For more information about this option, see Bring your own server TLS certificate.

Single cluster

To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
      openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
      

Create the server TLS certificate and certificate chain

  1. Create the configuration for the server TLS certificate.

      cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
      
  2. Generate the private key for the Gloo management server.

      openssl genrsa -out "relay-server.key" 2048
      
  3. Generate the certificate signing request for the Gloo management server.

      openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
      
  4. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

      openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
      
  5. If it doesn’t already exist, create the gloo-mesh namespace.

      kubectl create namespace gloo-mesh 
      
  6. Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret-custom Kubernetes secret. You can use a different name for the secret, but make sure to not use relay-server-tls-secret as this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.

      kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt 
      
  7. Store the root CA certificate in the telemetry-root-secret Kubernetes secret.

      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh
      

Install Gloo Network

  1. Follow the Install with Helm guide.
  2. In your Helm values file, add the following values.
      
    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      relay: 
        tlsSecret:
          name: relay-server-tls-secret-custom
      extraEnvs: 
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: 
          value: "true" 
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      extraEnvs:
        RELAY_TOKEN: 
          value: "My token"
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: 
          value: "true"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
      
    Helm valueDescription
    glooMgmtServer.relay.tlsSecret.nameThe name and namespace of the Kubernetes secret where you stored your custom server TLS certificate.
    glooMgmtServer.extraEnvs.RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Network and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value to allow the Gloo agent to connect to the Gloo management server.
    glooMgmtServer.extraEnvs.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION
    Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server.
    glooAgent.extraEnvs.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION
    Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
    telemetryCollector.extraVolumesAdd the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.

Multicluster

To generate and store your own root CA certificate and key, you typically use your preferred PKI provider, such as Vault, Google Cloud CA, or AWS Private CA. If you do not have a PKI provider, you can use tools, such as OpenSSL to generate the certificate and key for the root CA as described in this guide.

Create the root CA credentials

  1. Create a self-signed root CA certificate and key.
      openssl req -new -newkey rsa:4096 -x509 -sha256 \
     -days 3650 -nodes -out relay-root-ca.crt -keyout relay-root-ca.key \
     -subj "/CN=relay-root-ca" \
     -addext "keyUsage = keyCertSign"
      

Create the server TLS certificate

  1. Create the configuration for the server TLS certificate.

      cat >"relay-server.conf" <<EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth, serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS = *.gloo-mesh
    EOF
      
  2. Generate the private key for the Gloo management server.

      openssl genrsa -out "relay-server.key" 2048
      
  3. Generate the certificate signing request for the Gloo management server.

      openssl req -new -key "relay-server.key" -out "relay-server.csr" -subj "/CN=*.gloo-mesh" -config "relay-server.conf"
      
  4. Use the root CA credentials that you created earlier to sign the certificate signing request and create the server TLS certificate.

      openssl x509 -req \
     -days 3650 \
     -CA relay-root-ca.crt -CAkey relay-root-ca.key \
     -set_serial 0 \
     -in relay-server.csr -out relay-server.crt \
     -extensions v3_req -extfile "relay-server.conf"
      
  5. If it doesn’t already exist, create the gloo-mesh namespace in the management cluster.

      kubectl create namespace gloo-mesh --context $MGMT_CONTEXT
      
  6. Store the server TLS certificate, private key, and root CA in the relay-server-tls-secret-custom Kubernetes secret. You can use a different name for the secret, but make sure to not use relay-server-tls-secret as this name is reserved by the Gloo management server when creating self-signed root CAs and server TLS certificates.

      kubectl create secret generic relay-server-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
      

Create the telemetry pipeline credentials

  1. Use the same credentials for the Gloo telemetry gateway and store them in the gloo-telemetry-gateway-tls-secret-custom Kubernetes secret.

      kubectl create secret generic gloo-telemetry-gateway-tls-secret-custom -n gloo-mesh \
     --from-file=tls.crt=relay-server.crt \
     --from-file=tls.key=relay-server.key \
     --from-file=ca.crt=relay-root-ca.crt \
     --context ${MGMT_CONTEXT} 
      
  2. Store the root CA certificate in the telemetry-root-secret Kubernetes secret on the management and each workload cluster so that the Gloo telemetry collector agent can verify the identity of the Gloo telemetry gateway.

      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${MGMT_CONTEXT} 
      
      kubectl create secret generic telemetry-root-secret \
     --from-file=ca.crt=relay-root-ca.crt \
     --namespace gloo-mesh \
     --context ${REMOTE_CONTEXT1} 
      

Install Gloo Network

  1. Follow the Install with Helm guide to set up Gloo Network.

  2. In your Helm values file for the management server, add the following values.

      
    glooMgmtServer:
      enabled: true
      relay:
        tlsSecret:
          name: relay-server-tls-secret-custom
      extraEnvs:
        RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    telemetryGateway:
      enabled: true
      extraVolumes:
      - name: tls-keys
        secret:
          secretName:  gloo-telemetry-gateway-tls-secret-custom
          defaultMode: 420
      - name: telemetry-configmap
        configMap:
          name: gloo-telemetry-gateway-config
          items:
            - key: relay
              path: relay.yaml
    telemetryGatewayCustomization:
      disableCertGeneration: true
      
    Helm valueDescription
    relay.tlsSecret.nameAdd the name of the Kubernetes secret with the custom server TLS secret that you created earlier.
    RELAY_TOKENSpecify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Network and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret on the management cluster. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value when you install the Gloo agent to allow the Gloo agent to connect to the Gloo management server.
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATIONSet this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.
    telemetryGateway.extraVolumesAdd the gloo-telemetry-gateway-tls-secret-custom Kubernetes secret that you created earlier to the tls-keys volume. Make sure that you also add the other volumes to your telemetry gateway configuration.
    telemetryCollector.extraVolumesAdd the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
  3. In your Helm values file for the workload cluster, add the following values.

      
    glooAgent:
      enabled: true
      extraEnvs:
        RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
          value: "true"  
        RELAY_TOKEN: 
          value: "My token"
    telemetryCollector: 
      enabled: true
      extraVolumes: 
        - name: root-ca
          secret:
            defaultMode: 420
            optional: true
            secretName: telemetry-root-secret
        - configMap:
            items:
              - key: relay
                path: relay.yaml
            name: gloo-telemetry-collector-config
          name: telemetry-configmap
        - hostPath:
            path: /var/run/cilium
            type: DirectoryOrCreate
          name: cilium-run
    telemetryCollectorCustomization:
      skipVerify: true
      
    Helm valueDescription
    RELAY_TOKENThe relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in glooMgmtServer.extraEnvs.RELAY_TOKEN.value when you installed the Gloo Network management plane to allow Gloo agents to connect to the Gloo management server.
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATIONSet to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
    telemetryCollector.extraVolumesAdd the telemetry-root-secret Kubernetes secret that you created earlier to the root-ca volume. Make sure that you also add the other volumes to your telemetry collector configuration.
    telemetryCollectorCustomization.skipVerifySet to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set skipVerify to true on the telemetry collector agent.