Navigation :

OpenSSL

In this approach, you use OpenSSL to manually create a self-signed root CA certificates for your relay architecture. This certificate is then used to generate the server and client TLS certificates.

Although the root CA credentials are not stored on the management cluster, this setup is not recommended for production as it uses self-signed certificates for the root CA and requires you to protect and store your root CA credentials in a secure place. In a production-level setup, you generate and store the root CA with your preferred PKI provider, such as AWS Private CA, Google Cloud CA, or Vault. In addition, you might want to use certificate management tools, such as cert-manager to manage the issuing and renewing of your certificate. For more information about this type of setup, see the AWS or Vault guides.

Create the root CA credentials

Create a self-signed root CA certificate and key.

openssl req -new -newkey rsa:4096 -x509 -sha256 \
 -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
 -subj "/CN=relay-root-ca" \
 -addext "keyUsage = keyCertSign"

Create the server TLS certificate

Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.

If it doesn't already exist, create the gloo-mesh namespace.
```
kubectl create namespace gloo-mesh 
```

Create the configuration for the server TLS certificate.

cat >"relay-server.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = *.gloo-mesh
EOF

Generate the private key for the Gloo management server.
```
openssl genrsa -out "relay-server.key" 2048
```

Generate the certificate signing request for the Gloo management server.

openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"

Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

openssl x509 -req \
 -days 3650 \
 -CA relay-root-ca.crt -CAkey relay-root-ca.key \
 -set_serial 0 \
 -in relay-server.csr -out relay-server.crt \
 -extensions v3_req -extfile "relay-server.conf"

Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.

kubectl create secret generic relay-server-tls-secret -n gloo-mesh \
 --from-file=tls.crt=relay-server.crt \
 --from-file=tls.key=relay-server.key \
 --from-file=ca.crt=relay-root-ca.crt

Create the client TLS certificate

Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.

Create the client TLS certificate configuration.

cat >"${CLUSTER_NAME}.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = ${CLUSTER_NAME}
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${CLUSTER_NAME}
EOF

Generate the private key and certificate signing request (CSR).

# Generate private key
openssl genrsa -out "$CLUSTER_NAME.key" 2048
# Create CSR
openssl req -new -key "$CLUSTER_NAME.key" -out $CLUSTER_NAME.csr -subj "/CN=${CLUSTER_NAME}/O=${CLUSTER_NAME}"

Sign the CSR with the root CA key.

# Sign certificate with root
openssl x509 -req \
  -days 3650 \
  -CA relay-root-ca.crt -CAkey relay-root-ca.key \
  -set_serial 0 \
  -in $CLUSTER_NAME.csr -out $CLUSTER_NAME.crt \
  -extensions v3_req -extfile "$CLUSTER_NAME.conf"

Save the client TLS certificate in the relay-client-tls-cert Kubernetes secret.

kubectl create secret generic relay-client-tls-cert \
  --from-file=tls.key=$CLUSTER_NAME.key \
  --from-file=tls.crt=$CLUSTER_NAME.crt \
  --from-file=ca.crt=relay-root-ca.crt \
  --namespace gloo-mesh

Create the certificate chain for the telemetry collector

Store the root CA certificate in the telemetry-root-secret Kubernetes secret.

kubectl create secret generic telemetry-root-secret \
 --from-file=ca.crt=relay-root-ca.crt \
 --namespace gloo-mesh

Install Gloo Gateway

Follow the Install Gloo Gateway with Helm guide.

In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Gateway and does not require any additional configuration.

glooMgmtServer:
  enabled: true
  registerCluster: true
  relay:
    disableCa: true
    disableCaCertGeneration: true
    disableTokenGeneration: true
    tlsSecret:
      name: relay-server-tls-secret
      namespace: gloo-mesh
    tokenSecret:
      key: null
      name: null
      namespace: null
  serviceType: ClusterIP
glooAgent:
  enabled: true
  relay:
    clientTlsSecret:
      name: relay-client-tls-cert
      namespace: gloo-mesh
    serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
    tokenSecret:
      key: null
      name: null
      namespace: null
telemetryCollector: 
  enabled: true
  extraVolumes: 
    - name: root-ca
      secret:
        defaultMode: 420
        optional: true
        secretName: telemetry-root-secret
    - configMap:
        items:
          - key: relay
            path: relay.yaml
        name: gloo-telemetry-collector-config
      name: telemetry-configmap
    - hostPath:
        path: /var/run/cilium
        type: DirectoryOrCreate
      name: cilium-run

Helm value	Description
`glooMgmtServer.relay.disableCa`	Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent.
`glooMgmtServer.relay.disableCaCertGeneration`	Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
`glooMgmtServer.relay.disableTokenGeneration`	Disable the generation of relay identity tokens.
`glooMgmtServer.relay.tlsSecret`	Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
`glooMgmtServer.relay.tokenSecret`	Set all values to `null` to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.
`glooAgent.relay.clientTlsSecret`	Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier.
`glooAgent.tokenSecret`	Set all values to `null` to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.

Create the root CA credentials

Create a self-signed root CA certificate and key.

openssl req -new -newkey rsa:4096 -x509 -sha256 \
 -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
 -subj "/CN=relay-root-ca" \
 -addext "keyUsage = keyCertSign"

Create the server TLS certificate

Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.

If it doesn't already exist, create the gloo-mesh namespace in each cluster.

kubectl create namespace gloo-mesh --context $MGMT_CONTEXT
kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT1
kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT2

Create the configuration for the server TLS certificate with the *.gloo-mesh wildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.

cat >"relay-server.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = *.gloo-mesh
EOF

Generate the private key for the Gloo management server.
```
openssl genrsa -out "relay-server.key" 2048
```

Generate the certificate signing request for the Gloo management server.

openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"

Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

openssl x509 -req \
 -days 3650 \
 -CA relay-root-ca.crt -CAkey relay-root-ca.key \
 -set_serial 0 \
 -in relay-server.csr -out relay-server.crt \
 -extensions v3_req -extfile "relay-server.conf"

Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.

kubectl create secret generic relay-server-tls-secret -n gloo-mesh \
 --from-file=tls.crt=relay-server.crt \
 --from-file=tls.key=relay-server.key \
 --from-file=ca.crt=relay-root-ca.crt \
 --context ${MGMT_CONTEXT}

Create the client TLS certificate

Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.

Create the client TLS certificate configuration.

cat >"${REMOTE_CLUSTER1}.conf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = ${REMOTE_CLUSTER1}
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${REMOTE_CLUSTER1}
EOF

Generate the private key and certificate signing request (CSR).

# Generate private key
openssl genrsa -out "$REMOTE_CLUSTER1.key" 2048
# Create CSR
openssl req -new -key "$REMOTE_CLUSTER1.key" -out $REMOTE_CLUSTER1.csr -subj "/CN=${REMOTE_CLUSTER1}/O=${REMOTE_CLUSTER1}"

Sign the CSR with the root CA key.

# Sign certificate with root
openssl x509 -req \
  -days 3650 \
  -CA relay-root-ca.crt -CAkey relay-root-ca.key \
  -set_serial 0 \
  -in $REMOTE_CLUSTER1.csr -out $REMOTE_CLUSTER1.crt \
  -extensions v3_req -extfile "$REMOTE_CLUSTER1.conf"

Save the client TLS certificate in the relay-client-tls-secret Kubernetes secret on the workload cluster.

kubectl create secret generic $REMOTE_CLUSTER1-tls-cert \
  --from-file=tls.key=$REMOTE_CLUSTER1.key \
  --from-file=tls.crt=$REMOTE_CLUSTER1.crt \
  --from-file=ca.crt=relay-root-ca.crt \
  --context $REMOTE_CONTEXT1 \
  --namespace gloo-mesh

Repeat this step on each workload cluster.

Create the telemetry pipeline credentials

Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret Kubernetes secret. Using the same credentials is possible, because the configuration for the Gloo management server (relay-server.conf) used a wildcard for the DNS name.
```
kubectl create secret generic gloo-telemetry-gateway-tls-secret -n gloo-mesh \
 --from-file=tls.crt=relay-server.crt \
 --from-file=tls.key=relay-server.key \
 --from-file=ca.crt=relay-root-ca.crt \
 --context ${MGMT_CONTEXT} 
```

Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.

kubectl create secret generic telemetry-root-secret \
 --from-file=ca.crt=relay-root-ca.crt \
 --namespace gloo-mesh \
 --context ${MGMT_CONTEXT}

kubectl create secret generic telemetry-root-secret \
 --from-file=ca.crt=relay-root-ca.crt \
 --namespace gloo-mesh \
 --context ${REMOTE_CONTEXT1}

Install Gloo Gateway

Follow the Install Gloo Gateway in a multicluster setup guide to set up Gloo Gateway.

In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Gateway and does not require any additional configuration.

glooMgmtServer:
  enabled: true
  relay:
    disableCa: true
    disableCaCertGeneration: true
    disableTokenGeneration: true
    tlsSecret:
      name: relay-server-tls-secret
      namespace: gloo-mesh
    tokenSecret:
      key: null
      name: null
      namespace: null
telemetryCollector: 
  enabled: true
  extraVolumes: 
    - name: root-ca
      secret:
        defaultMode: 420
        optional: true
        secretName: telemetry-root-secret
    - configMap:
        items:
          - key: relay
            path: relay.yaml
        name: gloo-telemetry-collector-config
      name: telemetry-configmap
    - hostPath:
        path: /var/run/cilium
        type: DirectoryOrCreate
      name: cilium-run
telemetryGateway:
  enabled: true
  extraVolumes:
  - name: tls-keys
    secret:
      secretName:  gloo-telemetry-gateway-tls-secret
      defaultMode: 420
  - name: telemetry-configmap
    configMap:
      name: gloo-telemetry-gateway-config
      items:
        - key: relay
          path: relay.yaml
telemetryGatewayCustomization:
  disableCertGeneration: true

Helm value	Description
`relay.disableCa`	Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent.
`relay.disableCaCertGeneration`	Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
`relay.disableTokenGeneration`	Disable the generation of relay identity tokens.
`relay.tlsSecret`	Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
`relay.tokenSecret`	Set all values to `null` to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.
`telemetryGateway.extraVolumes`	Add the `gloo-telemetry-gateway-tls-secret` Kubernetes secret that you created earlier to the `tls-keys` volume. Make sure that you also add the other volumes to your telemetry gateway configuration.
`telemetryCollector.extraVolumes`	Add the `telemetry-root-secret` Kubernetes secret that you created earlier to the `root-ca` volume. Make sure that you also add the other volumes to your telemetry collector configuration.

In your Helm values file for the agent, add the following values. Replace with the name of the Kubernetes secret that holds the client TLS certificate, and add the name of the Kubernetes secret that holds the telemetry gateway certificate to the root-ca telemetry collector volume.

glooAgent:
  enabled: true
  relay: 
    tokenSecret:
      # Key value of the data within the Kubernetes secret.
      key: null
      # Name of the Kubernetes secret.
      name: null
      # Namespace of the Kubernetes secret.
      namespace: null
    clientTlsSecret: 
      name: <client-tls-secret-name>
      namespace: gloo-mesh
telemetryCollector:
  enabled: true
  extraVolumes: 
    - name: root-ca
      secret:
        defaultMode: 420
        optional: true
        secretName: telemetry-root-secret
    - configMap:
        items:
          - key: relay
            path: relay.yaml
        name: gloo-telemetry-collector-config
      name: telemetry-configmap
    - hostPath:
        path: /var/run/cilium
        type: DirectoryOrCreate
      name: cilium-run

Helm value	Description
`glooAgent.relay.clientTlsSecret`	Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier.
`glooAgent.relay.tokenSecret`	Set all values to `null` to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.
`telemetryCollector.extraVolumes`	Add the name of the Kubernetes secret that holds the Gloo telemetry gateway certificate that you created earlier to the `root-ca` volume. Make sure that you also add the `configMap` and `hostPath` volumes to your configuration.