Package : internal.gloo.solo.io



Table of Contents


CertificateRequests are generated by the Gloo Mesh agent installed on workload clusters. They are used to request a signed certificate from the certificate issuer (the Gloo Mesh server) based on a private key generated by the agent (which never leaves the workload cluster).
When Gloo Mesh server creates an IssuedCertificate on a workload cluster, the local Gloo Mesh agent will generate a CertificateRequest corresponding to it.
Gloo Mesh will then process the certificate signing request contained in the CertificateRequestSpec and write the signed SSL certificate back as a Kubernetes secret in the workload cluster, and update the CertificateRequestStatus to point to that secret.
The certificate requested here is for Gloo Mesh agents on workload clusters to securely establish communication with Gloo Mesh server. This is not related to certificates for services running in the mesh.

Field Type Label Description
certificateSigningRequest bytes Base64-encoded data for the PKCS#10 Certificate Signing Request issued by the Gloo Mesh agent deployed in the workload cluster, corresponding to the IssuedRequest received by the Gloo Mesh agent.


Field Type Label Description
observedGeneration int64 The most recent generation observed in the the CertificateRequest metadata. If the observedGeneration does not match metadata.generation, the issuer has not processed the most recent version of this request.
error string Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully
state internal.gloo.solo.io.CertificateRequestStatus.State The current state of the CertificateRequest workflow reported by the issuer.
signedCertificate bytes The signed intermediate certificate issued by the CA.
signingRootCa bytes The root CA used by the issuer to sign the certificate.
certChain bytes The cert chain of signing CA.


Possible states in which a CertificateRequest can exist.

Name Number Description
PENDING 0 The CertificateRequest has yet to be picked up by the issuer.
FINISHED 1 The issuer has replied to the request and the signedCertificate and signingRootCa status fields will be populated.
FAILED 2 Processing the certificate workflow failed.