Table of Contents
IssuedCertificates are used to issue SSL certificates to workload Kubernetes clusters from a central (out-of-cluster) Certificate Authority.
When an IssuedCertificate is created, a certificate is issued to a workload cluster by a central Certificate Authority via the following workflow:
1. The Certificate Issuer creates the IssuedCertificate resource on the remote cluster 2. The Certificate Signature Requesting agent installed to the remote cluster generates a Certificate Signing Request (CSR) and writes it to the status of the IssuedCertificate 3. Finally, the Certificate Issuer generates a signed certificate for the CSR and writes it back as Kubernetes Secret in the remote cluster.
Trust can therefore be established across the Gloo Mesh server cluster and agents on workload clusters without requiring private keys to ever leave workload clusters.
The certificate requested here is for Gloo Mesh agents on workload clusters to securely establish communication with Gloo Mesh server. This is not related to certificates for services running in the mesh.
|hosts||string||repeated||A list of hostnames and IPs to generate a certificate for. This can also be set to the identity running the workload, e.g. a Kubernetes service account.
Generally for an Istio CA this will take the form
"cluster.local” may be replaced by the root of trust domain for the mesh.
|issuedCertificateSecret||core.skv2.solo.io.ObjectRef||The secret containing the SSL certificate to be generated for this IssuedCertificate (located in the Gloo Mesh agent's cluster). If nil, the sidecar agent stores the signing certificate in memory. (Enterprise only)|
|certOptions||tls.security.policy.gloo.solo.io.CommonCertOptions||Set of options to configure the intermediate certificate being generated|
|mgmtServerCa||internal.gloo.solo.io.MgmtServerCertificateAuthority||Gloo Mesh CA options|
|agentCa||tls.security.policy.gloo.solo.io.AgentCertificateAuthority||Agent CA options|
|meshRef||core.skv2.solo.io.ObjectRef||Reference to the mesh on which this cert is being issued for.|
|autoRestartPods||bool||Signals whether or not the workload pods should be restarted to pick up the new cert.|
The IssuedCertificate status is written by the CertificateRequesting agent.
|observedGeneration||int64||The most recent generation observed in the the IssuedCertificate metadata. If the
|error||string||Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully.|
|state||internal.gloo.solo.io.IssuedCertificateStatus.State||The current state of the IssuedCertificate workflow, reported by the agent.|
Set of options which represent the certificate authorities the management cluster can use to sign the intermediate certs.
Possible states in which an IssuedCertificate can exist.
|PENDING||0||The IssuedCertificate has yet to be picked up by the agent.|
|REQUESTED||1||The agent has created a local private key and a CertificateRequest for the IssuedCertificate. In this state, the agent is waiting for the Issuer to issue certificates for the CertificateRequest before proceeding.|
|ISSUED||2||The certificate has been issued. Any pods that require restarting will be restarted at this point.|
|FINISHED||3||The reply from the Issuer has been processed and the agent has placed the final certificate secret in the target location specified by the IssuedCertificate.|
|FAILED||4||Processing the certificate workflow failed.|