BYO server certificate with managed client certificate
Instead of using Gloo Mesh Enterprise self-signed certificates for the root CA certificate, you can generate your own relay root CA certificate and key with the certificate management tool of your choice.
You then use these credentials to create an intermediate CA certificate and key that can be used by Gloo Mesh Enterprise to automatically sign and issue client TLS certificates for the workload clusters.
For more information about this approach, see Bring your own CAs with automatic client TLS certificate rotation.
To generate and store your own CA certificates and keys, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools such as OpenSSL to generate the certificate and key as described in this guide.
Single cluster
Use the steps in this guide to generate custom TLS certificates with OpenSSL.
Create the root CA credentials
Create root CA credentials that are stored in the cluster. Note that for security purposes, you might store the root CA credentials separately from the cluster. Then, you use the root CA to sign a subsequent intermediate CA certificate and key that are stored in the cluster. This intermediate CA certificate and key become the “root” CA certificate and key in the subsequent steps.
- Create a self-signed root CA certificate and key.
- If it doesn’t already exist, create the gloo-mesh namespace.
- Store the root CA certificate in the relay-root-tls-secret Kubernetes secret.
Create the intermediate CA credentials
Use the root CA key to generate an intermediate CA certificate and key. These credentials are later used to sign client TLS certificates for the Gloo agent.
- Create the configuration for the intermediate CA.
- Generate the private key for the intermediate CA.
- Generate the certificate signing request (CSR).
- Sign the CSR with the root CA key.
- Save the intermediate CA certificate and key in the relay-tls-signing-secret Kubernetes secret.
Create the server TLS certificate
Use the root CA credentials to generate a TLS certificate for the Gloo management server.
- Create the configuration for the server TLS certificate.
- Generate the private key for the Gloo management server.
- Generate the certificate signing request for the Gloo management server.
- Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
- Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.
Create the certificate chain for the telemetry collector
- Store the root CA certificate in the telemetry-root-secret Kubernetes secret.
Create relay identity tokens
To establish initial trust between the Gloo management server and agent, you must set up your own relay identity tokens.
- Create an environment variable with your identity token. The token can be any string value.
- Store the token in the relay-identity-token-secret Kubernetes secret.
Install Gloo Mesh
- Follow the Install with Helm guide.
- In your Helm values file, add the following values.
  - glooMgmtServer.relay.disableCaCertGeneration: Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
  - glooMgmtServer.relay.signingTlsSecret: Add the name and namespace of the Kubernetes secret that holds the intermediate CA credentials that you created earlier.
  - glooMgmtServer.relay.tlsSecret: Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
  - glooMgmtServer.relay.tokenSecret: Add the name, namespace, and key of the Kubernetes secret that holds the relay identity token that you created earlier.
  - glooAgent.relay.rootTlsSecret: Add the name and namespace of the Kubernetes secret that holds the root CA credentials that you created earlier.
  - glooAgent.relay.tokenSecret: Add the name, namespace, and key of the Kubernetes secret that holds the relay identity token that you created earlier.
  - telemetryCollector.extraVolumes: Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
Multicluster
Use the steps in this guide to generate custom TLS certificates with OpenSSL.
Create the root CA credentials
Create root CA credentials that are stored in the management cluster. Note that for security purposes, you might store the root CA credentials separately from the cluster. Then, you use the root CA to sign a subsequent intermediate CA certificate and key that are stored in the cluster. This intermediate CA certificate and key become the “root” CA certificate and key in the subsequent steps.
- Create a self-signed root CA certificate and key.
- If it doesn’t already exist, create the gloo-mesh namespace in each cluster.
- Store the root CA certificate in the relay-root-tls-secret Kubernetes secret on the management cluster.
- Copy the root CA certificate to each workload cluster.
Create the intermediate CA credentials
Use the root CA key to generate an intermediate CA certificate and key. These credentials are later used to sign client TLS certificates for the Gloo agents on each workload cluster.
- Create the configuration for the intermediate CA.
- Generate the private key for the intermediate CA.
- Generate the certificate signing request (CSR).
- Sign the CSR with the root CA key.
- Save the intermediate CA certificate and key in the relay-tls-signing-secret Kubernetes secret on the management cluster.
Create the server TLS certificate
Use the root CA credentials to generate a TLS certificate for the Gloo management server.
- Create the configuration for the server TLS certificate with the *.gloo-mesh wildcard DNS name. Because a wildcard is used, the same certificate can later be used to configure the Gloo telemetry gateway.
- Generate the private key for the Gloo management server.
- Generate the certificate signing request for the Gloo management server.
- Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.
- Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret Kubernetes secret.
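The root CA, intermediate CA and server certificate steps above (the single-cluster and multicluster sections describe the same OpenSSL procedure; only the wildcard DNS name differs) as one runnable script. This is an added example, not the Gloo Mesh docs' own commands: the CNs, the file names, the single combined relay-pki.conf in place of per-certificate config files, and RSA 2048 keys are assumptions.

```shell
#!/bin/sh
# Added example, not the Gloo Mesh docs' own commands: build the relay PKI described
# above in one directory and check the chain. CNs, file names and relay-pki.conf are assumptions.
set -eu

write_relay_conf() {  # one OpenSSL config, one extensions section per certificate type
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.gloo-mesh
EOF
}

build_relay_pki() {
  d="$1"; mkdir -p "$d"; write_relay_conf "$d/relay-pki.conf"
  # Self-signed root CA; root-key.pem can stay outside the cluster, only the cert goes into secrets.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/relay-pki.conf" -extensions v3_ca -subj "/CN=gloo-relay-root" \
    -keyout "$d/root-key.pem" -out "$d/root-cert.pem"
  # Intermediate CA signed by the root (relay-tls-signing-secret): Gloo issues agent client certs with it.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/relay-pki.conf" \
    -subj "/CN=gloo-relay-intermediate" -keyout "$d/int-key.pem" -out "$d/int.csr"
  openssl x509 -req -sha256 -days 1825 -in "$d/int.csr" -CA "$d/root-cert.pem" \
    -CAkey "$d/root-key.pem" -CAcreateserial -extfile "$d/relay-pki.conf" \
    -extensions v3_ca -out "$d/int-cert.pem"
  # Server cert signed by the root with the wildcard SAN (relay-server-tls-secret; reusable for the telemetry gateway).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/relay-pki.conf" \
    -subj "/CN=gloo-mesh-mgmt-server.gloo-mesh" -keyout "$d/server-key.pem" -out "$d/server.csr"
  openssl x509 -req -sha256 -days 365 -in "$d/server.csr" -CA "$d/root-cert.pem" \
    -CAkey "$d/root-key.pem" -CAcreateserial -extfile "$d/relay-pki.conf" \
    -extensions v3_server -out "$d/server-cert.pem"
}

# Both the intermediate and the server cert must chain to the root that the agents hold in relay-root-tls-secret.
verify_relay_pki() {
  openssl verify -CAfile "$1/root-cert.pem" "$1/int-cert.pem" "$1/server-cert.pem" >/dev/null &&
    openssl x509 -in "$1/server-cert.pem" -noout -text | grep -q 'DNS:\*.gloo-mesh'
}
build_relay_pki "${1:-relay-pki}" && verify_relay_pki "${1:-relay-pki}" && echo "relay PKI ok"
```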
Create the telemetry pipeline credentials
- Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret Kubernetes secret. Using the same credentials is possible because the configuration for the Gloo management server (relay-server.conf) used a wildcard for the DNS name.
- Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management cluster and on each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.
Create relay identity tokens
To establish initial trust between the Gloo management server and agent, you must set up your own relay identity tokens.
- Create an environment variable with your identity token. The token can be any string value.
- Store the token in the relay-identity-token-secret Kubernetes secret on the management cluster.
- Copy the identity token to each workload cluster that you want to register.
Install Gloo Mesh
- Follow the Install with Helm guide to set up Gloo Mesh.
- In your Helm values file for the management server, add the following values. Note that mTLS is the default mode in Gloo Mesh and does not require any additional configuration.
  - glooMgmtServer.relay.disableCaCertGeneration: Disable the generation of self-signed certificates to secure the relay connection between the Gloo management server and agent.
  - glooMgmtServer.relay.signingTlsSecret: Add the name and namespace of the Kubernetes secret that holds the intermediate CA credentials that you created earlier.
  - glooMgmtServer.relay.tlsSecret: Add the name and namespace of the Kubernetes secret that holds the server TLS certificate for the Gloo management server that you created earlier.
  - glooMgmtServer.relay.tokenSecret: Add the name, namespace, and key of the Kubernetes secret that holds the relay identity token that you created earlier.
  - telemetryGateway.extraVolumes: Add the gloo-telemetry-gateway-tls-secret-custom Kubernetes secret that you created earlier to the tls-keys volume. Make sure that you also add the other volumes to your telemetry gateway configuration.
  - telemetryCollector.extraVolumes: Add the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
- In your Helm values file for the agent, add the following values.
  - glooAgent.relay.rootTlsSecret: Add the name and namespace of the Kubernetes secret that holds the root CA credentials that you copied from the management cluster to the workload cluster.
  - glooAgent.relay.tokenSecret: Add the name, namespace, and key of the Kubernetes secret that holds the relay identity token that you copied from the management cluster to the workload cluster.