Proto: root_trust_policy.proto

Package: admin.gloo.solo.io

A RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. With a RootTrustPolicy, you can set set up an Istio root CA and use that root CA to automatically issue intermediate CA certificates for all your workload clusters that make up your multicluster service mesh. Because all intermediate CA certificates are derived from the same root, your workloads can securely talk to each other, even across cluster boundaries. This approach is also referred to as federated trust.

You have the option to fully or partially manage the Istio CA certificate lifecycle. The option that is right for you depends on the type of environment that you have and the level of control you want to have over the Istio CA certificate lifecycle.

Examples

The following example instructs Test the resilience of your apps by injecting delays and connection failures. to create a self-signed root CA certificate that is valid for 730 days.

  apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
 name: root-trust-policy
 namespace: gloo-mesh
spec:
  config:
    mgmtServerCa:
      generated:
        ttlDays: 730
  

To bring your own root CA certificate, store the root CA credentials in a Kubernetes secret. Then, reference this secret in your RootTrustPolicy.

  apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: istio-ingressgateway
  namespace: gloo-mesh
spec:
  config:
    mgmtServerCa:
      secretRef:
        name: my-root-trust-cert
        namespace: gloo-mesh
  

Types:

RootTrustPolicySpec

FieldDescription
applyToMeshes(repeated common.gloo.solo.io.MeshSelector)

select the meshes where the root of trust will be applied. if left empty, will apply to all Meshes in the workspace.
config(RootTrustPolicySpec.Config)

The details of the root of trust to apply to the selected meshes.

RootTrustPolicySpec.Config

FieldDescription
mgmtServerCa(RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)

Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh.
agentCa(tls.security.policy.gloo.solo.io.AgentCertificateAuthority)

Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates.
intermediateCertOptions(tls.security.policy.gloo.solo.io.CommonCertOptions)

Configuration options for generated intermediate certs.
autoRestartPods(bool)

This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance.
passiveCertificateAuthorities(repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)

Configure a Root Certificate Authority which will be used for validating certificates, but not signing them. This CA can be used to rotate out expiring root certificates.

RootTrustPolicySpec.Config.MgmtServerCertificateAuthority

Specify parameters for configuring the root certificate authority for a RootTrustPolicy.

FieldDescription
generated(tls.security.policy.gloo.solo.io.CommonCertOptions)

Generate a self-signed root certificate with the given options.
secretRef(core.skv2.solo.io.ObjectRef)

Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here.

RootTrustPolicyStatus

FieldDescription
observedGeneration(int64)

The most recent generation observed in the object’s metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object.
state(common.gloo.solo.io.ApprovalState)

Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation.