
Self-signed server certificate with managed client certificates


Use self-signed root and intermediate CA certificates to create the server TLS certificate for the Gloo management server and the client TLS certificate for the Gloo agent. The Gloo management server and agents use these certificates to establish a mutual TLS relay connection.

For more information about this setup, see Self-signed CAs with automatic client certificate rotation.

Single cluster

  1. Follow the Install with Helm guide.
  2. In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh (Gloo Platform APIs) and does not require any additional configuration.

    glooMgmtServer:
      enabled: true
    glooAgent:
      enabled: true

Multicluster

  1. Follow the Install with Helm guide to set up Gloo Mesh (Gloo Platform APIs).

  2. In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh (Gloo Platform APIs) and does not require any additional configuration.

    glooMgmtServer:
      enabled: true
  3. Get the value of the root CA certificate from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-root-tls-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
    kubectl create secret generic relay-root-tls-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file ca.crt=ca.crt
    rm ca.crt
  4. Get the relay identity token from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-identity-token-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.token}' | base64 -d > token
    kubectl create secret generic relay-identity-token-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file token=token
    rm token
  5. In your Helm values file for the agent, add the following values.

    glooAgent:
      enabled: true