Considerations

Before you install Istio in ambient mode, review the following considerations and requirements.

Feature maturity

Single-cluster limitation

Currently, Istio in ambient mode is supported only for single clusters. Ambient mode in a multicluster environment where apps in different clusters can communicate through east-west routing as part of a single service mesh is not supported. However, you can still deploy separate ambient service meshes to multiple, individual workload clusters.

Revision and canary upgrade limitations

Currently, revisions are supported only for the istiod control plane and Istio gateways in ambient installations. Due to an upstream ambient limitation, the ztunnel and Istio CNI pods do not support revisions, and can only be upgraded in-place. For example, if you specify a named revision in the spec.installations.revision field, you can then perform a canary upgrade to switch from the old revision of the Istio control plane and gateways to the new revision. However, ztunnel and Istio CNI pods must be upgraded in-place.

Sidecar and ambient installations

Gloo Mesh Core does not currently support multiple installations of Istio in both sidecar and ambient modes. If you already installed Istio in sidecar mode, uninstall your Istio installation before you install Istio in ambient mode.

Before you begin

  1. Install Gloo Mesh Core by following the single cluster getting started guide or the Helm single cluster setup guide. Do not install Istio as part of your setup.

  2. If you already installed Istio in sidecar mode, uninstall your Istio installation. Gloo Mesh Core does not currently support multiple installations of Istio in both sidecar and ambient modes.

Install Istio in ambient mode

  1. Install the CLI for the Solo distribution of Istio. You can find the CLI version and the repository from which to download that version in the Istio images built by Solo.io support article.

  2. Set environment variables for the Solo distribution of Istio repository and image version that you want to install. You can find these values in the Istio images built by Solo.io support article.

      export REPO=<repo-key>
      export ISTIO_IMAGE=<image-tag>-solo
      
  3. Install the Istio operator.

      istioctl operator init \
      --hub $REPO \
      --tag $ISTIO_IMAGE
      
  4. Create the istio-system namespace.

      kubectl create ns istio-system
      
  5. Create an Istio operator CRD to set up Istio with the ambient profile.

      kubectl apply -f- <<EOF
      apiVersion: install.istio.io/v1alpha1
      kind: IstioOperator
      metadata:
        namespace: istio-system
        name: example-istiocontrolplane
      spec:
        hub: $REPO
        tag: $ISTIO_IMAGE
        components:
          cni:
            enabled: true
            namespace: kube-system
        profile: ambient
        values:
          ztunnel:
            meshConfig:
              defaultConfig:
                proxyMetadata:
                  ISTIO_META_DNS_CAPTURE: "true"
                  ISTIO_META_DNS_AUTO_ALLOCATE: "false"
                  DNS_PROXY_ADDR: "0.0.0.0:15053"
          meshConfig:
            defaultConfig:
              proxyMetadata:
                ISTIO_META_DNS_CAPTURE: "true"
                ISTIO_META_DNS_AUTO_ALLOCATE: "false"
                DNS_PROXY_ADDR: "0.0.0.0:15053"
            accessLogFile: /dev/stdout
      EOF
      
  6. Verify that the components of the Istio ambient mesh are successfully installed. Because the ztunnel is deployed as a daemon set, the number of ztunnel pods equals the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.

      kubectl get pods -n istio-system
      

    Example output:

      istiod-d765ff7cf-46dbm                  1/1     Running   0          2m4s
      ztunnel-648wc                           1/1     Running   0          2m8s
      ztunnel-6rhp5                           1/1     Running   0          2m8s
      ztunnel-hllxg                           1/1     Running   0          2m8s
      ztunnel-mg4w7                           1/1     Running   0          2m8s
      ztunnel-s8j5t                           1/1     Running   0          2m8s
      ztunnel-xgvnc                           1/1     Running   0          2m8s
      
  7. Verify that the Istio CNI pods are up and running. Because the Istio CNI is deployed as a daemon set, the number of Istio CNI pods equals the number of nodes in your cluster.

      kubectl get pods -n kube-system | grep istio-cni
      

    Example output:

      istio-cni-node-55kj6       2/2     Running   0          62s
      istio-cni-node-5cz2q       2/2     Running   0          62s
      istio-cni-node-cp469       2/2     Running   0          62s
      istio-cni-node-h2ckw       2/2     Running   0          62s
      istio-cni-node-mdsnt       2/2     Running   0          62s
      istio-cni-node-s7wb2       2/2     Running   0          62s
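
The checks in steps 6 and 7 can be scripted so that a node without a ready ztunnel or Istio CNI pod is caught rather than eyeballed. The following is an added example, not part of the Solo.io documentation; the function names `check_node_coverage` and `verify_ambient_install` and the sample pod lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Solo.io docs): node-coverage check for steps 6-7.

# check_node_coverage PREFIX EXPECTED
# Reads `kubectl get pods --no-headers` lines (NAME READY STATUS ...) on stdin.
# Returns 0 only if exactly EXPECTED pods whose name starts with PREFIX exist
# and every one is Running with all containers ready (READY column n/n).
check_node_coverage() {
  awk -v p="$1" -v want="$2" '
    index($1, p) == 1 {
      total++
      split($2, r, "/")
      if ($3 == "Running" && r[1] == r[2]) ok++
      else printf "  not ready: %s (%s %s)\n", $1, $2, $3
    }
    END {
      printf "%s ready=%d found=%d expected=%d\n", p, ok, total, want
      exit (total == want && ok == want) ? 0 : 1
    }'
}

# Runs both checks against the current kubectl context.
# Hypothetical helper name; call it manually once the install has settled.
verify_ambient_install() {
  nodes=$(kubectl get nodes --no-headers | awk 'END { print NR }')
  kubectl get pods -n istio-system --no-headers |
    check_node_coverage ztunnel- "$nodes" &&
  kubectl get pods -n kube-system --no-headers |
    check_node_coverage istio-cni-node- "$nodes"
}

# Constructed sample input (3-node cluster, one ztunnel pod still starting),
# so the script also runs offline without a cluster.
SAMPLE='istiod-d765ff7cf-46dbm   1/1   Running   0   2m4s
ztunnel-648wc   1/1   Running   0   2m8s
ztunnel-6rhp5   0/1   Running   0   2m8s
ztunnel-hllxg   1/1   Running   0   2m8s'

printf '%s\n' "$SAMPLE" | check_node_coverage ztunnel- 3 ||
  echo "ztunnel does not cover every node yet"
```

Call `verify_ambient_install` after step 7; a non-zero exit status means the pod count differs from the node count or at least one pod is not fully ready.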
      

Next

Deploy sample apps and add them to the ambient mesh.