Self-signed server certificate with managed client certificates
Use self-signed root and intermediate CA certificate credentials to create the server TLS certificate for the Gloo management server and the client TLS certificate for the Gloo agent. The Gloo management server and agents use these certificates to establish a mutual TLS relay connection.
For more information about this setup, see Self-signed CAs with automatic client certificate rotation.
Do not use self-signed certs for production. This setup is recommended for testing purposes only.
Single cluster
- Follow the Install with Helm guide.
- In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Core and does not require any additional configuration.
```yaml
glooMgmtServer:
  enabled: true
glooAgent:
  enabled: true
```
Multicluster
Follow the Install with Helm guide to set up Gloo Mesh Core.
In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Core and does not require any additional configuration.
```yaml
glooMgmtServer:
  enabled: true
```
Get the value of the root CA certificate from the management cluster and create a secret in the workload cluster.
```sh
kubectl get secret relay-root-tls-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
kubectl create secret generic relay-root-tls-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file ca.crt=ca.crt
rm ca.crt
```
Get the relay identity token from the management cluster and create a secret in the workload cluster.
```sh
kubectl get secret relay-identity-token-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.token}' | base64 -d > token
kubectl create secret generic relay-identity-token-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file token=token
rm token
```
In your Helm values file for the agent, add the following values.
```yaml
glooAgent:
  enabled: true
```
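A verification step for the copy commands above, added here as an example and not taken from the Gloo docs or project: it compares the relay root CA held in the management and workload clusters by SHA-256 fingerprint, and flags a copy where `base64 -d` was skipped so the workload cluster holds base64 text wrapped in a second base64 layer. The Secret JSON and the certificate body are constructed placeholders, and `check_relay_copy` and `fingerprint` are assumed helper names.

```python
import base64
import hashlib
import json

# Constructed sample of what `kubectl get secret ... -o json` returns in each
# cluster. The certificate body is a placeholder, not a real relay root CA.
_PEM = (b"-----BEGIN CERTIFICATE-----\n"
        b"MIIBplaceholderRelayRootCAxx\n"
        b"-----END CERTIFICATE-----\n")
_OTHER_PEM = _PEM.replace(b"MIIBplaceholderRelayRootCAxx", b"MIIBsomeOtherCertificateBodyxxxx")

def _secret(raw: bytes) -> str:
    """Build the JSON of a Secret whose data.ca.crt holds `raw` (kubectl base64-encodes it)."""
    return json.dumps({"data": {"ca.crt": base64.b64encode(raw).decode()}})

MGMT_SECRET = _secret(_PEM)                           # management cluster
REMOTE_SECRET_OK = _secret(_PEM)                      # correct copy
REMOTE_SECRET_DOUBLE = _secret(base64.b64encode(_PEM))  # `base64 -d` skipped before --from-file
REMOTE_SECRET_OTHER = _secret(_OTHER_PEM)             # a different CA ended up in the cluster

def decode_field(secret_json: str, key: str) -> bytes:
    """Return the decoded bytes stored under one key of a Secret's .data map."""
    return base64.b64decode(json.loads(secret_json)["data"][key])

def fingerprint(pem: bytes) -> str:
    """SHA-256 over the DER body of the first PEM certificate block."""
    body = pem.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split(b"-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha256(base64.b64decode(b"".join(body.split()))).hexdigest()

def check_relay_copy(mgmt_json: str, remote_json: str) -> str:
    """Compare relay-root-tls-secret across clusters: 'ok', 'double-encoded' or 'mismatch'."""
    mgmt_pem = decode_field(mgmt_json, "ca.crt")
    remote_pem = decode_field(remote_json, "ca.crt")
    if not remote_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        # If one more base64 decode reveals a PEM header, the value was stored still encoded.
        try:
            if base64.b64decode(remote_pem, validate=True).startswith(b"-----BEGIN"):
                return "double-encoded"
        except ValueError:
            pass
        return "mismatch"
    return "ok" if fingerprint(mgmt_pem) == fingerprint(remote_pem) else "mismatch"

if __name__ == "__main__":
    for name, remote in [("ok", REMOTE_SECRET_OK), ("double", REMOTE_SECRET_DOUBLE),
                         ("other", REMOTE_SECRET_OTHER)]:
        print(name, check_relay_copy(MGMT_SECRET, remote))
```

Against real clusters, feed `check_relay_copy` the output of `kubectl get secret relay-root-tls-secret -n gloo-mesh -o json` captured once with `--context $MGMT_CONTEXT` and once with `--context $REMOTE_CONTEXT`.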