Review the following information about supported release versions for Gloo Platform, including dependencies on open source projects like Istio.
n-3 versions for Gloo Platform. Within each Gloo Platform version, different open source project versions are supported, including Solo Istio
n-4 version support.
The following versions of Gloo Platform are supported with the compatible open source project versions of Istio and Kubernetes. Later versions of the open source projects that are released after Gloo Platform might also work, but are not tested as part of the Gloo Platform release.
|Gloo Platform||Release date||Supported Solo Istio versions and related Kubernetes versions tested by Solo|
|2.4||28 Aug 2023||
|2.3||17 Apr 2023||
|2.2||20 Jan 2023||
|2.1||21 Oct 2022||
Keep in mind that Gloo Platform offers
n-4 security patching support only with Solo Istio versions, not community Istio versions. Solo Istio versions support the same patch versions as community Istio. You can review community Istio patch versions in the Istio release documentation. You must run the latest Gloo Platform patch version to get the backported Istio support.
Supported Istio versions by Kubernetes or OpenShift version
The supported version of Istio, and Kubernetes or OpenShift are dependent on each other. For example, if you plan to use Gloo Platform with Istio 1.18, you must make sure that you use a Kubernetes or OpenShift version that is compatible with Istio 1.18. The same is true if you decided on a specific Kubernetes or OpenShift version, and you must find an Istio version that is compatible.
To find a list of supported Kubernetes versions in Istio, see the Istio docs. For supported OpenShift, go to the OpenShift knowledgebase (requires login).
Known Istio issues
WasmDeploymentPolicyGloo CR is currently unsupported in Istio version 1.18.
- Istio versions 1.17 and later and Gloo Platform 2.4 and later do not support the Gloo legacy metrics pipeline. If you run the legacy metrics pipeline, be sure that you set up the Gloo OpenTelemetry (OTel) pipeline instead in your new or existing Gloo Gateway installation.
- For FIPS-compliant builds of Istio 1.17.2 and 1.16.4, you must use the
-patch1versions of the latest Istio builds published by Solo, such as
1.17.2-patch1-solo-fipsfor Solo Istio version 1.17. These patch versions fix a FIPS-related issue introduced in the upstream Envoy code. In 1.17.3 and later, FIPS compliance is available in the
-fipstags of regular Solo Istio builds, such as
- Istio versions 1.14.0 - 1.14.3 have a known issue about unused endpoints failing to be deleted. Additionally, version 1.14.4 has a known issue about short hostnames causing Kubernetes service and ServiceEntry conflicts. Both issues are resolved in Istio 1.14.5.
Additionally, the following Gloo Platform features require specific versions.
|Gloo Platform feature||Required versions|
|Gloo-managed Istio installations (Istio and gateway lifecycle manager)||Gloo Platform 2.1.0 or later, and Istio version 1.15.4 or later|
|Verification of Gloo Platform Helm charts||Gloo Platform 2.3.1 or later|
|GraphQL add-on||Gloo Platform version 2.1.0 or later, and Istio version 1.16.1 or later|
|AWS Lambda default request and response transformations||Istio version 1.15.1 or later|
The upgrade process depends on which software you need to upgrade and your infrastructure provider.
Consider the following rules before you plan your Gloo Gateway upgrade. For steps on how to perform the upgrade, see the Upgrading guide.
General: Always upgrade the Gloo management server first. Then, roll out the upgrade to the Gloo agents in your workload clusters. For more information, see the version skew policy for management and remote clusters.
Patch version upgrades: You can skip patch versions within the same minor release. For example, you can upgrade from version 2.2.0 to 2.2.5 directly, and skip the patch versions in between.
Minor version upgrades:
- Always upgrade to the latest patch version of the target minor release. For example, if you want to upgrade from version 2.1.x to 2.2.x, and 2.2.5 is the latest patch version, upgrade to that version and skip any previous patch versions for that minor release. Do not upgrade to a lower patch version, such as 2.2.0 or 2.2.1.
- Do not skip minor versions during your upgrade. Upgrade minor release versions one at a time. For example, if you currently run version 2.0.x and want to upgrade to version 2.2.x, you must first upgrade to the latest patch version of the 2.1.x minor release. After you upgraded to 2.1.x, you can then plan your upgrade to the latest patch version of the 2.2.x release.
Version skew policy for management and remote clusters
Plan to always upgrade your Gloo management server and agents to the same target version. During the upgrade process, your management server and agents can be one minor version apart. For example, let's say you currently run version 2.3.x and want to upgrade to version 2.4.x. Start by upgrading your management server to the latest patch version of the 2.4 minor release. Your management server and agent are still compliant as they are one minor version apart. Then, roll out the 2.4 minor release upgrade to the agents in your workload clusters.
If you plan to upgrade more than one minor releases, you must perform one minor release upgrade at a time. For example, to upgrade your management server and agent from 2.2.x to 2.4.x, you upgrade your management server to the latest patch version of the 2.3 minor release first. Your management server and agent are compliant because they are one minor version apart. Then, you upgrade your agents to the 2.3 minor release. After you verify the 2.3 upgrade, use the same approach to upgrade the management server and agents from 2.3 to the target 2.4 minor release.
If both your management server and agent run the same minor version, the agent can run any patch version that is equal or lower than the management server's patch version.
Consider the following example version skew scenarios:
|Supported?||Server version||Agent version||Requirement|
|✅||2.3.4||2.3.2||The management server and agents run the same minor version. The agent patch version is equal to or lower than the management server.|
|❌||2.3.4||2.3.5||The agent runs the same minor version as the server, but has a patch version greater than the server.|
|✅||2.3.4||2.2.4||The agent runs a minor version no greater than n-1 behind the server.|
|❌||2.3.4||2.1.9||The agent runs a minor version that is greater than n-1 behind the server.|
The process for updating Istio depends on how you installed Istio. If you used the Istio lifecycle manager, follow the Upgrade managed gateway proxies guide. If you manually installed Istio in your clusters, see Upgrade Istio ingress gateways.
Kubernetes or OpenShift
Consult your infrastructure provider's upgrade process. For example, you might use Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE), or Microsoft Azure Kubernetes Service (AKS).
Solo Istio distributions
For information about Solo Istio, see the Solo Istio version reference.
Download a specific image
You can download a particular image for Gloo Platform and Solo Istio, such as for the following use cases.
- To download and transfer these images if your environment does not have public network access or cannot pull public images, for an air-gapped installation.
- To run an older Istio version that the community no longer supports while still receiving security patches.
- To use a custom build that aligns with compliance standards such as Federal Information Processing Standards (FIPS).
Get the Gloo Platform version that you want to use
- Find the version tag in the changelog, such as 2.4.5.
- To download the package for all Gloo components that you deploy in your management and workload clusters, append the
<version_tag>to the following URL.
- Optional: For FIPS-compliant images, open the
values.yamlfile in the downloaded package, search for the
imagesection, and append
-fipsto the tag, such as in the following example.
... enterpriseNetworking: image: pullPolicy: IfNotPresent registry: gcr.io/gloo-mesh repository: gloo-mesh-mgmt-server tag: 2.4.5-fips
- Optional: If you need to pull the images locally, such as for an air-gapped installation, you can use the information you retrieved from the
imagessection in the
values.yamlfile to pull the image. For example, you might use the following
docker pullcommand for a FIPS image. Repeat this step for each image that you want to build locally and push to a private repository.
docker pull gcr.io/gloo-mesh/gloo-mesh-mgmt-server:2.4.5-fips
- Use these packages when you install Gloo Platform.
Get the Solo Istio version that you want to use
To download Solo Istio images, you must be a registered user and log in to the Solo Support Center.
Open the Istio images built by Solo.io support article. When prompted, log in to the Support Center with your Solo account credentials.
Find the repo key for the Istio version that you want to use in the support article, such as the repo key for
Save the repo key that your account representative gave you as an environment variable.
Decide on the specific tag of Istio image, such as the
solo-fips-distroless, that you want for your environment. For more information, see Solo Istio distributions.
Save the Istio version, including any specific tags, as an environment variable. The following example is for the latest patch version of the Solo Istio FIPS image.
Pull the Istio images that you want to use with the repo key.
docker pull $REPO/pilot:$ISTIO_IMAGE docker pull $REPO/proxyv2:$ISTIO_IMAGE docker pull $REPO/operator:$ISTIO_IMAGE
Install Istio with these images. Istio provides several installation methods, such as using
istioctlor Helm. When you install Istio, make sure to replace any images with the Gloo Platform images that you want to use. For more information, see the Istio documentation. For examples that set the
tagvalues to Solo Istio, see one of the following installation guides.
After installing Istio, you can verify that the version is compatible with your Kubernetes environment by running
istioctl x precheck.
istioctl x precheck ✔ No issues found when checking the cluster. Istio is safe to install or upgrade! To get started, check out https://istio.io/latest/docs/setup/getting-started/
n-3 for Gloo Platform and
n-4 for Solo Istio versions.
Typically, Gloo Platform releases a new minor version,
n, each quarter. When the new minor version is released, the previous
n-4 for Gloo Platform or
n-5 for Solo Istio becomes unsupported. Make sure that you run a supported version for production environments, and keep that version upgraded to the latest patch version so that you have the latest security fixes. For more information, see Upgrading Gloo Platform.
||Yes||Latest||The latest stable version is the default version when you view the documentation. New features are typically not developed for the latest version, but the version is actively maintained for security patches, bugs, and documentation.|
|Yes||Stable||Supported versions up to
||No||Beta||Active feature development happens on the
|No||Unsupported||Versions that are
Gloo feature maturity
Solo periodically provides new features in minor releases of Gloo versions. To receive feedback and improve functionality for real use cases, these features are often released according to a feature maturity model. As the features are improved and stabilized, they are gradually moved through the stages of alpha, beta, and general availability (GA) support. Review the following table for the comparison points between each stage of feature maturity. To see the maturity of a feature, check the feature's documentation.
|API||Can and will likely change||Unlikely to change||No change|
|Implementation||Can and will likely change||Can change, but user experience is maintained||No changes that affect user experience|
|Upgrade paths||No guaranteed||No guaranteed||Provided and tested|
|Requests for enhancement (RFEs) and bug fixes||RFEs and bug fixes prioritized||RFEs and bug fixes prioritized||Fully supported|
|Documentation||Not guaranteed and supplied with warnings||Supplied with warnings||Fully supplied|
|Automated testing||Internal testing, but little testing with real use cases||Internal testing and some testing with real use cases||Fully tested and validated with real use cases|
|Suggested usage||Exploration and feedback||Testing setups, demos, and POCs||Production setups|
Open source packages in Gloo Platform
For specific versions of open sources packages that are bundled with Gloo Platform, see the entries in the Open Source Attribution topic. For more information on where these open source packages are retrieved from, see the go.mod documentation.
Help me choose which version to run
- Consider your container platform environment, particularly which cloud provider and version of Kubernetes that you want to run. Compare the version against the table of supported versions for Gloo Platform.
- Review the features that are available in a particular version of the software.
- Decide if you need to run a specific image, such as the FIPS version of Solo Istio for FedRAMP compliance.
- Follow the Setup guides, modifying the steps to install the particular versions that you want to use.