Learn more about the Gloo components that you install to manage your environment, and how those components communicate with each other. After, you can dive deeper into the management server and agent relay architecture or check the default Kubernetes RBAC permissions of Gloo components.

Gloo Platform components

When you install Gloo Platform in your cluster environment, you can set up Gloo, optional addons, and Gloo-supported Istio components as described in the following diagram and tables.

Figure: Gloo Platform core, addon, and managed Istio components for your cluster environment.
Figure: Gloo Platform core, addon, and managed Istio components for your cluster environment.

Required Gloo components

By default, Gloo Platform installs the following required components to manage your environment.

ComponentProducts that use componentDescription
Gloo agentGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumThe agents send snapshots of the Gloo resources from each workload cluster to the management server.
Gloo management serverGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumThe management server maintains the desired state of your environment based on the configurations that you create. The server translates Gloo custom resources to the appropriate open source custom resources (such as Istio, Envoy, or Cilium). Then, the server pushes config changes to the agents to apply in the workload clusters.
RedisGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumRedis®* 1 instances are used to store state data for several Gloo components, including the management server, and the state of the custom resources in each registered cluster. You can optionally bring your own Redis instance. If you see state reconciliation errors, you can try restarting Redis.

Optional Gloo Platform addons

Install optional Gloo Platform addons to extend the capabilities, such as with rate limiting and external authentication servers.

ComponentProducts that use componentDescription
External auth serverGloo Mesh Enterprise, Gloo Mesh GatewaySet up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
Gloo UIGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumWith the UI, you can review the health and configuration of Gloo custom resources, including registered clusters, workspaces, networking, policies, and more. You can even set up external authentication that is synchronized with Kubernetes role-based access control to manage how your users access the UI.
OTel pipelineGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumYou can set up the Gloo OpenTelemetry (OTel) pipeline to collect metrics for your ingress gateway, service mesh, or Cilium CNI.
PortalGloo Mesh GatewayWith Gloo Portal, you can bundle and secure access to your APIs through a customizable developer portal. The portal supports the OpenAPI specification (OAS), also known as Swagger. Because the APIs must be available externally, Portal works only with Gloo Mesh Gateway.
PrometheusGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumThe default Prometheus deployment scrapes metrics from the Gloo telemetry gateway. You can also bring your own instance.
Rate limit serverGloo Mesh Enterprise, Gloo Mesh GatewayControl the rate of requests to destinations within the service mesh.
RedisGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh Gateway, Gloo Network for CiliumRedis instances are used to store state data for several Gloo components. You can optionally bring your own Redis instance.
  • Dashboard: The Gloo UI (dashboard) uses the data in Redis to display resources in the UI.
  • External auth (Gloo Mesh Enterprise, Gloo Mesh Gateway): The external auth server stores its configuration data in a Redis instance that is separate from the one that the management server and dashboard use.
  • Rate limiting (Gloo Mesh Enterprise, Gloo Mesh Gateway): The rate limiting server stores its configuration data in a Redis instance that is separate from the one that the management server and dashboard use.

Gloo-supported Istio components

With Solo’s Istio Lifecycle Manager, you can also use Gloo Platform to manage several open source Istio components. When you use Solo distributions of Istio, these Istio components are part of your Solo support. If you want to customize these installations, you might lose some of the managed benefits. For more information, review the Istio Lifecycle Manager guide.

ComponentProducts that use componentDescription
IstiodGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh GatewayIstiod is the control plane for the Istio service mesh on each workload cluster. For multicluster environments, Gloo federates trust by using a unified root trust policy across clusters.
OperatorGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh GatewayWhen you use Solo’s Istio Lifecycle Manager, an Istio operator is created to manage the other installed Istio components.
Ingress gatewayGloo Mesh Core, Gloo Mesh GatewayBased on Envoy, the Istio ingress gateway is deployed to manage traffic into and out of the service mesh. Depending on your security requirements, you might set up an ingress gateway per environment, per cluster, or in other ways.
East-west gatewayGloo Mesh Enterprise, Gloo Mesh GatewayBased on Envoy, the Istio east-west gateway is deployed in each workload cluster to manage traffic internal to the service mesh, even across clusters.

Note: When Gloo Mesh Gateway routes incoming requests across clusters through the east-west gateway, the communication from Gloo Mesh Gateway to the east-west gateway is secured with mTLS. However, when your app is deployed without Istio sidecars, the east-west gateway uses plaintext to route the request to your app. To secure communications to your apps with mTLS instead, consider using Gloo Mesh Enterprise alongside Gloo Mesh Gateway to set up an Istio service mesh for your workloads.

Additionally, cross-cluster routing through the east-west gateway in Gloo Mesh Gateway is supported only for incoming requests from a client that is external to your cluster environment. You can use Gloo Mesh Enterprise to also route from service-to-service within your cluster environment by using mTLS connections through the east-west gateway.
Workload proxyGloo Mesh Core, Gloo Mesh Enterprise, Gloo Mesh GatewayBased on Envoy, Istio workload proxies manage network communication between the workload and other microservices. In sidecar mode, each workload has its own Istio sidecar proxy for more fine-grained control.

Networking architecture

Now that you know more about the Gloo core components, optional addons, and managed Istio components that help manage your environment, review how these components communicate with each other in the following diagram.

Figure: Networking flow across Gloo Platform core, optional addon, and managed Istio components in your cluster environment.
Figure: Networking flow across Gloo Platform core, optional addon, and managed Istio components in your cluster environment.

  1. * Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Solo.io, Inc. is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Solo.io. ↩︎