OpenSSL
Create your certificates by using OpenSSL and manually provide them to your Gloo management server and agent.
In this approach, you use OpenSSL to manually create a self-signed root CA certificates for your relay architecture. This certificate is then used to generate the server and client TLS certificates.
Although the root CA credentials are not stored on the management cluster, this setup is not recommended for production as it uses self-signed certificates for the root CA and requires you to protect and store your root CA credentials in a secure place. In a production-level setup, you generate and store the root CA with your preferred PKI provider, such as AWS Private CA, Google Cloud CA, or Vault. In addition, you might want to use certificate management tools, such as cert-manager to manage the issuing and renewing of your certificate. For more information about this type of setup, see the AWS or Vault guides.
Single cluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
If it doesn’t already exist, create the
gloo-meshnamespace.kubectl create namespace gloo-meshCreate the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOFGenerate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secretKubernetes secret.kubectl create secret generic relay-server-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
Create the client TLS certificate configuration.
cat >"${CLUSTER_NAME}.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] commonName = ${CLUSTER_NAME} [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = ${CLUSTER_NAME} EOFGenerate the private key and certificate signing request (CSR).
# Generate private key openssl genrsa -out "$CLUSTER_NAME.key" 2048 # Create CSR openssl req -new -key "$CLUSTER_NAME.key" -out $CLUSTER_NAME.csr -subj "/CN=${CLUSTER_NAME}/O=${CLUSTER_NAME}"Sign the CSR with the root CA key.
# Sign certificate with root openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in $CLUSTER_NAME.csr -out $CLUSTER_NAME.crt \ -extensions v3_req -extfile "$CLUSTER_NAME.conf"Save the client TLS certificate in the
relay-client-tls-certKubernetes secret.kubectl create secret generic relay-client-tls-cert \ --from-file=tls.key=$CLUSTER_NAME.key \ --from-file=tls.crt=$CLUSTER_NAME.crt \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Create the certificate chain for the telemetry collector
- Store the root CA certificate in the
telemetry-root-secretKubernetes secret.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Install Gloo Mesh Core
- Follow the Install with Helm guide.
- In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Core and does not require any additional configuration.
glooMgmtServer: enabled: true registerCluster: true relay: disableCa: true disableCaCertGeneration: true disableTokenGeneration: true tlsSecret: name: relay-server-tls-secret namespace: gloo-mesh tokenSecret: key: null name: null namespace: null serviceType: ClusterIP glooAgent: enabled: true relay: clientTlsSecret: name: relay-client-tls-cert namespace: gloo-mesh serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 tokenSecret: key: null name: null namespace: null telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-runHelm value Description glooMgmtServer.relay.disableCaDisable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. glooMgmtServer.relay.disableCaCertGenerationDisable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. glooMgmtServer.relay.disableTokenGenerationDisable the generation of relay identity tokens. glooMgmtServer.relay.tlsSecretAdd the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. glooMgmtServer.relay.tokenSecretSet all values to nullto instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.glooAgent.relay.clientTlsSecretAdd the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. glooAgent.tokenSecretSet all values to nullto instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.
Multicluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
If it doesn’t already exist, create the
gloo-meshnamespace in each cluster.kubectl create namespace gloo-mesh --context $MGMT_CONTEXT kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT1 kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT2Create the configuration for the server TLS certificate with the
*.gloo-meshwildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOFGenerate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secretKubernetes secret.kubectl create secret generic relay-server-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
Create the client TLS certificate configuration.
cat >"${REMOTE_CLUSTER1}.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] commonName = ${REMOTE_CLUSTER1} [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = ${REMOTE_CLUSTER1} EOFGenerate the private key and certificate signing request (CSR).
# Generate private key openssl genrsa -out "$REMOTE_CLUSTER1.key" 2048 # Create CSR openssl req -new -key "$REMOTE_CLUSTER1.key" -out $REMOTE_CLUSTER1.csr -subj "/CN=${REMOTE_CLUSTER1}/O=${REMOTE_CLUSTER1}"Sign the CSR with the root CA key.
# Sign certificate with root openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in $REMOTE_CLUSTER1.csr -out $REMOTE_CLUSTER1.crt \ -extensions v3_req -extfile "$REMOTE_CLUSTER1.conf"Save the client TLS certificate in the
relay-client-tls-secretKubernetes secret on the workload cluster.kubectl create secret generic $REMOTE_CLUSTER1-tls-cert \ --from-file=tls.key=$REMOTE_CLUSTER1.key \ --from-file=tls.crt=$REMOTE_CLUSTER1.crt \ --from-file=ca.crt=relay-root-ca.crt \ --context $REMOTE_CONTEXT1 \ --namespace gloo-meshRepeat this step on each workload cluster.
Create the telemetry pipeline credentials
Use the same credentials for the Gloo telemetry gateway and store them in the
gloo-telemetry-gateway-tls-secretKubernetes secret. Using the same credentials is possible, because the configuration for the Gloo management server (relay-server.conf) used a wildcard for the DNS name.kubectl create secret generic gloo-telemetry-gateway-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}Store the root CA certificate in the
telemetry-root-secretKubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${MGMT_CONTEXT}kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${REMOTE_CONTEXT1}
Install Gloo Mesh Core
Follow the Install with Helm guide to set up Gloo Mesh Core.
In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Core and does not require any additional configuration.
glooMgmtServer: enabled: true relay: disableCa: true disableCaCertGeneration: true disableTokenGeneration: true tlsSecret: name: relay-server-tls-secret namespace: gloo-mesh tokenSecret: key: null name: null namespace: null telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryGateway: enabled: true extraVolumes: - name: tls-keys secret: secretName: gloo-telemetry-gateway-tls-secret defaultMode: 420 - name: telemetry-configmap configMap: name: gloo-telemetry-gateway-config items: - key: relay path: relay.yaml telemetryGatewayCustomization: disableCertGeneration: trueHelm value Description relay.disableCaDisable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. relay.disableCaCertGenerationDisable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. relay.disableTokenGenerationDisable the generation of relay identity tokens. relay.tlsSecretAdd the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. relay.tokenSecretSet all values to nullto instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.telemetryGateway.extraVolumesAdd the gloo-telemetry-gateway-tls-secretKubernetes secret that you created earlier to thetls-keysvolume. Make sure that you also add the other volumes to your telemetry gateway configuration.telemetryCollector.extraVolumesAdd the telemetry-root-secretKubernetes secret that you created earlier to theroot-cavolume. Make sure that you also add the other volumes to your telemetry collector configuration.In your Helm values file for the agent, add the following values. Replace
with the name of the Kubernetes secret that holds the client TLS certificate, and add the name of the Kubernetes secret that holds the telemetry gateway certificate to the root-catelemetry collector volume.glooAgent: enabled: true relay: tokenSecret: # Key value of the data within the Kubernetes secret. key: null # Name of the Kubernetes secret. name: null # Namespace of the Kubernetes secret. namespace: null clientTlsSecret: name: <client-tls-secret-name> namespace: gloo-mesh telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-runHelm value Description glooAgent.relay.clientTlsSecretAdd the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. glooAgent.relay.tokenSecretSet all values to nullto instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.telemetryCollector.extraVolumesAdd the name of the Kubernetes secret that holds the Gloo telemetry gateway certificate that you created earlier to the root-cavolume. Make sure that you also add theconfigMapandhostPathvolumes to your configuration.