Certificates and custom CA

Review the following ways that you can secure connections for Gloo Portal with TLS certificates or a custom certificate authority (CA).

Use TLS certificates

You can configure Gloo Portal to use TLS certificates when the Portal is exposed by Gloo Edge. For example, you might want to enable an HTTPS connection for users to access your developer portal or APIs. For more information, see the Gloo Edge SslConfig API reference.

Before you begin:

  1. Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge or Gloo Mesh Gateway.
  2. Get your TLS certificate and key.

Configure Gloo Portal to use the TLS certificates:

  1. Create a secret for the TLS certificate. You must create a secret for each domain, such as described in the Gloo Edge server TLS docs.

    kubectl create secret tls upstream-tls --key tls.key \
    --cert tls.crt --namespace gloo-system
  2. For each Portal resource that you have, configure the tls field as described in the PortalSpec API reference. Now, when Gloo Portal generates a VirtualService for the Portal, the VirtualService is configured to use TLS.

    kind: Portal
    spec: 
     tls:
       secretRef:
         name: upstream-tls
         namespace: gloo-system   
  3. For each Environment resource that you have, configure the config field as described in the EnvironmentSpec.TlsConfig API reference. Now, when the gateway creates a route for the Environment, the route uses TLS.

    kind: Environment
    spec:
     gatewayConfig:
       disableRoutes: false
       tlsConfig:
         enabled: true
         config:
           secretRef: 
             name: upstream-tls
             namespace: gloo-system   

Use a custom certificate authority

Configure the Gloo Portal web app to trust a custom Certificate Authority (CA) beyond the CAs that are trusted by default. For example, your OIDC provider might require clients to present certificates signed by the custom CA.

The following steps show how to modify your Helm values file so that the Gloo Portal pod loads your custom CA at installation.

Before you begin

  1. Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge or Gloo Mesh Gateway.
  2. Get a certificate for the CA. For an example of how to create a CA and retrieve its certificate, see the Gloo Edge docs.

Step 1: Create a custom CA secret

  1. Create a Kubernetes secret to store the CA certificate, replacing the following variables if yours differ.

    • custom-ca-secret: Enter a name for the secret of the CA certificate. Later, you pass in this name as a Helm value.
    • custom-ca.crt: Provide the name of the certificate file for the secret to use. Later, you use this file name as a Helm value, which defaults to the name custom-ca.crt.
    • /path/to/myCustomCA.crt: Enter the file path to your CA certificate.
    • gloo-portal: Enter the namespace where Gloo Portal is deployed.

      kubectl create secret generic custom-ca-secret --from-file=custom-ca.crt=/path/to/myCustomCA.crt -n gloo-portal
  2. Confirm that the secret is created.

    kubectl get -n gloo-portal secrets custom-ca-secret -oyaml
    apiVersion: v1
    data:
     custom-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU2RENDQXRDZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFVTVJJd0VBWURWUVFERXdsbGVHRnQKY0d4bFEwRXdIaGNOTWpFd09EQXlNVGt6T1RJMVdoY05Nak13TWpBeU1Ua3pPVEl5V2pBVU1SSXdFQVlEVlFRRApFd2xsZUdGdGNHeGxRMEV3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQ3BMNk5ICjBIa014YTc4UDQ3TXNvdE1GSTFVT1l3ck5VZ2ZoMEdZRjYzSmNmRms4US9sSDZxUXFLaEpVblhOSGxwcVNaYVYKNnp1UXJySWQ3cUhNdGZaSmpNYW1tWDVkWGhyNWFGTGNMVkF5N0hCeGRQVy83UkNCQXFZcjl2MjVicnNLVm5SOQo2QnpqZzdqMFQ3L01aaFVENlF2K3RuU3lqRlY0eEJIWEE5WUUxbkxFbVpGWW90SzNONnVJM0tKSlVvSW9lMU0vCm84WTJPNjNDODhZQm5hZzJYWlZPYnJyTk9FVU41eElKUE9HUTJDb1duaXl2V1RjcGx6a0lST09hUjErdVpRTjAKZGVDZjNrY1VpeGR5KzFKWUFJZ2FkZUhPVHA5dU5wQVVvWmF6M3VkbVg5SXpJMm9vWXFZZlZOR0pIaHk0bnl6ZgpQa1FaTWthZ3ZFaEppKytBdVhWRUpJc3BDRWlScmVXWG42dGRobVM3elR4M3ZFei9CM09VdnFHMTdpdnpNUDBkCm96T1dzNHpBMGRKNDZ1aWlCWi9zOTZNU2xjNHcxbTBYUXo0TE5tRGFqNElCK3hLOVp3S0MvUXNxUnNOVmNRcTkKVUgxQnBzZnp6UXZPcmVxdnF0UFc2aldPRmUwbS9ENEtSd1R2ZjBseUVYWTczblRSam1INXNKMXFYekRqa1hpUgo2eVlhK2NCcEJMSGpuYnd3QTJmR3U0bXk4RCtGVnRESXBEcmphbUZqWHJ6K1prUUFYbmdkRlcwcElpTmJxb3BXCmE1TVByZHhLUVhHZkYyVjgxbE1yTFc3UmhRMWJJbTRnTENKNHRDVEdqcTlOcWpFOW0zRlgwU2pWL1N6dTlRaDkKZEJUNXVJWlQyWVliMW1hTVVPZnpCN3Z0eG1pUVdBNlBnalhVS1FJREFRQUJvMFV3UXpBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFEQWRCZ05WSFE0RUZnUVVhTlBPbUNhb0lZbDNSUnQwClhybnRaUC9FemVjd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFJZnBCUTF4bjVlRVZFNkgvNGdQeGQzWm1vaGUKdnMvOTN2ejRYbDkrNTQ2VStJQlVNMmhVemlOS0ZPT2N6N3FJVzNCSWdSNm9BUUVIeGRmL1E2M0o2T3RSWEI2cgprQ2I2RjlTMkN6TW1Ec1pINFBjU05KSWFsait2bjV3UU9LYk9uNGdPOVprYW5UUGRqZ3JocjZtbTFLbHFhanEvCk8vQlJIUGdpdnIvd1EwbDdnMXlFc3o3bzFxSDVuVnlsWnJtdm96dmxiKzdobE1IZVc0NTdMYS9CODBpUlhFYVkKYWpLWC9LNS9SenB3S2tXdWRjMlNsMXEremM2em5nWUFuSVZZdklhOFFoRFNSVWdkUlJEQkY3eURDd3ZXNS9URgoxRjMxUjZIK1VNMHdvbS8zT3pQcU9oNUYxZmUzYVN1SktpSUkzTjAwOEl4RW1qTCtOcW9QbzZZUkVTSmhtRExHCmlpaGVyQjhibW9KaExjdlowNTVJUk9LZnRWb0RTR3lTTW1TQlVqOTBvamdIbmRYUVdDckxZUUxibmJGVFRJQTQKcWIvYjgwOGFFOHJoa2U5amo2VGZxTHdNemJ4bFVmYTkySlJ1eENzUVpycGs4R2JGaTNmNWViVVRXYTVaOHZCbApENm9NaWsyd2hKWjFpZFVWYUV0L3JuUk5ZYy9GaXNTK0krY1lpdlJGZ1dXcDRpUFFLUWRYVU1MMGhERElWTjhCClFSUHVhMjNES0NoN3h3UWZTNFo2VjlOV2IxaDRxU0hrTGlHdFVwZkJJYVhtbHZGWlJlWTFoSXl6NXpZWlAwZUEKWlZUcE9McnQvZ0V0eWtyMnloZUJXb0ViY1lQV3c4OCs1cHJSWDB5eWZJbWRjbW43Y2FYRVBJSFFFTlJCMWJMSgpOTjg1RGtKMzFkY1d6VEFLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    kind: Secret
    metadata:
     creationTimestamp: "2021-08-02T20:13:39Z"
     name: custom-ca-secret
     namespace: gloo-portal
     resourceVersion: "454280"
     uid: d8b7f751-c804-4374-8b90-0c33e6ef3b40
    type: Opaque

Step 2: Add the certificate to your Gloo Portal configuration

To add the certificate to the Gloo Portal controller, specify the customCa.secretName Helm variable.

If the filename of the cert in the secret is not custom-ca.crt, you must also set customCa.secretKey.

  1. Append the following lines to your Helm chart configuration file.

    cat << EOF >> gloo-values.yaml
       
    customCa:
     secretName: my-ca-secret
     secretKey: custom-ca.crt
    EOF
  2. Upgrade your Gloo Portal Helm chart installation.

    helm upgrade gloo-portal gloo-portal/gloo-portal -n gloo-portal --values gloo-values.yaml
    Release "gloo-portal" has been upgraded. Happy Helming!
    NAME: gloo-portal
    LAST DEPLOYED: Tue Aug  3 17:03:07 2021
    NAMESPACE: gloo-portal
    STATUS: deployed
    REVISION: 10
    TEST SUITE: None
  3. Verify that the deployment rolled out successfully. Make sure that the desired and available number of Replicas match, and that a ca-certs volume is now created with your custom CA certificate.

    kubectl describe -n gloo-portal deployments.apps gloo-portal-controller
    Name:                   gloo-portal-controller
    Namespace:              gloo-portal
    ...
    Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
    ...
    Pod Template:
    ...
     Containers:
    ...
     Volumes:
    ...
      ca-certs:
       Type:        Secret (a volume populated by a Secret)
       SecretName:  service-ca-secret
       Optional:    false
    ...

Gloo Portal now trusts the custom CA!