On this page
GatewayLifecycleManager
Use Gloo Mesh Core to install Istio ingress and egress gateways in your workload clusters.
In your GatewayLifecycleManager resource, you provide gateway settings in an IstioOperator configuration. When you create the GatewayLifecycleManager in your management cluster, Gloo Mesh Core translates the configuration into gateways in your registered workload clusters for you.
For more information about service mesh lifecycle management, see the Deploy Gloo-managed service meshes guide.
Proto: gateway_lifecycle_manager.proto
Package: admin.gloo.solo.io
Examples
Ingress
This example creates an ingress gateway named istio-ingressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION).
apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
name: istio-ingressgateway
namespace: gloo-mesh
spec:
installations:
# The revision for this installation
- gatewayRevision: $REVISION
# List all workload clusters to install Istio into
clusters:
- name: $REMOTE_CLUSTER1
# If set to true, the spec for this revision is applied in the cluster
activeGateway: true
- name: $REMOTE_CLUSTER2
activeGateway: true
istioOperatorSpec:
# No control plane components are installed
profile: empty
# Solo.io Istio distribution repository; required for the Solo distribution of Istio.
# You get the repo key from your Solo Account Representative.
hub: $REPO
# Any tag for the Solo distribution of Istio
tag: $ISTIO_IMAGE
components:
ingressGateways:
# Enable the default ingress gateway
- name: istio-ingressgateway
# Deployed to gloo-mesh-gateways by default
namespace: gloo-mesh-gateways
enabled: true
label:
# Set a unique label for the gateway. This is required to
# ensure Gateways can select this workload
istio: ingressgateway
app: istio-ingressgateway
k8s:
service:
type: LoadBalancer
selector:
istio: ingressgateway
# Default ports
ports:
# Port for health checks on path /healthz/ready.
# For AWS ELBs, this port must be listed first.
- name: status-port
port: 15021
targetPort: 15021
# Main HTTP ingress port
- name: http2
port: 80
targetPort: 8080
# Main HTTPS ingress port
- name: https
port: 443
targetPort: 8443
- name: tls
port: 15443
targetPort: 15443
Egress
This example creates an egress gateway named istio-egressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION).
apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
name: istio-egressgateway
namespace: gloo-mesh
spec:
installations:
# The revision for this installation
- gatewayRevision: $REVISION
# List all workload clusters to install Istio into
clusters:
- name: $REMOTE_CLUSTER1
# If set to true, the spec for this revision is applied in the cluster
activeGateway: true
- name: $REMOTE_CLUSTER2
activeGateway: true
istioOperatorSpec:
# No control plane components are installed
profile: minimal
# Solo.io Istio distribution repository; required for Gloo Istio.
# You get the repo key from your Solo Account Representative.
hub: $REPO
# The Solo.io Gloo Istio version
tag: $ISTIO_IMAGE
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY
# Enable access logs
accessLogFile: /dev/stdout
defaultConfig:
proxyMetadata:
# For known hosts, enable the Istio agent to handle DNS requests
# for any custom ServiceEntry, such as non-Kubernetes services.
# Unknown hosts are automatically resolved using upstream DNS
# servers in resolv.conf (for proxy-dns)
ISTIO_META_DNS_CAPTURE: "true"
components:
egressGateways:
# Enable the egress gateway
- name: istio-egressgateway
# Deployed to gloo-mesh-gateways by default
namespace: gloo-mesh-gateways
enabled: true
label:
# Set a unique label for the gateway. This is required to
# ensure Gateways can select this workload.
istio: egressgateway
app: istio-egressgateway
traffic: egress
k8s:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
env:
- name: AUTO_RELOAD_PLUGIN_CERTS
value: "true"
podAnnotations:
proxy.istio.io/config: |
proxyStatsMatcher:
inclusionRegexps:
- .*ext_authz.*
service:
type: LoadBalancer
selector:
istio: egressgateway
# Default ports
ports:
# Port for health checks on path /healthz/ready.
# For AWS ELBs, this port must be listed first.
- port: 15021
targetPort: 15021
name: status-port
# Port for multicluster mTLS passthrough
# Required for Gloo egress routing
- port: 15443
targetPort: 15443
# Gloo looks for this default name 'tls' on a gateway
name: tls
# Required for Istio mutual TLS
- port: 443
targetPort: 8443
name: https
spec fields
Specifications for the GatewayLifecycleManager resource.
| Field | Description |
|---|---|
installations | (repeated installations)List of Istio gateway installations. |
helmGlobal | (common.gloo.solo.io.IstioLifecycleHelmGlobals)Optional default configuration applicable to all installations. |
installations
List of Istio gateway installations. Any components that are not related to the gateway are ignored. You can provide only one type of gateway installation per revision in a cluster. For example, in a workload cluster cluster2, you can install only one ingress gateway that runs revision 1-22.
| Field | Description |
|---|---|
clusters | (repeated clusters)A list of cluster entries to install the Istio gateways in. |
controlPlaneRevision | (string)Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created. |
gatewayRevision | (string)Istio revision for this gateway installation, such as 1-22. When set to auto, Gloo installs the gateway with the default supported Solo distribution of Istio. |
istioOperatorSpec | (istioOperatorSpec)IstioOperator specification for the gateway. |
skipUpgradeValidation | (bool)When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first. |
clusters
A list of cluster entries to install the Istio gateways in.
| Field | Description |
|---|---|
activeGateway | (bool)Defaults to false. When set to true, the gateway installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the [upgrade docs]( |
| /gloo-mesh-core/main//istio/mesh/ilm-upgrade/). | |
name | (string)Name of the cluster to install the gateway into. Must match the name of the cluster that you used when you registered the cluster with Gloo. |
trustDomain | (string)Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. For more info, see the Istio documentation. |
Status fields
The status of the Istio gateway installations after you apply the GatewayLifecycleManager resource to your Gloo environment.
To see the statuses, you can run a command such as the following:
kubectl get GatewayLifecycleManager -n gloo-mesh istio-ingressgateway -o yaml
Example output:
status:
clusters:
cluster1:
installations:
1-22:
observedOperator:
components:
ingressGateways:
- enabled: true
k8s:
service:
ports:
- name: status-port
port: 15021
targetPort: 15021
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
- name: tls
port: 15443
targetPort: 15443
selector:
istio: ingressgateway
type: LoadBalancer
label:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
namespace: gloo-mesh-gateways
observedRevision: 1-22
state: HEALTHY
cluster2:
...
clusters
The list of clusters where Gloo manages Istio gateway installations.
| Field | Description |
|---|---|
key | The name of the cluster where the gateway is installed, such as cluster1 in the example. |
value | The Istio gateway installations in the cluster, listed by revision. |
installations
In one cluster, the list of Istio gateway installations.
| Field | Description |
|---|---|
key | The revision of the gateway installation, such as 1-22 in the example. |
value | The status of the gateway installation. |
Installation status
The status of the gateway installation.
| Field | Description |
|---|---|
state | (state)The current state of the gateway installation. |
message | (string)A human-readable message about the current state of the installation. |
observedRevision | (string)The observed revision of the gateway installation. |
observedOperator | (istioOperatorSpec)The IstioOperator spec that is currently deployed for this revision. |
state
The current state of the gateway installation.
| Name | Number | Description |
|---|---|---|
PENDING | 0 | Waiting for resources to be installed or updated. |
FAILED | 1 | The Gloo management server encountered a problem while attempting to install the gateway. |
NO_CONTROL_PLANE_AVAILABLE | 2 | Could not select an istiod control plane. |
INSTALLING_GATEWAY | 3 | The gateway is currently being installed. |
HEALTHY | 4 | All Istio components for the gateway are successfully installed and healthy. |
UNHEALTHY | 5 | The gateway installation is no longer healthy. |
ACTION_REQUIRED | 6 | The gateway IstioOperator resource is in an ACTION_REQUIRED state. Check the logs of the IstioOperator deployment for more info. |
UPDATING_GATEWAY | 7 | The gateway IstioOperator resource is in an UPDATING state. |
RECONCILING_GATEWAY | 8 | The gateway IstioOperator resource is in a RECONCILING state. |
UNKNOWN | 9 | The gateway installation state could not be determined. |
UNINSTALLING_GATEWAY | 10 | The gateway is currently being uninstalled. |
UNINSTALLED_GATEWAY | 11 | The gateway is uninstalled. |
INSTALL_PENDING | 12 | Successfully translated but not installing yet |