Migrate to Gloo-managed service meshes
Switch from your existing, unmanaged Istio installations to Gloo-managed service meshes.
In Gloo Mesh Core version 2.7, the Gloo operator is an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Gloo feature maturity.
Migrate from revisioned Helm installations
If you currently install Istio by using Helm and use revisions to manage your installations, you can migrate from your community Istio revision, such as 1-24, to the gloo revision. The Gloo operator uses the gloo revision by default to manage Istio installations in your cluster.
Install the Gloo operator and deploy a managed istiod control plane.
Install the Gloo operator to the
gloo-meshnamespace.helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.1.0-beta.2 \ -n gloo-mesh \ --create-namespaceVerify that the operator pod is running.
kubectl get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48sCreate a ServiceMeshController custom resource to configure an Istio installation.
If you currently install the `istio-cni` plugin by using Helm, you must directly replace the CNI to avoid downtime by setting `onConflict: Force`.kubectl apply -n gloo-mesh -f -<<EOF apiVersion: operator.gloo.solo.io/v1 kind: ServiceMeshController metadata: name: managed-istio labels: app.kubernetes.io/name: managed-istio spec: cluster: $CLUSTER_NAME dataplaneMode: Sidecar version: 1.24.2 # Uncomment if you installed the istio-cni # onConflict: Force EOFVerify that the ServiceMeshController is ready. In the
Statussection of the output, make sure that all statuses areTrue, and that the phase isSUCCEEDED.kubectl describe servicemeshcontroller -n gloo-mesh managed-istioExample output:
Name: managed-istio Namespace: Labels: app.kubernetes.io/name=managed-istio Annotations: <none> API Version: operator.gloo.solo.io/v1 Kind: ServiceMeshController Metadata: Creation Timestamp: 2024-12-27T20:46:23Z Generation: 1 Resource Version: 60452302 UID: 1335ca57-2ca2-4f3d-8e00-a56dec1aa0c5 Spec: Dataplane Mode: Sidecar Distribution: Standard Image: Repository: <repo> Install Namespace: istio-system On Conflict: Abort Traffic Capture Mode: Auto Version: 1.24.2 Status: Conditions: Last Transition Time: 2024-12-27T20:47:01Z Message: Manifests initialized Observed Generation: 1 Reason: ManifestsInitialized Status: True Type: Initialized Last Transition Time: 2024-12-27T20:47:02Z Message: CRDs installed Observed Generation: 1 Reason: CRDInstalled Status: True Type: CRDInstalled Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: ControlPlaneDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: CNIDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: WebhookDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: All conditions are met Observed Generation: 1 Reason: SystemReady Status: True Type: Ready Phase: SUCCEEDED Events: <none>
Migrate your Istio-managed workloads to the managed
gloocontrol plane.Label each namespace where you run Istio-managed workloads with the
gloorevision label.kubectl label namespace istio.io/rev=gloo --overwrite <namespace>Restart the workloads in each labeled namespace so that they are managed by the Gloo operator Istio installation.
kubectl rollout restart deployment -n <namespace> <deployment>Verify that the workloads are successfully migrated.
istioctl proxy-statusExample output:
TODO
Update any existing Istio gateways to the
gloorevision.Get the current values for the gateway Helm release in your cluster.
helm get values <gateway_release> -n <namespace> -o yaml > gateway.yamlUpgrade your gateway Helm release.
helm upgrade -i <gateway_release> istio/gateway \ --version <istio_version> \ --namespace <namespace> \ --set "revision=gloo" \ -f gateway.yamlVerify that the gateway is successfully migrated.
istioctl proxy-status
Uninstall the unmanaged control plane.
helm uninstall <istiod_release> -n istio-systemOptional: If you previously installed the Istio CNI pods with a Helm chart, uninstall the release and delete the secret stored by Helm.
helm uninstall <cni_release> -n istio-system kubectl delete secret "sh.helm.release.v1.istio-cni.v1" -n istio-systemVerify that Istio still correctly routes traffic requests to apps in your mesh. For example, if you deployed the Bookinfo sample app, you can send a curl request to the product page.
kubectl port-forward -n istio-ingress svc/istio-ingressgateway 8080:80 curl -v http://localhost:8080/productpage
Migrate from revisionless Helm installations
If you currently install Istio by using Helm and do not use revisions to manage your installations, such as by labeling namespaces with istio-injection: enabled, you can migrate the management of the MutatingWebhookConfiguration to the Gloo operator. The Gloo operator uses the gloo revision by default to manage Istio installations in your cluster.
Install the Gloo operator and deploy a managed istiod control plane.
Install the Gloo operator to the
gloo-meshnamespace.helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.1.0-beta.2 \ -n gloo-mesh \ --create-namespaceVerify that the operator pod is running.
kubectl get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48sCreate a ServiceMeshController custom resource to configure an Istio installation. For more information about the configurable fields, see the installation guide.
If you currently install the `istio-cni` plugin by using Helm, you must directly replace the CNI to avoid downtime by setting `onConflict: Force`.kubectl apply -n gloo-mesh -f -<<EOF apiVersion: operator.gloo.solo.io/v1 kind: ServiceMeshController metadata: name: managed-istio labels: app.kubernetes.io/name: managed-istio spec: cluster: $CLUSTER_NAME dataplaneMode: Sidecar version: 1.24.2 # Uncomment if you installed the istio-cni # onConflict: Force EOFDescribe the ServiceMeshController and note that it cannot take over the
istio-injection: enabledlabel until the webhook is deleted.kubectl describe ServiceMeshController -n gloo-mesh managed-istioExample output:
- lastTransitionTime: "2024-12-12T19:41:52Z" message: MutatingWebhookConfiguration istio-sidecar-injector references default Istio revision istio-system/istiod; must be deleted before migration observedGeneration: 1 reason: ErrorConflictDetected status: "False" type: WebhookDeployedDelete the existing webhook.
kubectl delete mutatingwebhookconfiguration istio-sidecar-injector -n istio-systemVerify that the ServiceMeshController is now healthy.
kubectl describe ServiceMeshController -n gloo-mesh managed-istio
Migrate your Istio-managed workloads to the managed control plane.
Restart your workloads so that they are managed by the Gloo operator Istio installation.
kubectl rollout restart deploy -n <namespace> <deployment>Verify that the workloads are successfully migrated.
istioctl proxy-statusExample output:
TODO
Migrate any existing Istio gateways to the managed control plane.
Update each Istio gateway by restarting it.
kubectl rollout restart deploy -n <namespace> <gateway_name>Verify that the gateway is successfully migrated.
istioctl proxy-status
Uninstall the unmanaged control plane.
helm uninstall <istiod_release> -n istio-systemVerify that Istio still correctly routes traffic requests to apps in your mesh. For example, if you deployed the Bookinfo sample app, you can send a curl request to the product page.
kubectl port-forward -n istio-ingress svc/istio-ingressgateway 8080:80 curl -v http://localhost:8080/productpage