RootTrustPolicy
RootTrustPolicy API reference.
Proto: root_trust_policy.proto
Package: admin.gloo.solo.io
Types:
- RootTrustPolicySpec
- RootTrustPolicySpec.Config
- RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
- RootTrustPolicyStatus
RootTrustPolicySpec
RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
Field | Description |
---|---|
applyToMeshes | (repeated common.gloo.solo.io.MeshSelector) Select the meshes to which the root of trust will be applied. If left empty, the policy applies to all meshes in the workspace. |
config | (RootTrustPolicySpec.Config) The details of the root of trust to apply to the selected meshes. |
RootTrustPolicySpec.Config
Field | Description |
---|---|
mgmtServerCa | (RootTrustPolicySpec.Config.MgmtServerCertificateAuthority) Configure a root certificate authority that will be shared by all meshes associated with this RootTrustPolicy. If this is not provided, Gloo Mesh generates a self-signed root certificate. |
agentCa | (tls.security.policy.gloo.solo.io.AgentCertificateAuthority) Configures an intermediate certificate authority that the selected meshes use to generate their intermediate certificates. The CA being used must be configured to issue those intermediate certificates. |
intermediateCertOptions | (tls.security.policy.gloo.solo.io.CommonCertOptions) Configuration options for the generated intermediate certificates. |
autoRestartPods | (bool) Whether workload pods should be restarted automatically after a certificate has been successfully issued. |
passiveCertificateAuthorities | (repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority) Root certificate authorities that are trusted for validating certificates but never used to sign them. Use them to keep an expiring root trusted while it is rotated out. |
RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
Specify parameters for configuring the root certificate authority for a RootTrustPolicy.
Field | Description |
---|---|
generated | (tls.security.policy.gloo.solo.io.CommonCertOptions) Generate a self-signed root certificate with the given options. |
secretRef | (core.skv2.solo.io.ObjectRef) Reference to a Kubernetes Secret, in the same namespace as the RootTrustPolicy, that contains the root certificate authority. The provided certificates must conform to the format specified in the Gloo Mesh documentation. |
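The following manifest ties the Config and MgmtServerCertificateAuthority fields above together: an externally managed signing root supplied through secretRef, the previous root kept as a passive CA for rotation, short-lived intermediates, and automatic pod restarts. It is an added example, not a manifest from the Gloo Mesh documentation or project; the `admin.gloo.solo.io/v2` API version, the `gloo-mesh` namespace, the Secret names `root-ca` and `root-ca-previous`, and the `ttlDays` and `secretRotationGracePeriodRatio` field names under intermediateCertOptions are assumptions to verify against your Gloo Mesh version and the CommonCertOptions reference before applying.

```yaml
# Added example, not from the Gloo Mesh docs or project. Assumed: the
# admin.gloo.solo.io/v2 API version, the gloo-mesh namespace, the Secret
# names, and the CommonCertOptions field names under intermediateCertOptions.
apiVersion: admin.gloo.solo.io/v2
kind: RootTrustPolicy
metadata:
  name: root-trust-policy
  namespace: gloo-mesh
spec:
  # applyToMeshes is omitted on purpose: with no selector the root of
  # trust applies to every mesh in the workspace.
  config:
    # The root that signs. The Secret must live in this policy's namespace
    # and contain the CA in the format Gloo Mesh documents for secretRef.
    mgmtServerCa:
      secretRef:
        name: root-ca
        namespace: gloo-mesh
    # The previous root, kept only for validation: certificate chains that
    # still end in it keep verifying while it is rotated out, but nothing
    # new is signed by it.
    passiveCertificateAuthorities:
      - secretRef:
          name: root-ca-previous
          namespace: gloo-mesh
    # Short-lived intermediates, rotated before they expire.
    # Field names assumed from the referenced CommonCertOptions type.
    intermediateCertOptions:
      ttlDays: 1
      secretRotationGracePeriodRatio: 0.1
    # Restart workload pods once issuance succeeds so they pick up the
    # new chain instead of running on the old one until they happen to
    # be rescheduled.
    autoRestartPods: true
```

Apply it with `kubectl apply -f`, then confirm Gloo Mesh has processed it with `kubectl get roottrustpolicies.admin.gloo.solo.io root-trust-policy -n gloo-mesh -o jsonpath='{.metadata.generation} {.status.observedGeneration} {.status.state}'`: the two generation values must match and the state should be ACCEPTED (assumed to be the accepting value of the ApprovalState enum). Because a passive CA validates but never signs, one rotation order that follows from these semantics is to add the incoming root under passiveCertificateAuthorities first, wait until every selected mesh has processed the policy, then promote it to mgmtServerCa while demoting the old root to passive, and remove the old root only after every certificate it signed has expired. Note that autoRestartPods restarts workloads on every successful issuance, so with one-day intermediates it is a recurring disruption; set it to false and roll deployments yourself if your workloads cannot tolerate that.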
RootTrustPolicyStatus
Field | Description |
---|---|
observedGeneration | (int64) The most recent generation observed in the object's metadata. If observedGeneration does not match metadata.generation, Gloo Mesh has not yet processed the most recent version of this object. |
state | (common.gloo.solo.io.ApprovalState) Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |