In your GatewayLifecycleManager resource, you provide gateway settings in an IstioOperator configuration. When you create the GatewayLifecycleManager in your management cluster, Gloo Mesh Core translates the configuration into gateways in your registered workload clusters for you.

For more information about service mesh lifecycle management, see the Deploy Gloo-managed service meshes guide.

Proto: gateway_lifecycle_manager.proto

Package: admin.gloo.solo.io

Examples

Ingress

This example creates an ingress gateway named istio-ingressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION).

  apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-ingressgateway
  namespace: gloo-mesh
spec:
  installations:
  # The revision for this installation
  - gatewayRevision: $REVISION
    # List all workload clusters to install Istio into
    clusters:
    - name: $REMOTE_CLUSTER1
      # If set to true, the spec for this revision is applied in the cluster
      activeGateway: true
    - name: $REMOTE_CLUSTER2
      activeGateway: true
    istioOperatorSpec:
      # No control plane components are installed
      profile: empty
      # Solo.io Istio distribution repository; required for the Solo distribution of Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # Any tag for the Solo distribution of Istio
      tag: $ISTIO_IMAGE
      components:
        ingressGateways:
        # Enable the default ingress gateway
        - name: istio-ingressgateway
          # Deployed to gloo-mesh-gateways by default
          namespace: gloo-mesh-gateways
          enabled: true
          label:
            # Set a unique label for the gateway. This is required to
            # ensure Gateways can select this workload
            istio: ingressgateway
            app: istio-ingressgateway
          k8s:
            service:
              type: LoadBalancer
              selector:
                istio: ingressgateway
              # Default ports
              ports:
                # Port for health checks on path /healthz/ready.
                # For AWS ELBs, this port must be listed first.
                - name: status-port
                  port: 15021
                  targetPort: 15021
                # Main HTTP ingress port
                - name: http2
                  port: 80
                  targetPort: 8080
                # Main HTTPS ingress port
                - name: https
                  port: 443
                  targetPort: 8443
                - name: tls
                  port: 15443
                  targetPort: 15443
  

Egress

This example creates an egress gateway named istio-egressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION).

  apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-egressgateway
  namespace: gloo-mesh
spec:
  installations:
      # The revision for this installation
    - gatewayRevision: $REVISION
      # List all workload clusters to install Istio into
      clusters:
      - name: $REMOTE_CLUSTER1
        # If set to true, the spec for this revision is applied in the cluster
        activeGateway: true
      - name: $REMOTE_CLUSTER2
        activeGateway: true
      istioOperatorSpec:
        # No control plane components are installed
        profile: minimal
        # Solo.io Istio distribution repository; required for Gloo Istio.
        # You get the repo key from your Solo Account Representative.
        hub: $REPO
        # The Solo.io Gloo Istio version
        tag: $ISTIO_IMAGE
        meshConfig:
          outboundTrafficPolicy:
            mode: REGISTRY_ONLY
            # Enable access logs
          accessLogFile: /dev/stdout
          defaultConfig:
            proxyMetadata:
              # For known hosts, enable the Istio agent to handle DNS requests
              # for any custom ServiceEntry, such as non-Kubernetes services.
              # Unknown hosts are automatically resolved using upstream DNS
              # servers in resolv.conf (for proxy-dns)
              ISTIO_META_DNS_CAPTURE: "true"
        components:
          egressGateways:
          # Enable the egress gateway
            - name: istio-egressgateway
              # Deployed to gloo-mesh-gateways by default
              namespace: gloo-mesh-gateways
              enabled: true
              label:
                # Set a unique label for the gateway. This is required to
                # ensure Gateways can select this workload.
                istio: egressgateway
                app: istio-egressgateway
                traffic: egress
              k8s:
                affinity:
                   nodeAffinity:
                     requiredDuringSchedulingIgnoredDuringExecution:
                       nodeSelectorTerms:
                         - matchExpressions:
                             - key: kubernetes.io/arch
                               operator: In
                               values:
                                 - arm64
                                 - amd64
                env:
                  - name: AUTO_RELOAD_PLUGIN_CERTS
                    value: "true"
                podAnnotations:
                  proxy.istio.io/config: |
                    proxyStatsMatcher:
                      inclusionRegexps:
                      - .*ext_authz.*
                service:
                  type: LoadBalancer
                  selector:
                    istio: egressgateway
                  # Default ports
                  ports:
                    # Port for health checks on path /healthz/ready.
                    # For AWS ELBs, this port must be listed first.
                    - port: 15021
                      targetPort: 15021
                      name: status-port
                    # Port for multicluster mTLS passthrough
                    # Required for Gloo egress routing
                    - port: 15443
                      targetPort: 15443
                      # Gloo looks for this default name 'tls' on a gateway
                      name: tls
                    # Required for Istio mutual TLS
                    - port: 443
                      targetPort: 8443
                      name: https
  

spec fields

Specifications for the GatewayLifecycleManager resource.

FieldDescription
installations(repeated installations)

List of Istio gateway installations.
helmGlobal(common.gloo.solo.io.IstioLifecycleHelmGlobals)

Optional default configuration applicable to all installations.

installations

List of Istio gateway installations. Any components that are not related to the gateway are ignored. You can provide only one type of gateway installation per revision in a cluster. For example, in a workload cluster cluster2, you can install only one ingress gateway that runs revision 1-24.

FieldDescription
clusters(repeated clusters)

A list of cluster entries to install the Istio gateways in.
controlPlaneRevision(string)

Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created.
gatewayRevision(string)

Istio revision for this gateway installation, such as 1-24. When set to auto, Gloo installs the gateway with the default supported Solo distribution of Istio.
istioOperatorSpec(istioOperatorSpec)

IstioOperator specification for the gateway.
skipUpgradeValidation(bool)

When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first.

clusters

A list of cluster entries to install the Istio gateways in.

FieldDescription
activeGateway(bool)

Defaults to false. When set to true, the gateway installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the [upgrade docs](
/gloo-mesh-core/main//istio/mesh/ilm-upgrade/).
name(string)

Name of the cluster to install the gateway into. Must match the name of the cluster that you used when you registered the cluster with Gloo.
trustDomain(string)

Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. For more info, see the Istio documentation.

Status fields

The status of the Istio gateway installations after you apply the GatewayLifecycleManager resource to your Gloo environment.

To see the statuses, you can run a command such as the following:

  kubectl get GatewayLifecycleManager -n gloo-mesh istio-ingressgateway -o yaml
  

Example output:

  status:
    clusters:
      cluster1:
        installations:
          1-24:
            observedOperator:
              components:
                ingressGateways:
                - enabled: true
                  k8s:
                    service:
                      ports:
                        - name: status-port
                          port: 15021
                          targetPort: 15021
                        - name: http2
                          port: 80
                          targetPort: 8080
                        - name: https
                          port: 443
                          targetPort: 8443
                        - name: tls
                          port: 15443
                          targetPort: 15443
                      selector:
                        istio: ingressgateway
                      type: LoadBalancer
                  label:
                    app: istio-ingressgateway
                    istio: ingressgateway
                  name: istio-ingressgateway
                  namespace: gloo-mesh-gateways
            observedRevision: 1-24
            state: HEALTHY
      cluster2:
        ...
  

clusters

The list of clusters where Gloo manages Istio gateway installations.

FieldDescription
keyThe name of the cluster where the gateway is installed, such as cluster1 in the example.
valueThe Istio gateway installations in the cluster, listed by revision.

installations

In one cluster, the list of Istio gateway installations.

FieldDescription
keyThe revision of the gateway installation, such as 1-24 in the example.
valueThe status of the gateway installation.

Installation status

The status of the gateway installation.

FieldDescription
state(state)

The current state of the gateway installation.
message(string)

A human-readable message about the current state of the installation.
observedRevision(string)

The observed revision of the gateway installation.
observedOperator(istioOperatorSpec)

The IstioOperator spec that is currently deployed for this revision.

state

The current state of the gateway installation.

NameNumberDescription
PENDING0Waiting for resources to be installed or updated.
FAILED1The Gloo management server encountered a problem while attempting to install the gateway.
NO_CONTROL_PLANE_AVAILABLE2Could not select an istiod control plane.
INSTALLING_GATEWAY3The gateway is currently being installed.
HEALTHY4All Istio components for the gateway are successfully installed and healthy.
UNHEALTHY5The gateway installation is no longer healthy.
ACTION_REQUIRED6The gateway IstioOperator resource is in an ACTION_REQUIRED state. Check the logs of the IstioOperator deployment for more info.
UPDATING_GATEWAY7The gateway IstioOperator resource is in an UPDATING state.
RECONCILING_GATEWAY8The gateway IstioOperator resource is in a RECONCILING state.
UNKNOWN9The gateway installation state could not be determined.
UNINSTALLING_GATEWAY10The gateway is currently being uninstalled.
UNINSTALLED_GATEWAY11The gateway is uninstalled.
INSTALL_PENDING12Successfully translated but not installing yet