OpenSSL
Create your certificates by using OpenSSL and manually provide them to your Gloo management server and agent.
In this approach, you use OpenSSL to manually create a self-signed root CA certificate for your relay architecture. This root CA is then used to sign the server and client TLS certificates.
Although the root CA credentials are not stored on the management cluster, this setup is not recommended for production because it uses a self-signed certificate for the root CA and requires you to protect and store your root CA credentials in a secure place. In a production-level setup, you generate and store the root CA with your preferred PKI provider, such as AWS Private CA, Google Cloud CA, or Vault. In addition, you might want to use certificate management tools, such as cert-manager, to manage the issuing and renewing of your certificates. For more information about this type of setup, see the AWS or Vault guides.
Single cluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
- If it doesn't already exist, create the gloo-mesh namespace.
- Create the configuration for the server TLS certificate.
- Generate the private key for the Gloo management server.
- Generate the certificate signing request for the Gloo management server.
- Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
- Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
- Create the client TLS certificate configuration.
- Generate the private key and certificate signing request (CSR).
- Sign the CSR with the root CA key.
- Save the client TLS certificate in the relay-client-tls-cert Kubernetes secret.
Create the certificate chain for the telemetry collector
- Store the root CA certificate in the telemetry-root-secret Kubernetes secret.
Install Gloo Mesh Enterprise
- Follow the Install with Helm guide.
- In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Enterprise and does not require any additional configuration.

| Helm value | Description |
| --- | --- |
| glooMgmtServer.relay.disableCa | Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. |
| glooMgmtServer.relay.disableCaCertGeneration | Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. |
| glooMgmtServer.relay.disableTokenGeneration | Disable the generation of relay identity tokens. |
| glooMgmtServer.relay.tlsSecret | Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. |
| glooMgmtServer.relay.tokenSecret | Set all values to null to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents. |
| glooAgent.relay.clientTlsSecret | Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. |
| glooAgent.tokenSecret | Set all values to null to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server. |
Multicluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
- If it doesn't already exist, create the gloo-mesh namespace in each cluster.
- Create the configuration for the server TLS certificate with the *.gloo-mesh wildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.
- Generate the private key for the Gloo management server.
- Generate the certificate signing request for the Gloo management server.
- Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
- Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
- Create the client TLS certificate configuration.
- Generate the private key and certificate signing request (CSR).
- Sign the CSR with the root CA key.
- Save the client TLS certificate in the relay-client-tls-secret Kubernetes secret on the workload cluster. Repeat this step on each workload cluster.
Create the telemetry pipeline credentials
- Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret Kubernetes secret. Using the same credentials is possible because the configuration for the Gloo management server (relay-server.conf) used a wildcard for the DNS name.
- Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management cluster and on each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.
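The following script is an added example; it is not part of the Gloo documentation or the Gloo project. It runs the OpenSSL procedure of both the single-cluster and multicluster sections end to end: it creates the self-signed root CA, writes relay-server.conf with the *.gloo-mesh wildcard SAN, derives the server and client certificates from the root CA, verifies each one against the root, and prints (without running) the kubectl commands that load the files into the secrets named above. The common name gloo-relay-root-ca, the extra SAN gloo-mesh-mgmt-server.gloo-mesh, the 365-day validity, the local file names, and the secret key names tls.crt, tls.key and ca.crt are assumptions of this example. The single-cluster section stores the client certificate under the name relay-client-tls-cert rather than relay-client-tls-secret; pass that name as the argument to secret_commands in that case.

```shell
#!/bin/sh
# Added example (not Gloo's own scripts): derive the relay server and client
# certificates from a self-signed root CA with OpenSSL, then check them.
# Names, validity period and secret key names marked below are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch dir; root-ca.key must never leave it
DAYS="${DAYS:-365}"                  # validity chosen for this example
cd "$WORKDIR"

# Step 1: self-signed root CA. Only root-ca.crt is distributed to clusters.
create_root_ca() {
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = v3_ca' '[dn]' 'CN = gloo-relay-root-ca' '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > root-ca.conf
  openssl genrsa -out root-ca.key 2048 2>/dev/null
  openssl req -x509 -new -key root-ca.key -config root-ca.conf -days "$DAYS" -out root-ca.crt
}

# Config for one leaf certificate (the page's relay-server.conf and the client
# config). $1 file, $2 CN, $3 extendedKeyUsage, remaining args: DNS SANs.
write_leaf_conf() {
  conf=$1 cn=$2 eku=$3; shift 3
  {
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = v3_req'
    printf '[dn]\nCN = %s\n' "$cn"
    printf '%s\n' '[v3_req]' 'basicConstraints = critical, CA:FALSE' \
      'keyUsage = critical, digitalSignature, keyEncipherment'
    printf 'extendedKeyUsage = %s\n' "$eku"
    if [ "$#" -gt 0 ]; then
      printf '%s\n' 'subjectAltName = @alt_names' '[alt_names]'
      i=1; for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1)); done
    fi
  } > "$conf"
}

# Private key, CSR, then sign the CSR with the root CA. -extfile/-extensions
# copy the SANs and EKU from the config into the issued certificate; by
# default x509 -req does not carry extensions over from the CSR.
issue_leaf() {
  name=$1 conf=$2
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -config "$conf" -out "$name.csr"
  openssl x509 -req -in "$name.csr" -CA root-ca.crt -CAkey root-ca.key -CAcreateserial \
    -days "$DAYS" -extfile "$conf" -extensions v3_req -out "$name.crt" 2>/dev/null
}

# Checks to run before loading anything into Kubernetes.
verify_chain() { openssl verify -CAfile root-ca.crt "$1" >/dev/null 2>&1; }
cert_has() { openssl x509 -in "$1" -noout -text | grep -qF -- "$2" && echo yes || echo no; }

# kubectl commands (printed, not run) for the secrets the page names.
# $1: client secret name (relay-client-tls-cert in the single-cluster section).
# The key names tls.crt / tls.key / ca.crt are an assumption of this example.
secret_commands() {
  client_secret=${1:-relay-client-tls-secret}
  cat <<EOF
kubectl create namespace gloo-mesh --dry-run=client -o yaml | kubectl apply -f -
kubectl -n gloo-mesh create secret generic relay-server-tls-secret \\
  --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=root-ca.crt
kubectl -n gloo-mesh create secret generic $client_secret \\
  --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=root-ca.crt
kubectl -n gloo-mesh create secret generic gloo-telemetry-gateway-tls-secret \\
  --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=root-ca.crt
kubectl -n gloo-mesh create secret generic telemetry-root-secret --from-file=ca.crt=root-ca.crt
EOF
}

run_all() {
  create_root_ca
  # Server: the *.gloo-mesh wildcard lets the same certificate serve the
  # telemetry gateway; the second SAN is an assumed in-cluster service name.
  write_leaf_conf relay-server.conf gloo-mesh-mgmt-server serverAuth \
    '*.gloo-mesh' 'gloo-mesh-mgmt-server.gloo-mesh'
  issue_leaf server relay-server.conf
  # Agent: clientAuth EKU and a CN only (assumption; add SANs if your policy needs them).
  write_leaf_conf relay-client.conf gloo-mesh-agent clientAuth
  issue_leaf client relay-client.conf
  verify_chain server.crt && verify_chain client.crt
}
run_all
```

secret_commands only prints the kubectl commands so that the script stays offline; run its output on a machine with access to the target cluster, and in the multicluster setup repeat the client-secret and telemetry-root-secret commands on every workload cluster. verify_chain deliberately does not pass -verify_hostname: OpenSSL's own hostname matcher requires at least two labels to the right of a wildcard and therefore rejects *.gloo-mesh, so inspect the SANs with cert_has instead. Once the certificates are loaded, move root-ca.key to the secure store the introduction asks for and delete the scratch directory.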
Install Gloo Mesh Enterprise
- Follow the Install with Helm guide to set up Gloo Mesh Enterprise.
- In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Enterprise and does not require any additional configuration.

| Helm value | Description |
| --- | --- |
| relay.disableCa | Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. |
| relay.disableCaCertGeneration | Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. |
| relay.disableTokenGeneration | Disable the generation of relay identity tokens. |
| relay.tlsSecret | Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. |
| relay.tokenSecret | Set all values to null to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents. |
| telemetryGateway.extraVolumes | Add the gloo-telemetry-gateway-tls-secret Kubernetes secret that you created earlier to the tls-keys volume. Make sure that you also add the other volumes to your telemetry gateway configuration. |
| telemetryCollector.extraVolumes | Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration. |

- In your Helm values file for the agent, add the following values. Replace the placeholder value with the name of the Kubernetes secret that holds the client TLS certificate, and add the name of the Kubernetes secret that holds the telemetry gateway certificate to the root-ca telemetry collector volume.

| Helm value | Description |
| --- | --- |
| glooAgent.relay.clientTlsSecret | Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. |
| glooAgent.relay.tokenSecret | Set all values to null to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server. |
| telemetryCollector.extraVolumes | Add the name of the Kubernetes secret that holds the Gloo telemetry gateway certificate that you created earlier to the root-ca volume. Make sure that you also add the configMap and hostPath volumes to your configuration. |