Navigation :

Updating Enterprise Licenses

Gloo Edge Enterprise requires a time-limited license key in order to fully operate. You initially provide this license at installation time, as described here.

The license key is stored as a Kubernetes secret in the cluster. When the key expires, the pods that mount the secret might crash. To update the license key, patch the secret and restart the Gloo Edge deployments. During the upgrade, the data plane continues to run, but you might not be able to modify the configurations for Gloo custom resources through the management plane.

When you first install Gloo Edge in your cluster, confirm the license key expiration date with your Account Representative, such as in 30 days. Then, set a reminder for before the license key expires, and complete these steps, such as on Day 30, so that your Gloo Edge pods do not crash.

Confirm that your license expired

Whether you’re a prospective user using a trial license or a full Gloo Edge subscriber, this license can expire. When it does, you may see certain Gloo Edge pods start to display errors that are new to you.

For example, from the following k9s display, you can see that certain gloo-system pods fall into a CrashLoopBackoff state.

k9s Display with Expired License

Next, you can use glooctl check to confirm that the deployments have errors.

% glooctl check
Checking deployments... 3 Errors!
Checking pods... 6 Errors!
Checking upstreams... OK
Checking upstream groups... OK
Checking auth configs... OK
Checking rate limit configs... OK
Checking VirtualHostOptions... OK
Checking RouteOptions... OK
Checking secrets... OK
Checking virtual services... OK
Checking gateways... OK
Checking proxies... Skipping due to an error in checking deployments
Skipping due to an error in checking deployments
Error: 11 errors occurred:
	* Deployment gloo-fed in namespace gloo-system is not available! Message: Deployment does not have minimum availability.
	* Deployment gloo-fed-console in namespace gloo-system is not available! Message: Deployment does not have minimum availability.
	* Deployment observability in namespace gloo-system is not available! Message: Deployment does not have minimum availability.
	* Pod gloo-fed-6f58b97cb6-5qktr in namespace gloo-system is not ready! Message: containers with unready status: [gloo-fed]
	* Not all containers in pod gloo-fed-6f58b97cb6-5qktr in namespace gloo-system are ready! Message: containers with unready status: [gloo-fed]
	* Pod gloo-fed-console-845767f58-tvl4k in namespace gloo-system is not ready! Message: containers with unready status: [apiserver]
	* Not all containers in pod gloo-fed-console-845767f58-tvl4k in namespace gloo-system are ready! Message: containers with unready status: [apiserver]
	* Pod observability-958575cf6-fkhsw in namespace gloo-system is not ready! Message: containers with unready status: [observability]
	* Not all containers in pod observability-958575cf6-fkhsw in namespace gloo-system are ready! Message: containers with unready status: [observability]
	* proxy check was skipped due to an error in checking deployments
* xds metrics check was skipped due to an error in checking deployments

Finally, to get a more precise diagnosis, look at the logs for the failing observability deployment.

% kubectl logs deploy/observability -n gloo-system
{"level":"fatal","ts":1628879186.1552186,"logger":"observability","caller":"cmd/main.go:24","msg":"License is invalid or expired, crashing - license expired","version":"1.8.0","stacktrace":"main.main\n\t/workspace/solo-projects/projects/observability/cmd/main.go:24\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:225"}

You can confirm that the license key is expired by copying and pasting your current license key into the jwt.io debugger. Note that the date indicated by the exp header is in the past.

jwt.io Confirms Expired License

Replace the Expired License

If you’re a new user whose trial license has expired, contact your Solo.io Account Representative for a new license key, or fill out this form. Make sure to note the expiration date so that you can later replace this new license key before it expires.

The Gloo Edge Enterprise license is installed by default into a Kubernetes Secret named license in the gloo-system namespace. If that is the case for your installation, then you can use a simple bash script to replace the expired key by patching the license secret:

  1. Save the new license key in an environment variable.

    export GLOO_LICENSE_KEY=<your-new-enterprise-key-string>

  2. Update the license secret with the new key.

    kubectl create secret generic --save-config -n gloo-system license --from-literal=license-key=$GLOO_LICENSE_KEY --dry-run=client -o yaml | kubectl apply -f -

  3. Restart the Gloo deployment to pick up the license secret changes.

    kubectl -n gloo-system rollout restart deploy/gloo

Verify the New License

To quickly test whether the new license has resolved your problem, try restarting all the deployments that were stuck in CrashLoopBackoff state, like this:

% kubectl rollout restart deployment observability -n gloo-system
deployment.apps/observability restarted
% kubectl rollout restart deployment gloo-fed-console -n gloo-system
deployment.apps/gloo-fed-console restarted
% kubectl rollout restart deployment gloo-fed -n gloo-system
deployment.apps/
gloo-fed restarted

Taking a fresh look at the k9s console shows us that all three of the failing pods have recently restarted – see the AGE attribute – and are now in a healthy state.

k9s Display with Refreshed License

Congratulations! You have successfully replaced your Gloo Edge Enterprise license key.