IstioLifecycleManager
Use Gloo Mesh Core to install Istio control planes in your workload clusters.
In your IstioLifecycleManager
resource, you provide istiod
settings in an IstioOperator
configuration. When you create the IstioLifecycleManager
in your management cluster, Gloo translates the configuration into istiod
control planes in your registered workload clusters for you.
For more information about service mesh lifecycle management, see the Deploy Gloo-managed service meshes guide.
Proto: istio_lifecycle_manager.proto
Package: admin.gloo.solo.io
Example
This example creates an istiod
control plane in the istio-system
namespace of two workload clusters ($REMOTE_CLUSTER1
and $REMOTE_CLUSTER2
). You supply the repo key for the Solo distribution of Istio (hub: $REPO
), image tag (tag: $ISTIO_IMAGE
), and revision (revision: $REVISION
).
apiVersion: admin.gloo.solo.io/v2
kind: IstioLifecycleManager
metadata:
name: istiod-control-plane
namespace: gloo-mesh
spec:
installations:
# List all workload clusters to install Istio into
- clusters:
# If set to true, the spec for this revision is applied in the cluster
- defaultRevision: true
# Name of workload cluster that you used during cluster registration
name: $REMOTE_CLUSTER1
- defaultRevision: true
name: $REMOTE_CLUSTER2
istioOperatorSpec:
components:
pilot:
k8s:
env:
# Skip the validation step for mTLS within the cluster.
# This approach is not recommended if you integrate Istio
# with your own CA, but is useful for PoCs or demos
# in which you use self-signed certificates.
- name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
value: "true"
# Solo.io Istio distribution repository; required for Solo distributions of Istio.
# You get the repo key from your Solo Account Representative.
hub: $REPO
meshConfig:
# Enable access logging.
accessLogFile: /dev/stdout
defaultConfig:
# Wait for the istio-proxy to start before starting application pods
holdApplicationUntilProxyStarts: true
proxyMetadata:
# For known hosts, enable the Istio agent to handle DNS requests
# for any custom ServiceEntry, such as non-Kubernetes services.
# Unknown hosts are automatically resolved using upstream DNS
# servers in resolv.conf (for proxy-dns)
ISTIO_META_DNS_CAPTURE: "true"
# Set the default behavior of the sidecar for handling outbound
# traffic from the application
outboundTrafficPolicy:
mode: ALLOW_ANY
namespace: istio-system
# Only the control plane components are installed
# (https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
profile: minimal
# The tag of a Solo distribution of Istio
tag: $ISTIO_IMAGE
# The revision for this installation, such as 1-23
revision: $REVISION
spec
fields
Specifications for the IstioLifecycleManager
resource.
Field | Description |
---|---|
installations | (repeated installations )List of Istio control plane installations. |
installations
List of Istio control plane installations. Any components that are not related to the control plane are ignored.
Field | Description |
---|---|
clusters | (repeated clusters )A list of cluster entries to install the Istio control planes in. |
istioController | (istioController )Optional configuration to tune the IstioOperator controller deployed to each workload cluster. |
istioOperatorSpec | (istioOperatorSpec )IstioOperator specification for the control plane. |
revision | (string )Istio revision for this installation, such as 1-23 . Label workload resources with istio.io/rev=$REVISION to use this installation. When set to auto , Gloo installs the control plane with the default supported Solo distribution of Istio.**Configuration constraints: This value can be a maximum of 63 characters. |
skipUpgradeValidation | (bool )When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first. |
clusters
A list of clusters to install the Istio control planes in.
Field | Description |
---|---|
defaultRevision | (bool )Optional: Defaults to false. When set to true, the installation for this revision is applied as the active Istio installation in the cluster. Resources with the istio-injection=true label entry use this revision. You might change this setting for Istio installations during a canary upgrade. For more info, see the [upgrade docs]( |
/gloo-mesh-core/main//istio/mesh/ilm-upgrade/). | |
name | (string )Name of the cluster to install the control plane into. Must match the name of the cluster that you used when you registered the cluster with Gloo. |
trustDomain | (string )Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1 ) and the trust domain (trustDomain: cluster1-trust-override ) in this installations.clusters section. For more info, see the Istio documentation. |
istioController
Optional configuration to tune the IstioOperator controller deployed to each workload cluster.
Field | Description |
---|---|
annotations | (repeated key-value string pairs) Kubernetes pod/deployment/service annotations. |
envVars | (repeated k8s.io.api.core.v1.EnvVar )Deployment environment variables. For more info, see the Kubernetes docs. |
imagePullSecrets | (repeated k8s.io.api.core.v1.LocalObjectReference )Names of image pull secrets to use to deploy the Istio controller. For more info, see the Kubernetes docs. |
labels | (repeated key-value string pairs) Kubernetes pod/deployment/service labels. |
resources | (k8s.io.api.core.v1.ResourceRequirements )Override for resources allocated to the Istio controller deployment. For more info, see the Kubernetes docs. |
securityContext | (k8s.io.api.core.v1.SecurityContext )Override for the pod’s security context. For more info, see the Kubernetes documentation. |
waitForResourcesTimeout | (string )The amount of time to wait for resources in a component to become ready before giving up. Configured using a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
Status fields
The status of the Istio control plane installations after you apply the IstioLifecycleManager
resource to your Gloo environment.
To see the statuses, you can run a command such as the following:
kubectl get IstioLifecycleManager -n gloo-mesh istiod-control-plane -o yaml
Example output:
status:
clusters:
cluster1:
installations:
1-23:
observedOperator:
components:
pilot:
k8s:
env:
- name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
value: "true"
meshConfig:
accessLogFile: /dev/stdout
holdApplicationUntilProxyStarts: true
proxyMetadata:
ISTIO_META_DNS_CAPTURE: "true"
outboundTrafficPolicy:
mode: ALLOW_ANY
rootNamespace: istio-system
namespace: istio-system
profile: minimal
observedRevision: 1-23
state: HEALTHY
cluster2:
...
clusters
The list of clusters where Gloo manages Istio control plane installations.
Field | Description |
---|---|
key | The name of the cluster where the control plane is installed, such as cluster1 in the example. |
value | The Istio control plane installations in the cluster, listed by revision. |
installations
In one cluster, the list of Istio control plane installations.
Field | Description |
---|---|
key | The revision of the control plane installation, such as 1-23 in the example. |
value | The status of the control plane installation. |
Installation status
The status of the Istio control plane installation.
Field | Description |
---|---|
state | (state )The current state of the control plane installation. |
message | (string )A human-readable message about the current state of the installation. |
observedRevision | (string )The observed revision of the control plane installation. |
observedOperator | (istioOperatorSpec )The IstioOperator spec that is currently deployed for this revision. |
state
The current state of the Istio control plane installation.
Name | Number | Description |
---|---|---|
PENDING | 0 | Waiting for resources to be installed or updated. |
FAILED | 1 | The Gloo management server encountered a problem while attempting to install Istio. |
INSTALLING_CONTROLLER | 2 | The controller is currently being installed. |
CONTROLLER_INSTALL_FAILED | 3 | The controller failed to install. |
INSTALLING_CONTROL_PLANE | 4 | The Istio control plane is currently being installed. |
CONTROL_PLANE_INSTALL_FAILED | 5 | The Istio control plane failed to install. |
HEALTHY | 6 | All Istio components are successfully installed and healthy. |
UNHEALTHY | 7 | The Istio installation is no longer healthy. |
ACTION_REQUIRED | 8 | The control plane IstioOperator resource is in an ‘ACTION_REQUIRED’ state. Check the logs of the IstioOperator deployment for more info. |
UPDATING_CONTROL_PLANE | 9 | The control plane IstioOperator resource is in an ‘UPDATING’ state. |
RECONCILING_CONTROL_PLANE | 10 | The control plane IstioOperator resource is in a ‘RECONCILING’ state. |
UNKNOWN | 11 | The control plane installation state could not be determined. |
UNINSTALLING_CONTROL_PLANE | 12 | The Istio control plane is currently being uninstalled. |
UNINSTALLED_CONTROL_PLANE | 13 | The Istio control plane is uninstalled. |
INSTALL_PENDING | 14 | Successfully translated but not installing yet |