Proto: ca_options.proto



Specify parameters for configuring the root certificate authority for a VirtualMesh.


Use vault as the intermediate CA source


CertificateRotationCondition represents a timesptamped snapshot of the certificate rotation workflow. This is used to keep track of the steps which have been completed thus far.


The time at which this condition was recorded

The current state of the cert rotation

A human readable message related to the current condition
errors(repeated string)

Any errors which occurred during the current rotation stage



Verification not enabled. NOTE: This setting is only recommended for testing. When enabled rotation will continue from step to step without any kind of verification. For information about the value format, see the Google protocol buffer documentation.

Verification must be completed manually. This involves using our certificate verification endpoint when the certificates are in a VERIFYING state For information about the value format, see the Google protocol buffer documentation.


Configuration for generating a self-signed intermediate or root certificate. Uses the X.509 format, RFC5280.


Number of days before the certificate expires. Defaults to 365.

Size in bytes of the certificate’s private key. Defaults to 4096.

The organization name of the certificate. Defaults to “gloo-mesh”.

The ratio of the certificate lifetime to when Gloo starts the certificate rotation process. The ratio must be between 0 and 1 (exclusive). For example, if a certificate is valid for 1 day (or 24 hours), and you specify a ratio of 0.1, Gloo starts the certificate rotation process 2.4 hours before it expires (24x0.1).


State of Certificate Rotation Possible states in which a CertificateRotation can exist.

NOT_ROTATING0No Certificate rotation is currently happening
PREVIOUS_CA1Signing the certificate using the previously applied CA. This step is mostly used when ADDING_NEW_ROOT fails, and the rotation has to be ROLLED_BACK
ADDING_NEW_ROOT2The CertificateRotation is underway, both roots are set, and the new root is being propagated
PROPAGATING_NEW_INTERMEDIATE3The CertificateRotation is underway again. The initial verification is over, the traffic continues to work with both roots present. Now the old root is being removed, and the new root is being propagated alone to the data-plane clusters
DELETING_OLD_ROOT4The CertificateRotation is underway again. Removing the old-root from all data-plane clusters
VERIFYING5Verifying connectivity between workloads, the workflow will not progress until connectivity has been verified. This can either be manual or in the future automated
VERIFIED6The connectivity has been verified.
ROLLING_BACK7The connectivity has been deemed to not be functioning properly, rolling back to the last known good state.
FINISHED8The rotation has finished, the new root has been propagated to all data-plane clusters, and traffic has been verified successfully.
FAILED9Processing the certificate rotation workflow failed.


MULTI_ROOT0The default certificate rotation strategy. This strategy involves three steps which ensure that traffic in the mesh will experience no downtime. For an in depth explination of how this strategy works in Istio see the following blog The steps are as follows: 1. ADDING_NEW_ROOT During this step the new root-cert will be appended to the old root-cert, and then distributed. The intermediate will continue to be signed by the original root. 2. PROPAGATING_NEW_INTERMEDIATE During this step both root-certs will still be distributed. In addition the intermediate will now be signed by the new root key. 3. DELETING_OLD_ROOT During this step the old root is no longer included, and the intermediate will continue to be signed by the new root key.
NONE1Do not use any rotation strategy. NOTE: This can lead to downtime while workloads transition from one root of trust to another