Greymatter Version v1.8.0
Enable Mesh-wide mTLS
Using the greymatter operator with GitOps makes it simple to enable TLS on an edge gateway and internal sidecars. In this scenario, the edge gateway handles TLS termination while all internal communication within the mesh between sidecars is mutual TLS (mTLS). In other words, all sidecar to sidecar connections are required to authenticate via TLS in both directions.
Configuration
Edge Encryption | Internal Encryption | defaults.edge.enable_tls | defaults.edge.require_client_certs | defaults.core_internal_tls_certs.enable | defaults.core_internal_tls_certs.require_client_certs | configs.spire |
---|---|---|---|---|---|---|
Plain Text | Plain Text | false | false | false | false | false |
Plain Text | Spire | false | false | false | false | true |
TLS | Plain Text | true | false | false | false | false |
TLS | TLS | true | false | true | false | false |
TLS | mTLS | true | false | true | true | false |
TLS | Spire | true | false | false | false | true |
mTLS | Plain Text | true | true | false | false | false |
mTLS | TLS | true | true | true | false | false |
mTLS | mTLS | true | true | true | true | false |
mTLS | Spire | true | true | false | false | true |
For TLS/mTLS on the edge you must create the gm-edge-ingress-certs secret (see below). For Spire internal encryption you must have Spire deployed.
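As an added example (not code from the greymatter-core repository), the Python below maps the five flags of the table onto an edge/internal encryption mode and reports flag combinations the table does not list; it assumes an inputs.cue-like layout of nested `name: {` blocks and `name: true|false` lines, which is a deliberate simplification of CUE, and the SAMPLE input is constructed.

```python
"""Added example, not greymatter-core code: map an inputs.cue-style file's five
TLS flags onto the edge/internal rows of the table above and report combinations
the table omits. Only nested `name: {` blocks and `name: true|false` lines parse."""
import re
FIELD = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(\{|true|false)\s*$")

def parse_flags(text):
    path, flags = [], {}  # current block nesting, {dotted.path: bool}
    for line in text.splitlines():
        m = FIELD.match(line)  # strings, numbers and lists are skipped
        if line.strip() == "}":
            path.pop()
        elif m and m.group(2) == "{":
            path.append(m.group(1))
        elif m:
            flags[".".join(path + [m.group(1)])] = m.group(2) == "true"
    return flags

def classify(flags):
    """Return ((edge, internal), problems); non-empty problems means no table row matches."""
    g = lambda key: flags.get(key, False)
    edge_tls, edge_client = g("defaults.edge.enable_tls"), g("defaults.edge.require_client_certs")
    i = "defaults.core_internal_tls_certs."
    int_tls, int_client, spire = g(i + "enable"), g(i + "require_client_certs"), g("configs.spire")
    problems = [msg for bad, msg in (
        ((edge_client and not edge_tls) or (int_client and not int_tls),
         "require_client_certs has no effect unless TLS is enabled on that side"),
        (int_tls and not edge_tls, "internal TLS behind a plain-text edge is not a listed row"),
        (spire and int_tls, "spire with core_internal_tls_certs.enable is not a listed row"),
    ) if bad]
    edge = "mTLS" if edge_client else "TLS" if edge_tls else "Plain Text"
    internal = ("Spire" if spire else "mTLS" if int_client
                else "TLS" if int_tls else "Plain Text")
    return (edge, internal), problems

# Constructed sample shaped like the fields the page names: the "mTLS | mTLS" row.
SAMPLE = """defaults: {
  edge: {
    enable_tls: true
    require_client_certs: true
  }
  core_internal_tls_certs: {
    enable: true
    require_client_certs: true
    cert_secret: "gm-edge-ingress-certs"
  }
}
configs: {
  spire: false
}"""
```

Run `classify(parse_flags(open("inputs.cue").read()))` against your own repo copy; an empty problems list plus `("mTLS", "mTLS")` or `("mTLS", "Spire")` is the mesh-wide mTLS target this page describes.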
Create TLS Certificates
Your enterprise operations team may issue certificates at your request, but if you'd like to generate your own self-signed certificates, follow these certbot instructions.
Apply TLS Certificates to Your Mesh
Using your terminal, navigate to the directory containing the certificates and create a Kubernetes secret from the certificates you created in the previous step:
kubectl create secret generic gm-edge-ingress-certs \
--from-file=ca.crt=./ca.crt \
--from-file=server.crt=./server.crt \
--from-file=server.key=./server.key \
-n greymatter
In your editor, open inputs.cue in the <your-org>/greymatter-core repository. Search for enable_tls and change the value from false to true.
enable_tls: true
Once you have finished, save and commit/push your changes to the <your-org>/greymatter-core repository. The operator will restart your pods once it detects this change. Because the system is eventually consistent, the change may not happen immediately, but it will be fast.
Retrieve your external IP from the edge LoadBalancer service with the following command:
kubectl get service -n greymatter
You should see an output like:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
edge LoadBalancer x.x.x.x x.x.x.x 10808:32021/TCP 48m
Once retrieved, navigate to https://{EXTERNAL_IP}:10808 and the greymatter.io dashboard will load through the edge gateway over TLS.
Using different certificates for internal mTLS (Optional)
By default the GitOps Core repo reuses the Kubernetes secret defined above, which contains your edge certificates, for internal mTLS; however, different certificates can be used for internal traffic. Create a separate secret from the internal certificates:
kubectl create secret generic gm-internal-certs \
--from-file=ca.crt=./ca.crt \
--from-file=server.crt=./server.crt \
--from-file=server.key=./server.key \
-n greymatter
In your editor, open inputs.cue in the <your-org>/greymatter-core repository. Search for core_internal_tls_certs and change the cert_secret name to gm-internal-certs. Once you have completed your changes, save and push them to the <your-org>/greymatter-core repository.
The operator will restart your pods once it detects this change. Because the system is eventually consistent, the change may not happen immediately, but it will be fast.