On this page
RootTrustPolicy
RootTrustPolicy API reference.
Proto: root_trust_policy.proto
Package: admin.gloo.solo.io
RootTrustPolicySpec
RootTrustPolicy is used to designate the root of trust, including the trust domain and root certificates used by one or more service meshes. A shared RootTrustPolicy is currently required to support communication between workloads and destinations running in different meshes. In the future Gloo Mesh will support cross-mesh connectivity using a Limited Trust model (where participating meshes are permitted to use separate roots of trust).
| Field | Description |
|---|---|
applyToMeshes | (repeated common.gloo.solo.io.MeshSelector)select the meshes where the root of trust will be applied. If empty, will apply to all Meshes in the workspace. |
config | (RootTrustPolicySpec.Config)The details of the root of trust to apply to the selected meshes. |
RootTrustPolicySpec.Config
| Field | Description |
|---|---|
mgmtServerCa | (RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be shared by all Meshes associated with this RootTrustPolicy. If this is not provided, a self-signed certificate will be generated by Gloo Mesh. |
agentCa | (tls.security.policy.gloo.solo.io.AgentCertificateAuthority)Configures an Intermediate Certificate Authority which selected meshes will use to generate intermediate certificates. The CA being used must be configured to generate the intermediate certificates. |
intermediateCertOptions | (tls.security.policy.gloo.solo.io.CommonCertOptions)Configuration options for generated intermediate certs. |
autoRestartPods | (bool)This setting specifies whether or not workload pods should be automatically restarted upon completion of a successful certificate issuance. |
passiveCertificateAuthorities | (repeated RootTrustPolicySpec.Config.MgmtServerCertificateAuthority)Configure a Root Certificate Authority which will be used for validating certificates, but not signing them. This CA can be used to rotate out expiring root certificates. |
RootTrustPolicySpec.Config.MgmtServerCertificateAuthority
Specify parameters for configuring the root certificate authority for a RootTrustPolicy.
| Field | Description |
|---|---|
generated | (tls.security.policy.gloo.solo.io.CommonCertOptions)Generate a self-signed root certificate with the given options. |
secretRef | (core.skv2.solo.io.ObjectRef)Name of a Kubernetes Secret in the same namespace as the RootTrustPolicy containing the root certificate authority. Provided certificates must conform to a specified format, documented here. |
RootTrustPolicyStatus
The status of the policy after it is applied to your Gloo environment.
| Field | Description |
|---|---|
observedGeneration | (int64)The most recent generation observed in the object’s metadata. If the observedGeneration does not match metadata.generation, Gloo Mesh has not processed the most recent version of this object. |
state | (common.gloo.solo.io.ApprovalState)Whether the resource has been accepted as valid and processed in the Gloo Mesh config translation. |