OpenSSL
Create your certificates by using OpenSSL and manually provide them to your Gloo management server and agent.
In this approach, you use OpenSSL to manually create a self-signed root CA certificates for your relay architecture. This certificate is then used to generate the server and client TLS certificates.
Although the root CA credentials are not stored on the management cluster, this setup is not recommended for production as it uses self-signed certificates for the root CA and requires you to protect and store your root CA credentials in a secure place. In a production-level setup, you generate and store the root CA with your preferred PKI provider, such as AWS Private CA, Google Cloud CA, or Vault. In addition, you might want to use certificate management tools, such as cert-manager
to manage the issuing and renewing of your certificate. For more information about this type of setup, see the AWS or Vault guides.
Single cluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
If it doesn’t already exist, create the
gloo-mesh
namespace.kubectl create namespace gloo-mesh
Create the configuration for the server TLS certificate.
cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOF
Generate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048
Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"
Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secret
Kubernetes secret.kubectl create secret generic relay-server-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
Create the client TLS certificate configuration.
cat >"${CLUSTER_NAME}.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] commonName = ${CLUSTER_NAME} [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = ${CLUSTER_NAME} EOF
Generate the private key and certificate signing request (CSR).
# Generate private key openssl genrsa -out "$CLUSTER_NAME.key" 2048 # Create CSR openssl req -new -key "$CLUSTER_NAME.key" -out $CLUSTER_NAME.csr -subj "/CN=${CLUSTER_NAME}/O=${CLUSTER_NAME}"
Sign the CSR with the root CA key.
# Sign certificate with root openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in $CLUSTER_NAME.csr -out $CLUSTER_NAME.crt \ -extensions v3_req -extfile "$CLUSTER_NAME.conf"
Save the client TLS certificate in the
relay-client-tls-cert
Kubernetes secret.kubectl create secret generic relay-client-tls-cert \ --from-file=tls.key=$CLUSTER_NAME.key \ --from-file=tls.crt=$CLUSTER_NAME.crt \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Create the certificate chain for the telemetry collector
- Store the root CA certificate in the
telemetry-root-secret
Kubernetes secret.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh
Install Gloo Mesh Gateway
- Follow the Install with Helm guide.
- In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.
glooMgmtServer: enabled: true registerCluster: true relay: disableCa: true disableCaCertGeneration: true disableTokenGeneration: true tlsSecret: name: relay-server-tls-secret namespace: gloo-mesh tokenSecret: key: null name: null namespace: null serviceType: ClusterIP glooAgent: enabled: true relay: clientTlsSecret: name: relay-client-tls-cert namespace: gloo-mesh serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 tokenSecret: key: null name: null namespace: null telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run
Helm value Description glooMgmtServer.relay.disableCa
Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. glooMgmtServer.relay.disableCaCertGeneration
Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. glooMgmtServer.relay.disableTokenGeneration
Disable the generation of relay identity tokens. glooMgmtServer.relay.tlsSecret
Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. glooMgmtServer.relay.tokenSecret
Set all values to null
to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.glooAgent.relay.clientTlsSecret
Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. glooAgent.tokenSecret
Set all values to null
to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.
Multicluster
Create the root CA credentials
- Create a self-signed root CA certificate and key.
openssl req -new -newkey rsa:4096 -x509 -sha256 \ -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \ -subj "/CN=relay-root-ca" \ -addext "keyUsage = keyCertSign"
Create the server TLS certificate
Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.
If it doesn’t already exist, create the
gloo-mesh
namespace in each cluster.kubectl create namespace gloo-mesh --context $MGMT_CONTEXT kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT1 kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT2
Create the configuration for the server TLS certificate with the
*.gloo-mesh
wildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.cat >"relay-server.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS = *.gloo-mesh EOF
Generate the private key for the Gloo management server.
openssl genrsa -out "relay-server.key" 2048
Generate the certificate signing request for the Gloo management server.
openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in relay-server.csr -out relay-server.crt \ -extensions v3_req -extfile "relay-server.conf"
Store the server TLS certificate, private key, and root CA in the
relay-server-tls-secret
Kubernetes secret.kubectl create secret generic relay-server-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Create the client TLS certificate
Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.
Create the client TLS certificate configuration.
cat >"${REMOTE_CLUSTER1}.conf" <<EOF [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] commonName = ${REMOTE_CLUSTER1} [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = ${REMOTE_CLUSTER1} EOF
Generate the private key and certificate signing request (CSR).
# Generate private key openssl genrsa -out "$REMOTE_CLUSTER1.key" 2048 # Create CSR openssl req -new -key "$REMOTE_CLUSTER1.key" -out $REMOTE_CLUSTER1.csr -subj "/CN=${REMOTE_CLUSTER1}/O=${REMOTE_CLUSTER1}"
Sign the CSR with the root CA key.
# Sign certificate with root openssl x509 -req \ -days 3650 \ -CA relay-root-ca.crt -CAkey relay-root-ca.key \ -set_serial 0 \ -in $REMOTE_CLUSTER1.csr -out $REMOTE_CLUSTER1.crt \ -extensions v3_req -extfile "$REMOTE_CLUSTER1.conf"
Save the client TLS certificate in the
relay-client-tls-secret
Kubernetes secret on the workload cluster.kubectl create secret generic $REMOTE_CLUSTER1-tls-cert \ --from-file=tls.key=$REMOTE_CLUSTER1.key \ --from-file=tls.crt=$REMOTE_CLUSTER1.crt \ --from-file=ca.crt=relay-root-ca.crt \ --context $REMOTE_CONTEXT1 \ --namespace gloo-mesh
Repeat this step on each workload cluster.
Create the telemetry pipeline credentials
Use the same credentials for the Gloo telemetry gateway and store them in the
gloo-telemetry-gateway-tls-secret
Kubernetes secret. Using the same credentials is possible, because the configuration for the Gloo management server (relay-server.conf
) used a wildcard for the DNS name.kubectl create secret generic gloo-telemetry-gateway-tls-secret -n gloo-mesh \ --from-file=tls.crt=relay-server.crt \ --from-file=tls.key=relay-server.key \ --from-file=ca.crt=relay-root-ca.crt \ --context ${MGMT_CONTEXT}
Store the root CA certificate in the
telemetry-root-secret
Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${MGMT_CONTEXT}
kubectl create secret generic telemetry-root-secret \ --from-file=ca.crt=relay-root-ca.crt \ --namespace gloo-mesh \ --context ${REMOTE_CONTEXT1}
Install Gloo Mesh Gateway
Follow the Install with Helm guide to set up Gloo Mesh Gateway.
In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.
glooMgmtServer: enabled: true relay: disableCa: true disableCaCertGeneration: true disableTokenGeneration: true tlsSecret: name: relay-server-tls-secret namespace: gloo-mesh tokenSecret: key: null name: null namespace: null telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run telemetryGateway: enabled: true extraVolumes: - name: tls-keys secret: secretName: gloo-telemetry-gateway-tls-secret defaultMode: 420 - name: telemetry-configmap configMap: name: gloo-telemetry-gateway-config items: - key: relay path: relay.yaml telemetryGatewayCustomization: disableCertGeneration: true
Helm value Description relay.disableCa
Disable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent. relay.disableCaCertGeneration
Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent. relay.disableTokenGeneration
Disable the generation of relay identity tokens. relay.tlsSecret
Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier. relay.tokenSecret
Set all values to null
to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.telemetryGateway.extraVolumes
Add the gloo-telemetry-gateway-tls-secret
Kubernetes secret that you created earlier to thetls-keys
volume. Make sure that you also add the other volumes to your telemetry gateway configuration.telemetryCollector.extraVolumes
Add the telemetry-root-secret
Kubernetes secret that you created earlier to theroot-ca
volume. Make sure that you also add the other volumes to your telemetry collector configuration.In your Helm values file for the agent, add the following values. Replace
with the name of the Kubernetes secret that holds the client TLS certificate, and add the name of the Kubernetes secret that holds the telemetry gateway certificate to the root-ca
telemetry collector volume.glooAgent: enabled: true relay: tokenSecret: # Key value of the data within the Kubernetes secret. key: null # Name of the Kubernetes secret. name: null # Namespace of the Kubernetes secret. namespace: null clientTlsSecret: name: <client-tls-secret-name> namespace: gloo-mesh telemetryCollector: enabled: true extraVolumes: - name: root-ca secret: defaultMode: 420 optional: true secretName: telemetry-root-secret - configMap: items: - key: relay path: relay.yaml name: gloo-telemetry-collector-config name: telemetry-configmap - hostPath: path: /var/run/cilium type: DirectoryOrCreate name: cilium-run
Helm value Description glooAgent.relay.clientTlsSecret
Add the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier. glooAgent.relay.tokenSecret
Set all values to null
to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.telemetryCollector.extraVolumes
Add the name of the Kubernetes secret that holds the Gloo telemetry gateway certificate that you created earlier to the root-ca
volume. Make sure that you also add theconfigMap
andhostPath
volumes to your configuration.