Certificates and Custom CA

Review the following ways that you can secure connections for Gloo Portal with TLS certificates or a custom certificate authority (CA).

• Use TLS certificates to set up secured HTTPS connections for your developer portal or APIs.
• Use a custom Certificate Authority so that Gloo Portal can send HTTPS requests to an external service that requires a certificate that is signed custom CA, such as an OIDC provider that you integrate with.

Use TLS certificates

You can configure Gloo Portal to use TLS certificates when the Portal is exposed by Gloo Edge. For example, you might want to enable an HTTPS connection for users to access your developer portal or APIs. For more information, see the Gloo Edge SslConfig API reference.

Before you begin:

1. Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge.
2. Get your TLS certificate and key.

Configure Gloo Portal to use the TLS certificates:

1. Create a secret for the TLS certificate. You must create a secret for each domain, such as described in the Gloo Edge server TLS docs.

   kubectl create secret tls upstream-tls --key tls.key \
   --cert tls.crt --namespace gloo-system
   

2. For each Portal resource that you have, configure the tls field as described in the PortalSpec API reference. Now, when Gloo Portal generates a VirtualService for the Portal, the VirtualService is configured to use TLS.

   kind: Portal
   spec: 
     tls:
       secretRef:
         name: upstream-tls
         namespace: gloo-system   
   

3. For each Environment resource that you have, configure the config field as described in the EnvironmentSpec.TlsConfig API reference. Now, when the gateway creates a route for the Environment, the route uses TLS.

   kind: Environment
   spec:
     gatewayConfig:
       disableRoutes: false
       tls:
         enabled: true
         config:
           secretRef: 
             name: upstream-tls
             namespace: gloo-system   
   

Use a custom certificate authority

Configure the Gloo Portal web app to trust a custom Certificate Authority (CA) beyond the CAs that are trusted by default. For example, your OIDC provider might require clients to present certificates signed by the custom CA.

The following steps show how to modify your Helm values file so that the Gloo Portal pod loads your custom CA at installation.

Before you begin

1. Install Gloo Portal in a Kubernetes cluster alongside Gloo Edge.
2. Get a certificate for the CA. For an example of how to create a CA and retrieve its certificate, see the Gloo Edge docs.

Step 1: Create a custom CA secret

1. Create a Kubernetes secret to store the CA certificate, replacing the following variables if yours differ.

   • custom-ca-secret: Enter a name for the secret of the CA certificate. Later, you pass in this name as a Helm value.
   • custom-ca.crt: Provide the name of the certificate file for the secret to use. Later, you use this file name as a Helm value, which defaults to the name custom-ca.crt.
   • /path/to/myCustomCA.crt: Enter the file path to your CA certificate.
   • gloo-portal: Enter the namespace where Gloo Portal is deployed.

   kubectl create secret generic custom-ca-secret --from-file=custom-ca.crt=/path/to/myCustomCA.crt -n gloo-portal
   

2. Confirm that the secret is created.

   kubectl get -n gloo-portal secrets custom-ca-secret -oyaml
   

   apiVersion: v1
   data:
     custom-ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU2RENDQXRDZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFVTVJJd0VBWURWUVFERXdsbGVHRnQKY0d4bFEwRXdIaGNOTWpFd09EQXlNVGt6T1RJMVdoY05Nak13TWpBeU1Ua3pPVEl5V2pBVU1SSXdFQVlEVlFRRApFd2xsZUdGdGNHeGxRMEV3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQ3BMNk5ICjBIa014YTc4UDQ3TXNvdE1GSTFVT1l3ck5VZ2ZoMEdZRjYzSmNmRms4US9sSDZxUXFLaEpVblhOSGxwcVNaYVYKNnp1UXJySWQ3cUhNdGZaSmpNYW1tWDVkWGhyNWFGTGNMVkF5N0hCeGRQVy83UkNCQXFZcjl2MjVicnNLVm5SOQo2QnpqZzdqMFQ3L01aaFVENlF2K3RuU3lqRlY0eEJIWEE5WUUxbkxFbVpGWW90SzNONnVJM0tKSlVvSW9lMU0vCm84WTJPNjNDODhZQm5hZzJYWlZPYnJyTk9FVU41eElKUE9HUTJDb1duaXl2V1RjcGx6a0lST09hUjErdVpRTjAKZGVDZjNrY1VpeGR5KzFKWUFJZ2FkZUhPVHA5dU5wQVVvWmF6M3VkbVg5SXpJMm9vWXFZZlZOR0pIaHk0bnl6ZgpQa1FaTWthZ3ZFaEppKytBdVhWRUpJc3BDRWlScmVXWG42dGRobVM3elR4M3ZFei9CM09VdnFHMTdpdnpNUDBkCm96T1dzNHpBMGRKNDZ1aWlCWi9zOTZNU2xjNHcxbTBYUXo0TE5tRGFqNElCK3hLOVp3S0MvUXNxUnNOVmNRcTkKVUgxQnBzZnp6UXZPcmVxdnF0UFc2aldPRmUwbS9ENEtSd1R2ZjBseUVYWTczblRSam1INXNKMXFYekRqa1hpUgo2eVlhK2NCcEJMSGpuYnd3QTJmR3U0bXk4RCtGVnRESXBEcmphbUZqWHJ6K1prUUFYbmdkRlcwcElpTmJxb3BXCmE1TVByZHhLUVhHZkYyVjgxbE1yTFc3UmhRMWJJbTRnTENKNHRDVEdqcTlOcWpFOW0zRlgwU2pWL1N6dTlRaDkKZEJUNXVJWlQyWVliMW1hTVVPZnpCN3Z0eG1pUVdBNlBnalhVS1FJREFRQUJvMFV3UXpBT0JnTlZIUThCQWY4RQpCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFEQWRCZ05WSFE0RUZnUVVhTlBPbUNhb0lZbDNSUnQwClhybnRaUC9FemVjd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFJZnBCUTF4bjVlRVZFNkgvNGdQeGQzWm1vaGUKdnMvOTN2ejRYbDkrNTQ2VStJQlVNMmhVemlOS0ZPT2N6N3FJVzNCSWdSNm9BUUVIeGRmL1E2M0o2T3RSWEI2cgprQ2I2RjlTMkN6TW1Ec1pINFBjU05KSWFsait2bjV3UU9LYk9uNGdPOVprYW5UUGRqZ3JocjZtbTFLbHFhanEvCk8vQlJIUGdpdnIvd1EwbDdnMXlFc3o3bzFxSDVuVnlsWnJtdm96dmxiKzdobE1IZVc0NTdMYS9CODBpUlhFYVkKYWpLWC9LNS9SenB3S2tXdWRjMlNsMXEremM2em5nWUFuSVZZdklhOFFoRFNSVWdkUlJEQkY3eURDd3ZXNS9URgoxRjMxUjZIK1VNMHdvbS8zT3pQcU9oNUYxZmUzYVN1SktpSUkzTjAwOEl4RW1qTCtOcW9QbzZZUkVTSmhtRExHCmlpaGVyQjhibW9KaExjdlowNTVJUk9LZnRWb0RTR3lTTW1TQlVqOTBvamdIbmRYUVdDckxZUUxibmJGVFRJQTQKcWIvYjgwOGFFOHJoa2U5amo2VGZxTHdNemJ4bFVmYTkySlJ1eENzUVpycGs4R2JGaTNmNWViVVRXYTVaOHZCbApENm9NaWsyd2hKWjFpZFVWYUV0L3JuUk5ZYy9GaXNTK0krY1lpdlJGZ1dXcDRpUFFLUWRYVU1MMGhERElWTjhCClFSUHVhMjNES0NoN3h3UWZTNFo2VjlOV2IxaDRxU0hrTGlHdFVwZkJJYVhtbHZGWlJlWTFoSXl6NXpZWlAwZUEKWlZUcE9McnQvZ0V0eWtyMnloZUJXb0ViY1lQV3c4OCs1cHJSWDB5eWZJbWRjbW43Y2FYRVBJSFFFTlJCMWJMSgpOTjg1RGtKMzFkY1d6VEFLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
   kind: Secret
   metadata:
     creationTimestamp: "2021-08-02T20:13:39Z"
     name: custom-ca-secret
     namespace: gloo-portal
     resourceVersion: "454280"
     uid: d8b7f751-c804-4374-8b90-0c33e6ef3b40
   type: Opaque
   

Step 2: Add the certificate to your Gloo Portal configuration

To add the certificate to the Gloo Portal controller, specify the customCa.secretName Helm variable.

If the filename of the cert in the secret is not custom-ca.crt, you must also set customCa.secretKey.

1. Append the following lines to your Helm chart configuration file.

   cat << EOF >> gloo-values.yaml
      
   customCa:
     secretName: custom-ca-secret
     secretKey: custom-ca.crt
   EOF
   

2. Upgrade your Gloo Portal Helm chart installation.

   helm upgrade gloo-portal gloo-portal/gloo-portal -n gloo-portal --values gloo-values.yaml
   

   Release "gloo-portal" has been upgraded. Happy Helming!
   NAME: gloo-portal
   LAST DEPLOYED: Tue Aug  3 17:03:07 2021
   NAMESPACE: gloo-portal
   STATUS: deployed
   REVISION: 10
   TEST SUITE: None
   

3. Verify that the deployment rolled out successfully. Make sure that the desired and available number of Replicas match, and that a ca-certs volume is now created with your custom CA certificate.

   kubectl describe -n gloo-portal deployments.apps gloo-portal-controller
   

   Name:                   gloo-portal-controller
   Namespace:              gloo-portal
   ...
   Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
   ...
   Pod Template:
   ...
     Containers:
   ...
     Volumes:
   ...
      ca-certs:
       Type:        Secret (a volume populated by a Secret)
       SecretName:  service-ca-secret
       Optional:    false
   ...
   

Gloo Portal now trusts the custom CA!