Navigation :

Licensing

Learn about and manage Gloo Platform licenses in your environment.

Choose Gloo Platform product licenses

Before you install Gloo Gateway, decide which product and module licenses you need for your Gloo Platform environment. Gloo Platform offers separate licenses for each product, such as Gloo Gateway, Gloo Mesh Enterprise, and Gloo Network. Additionally, licenses are offered for the GraphQL module.

Licensed products

Product licenses unlock certain capabilties in Gloo Platform. For example, with a Gloo Mesh license, your Gloo Platform agent installs Mesh custom resource definitions (CRDs) in each registered cluster. With these CRDs, you can consistently manage your application networking resources across clusters.

Product	Related open source projects	Description
Gateway	Envoy, Istio	Gloo Gateway is an API gateway based on Envoy and Istio open source technologies. A gateway license unlocks custom resources such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. You can enhance your API gateway with additional modules, such as GraphQL, support for routing to AWS Lambdas, and a developer portal.
Mesh	Istio	Gloo Mesh manages Istio-based service meshes across clusters and infrastructure providers, and secures communication between workloads via mTLS. A mesh license unlocks hardened, FIPS-compliant Istio images with `n-4` version support. You get a simplified management experience for multitenancy, service isolation, federation, and east-west traffic management. Gloo Mesh even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources so that intelligent, multicluster failover works out of the box.
Network	eBPF, Cilium	Gloo Network is a Cilium-based container network interface (CNI) plug-in that leverages the Linux kernel technology eBPF to provide connectivity, security, and observability for containerized workloads. You can use Gloo policies to consistently apply L3 and L4 access control across all the services in your multicluster environment. If you use Network with Mesh or Gateway, you can even reuse the same access policies to add L7 access control.

Licensed modules

Modules further extend select products with licensed capabilities. The license that you use when installing or upgrading Gloo Platform can include both a product and module, instead of separate licenses. For example, you might have a Gloo Gateway with GraphQL license to use the Gateway product along with the GraphQL module.

Module	Products the module can extend	Description
GraphQL	Gateway, Mesh	GraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests.

Get a license key

To get Gloo Platform product licenses, contact an account representative. Your account representative can help you get the right license keys for the Gloo Platform capabilities that you want for your environment. For example, depending on your needs, you might get one of the following license key combinations:

For a trial installation of all Gloo Platform products, you get a Gloo trial license key.
For a Gloo Gateway setup that supports GraphQL capabilities, you get a Gloo Gateway license key that includes the GraphQL module add-on.
For a setup that supports both Gloo Gateway and Gloo Mesh capabilities, such as ingress routing as well as east-west service mesh routing, you get a Gloo Gateway license key and a Gloo Mesh license key.

Provide license keys during installation

When you install your Gloo Platform products, you provide your license keys either directly in your meshctl install command or Helm values file, or in a secret that you pass into the command or values file.

Trial licenses

A trial license provides access to all Gloo Platform products.

Save your trial license key as an environment variable.

export GLOO_TRIAL_LICENSE_KEY=<gloo-trial-license-key>

Decide how you want to provide your trial key during installation.
- Provide trial key directly: When you install Gloo Gateway in your cluster, you can provide your trial license key in the --set licensing.glooTrialLicenseKey=$GLOO_TRIAL_LICENSE_KEY flag or directly in your Helm values file with the licensing.glooTrialLicenseKey: $GLOO_TRIAL_LICENSE_KEY setting.
- Provide trial key in a secret: You can specify your trial license key by creating a secret before you install Gloo Gateway.
  1. Create a secret with your trial key in the gloo-mesh namespace of your cluster.
```
cat << EOF | kubectl apply -n gloo-mesh -f -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: license-secret
  namespace: gloo-mesh
data:
  gloo-trial-license-key: "$GLOO_TRIAL_LICENSE_KEY"
EOF
```
  2. When you install Gloo Gateway in your cluster, provide the licensing.licenseSecretName: license-secret setting in your Helm values file.

Product licenses

You must have one license for each Gloo Platform product that you want to install, such as Gloo Mesh and Gloo Gateway. If you also purchased a module add-on such as GraphQL, this module is included in the product license (you do not need a separate license).

Save your license keys as environment variables. The following steps and examples use Gloo Gateway, but you might have separate license keys for Gloo Gateway, Gloo Mesh, and Gloo Network.
```
export GLOO_GATEWAY_LICENSE_KEY=<gloo-gateway-license-key>
```
Decide how you want to provide your license keys during installation.
- Provide license keys directly: When you install Gloo Gateway in your cluster, you can provide your license key in the --set licensing.glooGatewayLicenseKey=$GLOO_GATEWAY_LICENSE_KEY flag or directly in your Helm values file with the licensing.glooGatewayLicenseKey: $GLOO_GATEWAY_LICENSE_KEY setting.
- Provide license keys in a secret: You can specify your license keys by creating a secret before you install Gloo Gateway.
  1. Create a secret with your license keys in the gloo-mesh namespace of your management cluster. For example, to provide your Gloo Gateway license key in a secret:
```
cat << EOF | kubectl apply -n gloo-mesh -f -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: license-secret
  namespace: gloo-mesh
data:
  gloo-mesh-license-key: ""
  gloo-network-license-key: ""
  gloo-gateway-license-key: "$GLOO_GATEWAY_LICENSE_KEY"
EOF
```
  2. When you install Gloo Gateway in your cluster, provide the licensing.licenseSecretName: license-secret setting in your Helm values file.

Monitor licenses

You can check your licenses, including your license expiration dates, in multiple ways.

CLI

To check your current licenses with the meshctl CLI, run the following command. In the output, you can see your license status in the License status section.

meshctl check

In this example output, the Gloo Gateway license is current and valid, and no GraphQL module is added to the license. The expiration date is listed so that you can update your license before it expires.

🟢 License status

INFO  gloo-gateway enterprise license expiration is 25 Aug 24 10:38 CDT
INFO  No GraphQL license module found for any product

In this example output, the Gloo Gateway license with a GraphQL module is expired. You can update your license in your Gloo environment.

🔴 License status

ERROR A license is expired. To update, see https://docs.solo.io/gloo-mesh-enterprise/main/setup/prepare/licensing/#update-licenses
INFO  gloo-gateway enterprise license expiration is 06 Feb 23 13:05 CDT
INFO  Valid GraphQL license module found

UI

To check your current licenses with the Gloo UI:

Open the Gloo UI.
In the header navigation bar, click the gear icon.
Review the status of your licenses. In the following example, the Gloo Gateway license is current and valid, and no GraphQL module is added to the license. You can also check the expiration date so that you can update your license before it expires.

Product license statuses in the Gloo UI.

Metrics

Gloo Platform includes license metrics that you can view by using the UI of the built-in Prometheus server. These metrics give you the number of minutes until the license expires, which you can optionally use to set up alerts in Prometheus.

Open the Prometheus UI.
Query one of the following metrics:
- solo_io_gloo_gateway_license
- solo_io_gloo_mesh_license
- solo_io_gloo_network_license

In the output, check the the value of the metric, which is the number of minutes until the license expires. For example, in this output, the Gloo Gateway license expires in 247,649 minutes, which equals 171 days, 23 hours, and 29 minutes.

Metric	Value
solo_io_gloo_gateway_license{app="gloo-mesh-mgmt-server”, instance="10.xx.x.x:9091”, job="gloo-mesh-mgmt-server”, namespace="gloo-mesh”, pod="gloo-mesh-mgmt-server-65bd557b95-v8qq6”, pod_template_hash="65bd557b95”}	247649.2563652057

Optional: If you want to add alerts for these license metrics, such as to remind you to update your license before it expires, you can add alerts to your Helm values file and apply the file during a Gloo upgrade. To get your current Helm values and upgrade Gloo, see Upgrade Gloo Gateway.

For example, if you installed Gloo Gateway, you might add the following alert to your values file to remind you to update your Gloo Gateway license 30 days before it expires. You can also add similar alerts for other Gloo product licenses, or alerts for other timeframes (such as using expr: solo_io_gloo_gateway_license < 0 in the case that a license expires). You can review these alerts in the operations dashboard or in the /alerts page of the Prometheus UI.

...
serverFiles:
    alerting_rules.yml:
        groups:
            - name: GlooPlatformAlerts
              rules:
                ...
                - alert: GlooGatewayLicenseExpiresSoon
                  annotations:
                    runbook: https://docs.solo.io/gloo-mesh-enterprise/main/setup/prepare/licensing/#update-licenses
                    summary: The Gloo Gateway license expires in 30 days.
                  expr: solo_io_gloo_gateway_license < 1440 * 30
                  labels:
                    severity: warning

Update licenses

Before your Gloo license expires, you can update the license by performing a Helm upgrade. If you use Gloo Gateway along with other Gloo products such as Gloo Mesh and Gloo Network, you can also update those licenses.

For example, if you notice that your Gloo control plane deployments are in a crash loop, your Gloo license might be expired. You can check the logs for one of the deployments, such as the management server, to look for an error message similar to the following:

meshctl logs mgmt

{"level":"fatal","ts":1628879186.1552186,"logger":"gloo-mesh-mgmt-server","caller":"cmd/main.go:24","msg":"License is invalid or expired, crashing - license expired", ...

To update your license, see the upgrade guide.