Package :





RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).

| Field | Type | Label | Description |
|---|---|---|---|
| applyToMeshes | [] | repeated | Select the meshes where the root of trust will be applied. If left empty, the policy applies to all Meshes in the workspace. |
| config | | | The details of the root of trust to apply to the selected meshes. |


| Field | Type | Label | Description |
|---|---|---|---|
| mgmtServerCa | | | Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
| agentCa | | | Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
| intermediateCertOptions | | | Configuration options for generated intermediate certs. |
| autoRestartPods | bool | | This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance. |


Specify parameters for configuring the root certificate authority for a RootTrustPolicy.

| Field | Type | Label | Description |
|---|---|---|---|
| generated | | | Generate a self-signed root certificate with the given options. |
| secretRef | | | Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here. |


Reflects the status of the RootTrustPolicy.

| Field | Type | Label | Description |
|---|---|---|---|
| observedGeneration | int64 | | The most recent generation observed in the object's metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object. |
| state | | | Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |
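
A review helper for the fields described above, as an added example that is not part of the Gloo Mesh documentation or code. It assumes the standard Kubernetes layout (the policy fields under `spec`, the status fields under `status`); the function name `review_root_trust_policy` and the sample object are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get ... -o json` output. Placing the
# fields under "spec" and "status" is an assumption (standard Kubernetes layout).
SAMPLE = json.loads("""
{
  "metadata": {"name": "example-root-trust", "generation": 3},
  "spec": {
    "applyToMeshes": [],
    "config": {"mgmtServerCa": {"generated": {}}, "autoRestartPods": false}
  },
  "status": {"observedGeneration": 2}
}
""")


def review_root_trust_policy(obj):
    """Return findings about trust scope, root CA source and rollout state."""
    findings = []
    spec = obj.get("spec") or {}
    config = spec.get("config") or {}
    status = obj.get("status") or {}

    # Empty applyToMeshes: the root of trust applies to every mesh in the workspace.
    if not spec.get("applyToMeshes"):
        findings.append("scope: applies to all meshes in the workspace")

    # No mgmtServerCa, or 'generated': the root is self-signed, not operator-supplied.
    root_ca = config.get("mgmtServerCa")
    if root_ca is None:
        findings.append("root-ca: not provided, Gloo Mesh generates a self-signed root")
    elif "generated" in root_ca:
        findings.append("root-ca: self-signed root generated from the given options")
    elif "secretRef" in root_ca:
        findings.append("root-ca: read from a Secret in the policy's namespace")

    # Without autoRestartPods, workload pods are not restarted after issuance.
    if not config.get("autoRestartPods", False):
        findings.append("rollout: pods are not restarted automatically after issuance")

    # A generation mismatch means the latest edit has not been processed yet.
    if status.get("observedGeneration") != obj.get("metadata", {}).get("generation"):
        findings.append("status: latest version of this object not yet processed")
    return findings


if __name__ == "__main__":
    for line in review_root_trust_policy(SAMPLE):
        print(line)
```
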