BYO server certificate
Use your preferred PKI provider to generate the server TLS certificate for the Gloo management server.
For more information about this option, see Bring your own server TLS certificate.
Single cluster
To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate and certificate chain
Create the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOF
Generate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048
Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"
If it doesn’t already exist, create the
gloo-mesh
namespace.kubectl create namespace gloo-mesh
Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secret-custom
Kubernetes secret. You can use a different name for the secret, but make sure to not userelay-server-tls-secret
as this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt
Store the root CA certificate in the
telemetry-root-secret
Kubernetes secret.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Install Gloo Mesh Enterprise
- Follow the Install with Helm guide.
- In your Helm values file, add the following values.
glooMgmtServer: serviceType: ClusterIP registerCluster: true enabled: true relay: tlsSecret: name: relay-server-tls-secret-custom extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" glooAgent: enabled: true relay: serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run
Helm value Description glooMgmtServer.relay.tlsSecret.name
The name and namespace of the Kubernetes secret where you stored your custom server TLS certificate. glooMgmtServer.extraEnvs.RELAY_TOKEN
Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secret
Kubernetes secret. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.value
to allow the Gloo agent to connect to the Gloo management server.glooMgmtServer.extraEnvs.
RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. glooAgent.extraEnvs.
RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION
Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. telemetryCollector.extraVolumes
Add the telemetry-root-secret
Kubernetes secret that you created earlier to theroot-ca
volume. Make sure that you also add the other volumes to your telemetry collector configuration.
Multicluster
To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Create the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOF
Generate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048
Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"
If it doesn’t already exist, create the
gloo-mesh
namespace in the management cluster.kubectl create namespace gloo-mesh --context $MGMT_CONTEXT
Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secret-custom
Kubernetes secret. You can use a different name for the secret, but make sure to not userelay-server-tls-secret
as this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Create the telemetry pipeline credentials
Use the same credentials for the Gloo telemetry gateway and store them in the
gloo-telemetry-gateway-tls-secret-custom
Kubernetes secret.kubectl create secret generic gloo-telemetry-gateway-tls-secret-custom -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Store the root CA certificate in the
telemetry-root-secret
Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${MGMT_CONTEXT}
kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${REMOTE_CONTEXT1}
Install Gloo Mesh Enterprise
Follow the Install with Helm guide to set up Gloo Mesh Enterprise.
In your Helm values file for the management server, add the following values.
glooMgmtServer: enabled: true relay: tlsSecret: name: relay-server-tls-secret-custom extraEnvs: RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" RELAY_TOKEN: value: "My token" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryGateway: enabled: true extraVolumes: - name: tls-keys secret: secretName: gloo-telemetry-gateway-tls-secret-custom defaultMode: 420 - name: telemetry-configmap configMap: name: gloo-telemetry-gateway-config items: - key: relay path: relay.yaml telemetryGatewayCustomization: disableCertGeneration: true
Helm value Description relay.tlsSecret.name
Add the name of the Kubernetes secret with the custom server TLS secret that you created earlier. RELAY_TOKEN
Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secret
Kubernetes secret on the management cluster. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.value
when you install the Gloo agent to allow the Gloo agent to connect to the Gloo management server.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. telemetryGateway.extraVolumes
Add the gloo-telemetry-gateway-tls-secret-custom
Kubernetes secret that you created earlier to thetls-keys
volume. Make sure that you also add the other volumes to your telemetry gateway configuration.telemetryCollector.extraVolumes
Add the telemetry-root-secret
Kubernetes secret that you created earlier to theroot-ca
volume. Make sure that you also add the other volumes to your telemetry collector configuration.In your Helm values file for the workload cluster, add the following values.
glooAgent: enabled: true extraEnvs: RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true" RELAY_TOKEN: value: "My token" telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryCollectorCustomization: skipVerify: true
Helm value Description RELAY_TOKEN
The relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.value
when you installed the Gloo Mesh Enterprise management plane to allow Gloo agents to connect to the Gloo management server.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION
Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. telemetryCollector.extraVolumes
Add the telemetry-root-secret
Kubernetes secret that you created earlier to theroot-ca
volume. Make sure that you also add the other volumes to your telemetry collector configuration.telemetryCollectorCustomization.skipVerify
Set to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerify
to true on the telemetry collector agent.