For more information about this setup, see Self-signed CAs with automatic client certificate rotation.

Single cluster

  1. Follow the Install with Helm guide.
  2. In your Helm values file, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.
      
    glooMgmtServer:
      enabled: true
    glooAgent:
      enabled: true

Multicluster

  1. Follow the Install with Helm guide to set up Gloo Mesh Gateway.

  2. In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh Gateway and does not require any additional configuration.

      
    glooMgmtServer:
      enabled: true

  3. Get the value of the root CA certificate from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-root-tls-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
    kubectl create secret generic relay-root-tls-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file ca.crt=ca.crt
    rm ca.crt

  4. Get the relay identity token from the management cluster and create a secret in the workload cluster.

    kubectl get secret relay-identity-token-secret -n gloo-mesh --context $MGMT_CONTEXT -o jsonpath='{.data.token}' | base64 -d > token
    kubectl create secret generic relay-identity-token-secret -n gloo-mesh --context $REMOTE_CONTEXT --from-file token=token
    rm token

  5. In your Helm values file for the agent, add the following values.

      
    glooAgent:
      enabled: true
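
A check to run after steps 3 and 4, confirming that the relay secrets in the workload cluster match the management cluster before the agent tries to connect. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes `kubectl`, `base64 -d`, and the `MGMT_CONTEXT` and `REMOTE_CONTEXT` variables used in the steps above.

```shell
#!/usr/bin/env bash
# Added example (not from the Gloo Mesh docs): compare the relay secrets in
# both clusters. Values are held in shell variables only; nothing is written
# to disk or printed.
# Assumes MGMT_CONTEXT and REMOTE_CONTEXT are set as in the steps above.

NAMESPACE="gloo-mesh"

# Print the base64-encoded value of one key of a secret.
# Arguments: context, secret name, jsonpath expression.
secret_value() {
  kubectl get secret "$2" -n "$NAMESPACE" --context "$1" -o jsonpath="$3"
}

# Exit status: 0 = same value in both clusters, 1 = values differ,
# 2 = secret or key missing in one of the clusters.
relay_secret_matches() {
  local mgmt remote
  mgmt="$(secret_value "$MGMT_CONTEXT" "$1" "$2")" || return 2
  remote="$(secret_value "$REMOTE_CONTEXT" "$1" "$2")" || return 2
  [ -n "$mgmt" ] && [ -n "$remote" ] || return 2
  [ "$mgmt" = "$remote" ]
}

# The copied ca.crt must decode to a PEM certificate, not an empty or
# double-encoded value.
remote_ca_is_pem() {
  secret_value "$REMOTE_CONTEXT" relay-root-tls-secret '{.data.ca\.crt}' \
    | base64 -d 2>/dev/null | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Run all three checks; returns 1 if any of them fails.
verify_relay_secrets() {
  local rc=0
  relay_secret_matches relay-root-tls-secret '{.data.ca\.crt}' \
    || { echo "relay-root-tls-secret: ca.crt differs or is missing" >&2; rc=1; }
  relay_secret_matches relay-identity-token-secret '{.data.token}' \
    || { echo "relay-identity-token-secret: token differs or is missing" >&2; rc=1; }
  remote_ca_is_pem \
    || { echo "relay-root-tls-secret: ca.crt is not a PEM certificate" >&2; rc=1; }
  return "$rc"
}
```

Source the file and call `verify_relay_secrets`; a non-zero exit status means at least one secret in the workload cluster needs to be recreated.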