Install Istio and Gloo Mesh Core in ambient mode
Install Istio and Gloo Mesh Core in ambient mode.
Introduction
You have two options to install Istio in ambient mode with Gloo Mesh Core.
- Istio Lifecycle Manager: Manage your Istio installations and upgrades more easily with this Gloo-managed service mesh approach.
- Manual: Use the Solo build of
istioctlto create your own Istio operator to set up ambient mode. This way, you have more responsibility but also more control over your installation.
Ambient is a beta feature. For more information, see Gloo feature maturity.
Before you begin
Create or use an existing Kubernetes cluster, and save the cluster name in an environment variable. Note: The cluster name must be alphanumeric with no special characters except a hyphen (-), lowercase, and begin with a letter (not a number).
export CLUSTER_NAME=<cluster_name>Install the following command-line (CLI) tools.
kubectl, the Kubernetes command line tool. Download thekubectlversion that is within one minor version of the Kubernetes clusters you plan to use.meshctl, the Solo command line tool.curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v2.5.11 sh - export PATH=$HOME/.gloo-mesh/bin:$PATH
Set your Gloo Mesh Core license key as an environment variable. If you do not have one, contact an account representative. If you prefer to specify license keys in a secret instead, see Licensing. To check your license’s validity, you can run
meshctl license check --key $(echo ${GLOO_MESH_CORE_LICENSE_KEY} | base64 -w0).export GLOO_MESH_CORE_LICENSE_KEY=<license_key>Set environment variables for the Istio repository and image version that you want to install. You can find both values in the Istio images built by Solo.io support article.
export REPO=<repo-key> export ISTIO_IMAGE=<image-tag>Istio 1.20 is supported only as patch version
1.20.1-patch1and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Core features that rely on Istio ServiceEntries.Optional: If you already installed Istio in sidecar mode, uninstall your Istio installation. Gloo Mesh Core does not currently support multiple installations of Istio in both sidecar and ambient modes.
Install Istio and Gloo Mesh Core in ambient mode
You can either use an IstioLifecycleManager resource to manage the Istio installations across clusters more easily, or manually install Istio and Gloo Mesh Core in ambient mode.
Istio Lifecycle Manager
Install Gloo Mesh Core.
meshctl install --profiles gloo-core-single-cluster \ --set common.cluster=$CLUSTER_NAME \ --set licensing.glooMeshCoreLicenseKey=$GLOO_MESH_CORE_LICENSE_KEYVerify that Gloo Mesh Core is correctly installed. This check might take a few seconds to verify that:
- Your Gloo Mesh Core product license is valid and current.
- The Gloo CRDs are installed at the correct version.
- The Gloo pods are running and healthy.
- The Gloo agent is running and connected to the management server.
meshctl checkCreate an
IstioLifecycleManagerresource in your cluster to install Istio in ambient mode. For more information about service mesh lifecycle management with Gloo, check out Service mesh lifecycle and Solo distributions of Istio.kubectl apply -f- <<EOF apiVersion: admin.gloo.solo.io/v2 kind: IstioLifecycleManager metadata: name: istiod-control-plane namespace: gloo-mesh spec: installations: - clusters: - name: $CLUSTER_NAME defaultRevision: false istioOperatorSpec: profile: ambient hub: $REPO tag: $ISTIO_IMAGE namespace: istio-system meshConfig: defaultConfig: holdApplicationUntilProxyStarts: true proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "false" DNS_PROXY_ADDR: "0.0.0.0:15053" accessLogFile: /dev/stdout rootNamespace: istio-system components: cni: enabled: true namespace: kube-system pilot: k8s: env: - name: PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES value: "false" - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN value: "true" values: ztunnel: meshConfig: defaultConfig: proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "false" DNS_PROXY_ADDR: "0.0.0.0:15053" EOFVerify that the components of the Istio ambient mesh are successfully installed. Because the ztunnel is deployed as a daemon set, the number of ztunnel pods equals the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-systemExample output:
istiod-d765ff7cf-46dbm 1/1 Running 0 2m4s ztunnel-648wc 1/1 Running 0 2m8s ztunnel-6rhp5 1/1 Running 0 2m8s ztunnel-hllxg 1/1 Running 0 2m8s ztunnel-mg4w7 1/1 Running 0 2m8s ztunnel-s8j5t 1/1 Running 0 2m8s ztunnel-xgvnc 1/1 Running 0 2m8sVerify that the Istio CNI pods are up and running. Because the Istio CNI is deployed as a daemon set, the number of Istio CNI pods equals the number of nodes in your cluster.
kubectl get pods -n kube-system | grep istio-cniExample output:
istio-cni-node-6q26l 1/1 Running 0 3m18s istio-cni-node-7gg8k 1/1 Running 0 3m18s istio-cni-node-lcrcd 1/1 Running 0 3m18s istio-cni-node-lws52 1/1 Running 0 3m18s istio-cni-node-v4fjf 1/1 Running 0 3m18s istio-cni-node-v7bdc 1/1 Running 0 3m18sOptional: Review the
ClusterIstioInstallationresources in your workload cluster. For example, you might describe one of the resources to the check the status of your Istio installations. Gloo Mesh Core translates input Istio configuration into these internal resources, which represent the state of the Istio installations in each workload cluster.kubectl get ClusterIstioInstallation -A
Manual installation
Install the CLI for the Solo distribution of Istio. You can find the CLI version and the repository from which to download that version in the Istio images built by Solo.io support article.
Install the Istio operator.
istioctl operator init \ --hub $REPO \ --tag $ISTIO_IMAGECreate the
istio-systemnamespace.kubectl create ns istio-systemCreate an Istio operator CRD to set up Istio with the ambient profile.
kubectl apply -f- <<EOF apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: namespace: istio-system name: example-istiocontrolplane spec: hub: $REPO tag: $ISTIO_IMAGE components: cni: enabled: true namespace: kube-system profile: ambient values: ztunnel: meshConfig: defaultConfig: proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "false" DNS_PROXY_ADDR: "0.0.0.0:15053" meshConfig: defaultConfig: proxyMetadata: ISTIO_META_DNS_CAPTURE: "true" ISTIO_META_DNS_AUTO_ALLOCATE: "false" DNS_PROXY_ADDR: "0.0.0.0:15053" accessLogFile: /dev/stdout EOFVerify that the components of the Istio ambient mesh are successfully installed. Because the ztunnel is deployed as a daemon set, the number of ztunnel pods equals the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-systemExample output:
istiod-d765ff7cf-46dbm 1/1 Running 0 2m4s ztunnel-648wc 1/1 Running 0 2m8s ztunnel-6rhp5 1/1 Running 0 2m8s ztunnel-hllxg 1/1 Running 0 2m8s ztunnel-mg4w7 1/1 Running 0 2m8s ztunnel-s8j5t 1/1 Running 0 2m8s ztunnel-xgvnc 1/1 Running 0 2m8sVerify that the Istio CNI pods are up and running. Because the Istio CNI is deployed as a daemon set, the number of Istio CNI pods equals the number of nodes in your cluster.
kubectl get pods -n kube-system | grep istio-cniExample output:
istio-cni-node-55kj6 2/2 Running 0 62s istio-cni-node-5cz2q 2/2 Running 0 62s istio-cni-node-cp469 2/2 Running 0 62s istio-cni-node-h2ckw 2/2 Running 0 62s istio-cni-node-mdsnt 2/2 Running 0 62s istio-cni-node-s7wb2 2/2 Running 0 62sInstall Gloo Mesh Core.
meshctl install --profiles gloo-core-single-cluster \ --set common.cluster=$CLUSTER_NAME \ --set licensing.glooMeshCoreLicenseKey=$GLOO_MESH_CORE_LICENSE_KEYVerify that Gloo Mesh Core is correctly installed. This check might take a few seconds to verify that:
- Your Gloo Mesh Core product license is valid and current.
- The Gloo CRDs are installed at the correct version.
- The Gloo pods are running and healthy.
- The Gloo agent is running and connected to the management server.
meshctl check