Choose Gloo product licenses

Before you install Gloo Mesh Enterprise, decide which Gloo product licenses you need for your environment. Gloo offers separate licenses for each product, such as Gloo Mesh Enterprise and Gloo Mesh Gateway.

Product licenses unlock certain capabilities in your Gloo environment. Gloo products are built on hardened Solo images of related open source projects.

ProductOSS projectsDescription
Gloo Mesh CoreIstioGloo Mesh Core deploys alongside your Istio environment in single or multicluster environments, and can discover existing Istio installations across clusters and infrastructure providers. A Gloo Mesh Core license also unlocks hardened FIPS-compliant Istio images with n-4 version support, as well as Istio lifecycle management, in which Gloo Mesh Core deploys and manages the lifecycle of Istio installations across clusters. Gloo Mesh Core comes with an insights engine that automatically analyzes your Istio setup for health, security, and resiliency issues. Then, Gloo shares these issues along with recommendations to harden your Istio and setup in a custom dashboard. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.
Gloo Mesh EnterpriseIstioGloo Mesh Enterprise manages Istio-based service meshes across clusters and infrastructure providers, and secures communication between workloads via mTLS. A Gloo Mesh Enterprise license unlocks hardened, FIPS-compliant Istio images with n-4 version support. You get a simplified management experience for multitenancy, service isolation, federation, and east-west traffic management. Gloo Mesh Enterprise even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources (CRs) so that intelligent, multicluster failover works out of the box. You also get Gloo CRs to manage internal mesh routing, including virtual gateways, route tables, and policies such as external auth and rate limiting. Keep in mind that for advanced ingress routing features, you need a Gloo Mesh Gateway license alongside Gloo Mesh Enterprise. For example, without a Gloo Mesh Gateway license, you cannot use cloud resources or AWS Lambda; advanced listener configuration such as TLS for ingress routes; add-ons such as external auth, rate limiting, or the developer portal for non-mesh ingress use cases; or policies that apply to ingress routes such as Web Application Firewall (WAF).
Gloo Mesh GatewayEnvoy, IstioGloo Mesh Gateway is an API gateway based on Envoy and Istio open source technologies. A Gloo Mesh Gateway license unlocks Gloo CRs such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. You can enhance your API gateway, such as with support for routing to AWS Lambdas or adding a developer portal. Keep in mind that for internal service mesh traffic management, you need a Gloo Mesh Enterprise license alongside Gloo Mesh Gateway. For example, without a mesh license, you cannot use workload selectors on route tables; route tables without a virtual gateway; or access, access log, or failover.

Get a license key

To get Gloo product licenses, contact an account representative. Your account representative can help you get the right license keys for the Gloo capabilities that you want for your environment. For example, depending on your needs, you might get one of the following license key combinations:

  • For a trial installation of all Gloo products, you get a Gloo trial license key.
  • For a Gloo Mesh Gateway setup, you get a Gloo Mesh Gateway license key.
  • For a setup that supports both Gloo Mesh Gateway and Gloo Mesh Enterprise capabilities, such as ingress routing as well as east-west service mesh routing, you get a Gloo Mesh Gateway license key and a Gloo Mesh Enterprise license key.

Provide your license key during installation

When you install Gloo products in your management cluster, you provide your license keys either directly in your meshctl install command or Helm values file, or in a secret that you pass into the command or values file.

Trial license

A trial license provides access to all Gloo products.

  1. Save your trial license key as an environment variable.
      export GLOO_TRIAL_LICENSE_KEY=<gloo-trial-license-key>
  2. Decide how you want to provide your trial key during installation.

    When you install Gloo Mesh Enterprise in your management cluster, you can provide your trial license key in either of the following ways:

    • In the --set licensing.glooTrialLicenseKey=$GLOO_TRIAL_LICENSE_KEY flag of your install command.
    • In the licensing.glooTrialLicenseKey: $GLOO_TRIAL_LICENSE_KEY setting of your Helm values file.

    You can specify your trial license key by creating a secret before you install Gloo Mesh Enterprise.

    1. Create the gloo-mesh namespace.
        kubectl create ns gloo-mesh
    2. Create a secret with your trial key in the gloo-mesh namespace.
        cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: license-secret
  namespace: gloo-mesh
data:
  gloo-trial-license-key: "$GLOO_TRIAL_LICENSE_KEY"
EOF
    3. When you install Gloo Mesh Enterprise in your management cluster, provide your secret in either of the following ways:
      • In the --set licensing.licenseSecretName=license-secret flag of your install command.
      • In the licensing.licenseSecretName: license-secret setting of your Helm values file.

Standard license

You must have one license for each Gloo product that you want to install, such as Gloo Mesh Enterprise and Gloo Mesh Gateway.

  1. Save your standard license key as an environment variables.
      export GLOO_MESH_LICENSE_KEY=<gloo-mesh-license-key>
  2. Decide how you want to provide your license key during installation.

    When you install Gloo Mesh Enterprise in your management cluster, you can provide your license key in either of the following ways:

    • In the --set licensing.glooMeshLicenseKey=$GLOO_MESH_LICENSE_KEY flag of your install command.
    • In the licensing.glooMeshLicenseKey: $GLOO_MESH_LICENSE_KEY setting of your Helm values file.

    You can specify your license key by creating a secret before you install Gloo Mesh Enterprise.

    1. Create the gloo-mesh namespace.
        kubectl create ns gloo-mesh
    2. Create a secret with your license key in the gloo-mesh namespace.
        cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: license-secret
  namespace: gloo-mesh
data:
  gloo-mesh-license-key: "$GLOO_MESH_LICENSE_KEY"
EOF
    3. When you install Gloo Mesh Enterprise in your management cluster, provide your secret in either of the following ways:
      • In the --set licensing.licenseSecretName=license-secret flag of your install command.
      • In the licensing.licenseSecretName: license-secret setting of your Helm values file.

Monitor licenses

You can check your licenses, including your license expiration dates, in multiple ways.

CLI

To check your current licenses with the meshctl CLI, run the following command. In the output, you can see your license status in the License status section.

  meshctl check

In this example output, the Gloo Mesh license is current and valid. The expiration date is listed so that you can update your license before it expires.

  🟢 License status

INFO  gloo-mesh enterprise license expiration is 25 Aug 24 10:38 CDT

In this example output, the Gloo Mesh Enterprise license is expired. You can update your license in your Gloo environment.

  🔴 License status

ERROR A license is expired. To update, see https://docs.solo.io/gloo-mesh-enterprise/main/setup/prepare/licensing/#update-licenses
INFO  gloo-mesh enterprise license expiration is 06 Feb 23 13:05 CDT

UI

To check your current licenses with the Gloo UI:

  1. Open the Gloo UI. The Gloo UI is served from the gloo-mesh-ui service on port 8090. You can connect by using the meshctl or kubectl CLIs.

    • meshctl: For more information, see the CLI documentation.
        meshctl dashboard
    • kubectl:
      1. Port-forward the gloo-mesh-ui service on 8090.
          kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090
      2. Open your browser and connect to http://localhost:8090.
  2. In the header navigation bar, click the gear icon.
  3. Review the status of your licenses. In the following example, the Gloo Mesh Gateway license is current and valid, and no module is added to the license. You can also check the expiration date so that you can update your license before it expires.

Product license statuses in the Gloo UI.
Figure: Product license statuses in the Gloo UI.
Product license statuses in the Gloo UI.
Figure: Product license statuses in the Gloo UI.

Metrics

Gloo includes license metrics that you can view by using the UI of the built-in Prometheus server. These metrics give you the number of minutes until the license expires, which you can optionally use to set up alerts in Prometheus.

  1. Open the Prometheus UI.

  2. Query one of the following metrics:

    • solo_io_gloo_gateway_license
    • solo_io_gloo_mesh_license
    • solo_io_gloo_core_license
    • solo_io_gloo_network_license

  3. In the output, check the value of the metric, which is the number of minutes until the license expires. For example, in this output, the Gloo Mesh Enterprise license expires in 247,649 minutes, which equals 171 days, 23 hours, and 29 minutes.

    MetricValue
    solo_io_gloo_mesh_license{app=“gloo-mesh-mgmt-server”, instance=“10.xx.x.x:9091”, job=“gloo-mesh-mgmt-server”, namespace=“gloo-mesh”, pod=“gloo-mesh-mgmt-server-65bd557b95-v8qq6”, pod_template_hash=“65bd557b95”}247649.2563652057

  4. Optional: If you want to add alerts for these license metrics, such as to remind you to update your license before it expires, you can add alerts to your Helm values file and apply the file during a Gloo upgrade. To get your current Helm values and upgrade Gloo, see Upgrade Gloo Mesh Enterprise.

    For example, if you installed Gloo Mesh Enterprise, you might add the following alert to your values file to remind you to update your Gloo Mesh Enterprise license 30 days before it expires. You can also add similar alerts for other Gloo product licenses, or alerts for other timeframes (such as using expr: solo_io_gloo_mesh_license < 0 in the case that a license expires). You can review these alerts in the operations dashboard or in the /alerts page of the Prometheus UI.

      ...
serverFiles:
    alerting_rules.yml:
        groups:
            - name: GlooPlatformAlerts
              rules:
                ...
                - alert: GlooMeshLicenseExpiresSoon
                  annotations:
                    runbook: https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prepare/licensing/#update-licenses
                    summary: The Gloo Mesh Enterprise license expires in 30 days.
                  expr: solo_io_gloo_mesh_license < 1440 * 30
                  labels:
                    severity: warning

Update licenses

Before your Gloo license expires, you can update the license by performing a Helm upgrade. If you use Gloo Mesh Enterprise along with other Gloo products such as Gloo Mesh Gateway, you can also update those licenses.

For example, if you notice that your Gloo management plane deployments are in a crash loop, your Gloo license might be expired. You can check the logs for one of the deployments, such as the management server, to look for an error message similar to the following:

  meshctl logs mgmt --kubecontext ${MGMT_CONTEXT}
  
  {"level":"fatal","ts":1628879186.1552186,"logger":"gloo-mesh-mgmt-server","caller":"cmd/main.go:24","msg":"License is invalid or expired, crashing - license expired", ...

To update your license, see the upgrade guide.