RootTrustPolicy
RootTrustPolicy API reference.
Proto: root_trust_policy.proto
Package: admin.gloo.solo.io
A RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. With a RootTrustPolicy, you can set set up an Istio root CA and use that root CA to automatically issue intermediate CA certificates for all your workload clusters that make up your multicluster service mesh. Because all intermediate CA certificates are derived from the same root, your workloads can securely talk to each other, even across cluster boundaries. This approach is also referred to as federated trust.
You have the option to fully or partially manage the Istio CA certificate lifecycle. The option that is right for you depends on the type of environment that you have and the level of control you want to have over the Istio CA certificate lifecycle.
Examples
The following example instructs Test the resilience of your apps by injecting delays and connection failures. to create a self-signed root CA certificate that is valid for 730 days.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
name: root-trust-policy
namespace: gloo-mesh
spec:
config:
mgmtServerCa:
generated:
ttlDays: 730
To bring your own root CA certificate, store the root CA credentials in a Kubernetes secret. Then, reference this secret in your RootTrustPolicy.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
name: istio-ingressgateway
namespace: gloo-mesh
spec:
config:
mgmtServerCa:
secretRef:
name: my-root-trust-cert
namespace: gloo-mesh
Creating a RootTrustPoliy resource triggers the renewal of Istio certificates. If your service mesh uses sidecars, you must restart your applications to apply the latest certificate.
RootTrustPolicySpec
| Field | Description |
|---|---|
applyToMeshes | (repeated common.gloo.solo.io.MeshSelector)select the meshes where the root of trust will be applied. If empty, will apply to all Meshes in the workspace. |
config | (RootTrustPolicySpec.Config)The details of the root of trust to apply to the selected meshes. |
RootTrustPolicySpec.Config
| Field | Description |
|---|---|
mgmtServerCa | (RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
agentCa | (tls.security.policy.gloo.solo.io.AgentCertificateAuthority)Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
intermediateCertOptions | (tls.security.policy.gloo.solo.io.CommonCertOptions)Configuration options for generated intermediate certs. |
autoRestartPods | (bool)This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance. |
passiveCertificateAuthorities | (repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be used for validating certificates, but not signing them. This CA can be used to rotate out expiring root certificates. |
RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
Specify parameters for configuring the root certificate authority for a RootTrustPolicy.
| Field | Description |
|---|---|
generated | (tls.security.policy.gloo.solo.io.CommonCertOptions)Generate a self-signed root certificate with the given options. By default, the root CA is valid for 1 year. |
secretRef | (core.skv2.solo.io.ObjectRef)The name of a Kubernetes secret in the same namespace as the RootTrustPolicy that contains the root certificate authority. Provided certificates must conform to a specified format, documented here. |
RootTrustPolicyStatus
The status of the policy after it is applied to your Gloo environment.
| Field | Description |
|---|---|
observedGeneration | (int64)The most recent generation observed in the object’s metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object. |
state | (common.gloo.solo.io.ApprovalState)Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |