Install Gloo-managed ambient meshes (alpha)
Use the Gloo operator to install and manage ambient service meshes in your clusters.
By using the Gloo operator to manage your service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio and the overhead required to manage the lifecycle of Istio resources in your cluster.
In Gloo Mesh Core version 2.7, the Gloo operator is an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Gloo feature maturity.
Before you begin
Save the patch version of the Solo distribution of Istio that you want to install. For supported Istio versions in Gloo Mesh Core, see the Ambient section of the Istio images built by Solo.io support article.

```shell
export ISTIO_VERSION=1.24.2
```
Be sure to review the following known Istio version restrictions.

- In Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
- In Gloo Mesh Core version 2.6, ambient mode requires the Solo distribution of Istio version 1.22.3 or later (1.22.3-solo).
- Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Core features that rely on Istio ServiceEntries.

If you use Google Kubernetes Engine (GKE) clusters, create the following ResourceQuota in the istio-system namespace. For more information about this requirement, see the community Istio documentation.

```shell
kubectl create namespace istio-system
kubectl -n istio-system apply -f - <<EOF
apiVersion: v1
kind: ResourceQuota
metadata:
  name: gcp-critical-pods
  namespace: istio-system
spec:
  hard:
    pods: 1000
  scopeSelector:
    matchExpressions:
    - operator: In
      scopeName: PriorityClass
      values:
      - system-node-critical
EOF
```
Single cluster
Install an ambient service mesh with the Gloo operator in a single-cluster Gloo Mesh Core environment.
Install the Gloo operator to the gloo-mesh namespace. This operator deploys and manages your Istio installation.

```shell
helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \
  --version 0.1.0-beta.2 \
  -n gloo-mesh \
  --create-namespace
```

Verify that the operator pod is running.

```shell
kubectl get pods -n gloo-mesh | grep operator
```

Example output:

```
gloo-operator-78d58d5c7b-lzbr5   1/1     Running   0          48s
```
Create a ServiceMeshController custom resource to configure an Istio installation. For a description of each configurable field, see the ServiceMeshController reference.

```shell
kubectl apply -n gloo-mesh -f - <<EOF
apiVersion: operator.gloo.solo.io/v1
kind: ServiceMeshController
metadata:
  name: managed-istio
  labels:
    app.kubernetes.io/name: managed-istio
spec:
  dataplaneMode: Ambient
  installNamespace: istio-system
  version: ${ISTIO_VERSION}
EOF
```
Verify that the ServiceMeshController is ready. In the Status section of the output, make sure that all statuses are True, and that the phase is SUCCEEDED.

```shell
kubectl describe servicemeshcontroller -n gloo-mesh managed-istio
```

Example output:

```
Name:         managed-istio
Namespace:
Labels:       app.kubernetes.io/name=managed-istio
              istio.io/rev=test
Annotations:  <none>
API Version:  operator.gloo.solo.io/v1
Kind:         ServiceMeshController
Metadata:
  Creation Timestamp:  2024-12-27T20:46:23Z
  Generation:          1
  Resource Version:    60452302
  UID:                 1335ca57-2ca2-4f3d-8e00-a56dec1aa0c5
Spec:
  Dataplane Mode:  Sidecar
  Distribution:    Standard
  Image:
    Repository:         <repo>
  Install Namespace:    istio-system
  On Conflict:          Abort
  Traffic Capture Mode: Auto
  Version:              1.24.1-patch1
Status:
  Conditions:
    Last Transition Time:  2024-12-27T20:47:01Z
    Message:               Manifests initialized
    Observed Generation:   1
    Reason:                ManifestsInitialized
    Status:                True
    Type:                  Initialized
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               CRDs installed
    Observed Generation:   1
    Reason:                CRDInstalled
    Status:                True
    Type:                  CRDInstalled
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  ControlPlaneDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  CNIDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  WebhookDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               All conditions are met
    Observed Generation:   1
    Reason:                SystemReady
    Status:                True
    Type:                  Ready
  Phase:                   SUCCEEDED
Events:                    <none>
```
Verify that the istiod control plane, Istio CNI, and ztunnel pods are running.

```shell
kubectl get pods -n istio-system
```

If you plan to use L7 traffic policies, be sure to apply the CRDs for the Kubernetes Gateway API to your cluster, which are required to create waypoint proxies.

```shell
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v/standard-install.yaml
```
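The readiness check above is easy to automate badly: a script that only greps for `Ready` can accept a stale condition left over from before a spec change. The following added example (not part of the Gloo docs or the operator's own tooling) gates on the JSON form of the resource instead, as returned by `kubectl get servicemeshcontroller -n gloo-mesh managed-istio -o json`; it assumes the camelCase field names that correspond to the describe output above, and the sample objects are constructed.

```python
import copy

# Condition types the ServiceMeshController reports, as seen in the describe output.
EXPECTED_CONDITIONS = (
    "Initialized", "CRDInstalled", "ControlPlaneDeployed",
    "CNIDeployed", "WebhookDeployed", "Ready",
)


def check_ready(obj):
    """Return (ready, problems) for a parsed ServiceMeshController JSON object."""
    problems = []
    status = obj.get("status", {})
    # A True condition whose observedGeneration lags metadata.generation was set
    # before the current spec was reconciled, so it says nothing about the new spec.
    generation = obj.get("metadata", {}).get("generation")
    conds = {c.get("type"): c for c in status.get("conditions", [])}
    for ctype in EXPECTED_CONDITIONS:
        c = conds.get(ctype)
        if c is None:
            problems.append(f"{ctype}: condition missing")
        elif c.get("status") != "True":
            problems.append(f"{ctype}: {c.get('reason')} - {c.get('message')}")
        elif generation is not None and c.get("observedGeneration") != generation:
            problems.append(f"{ctype}: observedGeneration {c.get('observedGeneration')} "
                            f"!= generation {generation}")
    if status.get("phase") != "SUCCEEDED":
        problems.append(f"phase is {status.get('phase')!r}, expected 'SUCCEEDED'")
    return (not problems, problems)


def _cond(ctype, status="True", reason="DeploymentSucceeded",
          message="Deployment succeeded", gen=1):
    return {"type": ctype, "status": status, "reason": reason,
            "message": message, "observedGeneration": gen}


# Constructed sample shaped like the healthy describe output on this page.
HEALTHY = {
    "metadata": {"name": "managed-istio", "generation": 1},
    "spec": {"dataplaneMode": "Ambient", "installNamespace": "istio-system"},
    "status": {"phase": "SUCCEEDED",
               "conditions": [_cond(t) for t in EXPECTED_CONDITIONS]},
}
# Constructed: the same object after a spec edit (generation 2) whose webhook
# rollout failed; the other conditions still carry the old observedGeneration.
STALE = copy.deepcopy(HEALTHY)
STALE["metadata"]["generation"] = 2
STALE["status"]["conditions"][4] = _cond(
    "WebhookDeployed", "False", "DeploymentFailed", "Deployment failed", 2)

if __name__ == "__main__":
    for name, obj in (("healthy", HEALTHY), ("stale", STALE)):
        ok, problems = check_ready(obj)
        print(name, "ready" if ok else "not ready", problems)
```

The same check can be run against a live cluster by piping `kubectl ... -o json` through `json.load` before calling `check_ready`.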
ServiceMeshController reference
Review the following configurable fields for the ServiceMeshController custom resource.
Setting | Description | Supported values | Default |
---|---|---|---|
cluster | The name of the cluster to install Istio into. This value is required to set the trust domain field in multicluster environments. | ||
dataplaneMode | The dataplane mode to use. | Ambient or Sidecar | Ambient |
distribution | Optional: A specific distribution of the Istio version, such as the standard or FIPS image distribution. | Standard or FIPS | Standard |
image.repository | Optional: An Istio image repository, such as to use an image from a private registry. | ||
image.secrets | Optional: A list of secrets to use for pulling images from a container registry. The secret list must be of type kubernetes.io/dockerconfigjson and exist in the installNamespace that you install Istio in. | ||
installNamespace | Namespace to install the service mesh components into. | istio-system | |
network | The default network where workload endpoints exist. A network is a logical grouping of workloads that exist in the same Layer 3 domain. Workloads in the same network can directly communicate with each other, while workloads in different networks require an east-west gateway to establish connectivity. This value is required in multi-network environments. | ||
onConflict | Optional: How to resolve conflicting Istio configuration, if the configuration in this ServiceMeshController conflicts with existing Istio resources in the cluster. | Force or Abort | Abort |
repository.secrets | Optional: A list of secrets to use for pulling manifests from an artifact registry. The secret list must be of type kubernetes.io/dockerconfigjson and can exist in any namespace, such as the same namespace that you create the ServiceMeshController in. | | |
repository.insecureSkipVerify | Optional: If set to true, the repository server's certificate chain and host name are not verified. | true or false | |
scalingProfile | Optional: The istiod control plane scaling settings to use. In large environments, set to Large. | Default or Large | Default |
trafficCaptureMode | Optional: Traffic capture mode to use. | Auto or InitContainer | Auto |
trustDomain | The trustDomain for Istio workloads. | | If cluster is set, defaults to that value. If cluster is unset, defaults to cluster.local. |
version | The Istio patch version to install. For more information, see Supported Solo distributions of Istio. | Any Istio version supported for your Gloo version | |