In your GatewayLifecycleManager resource, you provide gateway settings in an IstioOperator configuration. When you create the GatewayLifecycleManager in your management cluster, Gloo Mesh Core translates the configuration into gateways in your registered workload clusters for you.

For more information about service mesh lifecycle management, see the Deploy Gloo-managed service meshes guide.

Proto: gateway_lifecycle_manager.proto

Package: admin.gloo.solo.io

Examples

Ingress

This example creates an ingress gateway named istio-ingressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the revision (gatewayRevision: $REVISION), repo key (hub: $REPO), and image tag (tag: $ISTIO_IMAGE) for a Solo distribution of Istio.

apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-ingressgateway
  namespace: gloo-mesh
spec:
  installations:
  # List all workload clusters to install Istio into
  - clusters:
      # If set to true, the spec for this revision is applied in the cluster
      - activeGateway: true
        # Name of workload cluster that you used during cluster registration
        name: $REMOTE_CLUSTER1
      - activeGateway: true
        name: $REMOTE_CLUSTER2
    # The revision for this installation, such as 1-20
    gatewayRevision: $REVISION
    istioOperatorSpec:
      components:
        ingressGateways:
        # Enable the default ingress gateway
        - enabled: true
          k8s:
            service:
              # Default ports
              ports:
                # Port for health checks on path /healthz/ready.
                # For AWS ELBs, must be listed as the first port
                - name: status-port
                  port: 15021
                  targetPort: 15021
                - name: http2
                  port: 80
                  targetPort: 8080
                - name: https
                  port: 443
                  targetPort: 8443
                - name: tls
                  port: 15443
                  targetPort: 15443
              selector:
                istio: ingressgateway
              type: LoadBalancer
          label:
            app: istio-ingressgateway
            # Required to ensure Gateways can select this workload
            istio: ingressgateway
          name: istio-ingressgateway
          # Deployed to gloo-mesh-gateways by default
          namespace: gloo-mesh-gateways
      # Solo.io Istio distribution repository; required for Solo distributions of Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # No control plane components are installed
      profile: empty
      # The tag of a Solo distribution of Istio
      tag: $ISTIO_IMAGE
  

Egress

This example creates an egress gateway named istio-egressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the revision (gatewayRevision: $REVISION), repo key (hub: $REPO), and image tag (tag: $ISTIO_IMAGE) for a Solo distribution of Istio.

apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-egressgateway
  namespace: gloo-mesh
spec:
  installations:
  # List all workload clusters to install Istio into
  - clusters:
      # If set to true, the spec for this revision is applied in the cluster
      - activeGateway: true
        # Name of workload cluster that you used during cluster registration
        name: $REMOTE_CLUSTER1
      - activeGateway: true
        name: $REMOTE_CLUSTER2
    # The revision for this installation, such as 1-20
    gatewayRevision: $REVISION
    istioOperatorSpec:
      components:
        egressGateways:
        # Enable the default egress gateway
        - enabled: true
          k8s:
            service:
              # Default ports
              ports:
                # Port for health checks on path /healthz/ready.
                # For AWS ELBs, must be listed as the first port
                - name: status-port
                  port: 15021
                  targetPort: 15021
                # Required for Istio mutual TLS
                - name: https
                  port: 443
                  targetPort: 8443
                # Required for Gloo egress routing
                - name: tls
                  port: 15443
                  targetPort: 15443
              selector:
                istio: egressgateway
              type: LoadBalancer
          label:
            app: istio-egressgateway
            # Required to ensure Gateways can select this workload
            istio: egressgateway
            traffic: egress
          meshConfig:
            outboundTrafficPolicy:
              mode: ALLOW_ANY
            # Enable access logs
            accessLogFile: /dev/stdout
            defaultConfig:
              proxyMetadata:
                # For known hosts, enable the Istio agent to handle DNS requests
                # for any custom ServiceEntry, such as non-Kubernetes services.
                # Unknown hosts are automatically resolved using upstream DNS
                # servers in resolv.conf (for proxy-dns)
                ISTIO_META_DNS_CAPTURE: "true"
          name: istio-egressgateway
          # Deployed to gloo-mesh-gateways by default
          namespace: gloo-mesh-gateways
      # Solo.io Istio distribution repository; required for Solo distributions of Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # No control plane components are installed
      profile: empty
      # The tag of a Solo distribution of Istio
      tag: $ISTIO_IMAGE
  

spec fields

Specifications for the GatewayLifecycleManager resource.

| Field | Description |
| --- | --- |
| installations (repeated installations) | List of Istio gateway installations. |

installations

List of Istio gateway installations. Any components that are not related to the gateway are ignored. You can provide only one type of gateway installation per revision in a cluster. For example, in a workload cluster cluster2, you can install only one ingress gateway that runs revision 1-20.

| Field | Description |
| --- | --- |
| clusters (repeated clusters) | A list of cluster entries to install the Istio gateways in. |
| controlPlaneRevision (string) | Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created. |
| gatewayRevision (string) | Istio revision for this gateway installation, such as 1-20. When set to auto, Gloo installs the gateway with the default supported Solo distribution of Istio. |
| istioOperatorSpec (istioOperatorSpec) | IstioOperator specification for the gateway. |
| skipUpgradeValidation (bool) | When set to true, the lifecycle manager skips checks that are required for canary upgrades. This way, you can perform an in-place upgrade instead of a canary upgrade. Canary upgrades are recommended for updating minor versions in production. However, you might want to use in-place upgrades for patch versions or changes within the same minor version. Be sure to test in-place upgrades in development or staging environments first. For other upgrades, use canary upgrades instead. |

clusters

A list of cluster entries to install the Istio gateways in.

| Field | Description |
| --- | --- |
| activeGateway (bool) | Defaults to false. When set to true, the gateway installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevision. You might change this setting for gateway installations during a canary upgrade. For more info, see the [upgrade docs](/gloo-mesh-core/main//istio/mesh/ilm-upgrade/). |
| name (string) | Name of the cluster to install the gateway into. Must match the name of the cluster that you used when you registered the cluster with Gloo. |
| trustDomain (string) | Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. For more info, see the Istio documentation. |
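
The rules stated in the installations and clusters field descriptions can be checked before a spec is applied. The following linter is an added example, not Solo.io code: lint_spec, the rule labels, and the sample spec are assumptions of this example, and it reads the one-gateway-per-revision rule as counting enabled gateways of each type across all installations in one resource.

```python
from collections import Counter

GATEWAY_KINDS = ("ingressGateways", "egressGateways")


def lint_spec(spec):
    """Check a GatewayLifecycleManager spec (dict) against rules from the field reference."""
    findings, seen = [], Counter()
    for i, inst in enumerate(spec.get("installations", [])):
        operator = inst.get("istioOperatorSpec", {})
        revision = inst.get("gatewayRevision", "")
        # Canary-upgrade checks are skipped: surface this for change review.
        if inst.get("skipUpgradeValidation"):
            findings.append(("skip-upgrade-validation", f"installations[{i}]"))
        override = operator.get("meshConfig", {}).get("trustDomain")
        components = operator.get("components", {})
        enabled = [kind for kind in GATEWAY_KINDS
                   for gw in components.get(kind, []) if gw.get("enabled")]
        for cluster in inst.get("clusters", []):
            name = cluster.get("name", "")
            # A meshConfig.trustDomain override must be repeated on the cluster entry.
            if override and cluster.get("trustDomain") != override:
                findings.append(("trust-domain-mismatch", f"installations[{i}]/{name}"))
            for kind in enabled:
                seen[(name, revision, kind)] += 1
    # Only one gateway of a given type per revision in a cluster.
    for (name, revision, kind), count in sorted(seen.items()):
        if count > 1:
            findings.append(("duplicate-gateway", f"{name}/{revision}/{kind}"))
    return findings


# Constructed sample spec (illustrative values), shaped like `.spec` of the resource.
SAMPLE_SPEC = {"installations": [
    {"gatewayRevision": "1-20",
     "clusters": [{"name": "cluster1", "activeGateway": True,
                   "trustDomain": "cluster1-trust-override"},
                  {"name": "cluster2", "activeGateway": True}],
     "istioOperatorSpec": {
         "meshConfig": {"trustDomain": "cluster1-trust-override"},
         "components": {"ingressGateways": [
             {"name": "istio-ingressgateway", "enabled": True}]}}},
    {"gatewayRevision": "1-20", "skipUpgradeValidation": True,
     "clusters": [{"name": "cluster2", "activeGateway": False}],
     "istioOperatorSpec": {"components": {"ingressGateways": [
         {"name": "istio-ingressgateway", "enabled": True}]}}},
]}

if __name__ == "__main__":
    for rule, where in lint_spec(SAMPLE_SPEC):
        print(f"{rule}: {where}")
```
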

Status fields

The status of the Istio gateway installations after you apply the GatewayLifecycleManager resource to your Gloo environment.

To see the statuses, you can run a command such as the following:

  kubectl get GatewayLifecycleManager -n gloo-mesh istio-ingressgateway -o yaml
  

Example output:

  status:
    clusters:
      cluster1:
        installations:
          1-20:
            observedOperator:
              components:
                ingressGateways:
                - enabled: true
                  k8s:
                    service:
                      ports:
                        - name: status-port
                          port: 15021
                          targetPort: 15021
                        - name: http2
                          port: 80
                          targetPort: 8080
                        - name: https
                          port: 443
                          targetPort: 8443
                        - name: tls
                          port: 15443
                          targetPort: 15443
                      selector:
                        istio: ingressgateway
                      type: LoadBalancer
                  label:
                    app: istio-ingressgateway
                    istio: ingressgateway
                  name: istio-ingressgateway
                  namespace: gloo-mesh-gateways
            observedRevision: 1-20
            state: HEALTHY
      cluster2:
        ...
  

clusters

The list of clusters where Gloo manages Istio gateway installations.

| Field | Description |
| --- | --- |
| key | The name of the cluster where the gateway is installed, such as cluster1 in the example. |
| value | The Istio gateway installations in the cluster, listed by revision. |

installations

In one cluster, the list of Istio gateway installations.

| Field | Description |
| --- | --- |
| key | The revision of the gateway installation, such as 1-20 in the example. |
| value | The status of the gateway installation. |

Installation status

The status of the gateway installation.

| Field | Description |
| --- | --- |
| state (state) | The current state of the gateway installation. |
| message (string) | A human-readable message about the current state of the installation. |
| observedRevision (string) | The observed revision of the gateway installation. |
| observedOperator (istioOperatorSpec) | The IstioOperator spec that is currently deployed for this revision. |

state

The current state of the gateway installation.

| Name | Number | Description |
| --- | --- | --- |
| PENDING | 0 | Waiting for resources to be installed or updated. |
| FAILED | 1 | The Gloo management server encountered a problem while attempting to install the gateway. |
| NO_CONTROL_PLANE_AVAILABLE | 2 | Could not select an istiod control plane. |
| INSTALLING_GATEWAY | 3 | The gateway is currently being installed. |
| HEALTHY | 4 | All Istio components for the gateway are successfully installed and healthy. |
| UNHEALTHY | 5 | The gateway installation is no longer healthy. |
| ACTION_REQUIRED | 6 | The gateway IstioOperator resource is in an ACTION_REQUIRED state. Check the logs of the IstioOperator deployment for more info. |
| UPDATING_GATEWAY | 7 | The gateway IstioOperator resource is in an UPDATING state. |
| RECONCILING_GATEWAY | 8 | The gateway IstioOperator resource is in a RECONCILING state. |
| UNKNOWN | 9 | The gateway installation state could not be determined. |
| UNINSTALLING_GATEWAY | 10 | The gateway is currently being uninstalled. |
| UNINSTALLED_GATEWAY | 11 | The gateway is uninstalled. |
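
The status structure and state values above lend themselves to an automated health gate. The following script is an added example, not Solo.io code: it buckets every cluster and revision by state, and flags clusters named in the spec that report no status. The function name triage, the grouping of states into three buckets, the NO_STATUS marker, and the sample resource are assumptions of this example.

```python
import json
import sys
# Documented state values; grouping them this way is an assumption of this example.
HEALTHY = {"HEALTHY"}
TRANSITIONAL = {"PENDING", "INSTALLING_GATEWAY", "UPDATING_GATEWAY",
                "RECONCILING_GATEWAY", "UNINSTALLING_GATEWAY"}

def triage(resource):
    """Bucket each (cluster, revision) of a GatewayLifecycleManager by status.state."""
    report = {"healthy": [], "transitional": [], "attention": []}
    status = resource.get("status", {}).get("clusters", {})
    for cluster, entry in sorted(status.items()):
        for revision, inst in sorted(entry.get("installations", {}).items()):
            state = inst.get("state", "UNKNOWN")
            if state in HEALTHY and inst.get("observedRevision") == revision:
                bucket = "healthy"
            elif state in TRANSITIONAL:
                bucket = "transitional"
            else:  # FAILED, UNHEALTHY, ACTION_REQUIRED, ... or a revision mismatch
                bucket = "attention"
            report[bucket].append((cluster, revision, state, inst.get("message", "")))
    # Spec clusters with no status for the revision get this example's NO_STATUS marker.
    for inst in resource.get("spec", {}).get("installations", []):
        revision = inst.get("gatewayRevision")
        if revision in (None, "auto"):  # status key for "auto" is not known from the spec
            continue
        for cluster in inst.get("clusters", []):
            name = cluster.get("name")
            if revision not in status.get(name, {}).get("installations", {}):
                report["attention"].append((name, revision, "NO_STATUS", ""))
    return report

# Constructed sample, shaped like `kubectl get GatewayLifecycleManager ... -o json`.
SAMPLE = {
    "spec": {"installations": [{"gatewayRevision": "1-20", "clusters": [
        {"name": "cluster1"}, {"name": "cluster2"}, {"name": "cluster3"}]}]},
    "status": {"clusters": {
        "cluster1": {"installations": {"1-20": {
            "state": "HEALTHY", "observedRevision": "1-20"}}},
        "cluster2": {"installations": {"1-20": {
            "state": "NO_CONTROL_PLANE_AVAILABLE", "observedRevision": "1-20",
            "message": "constructed message"}}}}},
}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    result = triage(doc)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["attention"] else 0)
```

Pipe the output of the kubectl command shown earlier with `-o json` into the script; it exits non-zero when any installation needs attention.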