
Enable mTLS for Mesh

Greymatter Version

  • v1.8.0

Enable Mesh-wide mTLS

Using the greymatter operator with GitOps makes it simple to enable TLS on the edge gateway and on the internal sidecars. In this scenario the edge gateway terminates TLS for external clients, while all sidecar-to-sidecar communication inside the mesh uses mutual TLS (mTLS): each side of a sidecar connection presents a certificate and verifies the peer's, so both ends of every connection are authenticated.

Configuration

Each combination of edge and internal encryption is produced by the inputs.cue settings in the remaining columns:

  A = defaults.edge.enable_tls
  B = defaults.edge.require_client_certs
  C = defaults.core_internal_tls_certs.enable
  D = defaults.core_internal_tls_certs.require_client_certs
  E = configs.spire

Edge Encryption   Internal Encryption   A      B      C      D      E
Plain Text        Plain Text            false  false  false  false  false
Plain Text        Spire                 false  false  false  false  true
TLS               Plain Text            true   false  false  false  false
TLS               TLS                   true   false  true   false  false
TLS               mTLS                  true   false  true   true   false
TLS               Spire                 true   false  false  false  true
mTLS              Plain Text            true   true   false  false  false
mTLS              TLS                   true   true   true   false  false
mTLS              mTLS                  true   true   true   true   false
mTLS              Spire                 true   true   false  false  true

The scenario described in the introduction (TLS terminated at the edge, mTLS between sidecars) is the TLS / mTLS row.

For TLS or mTLS at the edge you must create the gm-edge-ingress-certs secret (see below). For Spire internal encryption you must have Spire deployed. Note that setting require_client_certs on the edge means every external caller, including the browser you use to open the dashboard, must present a client certificate that chains to the ca.crt in that secret.

Create TLS Certificates

Your enterprise operations team may issue certificates at your request, but if you would like to generate your own self-signed certificates, follow these certbot instructions. Whichever route you take, the next step needs three files: ca.crt (the CA that signed the server certificate), server.crt and server.key.

Apply TLS Certificates to Your Mesh

Using your terminal, navigate to the directory containing the certificates and create a Kubernetes secret from the files you created in the previous step:

kubectl create secret generic gm-edge-ingress-certs \
    --from-file=ca.crt=./ca.crt \
    --from-file=server.crt=./server.crt \
    --from-file=server.key=./server.key \
    -n greymatter

In your editor, open inputs.cue in the <your-org>/greymatter-core repository. Search for enable_tls and change the value from false to true:

enable_tls: true

Once you have saved the file, commit and push your changes to the <your-org>/greymatter-core repository. The operator restarts the affected pods once it detects the change. Because the system is eventually consistent, the restart may not happen immediately, but it is normally fast.

Retrieve your external IP from the edge LoadBalancer service with the following command:

kubectl get service -n greymatter

You should see an output like:

NAME   TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)           AGE
edge   LoadBalancer   x.x.x.x      x.x.x.x         10808:32021/TCP   48m

Once you have the address, navigate to https://{EXTERNAL_IP}:10808 and the greymatter.io dashboard will load through the edge gateway over TLS. If the server certificate was issued by your own CA, the browser will warn until you trust ca.crt; if you also enabled require_client_certs on the edge, the browser must present a client certificate signed by that CA or the handshake will be refused.
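The script below is an added example and is not part of the greymatter documentation or the greymatter-core repository. It covers the two steps above that the page leaves to other tools: producing ca.crt, server.crt and server.key (with openssl in place of the certbot step, so it runs offline), checking that the files belong together before they go into the gm-edge-ingress-certs secret, and, once enable_tls is on, probing the live edge to confirm that the chain it presents verifies against ca.crt. It assumes openssl is on PATH; kubectl is optional (the secret is rendered with a client-side dry run and nothing is applied); the names edge.greymatter.svc and mesh-client and the EDGE_HOST/EDGE_PORT variables are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the greymatter docs or the greymatter-core repo).
# Builds a throwaway CA plus an edge (server) certificate and a client
# certificate with openssl, checks the files before they go into the
# gm-edge-ingress-certs secret, and optionally probes a live edge.
# Assumptions: openssl on PATH; kubectl optional; EDGE_HOST/EDGE_PORT set by
# the caller when a live probe is wanted.
set -eu

# gen_pki DIR SERVER_NAME : write ca.crt, server.crt/server.key (SAN = SERVER_NAME)
# and client.crt/client.key into DIR, all signed by the throwaway CA.
gen_pki() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=mesh-example-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server leaf: the SAN must match the name (or IP) clients connect to.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" >"$dir/server.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client leaf: what a caller must present once require_client_certs is true.
  printf 'extendedKeyUsage=clientAuth\n' >"$dir/client.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mesh-client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  chmod 600 "$dir"/*.key
}

# cert_issued_by CA_FILE CERT_FILE : succeeds if CERT_FILE chains to CA_FILE.
# ca.crt in the secret is the trust anchor the edge applies to client
# certificates, so a client cert that fails this check is useless for mTLS.
cert_issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert CERT_FILE KEY_FILE : succeeds if the private key belongs to
# the certificate (compares the SubjectPublicKeyInfo derived from each).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# has_san CERT_FILE NAME : succeeds if NAME is one of the certificate's DNS SANs.
has_san() { openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"; }

# key_is_private KEY_FILE : succeeds only if group and other have no access.
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# build_secret DIR : the secret from the page, rendered with a client-side dry
# run (prints YAML containing the key; redirect it somewhere outside git).
build_secret() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping manifest" >&2; return 0; }
  kubectl create secret generic gm-edge-ingress-certs \
    --from-file=ca.crt="$1/ca.crt" \
    --from-file=server.crt="$1/server.crt" \
    --from-file=server.key="$1/server.key" \
    -n greymatter --dry-run=client -o yaml
}

# check_edge HOST PORT CA_FILE [CLIENT_CERT CLIENT_KEY] : handshake with a live
# edge and succeed only if the chain it presents verifies against CA_FILE.
# Pass the client pair when the edge has require_client_certs enabled.
check_edge() {
  client_opts=""
  [ "$#" -ge 5 ] && client_opts="-cert $4 -key $5"
  printf 'Q\n' | openssl s_client -connect "$1:$2" -CAfile "$3" $client_opts 2>&1 \
    | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone run: generate into a scratch directory and run the offline checks.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
gen_pki "$WORKDIR" edge.greymatter.svc
cert_issued_by "$WORKDIR/ca.crt" "$WORKDIR/server.crt" || { echo "server.crt does not chain to ca.crt" >&2; exit 1; }
key_matches_cert "$WORKDIR/server.crt" "$WORKDIR/server.key" || { echo "server.key does not match server.crt" >&2; exit 1; }
key_is_private "$WORKDIR/server.key" || { echo "server.key is readable by others" >&2; exit 1; }
echo "certificates in $WORKDIR passed the offline checks"
build_secret "$WORKDIR"
if [ -n "${EDGE_HOST:-}" ]; then
  check_edge "$EDGE_HOST" "${EDGE_PORT:-10808}" "$WORKDIR/ca.crt" \
    && echo "edge at $EDGE_HOST presents a chain that verifies against ca.crt"
fi
```

Run it with no arguments for the offline checks only; set EDGE_HOST (and EDGE_PORT if the edge is not on 10808) to add the live probe after the operator has restarted the edge, and pass client.crt and client.key as the fourth and fifth arguments of check_edge when the edge requires client certificates. After creating the real secret, `kubectl get secret gm-edge-ingress-certs -n greymatter` confirms it landed in the greymatter namespace.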

Using different certificates for internal mTLS (Optional)

By default the GitOps Core repo re-uses the Kubernetes secret defined above, containing your edge certificates, for internal mTLS. You can use different certificates for internal traffic instead. Doing so keeps the CA that sidecars trust for each other separate from the CA exposed at the edge, so a certificate that is valid at the edge is not automatically accepted as a sidecar identity.

kubectl create secret generic gm-internal-certs \
    --from-file=ca.crt=./ca.crt \
    --from-file=server.crt=./server.crt \
    --from-file=server.key=./server.key \
    -n greymatter

In your editor, open inputs.cue in the <your-org>/greymatter-core repository. Search for core_internal_tls_certs and set its cert_secret to gm-internal-certs. Once you have completed your changes, save, commit and push them to the <your-org>/greymatter-core repository.

The operator restarts the affected pods once it detects the change. Because the system is eventually consistent, the restart may not happen immediately, but it is normally fast.