
Enabling Mesh mTLS

Greymatter Version

  • v1.8.0

Enable Mesh Wide mTLS

Using the greymatter.io operator with GitOps makes it simple to enable TLS on your edge gateway and mTLS between internal mesh components. In this scenario a greymatter.io data plane proxy running in your Kubernetes cluster terminates TLS at the edge, and the internal connections between mesh components are upgraded to mTLS as well.

Create TLS Certificates

Your enterprise operations team may issue certificates at your request; if you would rather generate your own self-signed certificates, follow these certbot instructions. Whichever route you take, ca.crt must be the certificate of the CA that issued server.crt, and server.key must be the private key belonging to server.crt; a mismatch only shows up as a handshake failure after the proxies restart.

Apply TLS Certificates to Your Mesh

Using your terminal, navigate to the directory containing the certificates and create a Kubernetes secret from the files you created in the previous step. The three key names (ca.crt, server.crt, server.key) are what the mesh expects, so keep them as shown even if your files are named differently.

kubectl create secret generic gm-edge-ingress-certs \
    --from-file=ca.crt=./ca.crt \
    --from-file=server.crt=./server.crt \
    --from-file=server.key=./server.key \
    -n greymatter

In your editor, open inputs.cue in <your-org>/gitops-core repository. Search for enable_tls and change the value from false to true.

enable_tls: true

When you are done, save and commit/push your changes to the <your-org>/gitops-core repository. The operator restarts your pods once it detects the change. Because the system is eventually consistent the restart may not happen immediately, but it is fast.

Retrieve the external IP of the edge LoadBalancer service with the following command:

kubectl get service -n greymatter

You should see an output like:

NAME   TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)           AGE
edge   LoadBalancer   x.x.x.x      x.x.x.x         10808:32021/TCP   48m

Once retrieved, navigate to https://{EXTERNAL_IP}:10808 and the greymatter.io dashboard will load through the edge gateway over TLS. If the edge certificate was issued by your own self-signed CA, the browser will warn until that CA is trusted.
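The certificate generation and the checks from the steps above, as an added example that is not part of this page or of the greymatter.io tooling: a POSIX shell script that mints a private CA and a server certificate with openssl (in place of the certbot route), checks the three files the kubectl command expects before they go into the secret, re-reads them from the secret afterwards, and finally probes the edge listener once the operator has restarted it. The CA name mesh-demo-ca, the hostname edge.example.com and the address 203.0.113.10 are assumptions; the same functions serve the optional internal-certificate set.

```shell
#!/bin/sh
# Added example (not greymatter.io project code): mint a private CA plus a
# server certificate signed by it with openssl, producing the three files the
# page's kubectl command expects (ca.crt, server.crt, server.key), and check
# them before and after they are loaded into the mesh. The CA name, hostname
# and address used here are illustrative assumptions.
set -eu

# gen_mesh_certs DIR CN [EXTRA_SANS]
#   EXTRA_SANS is an openssl SAN list such as "DNS:edge.example.com,IP:203.0.113.10".
#   The CN is also added as a DNS SAN because modern TLS clients match on SANs only.
gen_mesh_certs() {
  local dir cn sans
  dir=$1; cn=$2; sans="DNS:$2"
  [ -n "${3:-}" ] && sans="$sans,$3"
  mkdir -p "$dir"
  # Self-signed CA: its certificate is what peers trust (ca.crt). Keep ca.key
  # out of the Kubernetes secret; only the CA certificate is needed there.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=mesh-demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR for the edge (or internal) proxy.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Leaf extensions: SANs for hostname/IP matching; both EKUs because an
  # mTLS peer presents the same certificate as client and as server.
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$sans" > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  rm -f "$dir/server.csr" "$dir/server.ext"
}

# Does server.crt chain to ca.crt? This is the check mesh peers will perform.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Does server.key belong to server.crt? Compare the public keys of both.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1/server.crt")" = \
    "$(openssl pkey -pubout -in "$1/server.key")" ]
}

# Does a SAN cover the name or address the edge will be reached on?
# NEEDLE is matched against openssl's text dump, e.g. "IP Address:203.0.113.10".
san_covers() {
  openssl x509 -noout -text -in "$1/server.crt" | grep -q -- "$2"
}

# Re-read the three keys from the Kubernetes secret and re-run the checks, so a
# wrong --from-file argument is caught before enable_tls is flipped to true.
# verify_secret NAMESPACE SECRET_NAME   (needs kubectl and cluster access)
verify_secret() {
  local ns name dir k
  ns=$1; name=$2; dir=$(mktemp -d)
  for k in ca.crt server.crt server.key; do
    kubectl get secret "$name" -n "$ns" -o go-template="{{index .data \"$k\"}}" \
      | base64 -d > "$dir/$k"
  done
  verify_chain "$dir" && key_matches_cert "$dir"
}

# After the operator has restarted the edge: does the gateway present a
# certificate that validates against ca.crt? Non-zero exit means it does not.
# check_edge_tls HOST PORT CA_FILE
check_edge_tls() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Typical use (assumed names):
#   gen_mesh_certs ./certs edge.example.com "IP:203.0.113.10"
#   verify_chain ./certs && key_matches_cert ./certs && san_covers ./certs "IP Address:203.0.113.10"
#   kubectl create secret generic gm-edge-ingress-certs --from-file=ca.crt=./certs/ca.crt \
#       --from-file=server.crt=./certs/server.crt --from-file=server.key=./certs/server.key -n greymatter
#   verify_secret greymatter gm-edge-ingress-certs
#   check_edge_tls 203.0.113.10 10808 ./certs/ca.crt
```

Run gen_mesh_certs a second time into another directory to produce the set for the optional internal secret; giving the internal proxies their own CA means the edge CA is no longer a trust anchor inside the mesh, which is the point of using different certificates there.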

Using different certificates for internal mTLS (Optional)

By default the GitOps Core repo reuses the Kubernetes secret defined above, which holds your edge certificates, for internal mTLS. Different certificates for internal traffic can be used instead: create a second secret from the internal CA, certificate and key files, with the same three key names as before.

kubectl create secret generic gm-internal-certs \
    --from-file=ca.crt=./ca.crt \
    --from-file=server.crt=./server.crt \
    --from-file=server.key=./server.key \
    -n greymatter

In your editor, open inputs.cue in the <your-org>/gitops-core repository. Search for core_internal_tls_certs and set its cert_secret to gm-internal-certs. Once you have completed your changes, save, commit and push them to the <your-org>/gitops-core repository.

The operator restarts your pods once it detects the change. Because the system is eventually consistent the restart may not happen immediately, but it is fast.