Custom CA

The Portal Web Application can be configured to trust an additional Certificate Authority (CA) beyond those that are trusted natively. This is useful when, for example, Portal must connect to an OIDC provider whose TLS certificate is issued by a private CA that Portal does not trust by default.

This guide details the process of adding an additional trusted CA to Portal.

Pre-requisites

  1. Gloo Portal installed in a Kubernetes cluster alongside either Gloo Edge or Istio.

  2. The certificate of the additional CA (typically a PEM-encoded .crt file).

    • See Gloo Edge docs for an example of how to create a CA and retrieve its certificate

Create a custom CA secret

First, let’s create a Kubernetes secret to store the CA certificate.

kubectl create secret generic custom-ca-secret --from-file=custom-ca.crt=/path/to/myCustomCA.crt -n gloo-portal

The variable components here are:

  • custom-ca-secret: the name of the secret. It can be anything; it is passed later as a Helm value.
  • custom-ca.crt: the key under which the certificate is stored in the generated secret. It can be anything; it is passed later as a Helm value (defaulting to custom-ca.crt).
  • /path/to/myCustomCA.crt: the path to your CA's certificate.
  • gloo-portal: the namespace to which Gloo Portal is deployed. The secret must live in the same namespace as the Portal controller, because it is mounted into the controller pod as a volume.

One can use kubectl to confirm that the secret has been created correctly:

kubectl get -n gloo-portal secrets custom-ca-secret -oyaml
apiVersion: v1
data:
  custom-ca.crt: <base64-encoded PEM certificate>
kind: Secret
metadata:
  creationTimestamp: "2021-08-02T20:13:39Z"
  name: custom-ca-secret
  namespace: gloo-portal
  resourceVersion: "454280"
  uid: d8b7f751-c804-4374-8b90-0c33e6ef3b40
type: Opaque

Specify the customCa.secretName Helm variable

To add the certificate to the Portal controller, set the customCa.secretName Helm value to the name of the secret created above. If the certificate is stored in the secret under a key other than custom-ca.crt, also set customCa.secretKey to that key.

Append the necessary lines to your values file:

cat << EOF >> gloo-values.yaml

customCa:
  secretName: custom-ca-secret
  secretKey: custom-ca.crt
EOF

and then upgrade Helm:

helm upgrade gloo-portal gloo-portal/gloo-portal -n gloo-portal --values gloo-values.yaml
Release "gloo-portal" has been upgraded. Happy Helming!
NAME: gloo-portal
LAST DEPLOYED: Tue Aug  3 17:03:07 2021
NAMESPACE: gloo-portal
STATUS: deployed
REVISION: 10
TEST SUITE: None

We can verify that the deployment rolled out successfully by describing it:

kubectl describe -n gloo-portal deployments.apps gloo-portal-controller
Name:                   gloo-portal-controller
Namespace:              gloo-portal
...
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
...
Pod Template:
...
  Containers:
...
  Volumes:
...
   ca-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  custom-ca-secret
    Optional:    false
...

Note that the desired number of replicas is available and that a ca-certs volume has been created from the secret named in customCa.secretName. If the names do not match, the volume is not Optional, so the controller pod cannot mount it and will not start.

Portal will now trust the custom CA in addition to its native trust store. Treat the secret like any other trust-store input: anyone who can write to it can make Portal trust certificates of their choosing, so restrict write access to it with RBAC.
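As an added example that is not part of the Gloo Portal documentation or project, the following Python script (standard library only) ties the steps above together as a pre-flight check before anything is applied to the cluster: it builds the Secret manifest that the kubectl create secret command above produces, builds the matching customCa values fragment from the same names, and verifies that the secret name and key line up and that the stored file is exactly one certificate rather than a bundle. The function names are my own, and the sample PEM body is a constructed placeholder DER sequence, not a real certificate, so the script runs offline; feed it your real CA file in practice.

```python
"""Pre-flight consistency check for a Gloo Portal custom CA secret.

Added example (not part of the Gloo Portal project): builds the Secret
manifest that `kubectl create secret generic ... --from-file=` would
produce, builds the matching `customCa` Helm values fragment from the same
names, and checks that the two agree before anything is applied.
"""
import base64
import binascii
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def load_pem_certificate(pem_text):
    """Return the DER bytes of the single certificate in `pem_text`.

    Raises ValueError if the text holds no certificate, more than one
    (a bundle), or a body that does not decode to a DER SEQUENCE.
    """
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE (not a certificate)")
    return der


def build_secret_manifest(name, namespace, key, pem_text):
    """Build the Secret that `kubectl create secret generic NAME
    --from-file=KEY=FILE -n NAMESPACE` creates (data values are base64)."""
    load_pem_certificate(pem_text)  # fail early on a bad certificate file
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {key: base64.b64encode(pem_text.encode()).decode()},
    }


def build_values_fragment(secret_name, secret_key="custom-ca.crt"):
    """The `customCa` block to append to the Helm values file."""
    return {"customCa": {"secretName": secret_name, "secretKey": secret_key}}


def check_values_against_secret(values, secret):
    """Return a list of problems; an empty list means the names line up.

    A wrong secretName leaves the controller pod unable to mount the
    (non-Optional) ca-certs volume; a wrong secretKey leaves the controller
    without the certificate file it expects.
    """
    problems = []
    ca = values.get("customCa", {})
    if ca.get("secretName") != secret["metadata"]["name"]:
        problems.append(
            f"customCa.secretName {ca.get('secretName')!r} != secret "
            f"{secret['metadata']['name']!r}"
        )
    key = ca.get("secretKey", "custom-ca.crt")  # chart default per the docs
    data = secret.get("data", {})
    if key not in data:
        problems.append(f"customCa.secretKey {key!r} not in secret data keys {sorted(data)}")
    else:
        try:
            load_pem_certificate(base64.b64decode(data[key]).decode())
        except ValueError as exc:
            problems.append(f"secret key {key!r}: {exc}")
    return problems


# Constructed placeholder: a minimal DER SEQUENCE, *not* a real certificate,
# so this file runs offline. Replace SAMPLE_PEM with your real CA file's text.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    secret = build_secret_manifest("custom-ca-secret", "gloo-portal", "custom-ca.crt", SAMPLE_PEM)
    values = build_values_fragment("custom-ca-secret", "custom-ca.crt")
    print(json.dumps(secret, indent=2))  # kubectl apply -f accepts JSON as well as YAML
    print("problems:", check_values_against_secret(values, secret))
    # A values file that names a different secret is caught before helm upgrade:
    print("problems:", check_values_against_secret(build_values_fragment("my-ca-secret"), secret))
```

Run it against the real certificate and values you intend to apply; an empty problems list means the secret the chart will mount and the key it will read both exist, which is the failure mode that otherwise only shows up as a controller pod stuck in ContainerCreating after helm upgrade.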