On this page
Self-signed server certificate
Use Gloo Mesh Enterprise self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server.
You can choose to use self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server. The Gloo management server uses this certificate to prove its identity to Gloo agents and to encrypt the traffic between the management server and the agent.
For more information about this option, see Self-signed server TLS certificate.
Do not use self-signed certs for production. This setup is recommended for testing purposes only.
Single cluster
Follow the Install with Helm guide.
In your Helm values file, add the following values.
glooMgmtServer: serviceType: ClusterIP registerCluster: true enabled: true extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" glooAgent: enabled: true relay: serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 extraEnvs: RELAY_TOKEN: value: "My token" RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true"Helm value Description glooMgmtServer.extraEnvs.RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONto true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secretKubernetes secret. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.valueto allow the Gloo agent to connect to the Gloo management server.glooMgmtServer.extraEnvs.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. glooAgent.extraEnvs.RELAY_TOKENUse the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.glooAgent.extraEnvs.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
Multicluster
Follow the Install with Helm guide to set up Gloo Mesh Enterprise.
In your Helm values file for the management server, add the following values.
glooMgmtServer: enabled: true extraEnvs: RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: value: "true" RELAY_TOKEN: value: "My token"Helm value Description RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONto true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in therelay-identity-token-secretKubernetes secret on the management cluster. You must set the same value inglooAgent.extraEnvs.RELAY_TOKEN.valuewhen installing Gloo Mesh Enterprise in a workload cluster to allow Gloo agents to connect to the Gloo management server.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. In your Helm values file for the workload cluster, add the following values.
glooAgent: enabled: true extraEnvs: RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: value: "true" RELAY_TOKEN: value: "My token" telemetryCollector: enabled: true telemetryCollectorCustomization: skipVerify: trueHelm value Description RELAY_TOKENThe relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.valuewhen you installed the Gloo Mesh Enterprise management plane to allow Gloo agents to connect to the Gloo management server.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. telemetryCollectorCustomization.skipVerifySet to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerifyto true on the telemetry collector agent.