BYO server certificate
Use your preferred PKI provider to generate the server TLS certificate for the Gloo management server.
For more information about this option, see Bring your own server TLS certificate.
Single cluster
To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate and certificate chain
Create the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOFGenerate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"If it doesn’t already exist, create the
gloo-meshnamespace.kubectl create namespace gloo-meshStore the server TLS certificate, private key, and root CA in the
relay-server-tls-secret-customKubernetes secret. You can use a different name for the secret, but make sure to not userelay-server-tls-secretas this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crtStore the root CA certificate in the
telemetry-root-secretKubernetes secret.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Install Gloo Mesh Enterprise
- Follow the Install with Helm guide.
- In your Helm values file, add the following values.
glooMgmtServer: serviceType: ClusterIP registerCluster: true enabled: true relay: tlsSecret: name: relay-server-tls-secret-custom extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" glooAgent: enabled: true relay: serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-runHelm value Description glooMgmtServer.relay.tlsSecret.nameThe name and namespace of the Kubernetes secret where you stored your custom server TLS certificate. glooMgmtServer.extraEnvs.RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONto true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secretKubernetes secret. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.valueto allow the Gloo agent to connect to the Gloo management server.glooMgmtServer.extraEnvs.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. glooAgent.extraEnvs.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. telemetryCollector.extraVolumesAdd the telemetry-root-secretKubernetes secret that you created earlier to theroot-cavolume. Make sure that you also add the other volumes to your telemetry collector configuration.
Multicluster
To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Create the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOFGenerate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"If it doesn’t already exist, create the
gloo-meshnamespace in the management cluster.kubectl create namespace gloo-mesh --context $MGMT_CONTEXTStore the server TLS certificate, private key, and root CA in the
relay-server-tls-secret-customKubernetes secret. You can use a different name for the secret, but make sure to not userelay-server-tls-secretas this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Create the telemetry pipeline credentials
Use the same credentials for the Gloo telemetry gateway and store them in the
gloo-telemetry-gateway-tls-secret-customKubernetes secret.kubectl create secret generic gloo-telemetry-gateway-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}Store the root CA certificate in the
telemetry-root-secretKubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${MGMT_CONTEXT}kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${REMOTE_CONTEXT1}
Install Gloo Mesh Enterprise
Follow the Install with Helm guide to set up Gloo Mesh Enterprise.
In your Helm values file for the management server, add the following values.
glooMgmtServer: enabled: true relay: tlsSecret: name: relay-server-tls-secret-custom extraEnvs: RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" RELAY_TOKEN: value: "My token" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryGateway: enabled: true extraVolumes: - name: tls-keys secret: secretName: gloo-telemetry-gateway-tls-secret-custom defaultMode: 420 - name: telemetry-configmap configMap: name: gloo-telemetry-gateway-config items: - key: relay path: relay.yaml telemetryGatewayCustomization: disableCertGeneration: trueHelm value Description relay.tlsSecret.nameAdd the name of the Kubernetes secret with the custom server TLS secret that you created earlier. RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONto true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secretKubernetes secret on the management cluster. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.valuewhen you install the Gloo agent to allow the Gloo agent to connect to the Gloo management server.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. telemetryGateway.extraVolumesAdd the gloo-telemetry-gateway-tls-secret-customKubernetes secret that you created earlier to thetls-keysvolume. Make sure that you also add the other volumes to your telemetry gateway configuration.telemetryCollector.extraVolumesAdd the telemetry-root-secretKubernetes secret that you created earlier to theroot-cavolume. Make sure that you also add the other volumes to your telemetry collector configuration.In your Helm values file for the workload cluster, add the following values.
glooAgent: enabled: true extraEnvs: RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true" RELAY_TOKEN: value: "My token" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryCollectorCustomization: skipVerify: trueHelm value Description RELAY_TOKENThe relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.valuewhen you installed the Gloo Mesh Enterprise management plane to allow Gloo agents to connect to the Gloo management server.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. telemetryCollector.extraVolumesAdd the telemetry-root-secretKubernetes secret that you created earlier to theroot-cavolume. Make sure that you also add the other volumes to your telemetry collector configuration.telemetryCollectorCustomization.skipVerifySet to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerifyto true on the telemetry collector agent.