# RootTrustPolicy
Proto: root_trust_policy.proto
Package: admin.gloo.solo.io
Types:
- RootTrustPolicySpec
- RootTrustPolicySpec.Config
- RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
- RootTrustPolicyStatus
## RootTrustPolicySpec
RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
Field | Description |
---|---|
applyToMeshes | (repeated common.gloo.solo.io.MeshSelector) Select the meshes where the root of trust will be applied. If left empty, the policy applies to all meshes in the workspace. |
config | (RootTrustPolicySpec.Config) The details of the root of trust to apply to the selected meshes. |
## RootTrustPolicySpec.Config
Field | Description |
---|---|
mgmtServerCa | (RootTrustPolicySpec.Config.MgmtServerCertificateAuthority) Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
agentCa | (tls.security.policy.gloo.solo.io.AgentCertificateAuthority) Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
intermediateCertOptions | (tls.security.policy.gloo.solo.io.CommonCertOptions) Configuration options for generated intermediate certs. |
autoRestartPods | (bool) This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance. |
passiveCertificateAuthorities | (repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority) Configure a Root Certificate Authority which will be used for validating certificates, but not signing them. This CA can be used to rotate out expiring root certificates. |
## RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
Specify parameters for configuring the root certificate authority for a RootTrustPolicy.
Field | Description |
---|---|
generated | (tls.security.policy.gloo.solo.io.CommonCertOptions) Generate a self-signed root certificate with the given options. |
secretRef | (core.skv2.solo.io.ObjectRef) Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here. |
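The following manifest is an added example, not taken from the Gloo Mesh documentation or project: it shows a RootTrustPolicy in the middle of a root rotation, with the incoming root in mgmtServerCa and the outgoing root kept in passiveCertificateAuthorities so intermediates signed by the old root remain verifiable until every mesh has re-issued. The apiVersion (admin.gloo.solo.io/v2), the CommonCertOptions field names (ttlDays, rsaKeySizeBytes, orgName) and the Secret names are assumptions.

```yaml
# Added example (not from the Gloo Mesh docs): a RootTrustPolicy mid-rotation.
# Assumed: apiVersion admin.gloo.solo.io/v2 and the CommonCertOptions fields
# ttlDays / rsaKeySizeBytes / orgName. Secret names are placeholders.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  # applyToMeshes omitted: the policy applies to every mesh in the workspace.
  config:
    # The root that signs new intermediates (the incoming root during rotation).
    # The Secret must live in the same namespace as this policy.
    mgmtServerCa:
      secretRef:
        name: root-ca-new            # placeholder Secret name
        namespace: gloo-mesh
    # The outgoing root is kept for validation only (never signing), so peers
    # still holding intermediates from the old root keep verifying each other.
    passiveCertificateAuthorities:
      - secretRef:
          name: root-ca-old          # placeholder Secret name
          namespace: gloo-mesh
    # Short-lived intermediates bound how long a leaked intermediate key stays
    # useful and how long the passive root must remain listed.
    intermediateCertOptions:
      ttlDays: 30
      rsaKeySizeBytes: 4096
      orgName: example-org
    # Restart workload pods after a successful issuance so they load the new chain.
    autoRestartPods: true
```

After applying the policy, wait until status.observedGeneration equals metadata.generation and status.state reports acceptance before removing the passive entry for the old root.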
## RootTrustPolicyStatus
Field | Description |
---|---|
observedGeneration | (int64) The most recent generation observed in the object's metadata. If observedGeneration does not match metadata.generation, Gloo Mesh has not yet processed the most recent version of this object. |
state | (common.gloo.solo.io.ApprovalState) Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |