In this approach, you use OpenSSL to manually create a self-signed root CA certificates for your relay architecture. This certificate is then used to generate the server and client TLS certificates.

Single cluster

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
      openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
      

Create the server TLS certificate

Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.

  1. If it doesn’t already exist, create the gloo-mesh namespace.

      kubectl create namespace gloo-mesh 
      
  2. Create the configuration for the server TLS certificate.

      cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
      
  3. Generate the private key for the Gloo management server.

      openssl genrsa -out "relay-server.key" 2048
      
  4. Generate the certificate signing request for the Gloo management server.

      openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
      
  5. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

      openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
      
  6. Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.

      kubectl create secret generic relay-server-tls-secret -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt 
      

Create the client TLS certificate

Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.

  1. Create the client TLS certificate configuration.

      cat >"${CLUSTER_NAME}.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    commonName = ${CLUSTER_NAME}
    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ${CLUSTER_NAME}
    EOF
      
  2. Generate the private key and certificate signing request (CSR).

      # Generate private key
    openssl genrsa -out "$CLUSTER_NAME.key" 2048
    # Create CSR
    openssl req -new -key "$CLUSTER_NAME.key" -out $CLUSTER_NAME.csr -subj "/CN=${CLUSTER_NAME}/O=${CLUSTER_NAME}"
      
  3. Sign the CSR with the root CA key.

      # Sign certificate with root
    openssl x509 -req \
      -days 3650 \
      -CA relay-root-ca.crt -CAkey relay-root-ca.key \
      -set_serial 0 \
      -in $CLUSTER_NAME.csr -out $CLUSTER_NAME.crt \
      -extensions v3_req -extfile "$CLUSTER_NAME.conf"
      
  4. Save the client TLS certificate in the relay-client-tls-cert Kubernetes secret.

      kubectl create secret generic relay-client-tls-cert \
      --from-file=tls.key=$CLUSTER_NAME.key \
      --from-file=tls.crt=$CLUSTER_NAME.crt \
      --from-file=ca.crt=relay-root-ca.crt \
      --namespace gloo-mesh
      

Create the certificate chain for the telemetry collector

  1. Store the root CA certificate in the telemetry-root-secret Kubernetes secret.
      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh
      

Install Gloo Mesh Gateway

  1. Follow the Install with Helm guide.
  2. In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.
      
    glooMgmtServer:
      enabled: true
      registerCluster: true
      relay:
        disableCa: true
        disableCaCertGeneration: true
        disableTokenGeneration: true
        tlsSecret:
          name: relay-server-tls-secret
          namespace: gloo-mesh
        tokenSecret:
          key: null
          name: null
          namespace: null
      serviceType: ClusterIP
    glooAgent:
      enabled: true
      relay:
        clientTlsSecret:
          name: relay-client-tls-cert
          namespace: gloo-mesh
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
        tokenSecret:
          key: null
          name: null
          namespace: null
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
      
    Helm valueDescription
    glooMgmtServer.relay.disableCaDisable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent.
    glooMgmtServer.relay.disableCaCertGenerationDisable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
    glooMgmtServer.relay.disableTokenGenerationDisable the generation of relay identity tokens.
    glooMgmtServer.relay.tlsSecretAdd the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
    glooMgmtServer.relay.tokenSecretSet all values to null to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.
    glooAgent.relay.clientTlsSecretAdd the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier.
    glooAgent.tokenSecretSet all values to null to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.

Multicluster

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
      openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
      

Create the server TLS certificate

Use the root CA credentials that you created earlier to derive the server TLS certificate that the Gloo management server uses for mutual TLS connections with the Gloo agents.

  1. If it doesn’t already exist, create the gloo-mesh namespace in each cluster.

      kubectl create namespace gloo-mesh --context $MGMT_CONTEXT
    kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT1
    kubectl create namespace gloo-mesh --context $REMOTE_CONTEXT2
      
  2. Create the configuration for the server TLS certificate with the *.gloo-mesh wildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.

      cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
      
  3. Generate the private key for the Gloo management server.

      openssl genrsa -out "relay-server.key" 2048
      
  4. Generate the certificate signing request for the Gloo management server.

      openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
      
  5. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

      openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
      
  6. Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.

      kubectl create secret generic relay-server-tls-secret -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
      

Create the client TLS certificate

Generate the client TLS certificate that the Gloo agent uses for mutual TLS connections with the Gloo management server and sign the certificate by using the root CA key that you created earlier.

  1. Create the client TLS certificate configuration.

      cat >"${REMOTE_CLUSTER1}.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    commonName = ${REMOTE_CLUSTER1}
    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ${REMOTE_CLUSTER1}
    EOF
      
  2. Generate the private key and certificate signing request (CSR).

      # Generate private key
    openssl genrsa -out "$REMOTE_CLUSTER1.key" 2048
    # Create CSR
    openssl req -new -key "$REMOTE_CLUSTER1.key" -out $REMOTE_CLUSTER1.csr -subj "/CN=${REMOTE_CLUSTER1}/O=${REMOTE_CLUSTER1}"
      
  3. Sign the CSR with the root CA key.

      # Sign certificate with root
    openssl x509 -req \
      -days 3650 \
      -CA relay-root-ca.crt -CAkey relay-root-ca.key \
      -set_serial 0 \
      -in $REMOTE_CLUSTER1.csr -out $REMOTE_CLUSTER1.crt \
      -extensions v3_req -extfile "$REMOTE_CLUSTER1.conf"
      
  4. Save the client TLS certificate in the relay-client-tls-secret Kubernetes secret on the workload cluster.

      kubectl create secret generic $REMOTE_CLUSTER1-tls-cert \
      --from-file=tls.key=$REMOTE_CLUSTER1.key \
      --from-file=tls.crt=$REMOTE_CLUSTER1.crt \
      --from-file=ca.crt=relay-root-ca.crt \
      --context $REMOTE_CONTEXT1 \
      --namespace gloo-mesh
      
  5. Repeat this step on each workload cluster.

Create the telemetry pipeline credentials

  1. Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret Kubernetes secret. Using the same credentials is possible, because the configuration for the Gloo management server (relay-server.conf) used a wildcard for the DNS name.

      kubectl create secret generic gloo-telemetry-gateway-tls-secret -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
      
  2. Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.

      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${MGMT_CONTEXT} 
      
      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${REMOTE_CONTEXT1} 
      

Install Gloo Mesh Gateway

  1. Follow the Install with Helm guide to set up Gloo Mesh Gateway.

  2. In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.

      
    glooMgmtServer:
      enabled: true
      relay:
        disableCa: true
        disableCaCertGeneration: true
        disableTokenGeneration: true
        tlsSecret:
          name: relay-server-tls-secret
          namespace: gloo-mesh
        tokenSecret:
          key: null
          name: null
          namespace: null
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    telemetryGateway:
      enabled: true
      extraVolumes:
      - name: tls-keys
        secret:
          secretName:  gloo-telemetry-gateway-tls-secret
          defaultMode: 420
      - name: telemetry-configmap
        configMap:
          name: gloo-telemetry-gateway-config
          items:
            - key: relay
              path: relay.yaml
    telemetryGatewayCustomization:
      disableCertGeneration: true
      
    Helm valueDescription
    relay.disableCaDisable the generation of self-signed root and intermediate CA certificates and the use of identity tokens to establish initial trust between the Gloo management server and agent.
    relay.disableCaCertGenerationDisable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
    relay.disableTokenGenerationDisable the generation of relay identity tokens.
    relay.tlsSecretAdd the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
    relay.tokenSecretSet all values to null to instruct the Gloo management server to not use identity tokens to establish initial trust with Gloo agents.
    telemetryGateway.extraVolumesAdd the gloo-telemetry-gateway-tls-secret Kubernetes secret that you created earlier to the tls-keys volume. Make sure that you also add the other volumes to your telemetry gateway configuration.
    telemetryCollector.extraVolumesAdd the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
  3. In your Helm values file for the agent, add the following values. Replace with the name of the Kubernetes secret that holds the client TLS certificate, and add the name of the Kubernetes secret that holds the telemetry gateway certificate to the root-ca telemetry collector volume.

      
    glooAgent:
      enabled: true
      relay: 
        tokenSecret:
          # Key value of the data within the Kubernetes secret.
          key: null
          # Name of the Kubernetes secret.
          name: null
          # Namespace of the Kubernetes secret.
          namespace: null
        clientTlsSecret: 
          name: <client-tls-secret-name>
          namespace: gloo-mesh
    telemetryCollector:
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
      
    Helm valueDescription
    glooAgent.relay.clientTlsSecretAdd the name and namespace of the Kubernetes secret that holds the client TLS certificate for the Gloo agent that you created earlier.
    glooAgent.relay.tokenSecretSet all values to null to instruct the Gloo agent to not use identity tokens to establish initial trust with the Gloo management server.
    telemetryCollector.extraVolumesAdd the name of the Kubernetes secret that holds the Gloo telemetry gateway certificate that you created earlier to the root-ca volume. Make sure that you also add the configMap and hostPath volumes to your configuration.