On this page
GatewayLifecycleManager
Use Gloo Mesh Core to install Istio ingress and egress gateways in your workload clusters.
In your GatewayLifecycleManager resource, you provide gateway settings in an IstioOperator configuration. When you create the GatewayLifecycleManager in your management cluster, Gloo Mesh Core translates the configuration into gateways in your registered workload clusters for you.
For more information about service mesh lifecycle management, see the Deploy Gloo-managed service meshes guide.
Proto: gateway_lifecycle_manager.proto
Package: admin.gloo.solo.io
Examples
Ingress
This example creates an ingress gateway named istio-ingressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the revision (gatewayRevision: $REVISION), repo key (hub: $REPO), and image tag (tag: $ISTIO_IMAGE) for a Solo distribution of Istio.
apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
name: istio-ingressgateway
namespace: gloo-mesh
spec:
installations:
# List all workload clusters to install Istio into
- clusters:
# If set to true, the spec for this revision is applied in the cluster
- activeGateway: true
# Name of workload cluster that you used during cluster registration
name: $REMOTE_CLUSTER1
- activeGateway: true
name: $REMOTE_CLUSTER2
# The revision for this installation, such as 1-20
gatewayRevision: $REVISION
istioOperatorSpec:
components:
ingressGateways:
# Enable the default ingress gateway
- enabled: true
k8s:
service:
# Default ports
ports:
# Port for health checks on path /healthz/ready.
# For AWS ELBs, must be listed as the first port
- name: status-port
port: 15021
targetPort: 15021
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
- name: tls
port: 15443
targetPort: 15443
selector:
istio: ingressgateway
type: LoadBalancer
label:
app: istio-ingressgateway
# Required to ensure Gateways can select this workload
istio: ingressgateway
name: istio-ingressgateway
# Deployed to gloo-mesh-gateways by default
namespace: gloo-mesh-gateways
# Solo.io Istio distribution repository; required for Solo distributions of Istio.
# You get the repo key from your Solo Account Representative.
hub: $REPO
# No control plane components are installed
profile: empty
# The tag of a Solo distribution of Istio
tag: $ISTIO_IMAGE
Egress
This example creates an egress gateway named istio-egressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the revision (gatewayRevision: $REVISION), repo key (hub: $REPO), and image tag (tag: $ISTIO_IMAGE) for a Solo distribution of Istio.
apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
name: istio-egressgateway
namespace: gloo-mesh
spec:
installations:
# List all workload clusters to install Istio into
- clusters:
# If set to true, the spec for this revision is applied in the cluster
- activeGateway: true
# Name of workload cluster that you used during cluster registration
name: $REMOTE_CLUSTER1
- activeGateway: true
name: $REMOTE_CLUSTER2
# The revision for this installation, such as 1-20
gatewayRevision: $REVISION
istioOperatorSpec:
components:
egressGateways:
# Enable the default egress gateway
- enabled: true
k8s:
service:
# Default ports
ports:
# Port for health checks on path /healthz/ready.
# For AWS ELBs, must be listed as the first port
- name: status-port
port: 15021
targetPort: 15021
# Required for Istio mutual TLS
- name: https
port: 443
targetPort: 8443
# Required for Gloo egress routing
- name: tls
port: 15443
targetPort: 15443
selector:
istio: egressgateway
type: LoadBalancer
label:
app: istio-egressgateway
# Required to ensure Gateways can select this workload
istio: egressgateway
traffic: egress
meshConfig:
outboundTrafficPolicy:
mode: ALLOW_ANY
# Enable access logs
accessLogFile: /dev/stdout
defaultConfig:
proxyMetadata:
# For known hosts, enable the Istio agent to handle DNS requests
# for any custom ServiceEntry, such as non-Kubernetes services.
# Unknown hosts are automatically resolved using upstream DNS
# servers in resolv.conf (for proxy-dns)
ISTIO_META_DNS_CAPTURE: "true"
name: istio-egressgateway
# Deployed to gloo-mesh-gateways by default
namespace: gloo-mesh-gateways
# Solo.io Istio distribution repository; required for Solo distributions of Istio.
# You get the repo key from your Solo Account Representative.
hub: $REPO
# No control plane components are installed
profile: empty
# The tag of a Solo distribution of Istio
tag: $ISTIO_IMAGE
spec fields
Specifications for the GatewayLifecycleManager resource.
| Field | Description |
|---|---|
installations | (repeated installations)List of Istio gateway installations. |
installations
List of Istio gateway installations. Any components that are not related to the gateway are ignored. You can provide only one type of gateway installation per revision in a cluster. For example, in a workload cluster cluster2, you can install only one ingress gateway that runs revision 1-20.
| Field | Description |
|---|---|
clusters | (repeated clusters)A list of cluster entries to install the Istio gateways in. |
controlPlaneRevision | (string)Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created. |
gatewayRevision | (string)Istio revision for this gateway installation, such as 1-20. When set to auto, Gloo installs the gateway with the default supported Solo distribution of Istio. |
istioOperatorSpec | (istioOperatorSpec)IstioOperator specification for the gateway. |
skipUpgradeValidation | (bool)When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first. |
clusters
A list of cluster entries to install the Istio gateways in.
| Field | Description |
|---|---|
activeGateway | (bool)Defaults to false. When set to true, the gateway installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the [upgrade docs]( |
| /gloo-mesh-core/2.5.x//istio/mesh/ilm-upgrade/). | |
name | (string)Name of the cluster to install the gateway into. Must match the name of the cluster that you used when you registered the cluster with Gloo. |
trustDomain | (string)Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. For more info, see the Istio documentation. |
Status fields
The status of the Istio gateway installations after you apply the GatewayLifecycleManager resource to your Gloo environment.
To see the statuses, you can run a command such as the following:
kubectl get GatewayLifecycleManager -n gloo-mesh istio-ingressgateway -o yaml
Example output:
status:
clusters:
cluster1:
installations:
1-20:
observedOperator:
components:
ingressGateways:
- enabled: true
k8s:
service:
ports:
- name: status-port
port: 15021
targetPort: 15021
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
- name: tls
port: 15443
targetPort: 15443
selector:
istio: ingressgateway
type: LoadBalancer
label:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
namespace: gloo-mesh-gateways
observedRevision: 1-20
state: HEALTHY
cluster2:
...
clusters
The list of clusters where Gloo manages Istio gateway installations.
| Field | Description |
|---|---|
key | The name of the cluster where the gateway is installed, such as cluster1 in the example. |
value | The Istio gateway installations in the cluster, listed by revision. |
installations
In one cluster, the list of Istio gateway installations.
| Field | Description |
|---|---|
key | The revision of the gateway installation, such as 1-20 in the example. |
value | The status of the gateway installation. |
Installation status
The status of the gateway installation.
| Field | Description |
|---|---|
state | (state)The current state of the gateway installation. |
message | (string)A human-readable message about the current state of the installation. |
observedRevision | (string)The observed revision of the gateway installation. |
observedOperator | (istioOperatorSpec)The IstioOperator spec that is currently deployed for this revision. |
state
The current state of the gateway installation.
| Name | Number | Description |
|---|---|---|
PENDING | 0 | Waiting for resources to be installed or updated. |
FAILED | 1 | The Gloo management server encountered a problem while attempting to install the gateway. |
NO_CONTROL_PLANE_AVAILABLE | 2 | Could not select an istiod control plane. |
INSTALLING_GATEWAY | 3 | The gateway is currently being installed. |
HEALTHY | 4 | All Istio components for the gateway are successfully installed and healthy. |
UNHEALTHY | 5 | The gateway installation is no longer healthy. |
ACTION_REQUIRED | 6 | The gateway IstioOperator resource is in an ACTION_REQUIRED state. Check the logs of the IstioOperator deployment for more info. |
UPDATING_GATEWAY | 7 | The gateway IstioOperator resource is in an UPDATING state. |
RECONCILING_GATEWAY | 8 | The gateway IstioOperator resource is in a RECONCILING state. |
UNKNOWN | 9 | The gateway installation state could not be determined. |
UNINSTALLING_GATEWAY | 10 | The gateway is currently being uninstalled. |
UNINSTALLED_GATEWAY | 11 | The gateway is uninstalled. |