root_trust_policy.proto

Package : admin.gloo.solo.io


RootTrustPolicySpec

RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).

| Field | Type | Label | Description |
|---|---|---|---|
| applyToMeshes | []common.gloo.solo.io.MeshSelector | repeated | Select the meshes where the root of trust will be applied. If left empty, it applies to all Meshes in the workspace. |
| config | admin.gloo.solo.io.RootTrustPolicySpec.Config | | The details of the root of trust to apply to the selected meshes. |

RootTrustPolicySpec.Config

| Field | Type | Label | Description |
|---|---|---|---|
| mgmtServerCa | admin.gloo.solo.io.RootTrustPolicySpec.Config.MgmtServerCertificateAuthority | | Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
| agentCa | tls.security.policy.gloo.solo.io.AgentCertificateAuthority | | Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
| intermediateCertOptions | tls.security.policy.gloo.solo.io.CommonCertOptions | | Configuration options for generated intermediate certs. |
| autoRestartPods | bool | | Whether workload pods should be automatically restarted upon completion of a successful certificate issuance. |

RootTrustPolicySpec.Config.MgmtServerCertificateAuthority

Specify parameters for configuring the root certificate authority for a RootTrustPolicy.

| Field | Type | Label | Description |
|---|---|---|---|
| generated | tls.security.policy.gloo.solo.io.CommonCertOptions | | Generate a self-signed root certificate with the given options. |
| secretRef | core.skv2.solo.io.ObjectRef | | Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here. |
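The two ways of supplying the root CA above (a Gloo Mesh-generated self-signed root versus an operator-provided Secret) are easiest to compare side by side. The manifests below are an added example for this reference page, not code from the Gloo Mesh docs or project. Assumed, and not stated on this page: the `admin.gloo.solo.io/v2` apiVersion, the `gloo-mesh` namespace, the `mesh:` selector shape (name/namespace/cluster) inside `applyToMeshes`, and the placeholder mesh and Secret names.

```yaml
# Added example, not from the Gloo Mesh documentation.
# Assumed values: apiVersion admin.gloo.solo.io/v2, namespace gloo-mesh,
# the MeshSelector shape, and the placeholder names below.

# Variant 1: quickest to bootstrap. Gloo Mesh generates a self-signed root CA
# (mgmtServerCa.generated). applyToMeshes is omitted, so per the field
# description the policy applies to every mesh in the workspace.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  config:
    mgmtServerCa:
      generated: {}        # self-signed root, generated by Gloo Mesh
    autoRestartPods: true  # restart workloads once issuance succeeds so they pick up the new root
---
# Variant 2: the root CA comes from an existing Kubernetes Secret, which must
# live in the same namespace as the RootTrustPolicy (here gloo-mesh) and match
# the documented certificate format. Scoped to one mesh via applyToMeshes.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  applyToMeshes:
  - mesh:
      name: istiod-istio-system-cluster1   # placeholder mesh name (assumed selector shape)
      namespace: gloo-mesh
      cluster: cluster1                    # placeholder cluster name
  config:
    mgmtServerCa:
      secretRef:
        name: my-root-ca        # placeholder Secret name
        namespace: gloo-mesh    # same namespace as the RootTrustPolicy
    autoRestartPods: false      # operator rolls pods during a maintenance window instead
```

Choosing `secretRef` keeps the root private key out of the management plane's generation path and lets the root be rotated under your own PKI controls, at the cost of having to keep the Secret's contents in the expected format. After applying either manifest, compare `status.observedGeneration` with `metadata.generation` on the RootTrustPolicy (see the status fields below): if they differ, Gloo Mesh has not yet processed the version you just applied, and `status.state` tells you whether the processed version was accepted.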

RootTrustPolicyStatus

Reflects the status of the RootTrustPolicy.

| Field | Type | Label | Description |
|---|---|---|---|
| observedGeneration | int64 | | The most recent generation observed in the object's metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object. |
| state | common.gloo.solo.io.ApprovalState | | Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |