Self-signed server certificate

You can let Gloo Gateway generate a self-signed root CA and derive the server TLS certificate for the Gloo management server from it. The management server presents this certificate to Gloo agents and uses it to encrypt the traffic between the management server and the agents. Because the agents do not hold that root CA, they cannot validate the certificate: in this setup the agents skip server certificate validation, and trust between the management server and the agents rests on a shared relay token, as described in the following steps.

For more information about this option, see Self-signed server TLS certificate.

Single cluster

  1. Follow the Install Gloo Gateway with Helm guide.

  2. In your Helm values file, add the following values.

    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      extraEnvs: 
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: 
          value: "true" 
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      extraEnvs:
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: 
          value: "true"
    

    Helm value | Description
    --- | ---
    glooMgmtServer.extraEnvs.RELAY_TOKEN | The relay token that the Gloo management server and agent use to establish initial trust. When RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION is set to true, the connection between the management server and the agent is secured with simple, server-side TLS: only the management server presents a certificate, and the agent's identity is not verified by TLS. The relay token is therefore the only check that keeps untrusted agents from connecting, so treat it as a secret. It can be any string, but use a long, random value (for example 32 random bytes, hex-encoded) rather than a placeholder such as the "My token" shown above: anyone who knows the token and can reach the management server port can register as an agent. The value is stored in the relay-identity-token-secret Kubernetes secret. Set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value so that the Gloo agent can connect to the Gloo management server.
    glooMgmtServer.extraEnvs.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION | Set to true so that the management server does not require a client TLS certificate from the Gloo agent to prove the agent's identity. This setting is required for simple TLS between the management server and the agent.
    glooAgent.extraEnvs.RELAY_TOKEN | Use the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.
    glooAgent.extraEnvs.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION | Set to true so that the agent does not validate the server TLS certificate that the management server presents. This is required with a self-signed server certificate because the agent has no root CA to validate it against. Be aware of what you give up: the agent accepts any certificate at the relay address, so the traffic is encrypted but the server's identity is not verified. A host that can intercept the connection can present its own certificate, and the agent presents the relay token to it. Use this option only where the network path between the agent and the management server is trusted.
Multicluster

  1. Follow the Install Gloo Gateway in a multicluster setup guide.

  2. In your Helm values file for the management server, add the following values.

    glooMgmtServer:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    

    Helm value | Description
    --- | ---
    RELAY_TOKEN | The relay token that the Gloo management server and agent use to establish initial trust. When RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION is set to true, the connection between the management server and the agent is secured with simple, server-side TLS: only the management server presents a certificate, and the agent's identity is not verified by TLS. The relay token is therefore the only check that keeps untrusted agents from connecting, so treat it as a secret and use a long, random value rather than a placeholder such as the "My token" shown above: anyone who knows the token and can reach the management server port from a workload cluster can register as an agent. The value is stored in the relay-identity-token-secret Kubernetes secret on the management cluster. Set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value when you install Gloo Gateway in a workload cluster so that the Gloo agents can connect to the Gloo management server.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION | Set to true so that the management server does not require a client TLS certificate from the Gloo agent to prove the agent's identity. This setting is required for simple TLS between the management server and the agent.
  3. In your Helm values file for the workload cluster, add the following values.

    glooAgent:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector:
      enabled: true
    telemetryCollectorCustomization:
      skipVerify: true
    

    Helm value | Description
    --- | ---
    RELAY_TOKEN | The relay token that establishes initial trust between the Gloo management server and the agent. The agent keeps the token in memory. Use the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.value when you installed the Gloo Gateway management plane; otherwise the agent cannot connect to the management server.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION | Set to true so that the agent does not validate the server TLS certificate that the management server presents. This is required with a self-signed server certificate because the agent has no root CA to validate it against. The agent then accepts any certificate at the relay address: the traffic is encrypted, but the server's identity is not verified, and a host that can intercept the cross-cluster connection can present its own certificate and receive the relay token from the agent. Use this option only where the network path between the workload cluster and the management server is trusted.
    telemetryCollectorCustomization.skipVerify | Set to true so that the telemetry collector does not validate the server certificate that the Gloo telemetry gateway presents. By default, the telemetry gateway serves the same TLS certificate that the management server uses for the relay connection, so with a self-signed server certificate the collector has no root CA to validate it against either and you must set skipVerify to true. The same caveat applies: telemetry traffic is encrypted, but the gateway's identity is not verified.
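The following script, added here as an example and not part of the Gloo Gateway documentation or the Gloo Platform chart, ties the single-cluster and multicluster procedures above together: it generates a random relay token instead of a placeholder, refuses weak tokens, renders the matching management server and agent values from that one token, and can feed them to helm. The Helm repository URL, chart names, release name, gloo-mesh namespace and common.cluster value are assumptions taken from the Helm install guides that the steps link to; the default relay address is the in-cluster one from the single-cluster values above.

```shell
#!/usr/bin/env sh
# Added example, not code from the Gloo Gateway docs or the Gloo Platform chart.
# Generates a random relay token, renders matching Helm values for the
# management server and for an agent, and optionally installs them with helm.
# Assumed (from the install guides this page links to, not shown on this page):
# the gloo-platform Helm repo and charts, release name gloo-platform, namespace
# gloo-mesh and the common.cluster value.
set -eu

# 32 bytes from /dev/urandom, hex-encoded (64 characters). With simple TLS the
# token is the only thing that authenticates an agent, so it must be unguessable.
gen_relay_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Reject an empty token, the "My token" placeholder from the docs and anything
# shorter than 32 characters. Returns 0 if the token is acceptable, 1 otherwise.
check_relay_token() {
    case "$1" in
        ""|"My token") return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# Management cluster values: the server presents its self-signed certificate
# and does not ask the agent for a client certificate. $1 is the relay token.
render_mgmt_values() {
    cat <<EOF
glooMgmtServer:
  enabled: true
  serviceType: ClusterIP
  registerCluster: true
  extraEnvs:
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
      value: "true"
    RELAY_TOKEN:
      value: "$1"
EOF
}

# Workload cluster values: $1 is the relay token, $2 the management server relay
# address (host:port). The agent has no root CA for the self-signed certificate,
# so it skips server certificate validation, and the telemetry collector skips
# verification of the telemetry gateway, which serves the same certificate.
render_agent_values() {
    cat <<EOF
glooAgent:
  enabled: true
  relay:
    serverAddress: $2
  extraEnvs:
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
      value: "true"
    RELAY_TOKEN:
      value: "$1"
telemetryCollector:
  enabled: true
telemetryCollectorCustomization:
  skipVerify: true
EOF
}

# Usage: sh relay-values.sh render|install-mgmt|install-agent <cluster> [<mgmt-address>]
#   render         print both values files to stdout
#   install-mgmt   install the CRDs and the management server in the current kube context
#   install-agent  install the CRDs and the agent in the current kube context
# Set RELAY_TOKEN in the environment to reuse the token already installed on the
# management cluster; otherwise a new one is generated and echoed to stderr so it
# can be carried over to the workload clusters. helm reads values from stdin when
# given -f -, so the token is never written to a file on disk.
relay_main() {
    action="$1"
    cluster="${2:?cluster name required}"
    mgmt_addr="${3:-gloo-mesh-mgmt-server.gloo-mesh:9900}"
    tok="${RELAY_TOKEN:-$(gen_relay_token)}"
    check_relay_token "$tok" || { echo "relay token is missing or too weak" >&2; return 1; }
    echo "relay token: $tok" >&2
    case "$action" in
        render)
            echo "# mgmt-values.yaml"
            render_mgmt_values "$tok"
            echo "# agent-values.yaml"
            render_agent_values "$tok" "$mgmt_addr" ;;
        install-mgmt|install-agent)
            helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
            helm upgrade --install gloo-platform-crds gloo-platform/gloo-platform-crds \
                --namespace gloo-mesh --create-namespace
            if [ "$action" = install-mgmt ]; then
                render_mgmt_values "$tok"
            else
                render_agent_values "$tok" "$mgmt_addr"
            fi | helm upgrade --install gloo-platform gloo-platform/gloo-platform \
                --namespace gloo-mesh --set common.cluster="$cluster" -f - ;;
        *)
            echo "unknown action: $action" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    render|install-mgmt|install-agent) relay_main "$@" ;;
esac
```

Run it once with install-mgmt against the management cluster, note the token it prints, then run it with RELAY_TOKEN set to that value and install-agent against each workload cluster, passing the externally reachable management server address as the third argument. For a single cluster, render both files and merge them into one values file; the default address is the in-cluster service. The token check is deliberately strict because, with server certificate validation disabled on the agent, a strong token is the only secret left in this handshake.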