Uninstall

If you no longer need your Gloo Gateway environment, you can uninstall Gloo Gateway components, such as the control plane, agent, gateway proxies, and sample apps.

• Uninstall Gloo Gateway in a single-cluster setup
• Uninstall Gloo Gateway in a multicluster setup

Single-cluster setups

1. Uninstall the Istio control plane and gateway proxies. Note: For demo installations, skip to the next step.

   • Managed gateway proxies
   • Manual Helm deployments

   1. Delete the GatewayLifecycleManager resource for the gateway proxy.

      kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh
      

   2. Delete the IstioLifecycleManager for the istiod control plane. Note that your resource might be named gloo-mesh-enterprise if you migrated from the legacy Helm charts, or istiod-control-plane if you manually created the IstioLifecycleManager resource.

      kubectl delete IstioLifecycleManager gloo-platform -n gloo-mesh
      

   3. Delete the Istio namespaces.

      kubectl delete ns istio-system
      kubectl delete ns gloo-mesh-gateways
      

   4. Find the name of your Istio Helm chart release in the gloo-mesh-gateways namespace, such as istio-ingressgateway-1-17-2.

      helm ls -n gloo-mesh-gateways
      

   5. Delete the Helm release for the ingress gateway.

      helm delete istio-ingressgateway-1-17-2 -n gloo-mesh-gateways
      

   6. Find the name of your Istio Helm chart release in the istio-system namespace, such as istiod-1-17-2.

      helm ls -n istio-system
      

   7. Delete the Helm release for the istiod control plane.

      helm delete istiod-1-17-2 -n istio-system
      

   8. Delete the Istio namespaces.

      kubectl delete ns istio-system
      kubectl delete ns gloo-mesh-gateways
      kubectl delete ns istio-config
      

2. Uninstall Gloo Gateway.

   • Demo setups
   • meshctl
   • Helm

   meshctl uninstall --purge
   

   Note: If you see a warning such as release gloo-platform does not exist, nothing to uninstall, use the Helm tab instead.

   meshctl uninstall
   

   Note: If you see a warning such as release gloo-platform does not exist, nothing to uninstall, use the Helm tab instead.

   1. Delete the KubernetesCluster resource from the cluster.

      kubectl delete kubernetescluster $CLUSTER_NAME -n gloo-mesh
      

   2. Uninstall the main Gloo Gateway release. Note that if you migrated from the legacy Helm charts, your Helm release might be named gloo-mgmt or gloo-mesh-enterprise instead.

      helm uninstall gloo-platform -n gloo-mesh
      

   3. If you maintained a separate gloo-agent-addons Helm release, uninstall the release.

      helm uninstall gloo-agent-addons -n gloo-mesh-addons
      

3. Uninstall the Gloo Gateway CRDs Helm release.

   helm uninstall gloo-platform-crds -n gloo-mesh
   

4. Delete the gloo-mesh and gloo-mesh-addons namespaces.

   kubectl delete namespace gloo-mesh
   kubectl delete namespace gloo-mesh-addons
   

5. Optional: If you installed the Bookinfo and httpbin sample apps, run the following commands to uninstall their resources.

   1. Export the Istio version that your cluster runs as an environment variable, such as 1.17.2 in the following example.

      export ISTIO_VERSION=1.17.2
      

   2. Remove the Bookinfo application components and service accounts.

      kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)'
      kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'
      

   3. Delete the bookinfo namespace.

      kubectl delete ns bookinfo
      

   4. Remove the httpbin application components.

      kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml
      

   5. Delete the httpbin namespace.

      kubectl delete ns httpbin
      

6. OpenShift installations: Revoke the extra permissions and resources required for OpenShift to run Istio.

   1. Revoke the Istio namespace ID permissions for the Istio service accounts.

      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-gateways
      # Update revision as needed
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gm-iop-1-17-2
      

   2. Revoke the Istio namespace ID permissions for sample app project service accounts.

      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:bookinfo
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:httpbin
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-addons
      

   3. Delete the NetworkAttachmentDefinition resources and the Istio namespace ID permissions for your workload projects.

      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:<workload_projects>
      

      oc delete network-attachment-definition istio-cni -n <workload_projects>
      

Multicluster setups

1. Save the names of your clusters from your infrastructure provider as environment variables.

   export REMOTE_CLUSTER1=cluster1
   export REMOTE_CLUSTER2=cluster2
   ...
   

2. Save the kubeconfig contexts for your clusters as environment variables. Run kubectl config get-contexts, look for your cluster in the CLUSTER column, and get the context name in the NAME column.

   export MGMT_CONTEXT=<management-cluster-context>
   export REMOTE_CONTEXT1=<remote-cluster1-context>
   export REMOTE_CONTEXT2=<remote-cluster2-context>
   ...
   

3. Uninstall the Istio control plane and gateway proxies. These steps differ depending on how you installed them.

   • Managed gateway proxies
   • Manual Helm deployments

   1. Delete the GatewayLifecycleManager resources for the gateway proxies.

      kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh --context $MGMT_CONTEXT
      kubectl delete GatewayLifecycleManager istio-eastwestgateway -n gloo-mesh --context $MGMT_CONTEXT
      

   2. Delete the IstioLifecycleManager for the istiod control plane. Note that your resource might be named gloo-mesh-enterprise if you migrated from the legacy Helm charts, or istiod-control-plane if you manually created the IstioLifecycleManager resource.

      kubectl delete IstioLifecycleManager gloo-platform -n gloo-mesh --context $MGMT_CONTEXT
      

   3. Delete the Istio namespaces from the workload clusters.

      kubectl delete ns istio-system --context $REMOTE_CONTEXT1
      kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT1
      

      kubectl delete ns istio-system --context $REMOTE_CONTEXT2
      kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT2
      

   4. Find the name of your Istio Helm chart releases in the gloo-mesh-gateways namespace, such as istio-ingressgateway-1-17-2 and istio-eastwestgateway-1-17-2.

      helm ls -n gloo-mesh-gateways
      

   5. Delete the Helm release for the ingress and east-west gateways.

      helm delete istio-ingressgateway-1-17-2 -n gloo-mesh-gateways
      helm delete istio-eastwestgateway-1-17-2 -n gloo-mesh-gateways
      

   6. Find the name of your Istio Helm chart release in the istio-system namespace, such as istiod-1-17-2.

      helm ls -n istio-system
      

   7. Delete the Helm release for the istiod control plane.

      helm delete istiod-1-17-2 -n istio-system
      

   8. Delete the Istio namespaces.

      kubectl delete ns istio-system --context $REMOTE_CONTEXT1
      kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT1
      kubectl delete ns istio-config --context $REMOTE_CONTEXT1
      

      kubectl delete ns istio-system --context $REMOTE_CONTEXT2
      kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT2
      kubectl delete ns istio-config --context $REMOTE_CONTEXT2
      

4. OpenShift installations: Revoke the extra permissions and resources required for OpenShift to run Istio.

   1. Revoke the Istio namespace ID permissions for the Istio service accounts.

      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT1
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT1
      # Update revision as needed
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gm-iop-1-17-2 --context $REMOTE_CONTEXT1
      

      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT2
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT2
      # Update revision as needed
      oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gm-iop-1-17-2 --context $REMOTE_CONTEXT2
      

   2. Revoke the Istio namespace ID permissions for sample app project service accounts.

      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:bookinfo
      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:httpbin
      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-addons
      

      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:bookinfo
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:httpbin
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-addons
      

   3. Delete the NetworkAttachmentDefinition resources and the Istio namespace ID permissions for your workload projects.

      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:<workload_projects>
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:<workload_projects>
      

      oc --context $REMOTE_CONTEXT1 delete network-attachment-definition istio-cni -n <workload_projects>
      oc --context $REMOTE_CONTEXT2 delete network-attachment-definition istio-cni -n <workload_projects>
      

5. Uninstall the Gloo agent that runs on each workload cluster.

   • Installed with meshctl
   • Installed with Helm

   1. Deregister cluster1.

      meshctl cluster deregister \
        --kubecontext $MGMT_CONTEXT \
        --remote-context $REMOTE_CONTEXT1 \
        $REMOTE_CLUSTER1
      

      Example output:

      Deregistering cluster: cluster1
      Finished uninstalling release gloo-mesh-agent
      Successfully deregistered cluster: cluster1
      

   2. Deregister cluster2.

      meshctl cluster deregister \
        --kubecontext $MGMT_CONTEXT \
        --remote-context $REMOTE_CONTEXT2 \
        $REMOTE_CLUSTER2
      

   3. If you maintained a separate gloo-agent-addons Helm release, uninstall the release.

      helm uninstall gloo-agent-addons -n gloo-mesh-addons --kube-context $REMOTE_CONTEXT1
      helm uninstall gloo-agent-addons -n gloo-mesh-addons --kube-context $REMOTE_CONTEXT2
      

   4. Uninstall the agent Helm releases. Note that if you migrated from the legacy Helm charts, your Helm releases might be named gloo-agent or gloo-mesh-agent instead.

      helm uninstall gloo-platform -n gloo-mesh --kube-context $REMOTE_CONTEXT1
      helm uninstall gloo-platform -n gloo-mesh --kube-context $REMOTE_CONTEXT2
      

   5. Delete the corresponding KubernetesCluster resources from the management cluster.

      kubectl delete kubernetescluster $REMOTE_CLUSTER1 $REMOTE_CLUSTER2 -n gloo-mesh --context $MGMT_CONTEXT
      

   6. Delete the relay secrets from each workload cluster, as you cannot reuse the same secret if you decide to re-register the agent later.

      kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT1
      

      kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT2
      kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT2
      kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT2
      

6. Uninstall the Gloo Gateway CRDs Helm releases in each workload cluster.

   helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $REMOTE_CONTEXT1
   helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $REMOTE_CONTEXT2
   

7. Delete the gloo-mesh and gloo-mesh-addons namespaces from each workload cluster.

   kubectl --context $REMOTE_CONTEXT1 delete namespace gloo-mesh
   kubectl --context $REMOTE_CONTEXT1 delete namespace gloo-mesh-addons
   kubectl --context $REMOTE_CONTEXT2 delete namespace gloo-mesh
   kubectl --context $REMOTE_CONTEXT2 delete namespace gloo-mesh-addons
   

8. Repeat steps 3 - 7 for any other cluster that is registered with Gloo Gateway.

9. Uninstall the Gloo Gateway control plane components.

   • Installed with meshctl
   • Installed with Helm

   meshctl uninstall --kubecontext $MGMT_CONTEXT
   

   Note: If you see a warning such as release gloo-platform does not exist, nothing to uninstall, use the Helm tab instead.

   Note that if you migrated from the legacy Helm charts, your Helm release might be named gloo-mgmt or gloo-mesh-enterprise instead.

   helm uninstall gloo-platform -n gloo-mesh --kube-context $MGMT_CONTEXT
   

10. Uninstall the Gloo Gateway CRDs Helm release from the management cluster.

    helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $MGMT_CONTEXT
    

11. Delete the gloo-mesh namespace.

    kubectl --context $MGMT_CONTEXT delete namespace gloo-mesh
    

12. Optional: If you installed the Bookinfo and httpbin sample apps, run the following commands to uninstall their resources.

    1. Export the Istio version that your cluster runs as an environment variable, such as 1.17.2 in the following example.

       export ISTIO_VERSION=1.17.2
       

    2. Remove the Bookinfo application components and service accounts.

       kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' --context $REMOTE_CONTEXT1
       kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' --context $REMOTE_CONTEXT2
       kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' --context $REMOTE_CONTEXT1
       kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' --context $REMOTE_CONTEXT2
       

    3. Delete the bookinfo namespace.

       kubectl delete ns bookinfo --context $REMOTE_CONTEXT1
       kubectl delete ns bookinfo --context $REMOTE_CONTEXT2
       

    4. Remove the httpbin application components.

       kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml --context $REMOTE_CONTEXT1
       kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml --context $REMOTE_CONTEXT2
       

    5. Delete the httpbin namespace.

       kubectl delete ns httpbin --context $REMOTE_CONTEXT1
       kubectl delete ns httpbin --context $REMOTE_CONTEXT2