Service mesh options
Decide on the mode, image, and lifecycle of Istio service mesh to install in Gloo Mesh Core clusters.
Istio mode
Gloo Mesh Core supports Istio service meshes that run either in ambient or sidecar mode. Review the following table to help you choose your Istio mode.
| Istio mode | Maturity | Lifecycle options | Solo distributions of Istio? | Feature highlights |
|---|---|---|---|---|
| Ambient | Production | Gloo-managed | Yes (required) | Simplify your service mesh with a sidecarless approach. You get quicker onboarding, easier app lifecycle ops, and simpler network traffic with Layer 4 along with Layer 7. For more information, see About ambient mesh. |
| Sidecar | Production | Gloo-managed, manual | Yes | Deploy your service mesh with the standard sidecar approach. Although this approach is more resource-intensive, you get more observability data because all network traffic stays on Layer 7. To get started, see Deploy Gloo-managed service meshes. |
Istio image
Gloo Mesh Core supports Istio service meshes that run either community Istio images or Solo distributions of Istio. The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. The image support timeline is longer than the community Istio support timeline, which provides n-1 support with an additional 6 weeks of extended time to upgrade the n-2 version to n-1. For more about the added benefits of Solo distributions of Istio and to review the available image distributions, see Solo distributions of Istio.
Lifecycle management
Gloo Mesh Core supports full service mesh lifecycle management with the Istio Lifecycle Manager. By using Gloo-managed service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide the Istio configuration in a Gloo custom resource (CR), and Gloo translates this configuration into managed istiod control plane and gateways in each workload cluster for you. For more information, see Lifecycle management.
Updates to the Istio lifecycle manager in version 2.6 and later
In version 2.6 and later of Gloo Mesh Core, the Istio lifecycle manager is automatically updated with the following improvements.
Istio lifecycle agent
The Gloo agent that runs on each registered workload cluster now leverages a feature called the Istio lifecycle agent. This Istio lifecycle agent now deploys and manages the Istio installations in your clusters, instead of the Gloo agent directly.
Values translation
The Istio lifecycle agent now translates the IstioOperator configuration in your IstioLifecycleManager and GatewayLifecycleManager resources into Istio Helm chart values to deploy the installations, instead of deploying installations based on the IstoOperator configuration directly. The agent writes the translated values into internal resources, ClusterIstioInstallation, which represent the state of the Istio installations in each workload cluster.
Important gateway translation differences
By default, upsteam Istio translates IstioOperator configuration into values for the deprecated gateways/istio-ingress and gateways/istio-egress Helm charts. The lifecycle agent in Gloo Mesh Core translates configuration into the supported gateway Helm chart instead. If you use GatewayLifecycleManager CRs in version 2.6 and later, note the following differences that are implemented so that your IstioOperator configuration can be translated into supported gateway Helm chart values:
- The same chart is used for both ingress and egress gateways. The only difference is the service type, which defaults to
ClusterIPfor egress gateways. - The
gatewaychart always uses injection of thegatewaytemplate, which means that:- Deployments always use an injection template, regardless of the
IstioOperatorsetting. - Specifying an injection template other than
gatewayresults in an error. - The gateway’s namespace, such as
gloo-mesh-gateways, must not have annotations to disable injection. - The
hubandtagvalues in theIstioOperatordetermine only the Solo Helm chart to use. The image version in thedeploymentis alwaysauto, and is injected based on which Istio control plane provides sidecar injection.
- Deployments always use an injection template, regardless of the
- The default target ports for the gateway service are now
80and443, as opposed to the default values of8080and8443in the deprecated Helm charts. - Review the required changes for specifying Helm
valuessettings directly.- Do not specify
values.gatewayssettings. These settings were inherently defined for the deprecated charts only, and are not compatible with the currently-supportedgatewaychart. The only exception is thevalues.global.imagePullSecretsfield, which is supported. - To specify
valuessettings from the currently-supportedgatewaychart, use theunvalidatedValuesfield. This is necessary because thevaluessettings are not currently supported by upstream Istio as part of theIstioOperator. For example, the gateway chart supports akindsetting that determines whether the gateway is created as a deployment or a daemonset. To deploy a gateway as a daemonset, you can specify thekindsetting in anunvalidatedValuessection of yourGatewayLifecycleManager:istioOperatorSpec: components: ... unvalidatedValues: gateway: kind: DaemonSet
- Do not specify
- The following
k8ssettings that you might set incomponents.ingressgateway.k8s, for example, are either unsupported or supported for certain values:ownerNameis not applicable because it is used for anistio-operator-specificannotation.strategy(such as to define rolling update settings) is not available in thegatewaychart, but can be specified in an overlay.envonly supports explicit values. To specifyValsFromorEnvFrom, you must use an overlay.
Upgrading to 2.6
- If you use the Istio lifecycle manager in Gloo Mesh Core version 2.5, your Istio installations are unchanged when you upgrade Gloo Mesh Core to 2.6. The new translation system is only implemented when you make a change to your
IstioLifecycleManagerorGatewayLifecycleManagerresources. To preview any changes to how your gateway values might be translated, you can run a canary upgrade to compare two Istio installations. - Because of the updates to the Istio lifecycle manager in version 2.6, you currently cannot use the lifecycle manager alongside unmanaged Istio service meshes that you install by using Helm,
istioctl, or anIstioOperator. To use the Istio lifecycle manager, remove any existing Istio installations, and create managed Istio installations by following the steps in this guide. Note that this limitation will be addressed in future releases.