Package :



Table of Contents


Specify parameters for configuring the root certificate authority for a VirtualMesh.

Field Type Label Description
generated Generate a self-signed root certificate with the given options.
secret Reference to a Kubernetes Secret containing the root certificate authority. Provided secrets must conform to a specified format, documented here.


Shared trust is a trust model requiring a common root certificate shared between trusting Meshes, as well as shared identity between all Workloads and Destinations which wish to communicate within the VirtualMesh.

Field Type Label Description
rootCertificateAuthority Configure a Root Certificate Authority which will be shared by all Meshes associated with this VirtualMesh. If this is not provided, a self-signed certificate will be generated by Gloo Mesh.
intermediateCertificateAuthority Configures an Intermediate Certificiate Authority which remote clusters will use to generate intermediate certificates. In order for this to properly mesh all of the traffic across the different meshes, the CA being used must be configured to generate the intermediate certificates.
intermediateCertOptions Configuration options for generated intermediate certs.


Represents a logical grouping of Meshes for shared configuration and cross-mesh interoperability.

Field Type Label Description
meshes [] repeated Specify the Meshes configured by this VirtualMesh.
mtlsConfig Specify mTLS options.
federation Specify how to federate Destinations across service mesh boundaries.
globalAccessPolicy Specify a global access policy for all Workloads and Destinations associated with this VirtualMesh.


“Federation” refers to the ability to expose Destinations across service mesh boundaries, i.e. to traffic originating from Workloads external to the Destination's Mesh.

Field Type Label Description
ingressGatewaySelectors [] repeated Selects the Destination(s) acting as ingress gateways for cross cluster traffic. The supplied IngressGatewaySelectors will be used to select ingress gateways for all Meshes in this VirtualMesh.
permissive google.protobuf.Empty DEPRECATED: Use selectors with an empty selector (i.e. {}) for permissive semantics. Expose all Destinations to all Workloads in this VirtualMesh.
flatNetwork bool If true, all multicluster traffic will be routed directly to the Kubernetes service endpoints of the Destinations, rather than through an ingress gateway. This mode requires a flat network environment. This feature is exclusive to Gloo Mesh Enterprise.
hostnameSuffix string Configure the suffix for hostnames of Destinations federated within this VirtualMesh. Currently this is only supported for Istio with smart DNS proxying enabled, otherwise setting this field results in an error. If omitted, the hostname suffix defaults to “global”.
selectors [] repeated Selectively federate Destinations to specific external meshes. If omitted, no Destinations will be federated.
tcpKeepalive Specify a keepalive rule for all requests made within the VirtualMesh which cross clusters within that VirtualMesh, as well as any requests to externalService type destinations.
tlsEnforcementSettings Configure server-side enforcement of TLS for all connections contained by this virtual mesh.


Selects a set of Destinations to federate to the referenced Meshes.

Field Type Label Description
destinationSelectors [] repeated The set of Destinations that will be federated to external Meshes. If omitted, all Destinations will be selected.
meshes [] repeated The Meshes to which the selected Destinations will be federated. All referenced Meshes must exist in this VirtualMesh. If omitted, the selected Destinations will be federated to all Meshes in the VirtualMesh.


Specify mTLS options. This includes options for configuring Mutual TLS within an individual Mesh, as well as enabling mTLS across Meshes by establishing cross-mesh trust.

Field Type Label Description
shared Shared trust (allow communication between any pair of Workloads and Destinations in the grouped Meshes).
limited Limited trust (selectively allow communication between Workloads and Destinations in the grouped Meshes). Currently not available.
autoRestartPods bool NOTE: THIS IS NOT A RECOMMENDED SETTING FOR PRODUCTION! Specify whether to allow Gloo Mesh to restart Kubernetes Pods when certificates are rotated when establishing shared trust. This will auto-restart ALL of the workloads in your mesh. It is a convenience feature while testing Gloo Mesh. If this option is not explicitly enabled, users must restart Pods manually for the new certificates to be picked up. meshctl provides the command meshctl mesh restart to simplify this process, see here for more info.
rotationVerificationMethod Type of rotation verification to use when rotating root certificates.
rotationStrategy Type of rotation to use.


Limited trust is a trust model which does not require trusting Meshes to share the same root certificate or identity. Instead, trust is established between different Meshes by connecting their ingress/egress gateways with a common certificate/identity. In this model all requests between different have the following request path when communicating between clusters cluster 1 MTLS shared MTLS cluster 2 MTLS client/workload <-----------> egress gateway <----------> ingress gateway <--------------> server This approach has the downside of not maintaining identity from client to server, but allows for ad-hoc addition of additional Meshes into a VirtualMesh.


Settings for the default mtls enforcement behavior of meshes.

Field Type Label Description
enforcementMode The default level of TLS enforcement mode meshes. Defaults to UNSET. For istio-managed meshes, the enum values correspond to the values listed here. Note: If this setting is set to STRICT, but settings.mtls.istio.tlsMode is UNSET (or vice versa), then translation will fail because TLS cannot be enforced in one place but unenforced in another place. Make sure these settings align.


Field Type Label Description
observedGeneration int64 The most recent generation observed in the the VirtualMesh metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this resource.
state The state of the overall resource. It will only show accepted if it has been successfully applied to all selected Meshes.
errors []string repeated Any errors found while processing this generation of the resource.
meshes [] repeated The status of the VirtualMesh for each Mesh to which it has been applied. A VirtualMesh may be Accepted for some Meshes and rejected for others.
destinations [] repeated The status of the VirtualMesh for each Destination to which it has been applied. A VirtualMesh may be Accepted for some Destinations and rejected for others.
conditions [] repeated List of rotation conditions which have been completed/carried out for this Virtual Mesh
deployedSharedTrust A copy of the shared_trust object currently deployed in the cluster. If the shared trust object in the spec is different from this, we need to start a new rotation.


Field Type Label Description
key string


Field Type Label Description
key string


Specify a global access policy for all Workloads and Destinations associated with this VirtualMesh.

Name Number Description
MESH_DEFAULT 0 Assume the default for the service mesh type. Istio defaults to false, App Mesh defaults to true.
ENABLED 1 Disallow traffic to all Destinations in the VirtualMesh unless explicitly allowed through AccessPolicies.
DISABLED 2 Allow traffic to all Destinations in the VirtualMesh unless explicitly disallowed through AccessPolicies.


TLS enforcement settings

Name Number Description
UNSET 0 Inherit from unmanaged mesh configuration, if any. Acts like PERMISSIVE if there's nothing to inherit.
DISABLE 1 Connection is not tunneled.
PERMISSIVE 2 Connection can be either plaintext or mTLS tunnel.
STRICT 3 Connection is encrypted through an mTLS tunnel (TLS with client cert must be presented).