Deregister workload clusters, uninstall the Gloo Mesh management plane, and optionally uninstall Istio.
If you no longer need your Gloo Mesh environment, you can deregister workload clusters and uninstall the Gloo Mesh management plane from your management cluster. You can also optionally uninstall Istio and the Bookinfo sample app.
Before you begin link Save the names and contexts of the clusters you want to uninstall Gloo Mesh Enterprise from.
export MGMT_CLUSTER=<management-cluster>
export REMOTE_CLUSTER1=<remote-cluster1>
export REMOTE_CLUSTER2=<remote-cluster2>
export MGMT_CONTEXT=<management-cluster-context>
export REMOTE_CONTEXT1=<remote-cluster1-context>
export REMOTE_CONTEXT2=<remote-cluster2-context>
Uninstall Istio link Uninstall Istio from each workload cluster. Note that if you used the Istio lifecycle manager, you must complete this section to uninstall Istio before you uninstall any Gloo Mesh management or agent components.
Uninstall the Istio control plane and gateway proxies. These steps differ depending on how you installed them.
If you used the legacy Istio lifecycle manager, uninstall the Istio control plane and gateways before you uninstall Gloo Mesh Core.
Delete the GatewayLifecycleManager
resources for any gateways.
kubectl delete GatewayLifecycleManager istio-eastwestgateway -n gloo-mesh --context $MGMT_CONTEXT
kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh --context $MGMT_CONTEXT
kubectl delete GatewayLifecycleManager istio-egressgateway -n gloo-mesh --context $MGMT_CONTEXT
Verify that the gateway resources are removed before you proceed to the next step.
kubectl get all -n gloo-mesh-gateways --context $REMOTE_CONTEXT1
kubectl get all -n gloo-mesh-gateways --context $REMOTE_CONTEXT2
Delete the IstioLifecycleManager
resource for the istiod
control plane.
kubectl delete IstioLifecycleManager istiod-control-plane -n gloo-mesh --context $MGMT_CONTEXT
Verify that the Istio resources are removed before you proceed to the next step.
# Change the revision as needed
kubectl get all -n gm-iop-1-18 --context $REMOTE_CONTEXT1
kubectl get all -n istio-system --context $REMOTE_CONTEXT1
Delete the Istio namespaces from the workload clusters.
kubectl delete ns istio-system --context $REMOTE_CONTEXT1
kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT1
kubectl delete ns istio-system --context $REMOTE_CONTEXT2
kubectl delete ns gloo-mesh-gateways --context $REMOTE_CONTEXT2
If you manually deployed a service mesh with Helm:
Find the name of your Istio Helm chart releases in the istio-ingress
namespace, such as istio-ingressgateway-1-18
.
helm ls -n istio-ingress --kube-context ${REMOTE_CONTEXT1}
helm ls -n istio-ingress --kube-context ${REMOTE_CONTEXT2}
Delete the Helm release for the ingress gateway.
helm uninstall istio-ingressgateway-1-18 -n istio-ingress --kube-context ${REMOTE_CONTEXT1}
helm uninstall istio-ingressgateway-1-18 -n istio-ingress --kube-context ${REMOTE_CONTEXT2}
Find the name of your Istio Helm chart releases in the istio-eastwest
namespace, such as istio-eastwestgateway-1-18
.
helm ls -n istio-eastwest --kube-context ${REMOTE_CONTEXT1}
helm ls -n istio-eastwest --kube-context ${REMOTE_CONTEXT2}
Delete the Helm release for the ingress and east-west gateways.
helm uninstall istio-eastwestgateway-1-18 -n istio-eastwest --kube-context ${REMOTE_CONTEXT1}
helm uninstall istio-eastwestgateway-1-18 -n istio-eastwest --kube-context ${REMOTE_CONTEXT2}
Find the name of your Istio Helm chart release in the istio-system
namespace, such as istiod-1-18
.
helm ls -n istio-system --kube-context ${REMOTE_CONTEXT1}
helm ls -n istio-system --kube-context ${REMOTE_CONTEXT1}
Delete the Helm release for the istiod
control plane.
helm uninstall istiod-1-18 -n istio-system --kube-context ${REMOTE_CONTEXT1}
helm uninstall istiod-1-18 -n istio-system --kube-context ${REMOTE_CONTEXT1}
Optional: Uninstall the Istio CNI.
helm uninstall -n kube-system istio-cni --kube-context ${REMOTE_CONTEXT1}
helm uninstall -n kube-system istio-cni --kube-context ${REMOTE_CONTEXT2}
Uninstall the Istio CRDs.
helm uninstall -n istio-system istio-base --kube-context ${REMOTE_CONTEXT1}
helm uninstall -n istio-system istio-base --kube-context ${REMOTE_CONTEXT2}
Optional: Delete any Helm releases for gateways that you installed.
helm uninstall -n gloo-mesh-gateways istio-ingressgateway --kube-context ${REMOTE_CONTEXT1}
helm uninstall -n gloo-mesh-gateways istio-ingressgateway --kube-context ${REMOTE_CONTEXT2}
helm uninstall -n gloo-mesh-gateways istio-eastwestgateway --kube-context ${REMOTE_CONTEXT1}
helm uninstall -n gloo-mesh-gateways istio-eastwestgateway --kube-context ${REMOTE_CONTEXT2}
Delete the Istio namespaces.
kubectl delete ns istio-system --context $REMOTE_CONTEXT1
kubectl delete ns istio-ingress --context $REMOTE_CONTEXT1
kubectl delete ns istio-eastwest --context $REMOTE_CONTEXT1
kubectl delete ns istio-config --context $REMOTE_CONTEXT1
kubectl delete ns istio-system --context $REMOTE_CONTEXT2
kubectl delete ns istio-ingress --context $REMOTE_CONTEXT2
kubectl delete ns istio-eastwest --context $REMOTE_CONTEXT2
kubectl delete ns istio-config --context $REMOTE_CONTEXT2
OpenShift installations: Revoke the extra permissions and resources required for OpenShift to run Istio.
Revoke the Istio namespace ID permissions for the Istio service accounts.
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT1
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT1
# Update revision as needed
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gm-iop-1-18 --context $REMOTE_CONTEXT1
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system --context $REMOTE_CONTEXT2
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh-gateways --context $REMOTE_CONTEXT2
# Update revision as needed
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:gm-iop-1-18 --context $REMOTE_CONTEXT2
Revoke the Istio namespace ID permissions for sample app project service accounts.
oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:bookinfo
oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:httpbin
oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:helloworld
oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh
oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:bookinfo
oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:httpbin
oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:helloworld
oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:gloo-mesh
Delete the NetworkAttachmentDefinition resources and the Istio namespace ID permissions for your workload projects.
oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:<workload_projects>
oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:<workload_projects>
oc --context $REMOTE_CONTEXT1 delete network-attachment-definition istio-cni -n <workload_projects>
oc --context $REMOTE_CONTEXT2 delete network-attachment-definition istio-cni -n <workload_projects>
Repeat these steps for each cluster that was registered with Gloo Mesh and that ran an Istio service mesh.
Deregister workload clusters link Uninstall the Gloo Mesh data plane components from the workload clusters.
Uninstall the Gloo agent that runs on each workload cluster.
Deregister cluster1
.
meshctl cluster deregister \
--kubecontext $MGMT_CONTEXT \
--remote-context $REMOTE_CONTEXT1 \
$REMOTE_CLUSTER1
Example output:
Deregistering cluster: cluster1
Finished uninstalling release gloo-mesh-agent
Successfully deregistered cluster: cluster1
Deregister cluster2
.
meshctl cluster deregister \
--kubecontext $MGMT_CONTEXT \
--remote-context $REMOTE_CONTEXT2 \
$REMOTE_CLUSTER2
If you maintained a separate gloo-agent-addons
Helm release, uninstall the release. Note that your add-ons might be installed in a different namespace, such as gloo-mesh-addons
.
helm uninstall gloo-agent-addons -n gloo-mesh --kube-context $REMOTE_CONTEXT1
helm uninstall gloo-agent-addons -n gloo-mesh --kube-context $REMOTE_CONTEXT2
Uninstall the agent Helm releases. Note that your Helm release might have a different name.
helm uninstall gloo-platform -n gloo-mesh --kube-context $REMOTE_CONTEXT1
helm uninstall gloo-platform -n gloo-mesh --kube-context $REMOTE_CONTEXT2
Delete the corresponding KubernetesCluster resources from the management cluster.
kubectl delete kubernetescluster $REMOTE_CLUSTER1 $REMOTE_CLUSTER2 -n gloo-mesh --context $MGMT_CONTEXT
Delete the relay secrets from each workload cluster, as you cannot reuse the same secret if you decide to re-register the agent later.
kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT1
kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT1
kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT1
kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT2
kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT2
kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT2
Uninstall the Gloo CRDs Helm releases in each workload cluster.
helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $REMOTE_CONTEXT1
helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $REMOTE_CONTEXT2
Delete the gloo-mesh
namespaces from each workload cluster.
kubectl --context $REMOTE_CONTEXT1 delete namespace gloo-mesh
kubectl --context $REMOTE_CONTEXT2 delete namespace gloo-mesh
Repeat these steps for any other cluster that is registered with Gloo Mesh. For example, if you ran the management plane in a cluster that was also registered, repeat these steps for the MGMT_CLUSTER
and specify the MGMT_CONTEXT
. If you registered multiple workload clusters, repeat these steps for each workload cluster.
Uninstall the management plane link Uninstall the Gloo Mesh management plane components from the management cluster.
Uninstall the Gloo Mesh management plane components.
meshctl uninstall --purge --kubecontext $MGMT_CONTEXT
Note: If you see a warning such as release gloo-platform does not exist, nothing to uninstall
, use the Helm tab instead.
meshctl uninstall --kubecontext $MGMT_CONTEXT
Note: If you see a warning such as release gloo-platform does not exist, nothing to uninstall
, use the Helm tab instead.
Note that your Helm release might have a different name.
helm uninstall gloo-platform -n gloo-mesh --kube-context $MGMT_CONTEXT
Uninstall the Gloo Mesh CRDs Helm release from the management cluster.
helm uninstall gloo-platform-crds -n gloo-mesh --kube-context $MGMT_CONTEXT
Delete the gloo-mesh
namespace, and if applicable, the gloo-mesh-config
namespace.
kubectl --context $MGMT_CONTEXT delete namespace gloo-mesh
kubectl --context $MGMT_CONTEXT delete namespace gloo-mesh-config
Optional: Uninstall sample apps link If you installed the Bookinfo and httpbin sample apps, run the following commands to uninstall their resources.
Export the Istio version that your cluster runs as an environment variable, such as 1.18.7-patch3 in the following example.
export ISTIO_VERSION=1.18.7-patch3
Remove the Bookinfo application components and service accounts.
kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' --context $REMOTE_CONTEXT1
kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' --context $REMOTE_CONTEXT1
kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'service in (reviews)'
kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (reviews),version in (v3)'
kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (ratings)'
kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account in (reviews, ratings)'
Delete the bookinfo
namespace.
kubectl delete ns bookinfo --context $REMOTE_CONTEXT1
kubectl delete ns bookinfo --context $REMOTE_CONTEXT2
Remove the httpbin application components.
kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml --context $REMOTE_CONTEXT1
kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin.yaml --context $REMOTE_CONTEXT2
Delete the httpbin
namespace.
kubectl delete ns httpbin --context $REMOTE_CONTEXT1
kubectl delete ns httpbin --context $REMOTE_CONTEXT2
Remove the helloworld application components.
kubectl -n helloworld delete -l 'service=helloworld' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml --context $REMOTE_CONTEXT1
kubectl -n helloworld delete -l 'app=helloworld,version in (v1, v2)' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml --context $REMOTE_CONTEXT1
kubectl -n helloworld delete -l 'service=helloworld' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml --context $REMOTE_CONTEXT2
kubectl -n helloworld delete -l 'app=helloworld,version in (v3, v4)' -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/helloworld.yaml --context $REMOTE_CONTEXT2
Delete the helloworld
namespace.
kubectl delete ns helloworld --context $REMOTE_CONTEXT1
kubectl delete ns helloworld --context $REMOTE_CONTEXT2