Certificates and Custom CA
Review the following ways that you can secure connections for Gloo Portal with TLS certificates or a custom certificate authority (CA).
- Use TLS certificates to set up secured HTTPS connections for your developer portal or APIs.
- Use a custom Certificate Authority so that Gloo Portal can send HTTPS requests to an external service that requires certificates signed by that custom CA, such as an OIDC provider that you integrate with.
Use TLS certificates
You can configure Gloo Portal to use TLS certificates when the Portal is exposed by Gloo Edge. For example, you might want to enable an HTTPS connection for users to access your developer portal or APIs. For more information, see the Gloo Edge SslConfig API reference.
Before you begin:
- Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge.
- Get your TLS certificate and key.
Configure Gloo Portal to use the TLS certificates:

1. Create a secret for the TLS certificate. You must create a secret for each domain, as described in the Gloo Edge server TLS docs.

   ```shell
   kubectl create secret tls upstream-tls --key tls.key \
     --cert tls.crt --namespace gloo-system
   ```

2. For each Portal resource that you have, configure the `tls` field as described in the PortalSpec API reference. Now, when Gloo Portal generates a VirtualService for the Portal, the VirtualService is configured to use TLS.

   ```yaml
   kind: Portal
   spec:
     tls:
       secretRef:
         name: upstream-tls
         namespace: gloo-system
   ```

3. For each Environment resource that you have, configure the `config` field as described in the EnvironmentSpec.TlsConfig API reference. Now, when the gateway creates a route for the Environment, the route uses TLS.

   ```yaml
   kind: Environment
   spec:
     gatewayConfig:
       disableRoutes: false
       tls:
         enabled: true
         config:
           secretRef:
             name: upstream-tls
             namespace: gloo-system
   ```
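Before applying the Portal and Environment resources, it is worth checking that the secret they point at exists in the referenced namespace, is of type `kubernetes.io/tls`, and actually holds a certificate under `tls.crt` and a private key under `tls.key` (swapped files and passphrase-protected keys are common mistakes that only surface as a failed listener later). The following Python script is an added example and is not code from the Gloo Portal docs or project. It works on manifests parsed into dicts (for example from `kubectl get ... -o json`), follows the YAML shapes shown above, and uses constructed PEM placeholder text; the function names are its own.

```python
import base64

# Constructed sample PEM fragments (not real key material): the checks below only
# look at PEM framing, so placeholder body text is enough to exercise them.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nc2FtcGxl\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nc2FtcGxl\n-----END PRIVATE KEY-----\n"

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")
ENCRYPTED_KEY_HEADER = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def make_tls_secret(name, namespace, cert_pem, key_pem):
    """Build the manifest `kubectl create secret tls` produces (base64-encoded data)."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": enc(cert_pem), "tls.key": enc(key_pem)}}


def validate_tls_secret(secret):
    """Return problems found in a TLS secret; an empty list means it looks usable."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("type is %r, expected kubernetes.io/tls" % secret.get("type"))
    data = secret.get("data") or {}
    missing = [k for k in ("tls.crt", "tls.key") if k not in data]
    if missing:
        return problems + ["missing data key " + k for k in missing]
    try:
        cert = base64.b64decode(data["tls.crt"], validate=True).decode().lstrip()
        key = base64.b64decode(data["tls.key"], validate=True).decode().lstrip()
    except (ValueError, UnicodeDecodeError) as exc:
        return problems + ["data is not base64-encoded PEM text: %s" % exc]
    if cert.startswith(KEY_HEADERS) and key.startswith(CERT_HEADER):
        return problems + ["tls.crt and tls.key appear to be swapped"]
    if not cert.startswith(CERT_HEADER):
        problems.append("tls.crt does not start with a PEM CERTIFICATE block")
    if key.startswith(ENCRYPTED_KEY_HEADER):
        # Assumption: the gateway is not given a passphrase, so it cannot load this key.
        problems.append("tls.key is passphrase-protected; store the unencrypted key")
    elif not key.startswith(KEY_HEADERS):
        problems.append("tls.key does not start with a PEM private key block")
    return problems


def secret_ref_of(resource):
    """Locate the secretRef at the positions the Portal and Environment specs use."""
    spec = resource.get("spec", {})
    if resource.get("kind") == "Portal":
        return spec.get("tls", {}).get("secretRef", {})
    if resource.get("kind") == "Environment":
        return (spec.get("gatewayConfig", {}).get("tls", {})
                .get("config", {}).get("secretRef", {}))
    return {}


def check_resource_tls(resource, secrets):
    """Cross-check a Portal or Environment against the secret it references."""
    problems = []
    ref = secret_ref_of(resource)
    if not ref:
        return ["%s has no TLS secretRef configured" % resource.get("kind")]
    if resource.get("kind") == "Environment":
        gw = resource["spec"].get("gatewayConfig", {})
        if not gw.get("tls", {}).get("enabled"):
            problems.append("Environment: gatewayConfig.tls.enabled is not true")
        if gw.get("disableRoutes"):
            problems.append("Environment: gatewayConfig.disableRoutes is true, no route is created")
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    secret = index.get((ref.get("namespace"), ref.get("name")))
    if secret is None:
        return problems + ["secret %s/%s not found" % (ref.get("namespace"), ref.get("name"))]
    return problems + ["secret %s/%s: %s" % (ref["namespace"], ref["name"], p)
                       for p in validate_tls_secret(secret)]


if __name__ == "__main__":
    good = make_tls_secret("upstream-tls", "gloo-system", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM)
    portal = {"kind": "Portal", "spec": {"tls": {"secretRef":
              {"name": "upstream-tls", "namespace": "gloo-system"}}}}
    env = {"kind": "Environment", "spec": {"gatewayConfig": {"disableRoutes": False,
           "tls": {"enabled": True, "config": {"secretRef":
           {"name": "upstream-tls", "namespace": "gloo-system"}}}}}}
    for r in (portal, env):
        print(r["kind"], check_resource_tls(r, [good]) or "OK")
    swapped = make_tls_secret("upstream-tls", "gloo-system", SAMPLE_KEY_PEM, SAMPLE_CERT_PEM)
    print("swapped files:", validate_tls_secret(swapped))
```

In practice you would replace the constructed objects with `json.load` output from `kubectl get secret upstream-tls -n gloo-system -o json` and from the Portal and Environment manifests you are about to apply; the checks are structural only and do not verify that the key matches the certificate or that the certificate is still valid, which `openssl` can do once the files are on disk.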
Use a custom certificate authority
Configure the Gloo Portal web app to trust a custom Certificate Authority (CA) beyond the CAs that are trusted by default. For example, your OIDC provider might require clients to present certificates signed by the custom CA.
The following steps show how to modify your Helm values file so that the Gloo Portal pod loads your custom CA at installation.
Before you begin
- Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge.
- Get a certificate for the CA. For an example of how to create a CA and retrieve its certificate, see the Gloo Edge docs.
Step 1: Create a custom CA secret
1. Create a Kubernetes secret to store the CA certificate, replacing the following values if yours differ.
   - `custom-ca-secret`: Enter a name for the secret of the CA certificate. Later, you pass in this name as a Helm value.
   - `custom-ca.crt`: Provide the name of the certificate file for the secret to use. Later, you use this file name as a Helm value, which defaults to the name `custom-ca.crt`.
   - `/path/to/myCustomCA.crt`: Enter the file path to your CA certificate.
   - `gloo-portal`: Enter the namespace where Gloo Portal is deployed.

   ```shell
   kubectl create secret generic custom-ca-secret --from-file=custom-ca.crt=/path/to/myCustomCA.crt -n gloo-portal
   ```

2. Confirm that the secret is created.

   ```shell
   kubectl get -n gloo-portal secrets custom-ca-secret -oyaml
   ```

   ```yaml
   apiVersion: v1
   data:
     custom-ca.crt: <base64-encoded CA certificate>
   kind: Secret
   metadata:
     creationTimestamp: "2021-08-02T20:13:39Z"
     name: custom-ca-secret
     namespace: gloo-portal
     resourceVersion: "454280"
     uid: d8b7f751-c804-4374-8b90-0c33e6ef3b40
   type: Opaque
   ```
Step 2: Add the certificate to your Gloo Portal configuration
To add the certificate to the Gloo Portal controller, specify the `customCa.secretName` Helm variable. If the filename of the cert in the secret is not `custom-ca.crt`, you must also set `customCa.secretKey`.

1. Append the following lines to your Helm chart configuration file.

   ```shell
   cat << EOF >> gloo-values.yaml
   customCa:
     secretName: custom-ca-secret
     secretKey: custom-ca.crt
   EOF
   ```

2. Upgrade your Gloo Portal Helm chart installation.

   ```shell
   helm upgrade gloo-portal gloo-portal/gloo-portal -n gloo-portal --values gloo-values.yaml
   ```

   ```
   Release "gloo-portal" has been upgraded. Happy Helming!
   NAME: gloo-portal
   LAST DEPLOYED: Tue Aug  3 17:03:07 2021
   NAMESPACE: gloo-portal
   STATUS: deployed
   REVISION: 10
   TEST SUITE: None
   ```

3. Verify that the deployment rolled out successfully. Make sure that the desired and available numbers of replicas match, and that a `ca-certs` volume is now created with your custom CA certificate.

   ```shell
   kubectl describe -n gloo-portal deployments.apps gloo-portal-controller
   ```

   ```
   Name:                   gloo-portal-controller
   Namespace:              gloo-portal
   ...
   Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
   ...
   Pod Template:
     ...
     Containers:
       ...
     Volumes:
       ...
       ca-certs:
         Type:        Secret (a volume populated by a Secret)
         SecretName:  service-ca-secret
         Optional:    false
     ...
   ```
Gloo Portal now trusts the custom CA!
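The three things that can silently go wrong in Steps 1 and 2 are a `customCa.secretKey` that does not match the key under which the certificate was stored, a secret whose contents are not PEM certificate text, and a `ca-certs` volume that mounts a different secret than the one named in the Helm values. The following Python script is an added example and is not code from the Gloo Portal docs or project; it performs those cross-checks on the Helm values, the secret and the rolled-out Deployment, all parsed into dicts. The manifest shapes, the `custom-ca.crt` default and the secret names follow this page; the sample certificate text and the function names are constructed for the example.

```python
import base64

# Constructed sample CA certificate text: only the PEM framing matters here,
# the checks never parse the certificate body.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
DEFAULT_SECRET_KEY = "custom-ca.crt"  # chart default for customCa.secretKey, per the page


def make_ca_secret(name, namespace, key, pem_text):
    """Manifest equivalent of `kubectl create secret generic ... --from-file=<key>=<file>`."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "data": {key: base64.b64encode(pem_text.encode()).decode()}}


def make_deployment(namespace, mounted_secret, desired=1, available=1):
    """Minimal Deployment shape, mirroring the fields `kubectl describe` printed."""
    volumes = [] if mounted_secret is None else [
        {"name": "ca-certs", "secret": {"secretName": mounted_secret}}]
    return {"metadata": {"name": "gloo-portal-controller", "namespace": namespace},
            "spec": {"replicas": desired, "template": {"spec": {"volumes": volumes}}},
            "status": {"availableReplicas": available}}


def pem_certificate_count(text):
    """Number of complete CERTIFICATE blocks; -1 if BEGIN/END markers are unbalanced."""
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    return begins if begins == ends else -1


def ca_volume_secret(deployment):
    """Secret name behind the ca-certs volume, or None when the volume is absent."""
    for vol in deployment["spec"]["template"]["spec"].get("volumes", []):
        if vol.get("name") == "ca-certs":
            return vol.get("secret", {}).get("secretName")
    return None


def check_custom_ca(values, secrets, deployment):
    """Return a list of findings; empty means the custom CA is wired up consistently."""
    problems = []
    custom_ca = values.get("customCa") or {}
    name = custom_ca.get("secretName")
    key = custom_ca.get("secretKey", DEFAULT_SECRET_KEY)
    if not name:
        return ["customCa.secretName is not set in the Helm values"]
    ns = deployment["metadata"]["namespace"]
    secret = next((s for s in secrets if s["metadata"]["name"] == name
                   and s["metadata"]["namespace"] == ns), None)
    if secret is None:
        return ["secret %s not found in namespace %s" % (name, ns)]
    data = secret.get("data") or {}
    if key not in data:
        problems.append("secret %s has no key %r; set customCa.secretKey to one of %s"
                        % (name, key, sorted(data)))
    else:
        try:
            text = base64.b64decode(data[key], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            text = ""
        if pem_certificate_count(text) <= 0:
            problems.append("secret %s key %r holds no PEM CERTIFICATE block" % (name, key))
    mounted = ca_volume_secret(deployment)
    if mounted is None:
        problems.append("no ca-certs volume on the deployment; the upgraded values may not have been applied")
    elif mounted != name:
        problems.append("ca-certs volume mounts secret %r but customCa.secretName is %r" % (mounted, name))
    desired = deployment["spec"].get("replicas", 1)
    available = deployment.get("status", {}).get("availableReplicas", 0)
    if available != desired:
        problems.append("rollout incomplete: %d of %d replicas available" % (available, desired))
    return problems


if __name__ == "__main__":
    values = {"customCa": {"secretName": "custom-ca-secret", "secretKey": "custom-ca.crt"}}
    secret = make_ca_secret("custom-ca-secret", "gloo-portal", "custom-ca.crt", SAMPLE_CA_PEM)
    print("consistent:", check_custom_ca(values, [secret],
          make_deployment("gloo-portal", "custom-ca-secret")) or "OK")
    print("wrong volume:", check_custom_ca(values, [secret],
          make_deployment("gloo-portal", "service-ca-secret")))
    wrong_key = {"customCa": {"secretName": "custom-ca-secret", "secretKey": "ca.pem"}}
    print("wrong key:", check_custom_ca(wrong_key, [secret],
          make_deployment("gloo-portal", "custom-ca-secret")))
```

To run it against a live cluster, build the three inputs with `json.load` from `helm get values gloo-portal -n gloo-portal -o json`, `kubectl get secret custom-ca-secret -n gloo-portal -o json` and `kubectl get deployment gloo-portal-controller -n gloo-portal -o json`; an empty result list corresponds to the healthy `kubectl describe` output shown in Step 2.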