Self-signed server certificate
Use Gloo Mesh Gateway self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server.
You can choose to use self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server. The Gloo management server uses this certificate to prove its identity to Gloo agents and to encrypt the traffic between the management server and the agent.
For more information about this option, see Self-signed server TLS certificate.
Do not use self-signed certs for production. This setup is recommended for testing purposes only.
Single cluster
Follow the Install with Helm guide.
In your Helm values file, add the following values.
```yaml
glooMgmtServer:
  serviceType: ClusterIP
  registerCluster: true
  enabled: true
  extraEnvs:
    RELAY_TOKEN:
      value: "My token"
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
      value: "true"
glooAgent:
  enabled: true
  relay:
    serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
  extraEnvs:
    RELAY_TOKEN:
      value: "My token"
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
      value: "true"
```

| Helm value | Description |
| --- | --- |
| `glooMgmtServer.extraEnvs.RELAY_TOKEN` | Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Gateway and set `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the `relay-identity-token-secret` Kubernetes secret. You must set the same value in `glooAgent.extraEnvs.RELAY_TOKEN.value` to allow the Gloo agent to connect to the Gloo management server. |
| `glooMgmtServer.extraEnvs.RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` | Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. |
| `glooAgent.extraEnvs.RELAY_TOKEN` | Use the same value that you set in `glooMgmtServer.extraEnvs.RELAY_TOKEN`. |
| `glooAgent.extraEnvs.RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION` | Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. |
Multicluster
Follow the Install with Helm guide to set up Gloo Mesh Gateway.
In your Helm values file for the management server, add the following values.
```yaml
glooMgmtServer:
  enabled: true
  extraEnvs:
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
      value: "true"
    RELAY_TOKEN:
      value: "My token"
```

| Helm value | Description |
| --- | --- |
| `RELAY_TOKEN` | Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Gateway and set `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the `relay-identity-token-secret` Kubernetes secret on the management cluster. You must set the same value in `glooAgent.extraEnvs.RELAY_TOKEN.value` when installing Gloo Mesh Gateway in a workload cluster to allow Gloo agents to connect to the Gloo management server. |
| `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` | Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent. |

In your Helm values file for the workload cluster, add the following values.
```yaml
glooAgent:
  enabled: true
  extraEnvs:
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
      value: "true"
    RELAY_TOKEN:
      value: "My token"
telemetryCollector:
  enabled: true
telemetryCollectorCustomization:
  skipVerify: true
```

| Helm value | Description |
| --- | --- |
| `RELAY_TOKEN` | The relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in `glooMgmtServer.extraEnvs.RELAY_TOKEN.value` when you installed the Gloo Mesh Gateway management plane to allow Gloo agents to connect to the Gloo management server. |
| `RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION` | Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS. |
| `telemetryCollectorCustomization.skipVerify` | Set to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set `skipVerify` to true on the telemetry collector agent. |
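
A pre-deployment check for the test-only settings on this page, as an added example that is not part of the Gloo documentation: it flags a Helm values file that still disables certificate validation or client certificate authentication, or that reuses the sample relay token. The function names and the minimal parser are assumptions of this example; the parser handles only the indented `key: value` mappings used in the snippets above.

```python
import re

# Settings this page describes as part of the test-only setup, matched by path suffix.
TEST_ONLY = {
    "RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION.value": "agent identity is not verified by certificate",
    "RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION.value": "agent skips validation of the server certificate",
    "telemetryCollectorCustomization.skipVerify": "collector skips validation of the gateway certificate",
}
SAMPLE_TOKENS = {"My token"}  # sample relay token shown on this page

def flatten(text):
    """Turn nested 'key: value' YAML mappings into (dotted path, value) pairs."""
    stack, out = [], []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", raw.rstrip())
        if not m:
            continue  # blank lines, comments, anything outside the subset
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if value:
            out.append((".".join(k for _, k in stack), value))
    return out

def audit(text):
    findings = []
    for path, value in flatten(text):
        for suffix, why in TEST_ONLY.items():
            if path.endswith(suffix) and value.lower() == "true":
                findings.append((path, why))
        if path.endswith("RELAY_TOKEN.value") and value in SAMPLE_TOKENS:
            findings.append((path, "relay token is the documentation sample value"))
    return findings

# Constructed sample: the workload-cluster values from this page, trimmed.
SAMPLE = """\
glooAgent:
  extraEnvs:
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
      value: "true"
    RELAY_TOKEN:
      value: "My token"
telemetryCollectorCustomization:
  skipVerify: true
"""

for path, why in audit(SAMPLE):
    print(f"{path}: {why}")
```

Run it in CI against the values files destined for production; an empty result means none of the test-only settings from this page remain.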