BYO server certificate

Use your preferred PKI provider to generate the server TLS certificate for the Gloo management server.

For more information about this option, see Bring your own server TLS certificate.

Step 1: Create a server TLS certificate

To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use a tool such as OpenSSL to generate the root CA certificate and key, as described in this guide.

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
    openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
    

Create the server TLS certificate and certificate chain

  1. Create the configuration for the server TLS certificate.

    cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
    
  2. Generate the private key for the Gloo management server.

    openssl genrsa -out "relay-server.key" 2048
    
  3. Generate the certificate signing request for the Gloo management server.

    openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
    
  4. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

    openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
    
  5. If it doesn't already exist, create the gloo-mesh namespace.

    kubectl create namespace gloo-mesh 
    
  6. Store the server TLS certificate, private key, and root CA certificate in the relay-server-tls-secret-custom Kubernetes secret. You can use a different name for the secret, but do not use relay-server-tls-secret, because the Gloo management server reserves that name for the self-signed root CA and server TLS certificates that it creates itself.

    kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt 
    
  7. Store the root CA certificate in the telemetry-root-secret Kubernetes secret.

    kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh
    

Step 2: Install Gloo Gateway

  1. Follow the Install Gloo Gateway with Helm guide.
  2. In your Helm values file, add the following values.
    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      relay: 
        tlsSecret:
          name: relay-server-tls-secret-custom
      extraEnvs: 
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: 
          value: "true" 
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      extraEnvs:
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: 
          value: "true"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    
    Helm value Description
    glooMgmtServer.relay.tlsSecret.name The name and namespace of the Kubernetes secret where you stored your custom server TLS certificate.
    glooMgmtServer.extraEnvs.RELAY_TOKEN Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Gateway and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value to allow the Gloo agent to connect to the Gloo management server.
    glooMgmtServer.extraEnvs.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent's identity and establish the connection with the management server.
    glooAgent.extraEnvs.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
    telemetryCollector.extraVolumes Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.

Step 1: Create a server TLS certificate

To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use a tool such as OpenSSL to generate the root CA certificate and key, as described in this guide.

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
    openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
    

Create the server TLS certificate

  1. Create the configuration for the server TLS certificate.

    cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
    
  2. Generate the private key for the Gloo management server.

    openssl genrsa -out "relay-server.key" 2048
    
  3. Generate the certificate signing request for the Gloo management server.

    openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
    
  4. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

    openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
    
  5. If it doesn't already exist, create the gloo-mesh namespace in the management cluster.

    kubectl create namespace gloo-mesh --context ${MGMT_CONTEXT}
    
  6. Store the server TLS certificate, private key, and root CA certificate in the relay-server-tls-secret-custom Kubernetes secret. You can use a different name for the secret, but do not use relay-server-tls-secret, because the Gloo management server reserves that name for the self-signed root CA and server TLS certificates that it creates itself.

    kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
    

Create the telemetry pipeline credentials

  1. Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret-custom Kubernetes secret.

    kubectl create secret generic gloo-telemetry-gateway-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
    
  2. Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.

    kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${MGMT_CONTEXT} 
    
    kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${REMOTE_CONTEXT1} 
    
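The two Step 1 procedures above (single cluster and multicluster) produce the same pair of artifacts: a self-signed root CA with keyCertSign, and a CA:FALSE server certificate for *.gloo-mesh with serverAuth and clientAuth. The following Go program is an added example, not code from the Gloo documentation or product: it builds the same two certificates in memory with the standard library and then runs the check a verifying client would perform with ca.crt from the secret, chaining the server certificate to the root CA and matching it against a DNS name. The host names other than gloo-mesh-mgmt-server.gloo-mesh (which appears in the Helm values above) and the serial numbers are constructed for the example; key sizes are 2048 bits to keep it fast, where the guide uses 4096 for the root.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RelayPKI holds the two artifacts the guide produces with openssl:
// the self-signed root CA (relay-root-ca.crt) and the server certificate
// (relay-server.crt) that chains to it.
type RelayPKI struct {
	RootCA *x509.Certificate
	Server *x509.Certificate
}

// BuildRelayPKI reproduces the guide's openssl steps in memory:
//   - a self-signed root CA for CN=relay-root-ca with keyUsage keyCertSign
//   - a server certificate for CN=*.gloo-mesh, SAN DNS:*.gloo-mesh,
//     basicConstraints CA:FALSE, keyUsage digitalSignature+keyEncipherment,
//     extendedKeyUsage serverAuth+clientAuth, signed by that root CA.
// Serial numbers 1 and 2 are constructed values for this example.
func BuildRelayPKI() (*RelayPKI, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().Add(-time.Minute)
	notAfter := notBefore.Add(3650 * 24 * time.Hour) // matches -days 3650
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "relay-root-ca"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "*.gloo-mesh"},
		DNSNames:              []string{"*.gloo-mesh"}, // subjectAltName from relay-server.conf
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  false, // basicConstraints = CA:FALSE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, err
	}
	return &RelayPKI{RootCA: caCert, Server: srvCert}, nil
}

// VerifyServerName is the check a client makes when it does validate the
// server certificate with ca.crt from the secret: build a chain to the root
// CA and match host against the certificate's SAN entries for serverAuth.
func (p *RelayPKI) VerifyServerName(host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.RootCA)
	_, err := p.Server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := BuildRelayPKI()
	if err != nil {
		panic(err)
	}
	// The service name from the Helm values is one label under gloo-mesh, so the
	// wildcard SAN covers it; a service in another namespace or a deeper name
	// (constructed examples) is not covered and fails verification.
	for _, host := range []string{
		"gloo-mesh-mgmt-server.gloo-mesh",
		"gloo-mesh-mgmt-server.other",
		"svc.gloo-mesh-mgmt-server.gloo-mesh",
	} {
		fmt.Printf("%-38s %v\n", host, p.VerifyServerName(host))
	}
}
```

The negative cases show why the SAN in relay-server.conf is *.gloo-mesh: a wildcard matches exactly one DNS label, so the certificate is valid for services in the gloo-mesh namespace and nothing else. You can make the same checks on the files the guide produces with openssl verify -CAfile relay-root-ca.crt relay-server.crt and openssl x509 -in relay-server.crt -noout -ext subjectAltName,basicConstraints.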

Step 2: Install Gloo Gateway

  1. Follow the Install Gloo Gateway in a multicluster setup guide to set up Gloo Gateway.

  2. In your Helm values file for the management server, add the following values.

    glooMgmtServer:
      enabled: true
      relay:
        tlsSecret:
          name: relay-server-tls-secret-custom
      extraEnvs:
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    telemetryGateway:
      enabled: true
      extraVolumes:
      - name: tls-keys
        secret:
          secretName:  gloo-telemetry-gateway-tls-secret-custom
          defaultMode: 420
      - name: telemetry-configmap
        configMap:
          name: gloo-telemetry-gateway-config
          items:
            - key: relay
              path: relay.yaml
    telemetryGatewayCustomization:
      disableCertGeneration: true
    
    Helm value Description
    relay.tlsSecret.name Add the name of the Kubernetes secret that holds the custom server TLS certificate that you created earlier.
    RELAY_TOKEN Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Gateway and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret on the management cluster. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value when you install the Gloo agent to allow the Gloo agent to connect to the Gloo management server.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent's identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.
    telemetryGateway.extraVolumes Add the gloo-telemetry-gateway-tls-secret-custom Kubernetes secret that you created earlier to the tls-keys volume. Make sure that you also add the other volumes to your telemetry gateway configuration.
    telemetryCollector.extraVolumes Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
  3. In your Helm values file for the workload cluster, add the following values.

    glooAgent:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    telemetryCollectorCustomization:
      skipVerify: true
    
    Helm value Description
    RELAY_TOKEN The relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.value when you installed the Gloo Gateway management plane to allow Gloo agents to connect to the Gloo management server.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
    telemetryCollector.extraVolumes Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
    telemetryCollectorCustomization.skipVerify Set to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerify to true on the telemetry collector agent.