Package :



Table of Contents


IssuedCertificates are used to issue SSL certificates to workload Kubernetes clusters from a central (out-of-cluster) Certificate Authority.
When an IssuedCertificate is created, a certificate is issued to a workload cluster by a central Certificate Authority via the following workflow:
1. The Certificate Issuer creates the IssuedCertificate resource on the remote cluster 2. The Certificate Signature Requesting agent installed to the remote cluster generates a Certificate Signing Request (CSR) and writes it to the status of the IssuedCertificate 3. Finally, the Certificate Issuer generates a signed certificate for the CSR and writes it back as Kubernetes Secret in the remote cluster.
Trust can therefore be established across the Gloo Mesh server cluster and agents on workload clusters without requiring private keys to ever leave workload clusters.
The certificate requested here is for Gloo Mesh agents on workload clusters to securely establish communication with Gloo Mesh server. This is not related to certificates for services running in the mesh.

Field Type Label Description
hosts []string repeated A list of hostnames and IPs to generate a certificate for. This can also be set to the identity running the workload, e.g. a Kubernetes service account.
Generally for an Istio CA this will take the form spiffe://cluster.local/ns/istio-system/sa/citadel.
"cluster.local” may be replaced by the root of trust domain for the mesh.
issuedCertificateSecret The secret containing the SSL certificate to be generated for this IssuedCertificate (located in the Gloo Mesh agent's cluster). If nil, the sidecar agent stores the signing certificate in memory. (Enterprise only)
certOptions Set of options to configure the intermediate certificate being generated
mgmtServerCa Gloo Mesh CA options
agentCa Agent CA options
meshRef Reference to the mesh on which this cert is being issued for.
autoRestartPods bool Signals whether or not the workload pods should be restarted to pick up the new cert.


The IssuedCertificate status is written by the CertificateRequesting agent.

Field Type Label Description
observedGeneration int64 The most recent generation observed in the the IssuedCertificate metadata. If the observedGeneration does not match metadata.generation, the Gloo Mesh agent has not processed the most recent version of this IssuedCertificate.
error string Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully.
state The current state of the IssuedCertificate workflow, reported by the agent.


Set of options which represent the certificate authorities the management cluster can use to sign the intermediate certs.

Field Type Label Description


Possible states in which an IssuedCertificate can exist.

Name Number Description
PENDING 0 The IssuedCertificate has yet to be picked up by the agent.
REQUESTED 1 The agent has created a local private key and a CertificateRequest for the IssuedCertificate. In this state, the agent is waiting for the Issuer to issue certificates for the CertificateRequest before proceeding.
ISSUED 2 The certificate has been issued. Any pods that require restarting will be restarted at this point.
FINISHED 3 The reply from the Issuer has been processed and the agent has placed the final certificate secret in the target location specified by the IssuedCertificate.
FAILED 4 Processing the certificate workflow failed.