Self-signed server certificate with managed client certificates

You can use self-signed certificates generated by Gloo Gateway for the root CA and intermediate CA, and derive from them the server TLS certificate for the Gloo management server and the client TLS certificates for the Gloo agents. The management server and agents use these certificates to establish a mutual TLS (mTLS) relay connection.

For more information about this setup, see Self-signed CAs with automatic client certificate rotation.

  For a single-cluster setup:

  1. Follow the Install Gloo Gateway with Helm guide.
  2. In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Gateway and does not require any additional configuration.

    glooMgmtServer:
      enabled: true
    glooAgent:
      enabled: true

  For a multicluster setup:

  1. Follow the Install Gloo Gateway in a multicluster setup guide to set up Gloo Gateway.

  2. In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Gateway and does not require any additional configuration.

    glooMgmtServer:
      enabled: true

  3. Get the value of the root CA certificate from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-root-tls-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
    kubectl create secret generic relay-root-tls-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file ca.crt=ca.crt
    rm ca.crt

  4. Get the relay identity token from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-identity-token-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.token}' | base64 -d > token
    kubectl create secret generic relay-identity-token-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file token=token
    rm token

  5. In your Helm values file for the agent, add the following values.

    glooAgent:
      enabled: true