You can choose to use self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server. The Gloo management server uses this certificate to prove its identity to Gloo agents and to encrypt the traffic between the management server and the agent.

For more information about this option, see Self-signed server TLS certificate.

Single cluster

  1. Follow the Install with Helm guide.

  2. In your Helm values file, add the following values.

      
    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      extraEnvs: 
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: 
          value: "true" 
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      extraEnvs:
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: 
          value: "true"
      

    Helm valueDescription
    glooMgmtServer.extraEnvs.RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Gateway and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value to allow the Gloo agent to connect to the Gloo management server.
    glooMgmtServer.extraEnvs.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
    Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.
    glooAgent.extraEnvs.RELAY_TOKENUse the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.
    glooAgent.extraEnvs.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION
    Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.

Multicluster

  1. Follow the Install with Helm guide to set up Gloo Mesh Gateway.

  2. In your Helm values file for the management server, add the following values.

      
    glooMgmtServer:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
      

    Helm valueDescription
    RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Gateway and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret on the management cluster. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value when installing Gloo Mesh Gateway in a workload cluster to allow Gloo agents to connect to the Gloo management server.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.
  3. In your Helm values file for the workload cluster, add the following values.

      
    glooAgent:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector:
      enabled: true
    telemetryCollectorCustomization:
      skipVerify: true
      

    Helm valueDescription
    RELAY_TOKENThe relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.value when you installed the Gloo Mesh Gateway management plane to allow Gloo agents to connect to the Gloo management server.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
    telemetryCollectorCustomization.skipVerifySet to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerify to true on the telemetry collector agent.