshes. |
RootTrustPolicySpec.Config
| Field | Description |
|---|---|
mgmtServerCa |
(RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
agentCa |
(tls.security.policy.gloo.solo.io.AgentCertificateAuthority)Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
intermediateCertOptions |
(tls.security.policy.gloo.solo.io.CommonCertOptions)Configuration options for generated intermediate certs. |
autoRestartPods |
(bool)This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance. |
passiveCertificateAuthorities |
(repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be used for validating certificates, but not signing them. This CA can be used to rotate out expiring root certificates. |
RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
Specify parameters for configuring the root certificate authority for a RootTrustPolicy.
| Field | Description |
|---|---|
generated |
(tls.security.policy.gloo.solo.io.CommonCertOptions)Generate a self-signed root certificate with the given options. |
secretRef |
(core.skv2.solo.io.ObjectRef)Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here. |
RootTrustPolicyStatus
The status of the policy after it is applied to your Gloo environment.
| Field | Description |
|---|---|
observedGeneration |
(int64)The most recent generation observed in the object's metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object. |
state |
(common.gloo.solo.io.ApprovalState)Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |