On this page

Install Gloo-managed service meshes

Use the Gloo operator to install and manage sidecar service meshes in your clusters.

warning

In Gloo Mesh Enterprise version 2.7, the Gloo operator is an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Gloo feature maturity.

By using the Gloo operator to manage your service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.

Prepare the cluster environment

Set your Gloo Mesh Enterprise license key as an environment variable. If you do not have one, contact an account representative. If you prefer to specify license keys in a secret instead, see Licensing. To check your license’s validity, you can run meshctl license check --key $(echo ${GLOO_MESH_LICENSE_KEY} | base64 -w0).
```
  export GLOO_MESH_LICENSE_KEY=<license_key>
  
```
Save the patch version of the Solo distribution of Istio that you want to install. For supported Istio versions in Gloo Mesh Enterprise, see the Istio images built by Solo.io support article.
```
  # Solo distrubution of Istio patch version
# in the format 1.x.x, with no tags
export ISTIO_VERSION=1.24.2
  
```
Be sure to review the following known Istio version restrictions.
warning
Istio 1.22 is supported only as patch version 1.22.1-patch0 and later. Do not use patch versions 1.22.0 and 1.22.1, which contain bugs that impact several Gloo Mesh Enterprise routing features that rely on virtual destinations. Additionally, in Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.

Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Enterprise features that rely on Istio ServiceEntries.

If you have multiple external services that use the same host and plan to use Istio 1.20, 1.21, or 1.22, you must use patch versions 1.20.7, 1.21.3, or 1.22.1-patch0 or later to ensure that the Istio service entry that is created for those external services is correct.

Install istioctl, the Istio CLI tool.

  curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
cd istio-${ISTIO_VERSION}
export PATH=$PWD/bin:$PATH

Install Istio with the Gloo operator

Save the name and kubeconfig context of a workload cluster in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s name and context.
```
  export CLUSTER_NAME=<cluster-name>
export CLUSTER_CONTEXT=<cluster-context>
  
```
Install the Gloo operator to the gloo-mesh namespace. This operator deploys and manages your Istio installation.
```
  helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \
  --version 0.1.0 \
  -n gloo-mesh \
  --create-namespace \ 
  --kube-context ${CLUSTER_CONTEXT} \ 
  --set manager.env.SOLO_ISTIO_LICENSE_KEY=$GLOO_MESH_LICENSE_KEY
  
```
info
If you already installed Gloo Mesh, you can optionally reference the secret that Gloo Mesh automatically creates for your license in the --set manager.env.SOLO_ISTIO_LICENSE_KEY_SECRET_REF=gloo-mesh/license-keys flag instead.

Verify that the operator pod is running.

  kubectl get pods -n gloo-mesh --context ${CLUSTER_CONTEXT} | grep operator

Example output:

  gloo-operator-78d58d5c7b-lzbr5     1/1     Running   0          48s

Create a ServiceMeshController custom resource to configure an Istio installation. For a description of each configurable field, see the ServiceMeshController reference.

  kubectl apply -n gloo-mesh --context ${CLUSTER_CONTEXT} -f -<<EOF
apiVersion: operator.gloo.solo.io/v1
kind: ServiceMeshController
metadata:
  name: managed-istio
  labels:
    app.kubernetes.io/name: managed-istio
spec:
  # required for multicluster setups
  cluster: ${CLUSTER_NAME}
  dataplaneMode: Sidecar
  installNamespace: istio-system
  version: ${ISTIO_VERSION}
EOF

Verify that the ServiceMeshController is ready. In the Status section of the output, make sure that all statuses are True, and that the phase is SUCCEEDED.

  kubectl describe servicemeshcontroller --context ${CLUSTER_CONTEXT} -n gloo-mesh managed-istio

Example output:

  ...
Status:
  Conditions:
    Last Transition Time:  2024-12-27T20:47:01Z
    Message:               Manifests initialized
    Observed Generation:   1
    Reason:                ManifestsInitialized
    Status:                True
    Type:                  Initialized
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               CRDs installed
    Observed Generation:   1
    Reason:                CRDInstalled
    Status:                True
    Type:                  CRDInstalled
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  ControlPlaneDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  CNIDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               Deployment succeeded
    Observed Generation:   1
    Reason:                DeploymentSucceeded
    Status:                True
    Type:                  WebhookDeployed
    Last Transition Time:  2024-12-27T20:47:02Z
    Message:               All conditions are met
    Observed Generation:   1
    Reason:                SystemReady
    Status:                True
    Type:                  Ready
  Phase:                   SUCCEEDED
Events:                    <none>

Verify that the istiod control plane and Istio CNI pods are running.

  kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT}

Example output:

  NAME                          READY   STATUS    RESTARTS   AGE
istio-cni-node-6s5nk          1/1     Running   0          2m53s
istio-cni-node-blpz4          1/1     Running   0          2m53s
istiod-gloo-bb86b959f-msrg7   1/1     Running   0          2m45s
istiod-gloo-bb86b959f-w29cm   1/1     Running   0          3m

Multicluster setups: Repeat steps 1 - 6 for each cluster that you want to install Istio into. Be sure to change the values of the $CLUSTER_NAME and $CLUSTER_CONTEXT environment variables for each cluster.

Add apps to the service mesh.
For multicluster environments, deploy east-west gateways to your clusters.

ServiceMeshController reference

Review the following configurable fields for the ServiceMeshController custom resource.

Setting	Description	Supported values	Default
`cluster`	The name of the cluster to install Istio into. This value is required to set the trust domain field in multicluster environments.
`dataplaneMode`	The dataplane mode to use.	`Sidecar`
`distribution`	Optional: A specific distribution of the Istio version, such as the standard or FIPS image distribution.	`Standard` or `FIPS`	`Standard`
`image.repository`	Optional: An Istio image repository, such as to use an image from a private registry.		The Solo distribution of Istio repo for the Istio minor version.
`image.secrets`	Optional: A list of secrets to use for pulling images from a container registry. The secret list must be of type `kubernetes.io/dockerconfigjson` and exist in the `installNamespace` that you install Istio in.
`installNamespace`	Namespace to install the service mesh components into.		`istio-system`
`network`	The default network where workload endpoints exist. A network is a logical grouping of workloads that exist in the same Layer 3 domain. Workloads in the same network can directly communicate with each other, while workloads in different networks require an east-west gateway to establish connectivity. This value is required in multi-network environments. For example, an easy way to identify the network of in-mesh workloads in one cluster is to simply use the cluster’s name for the network, such as `cluster1`.
`onConflict`	Optional: How to resolve conflicting Istio configuration, if the configuration in this ServiceMeshController conflicts with existing Istio resources in the cluster. `Force`: The existing resources are updated with the new configuration. `Abort`: The installation configured in this ServiceMeshController is aborted, and the existing resources remain unchanged.	`Force` or `Abort`	`Abort`
`repository.secrets`	Optional: A list of secrets to use for pulling manifests from an artifact registry. The secret list must be of type `kubernetes.io/dockerconfigjson` and can exist in any namespace, such as the same namespace that you create the ServiceMeshController in.
`repository.insecureSkipVerify`	Optional: If set to true, the repository server’s certificate chain and hostname are not verified.	`true` or `false`
`scalingProfile`	Optional: The istiod control plane scaling settings to use. In large environments, set to `Large`. `Default` sets the following scaling values: resources.requests.cpu=1000m resources.requests.memory=1Gi resources.limits.cpu=2000m resources.limits.memory=2Gi autoscaleEnabled=true autoscaleMin=2 autoscaleMax=25 cpu.targetAverageUtilization=80 `Large` sets the following scaling values: resources.requests.cpu=4000m resources.requests.memory=4Gi resources.limits.cpu=4000m resources.limits.memory=4Gi autoscaleEnabled=true autoscaleMin=4 autoscaleMax=50 cpu.targetAverageUtilization=75	`Default` or `Large`	`Default`
`trafficCaptureMode`	Optional: Traffic capture mode to use. `Auto`: The most suitable traffic capture mode is automatically selected based on the environment, such as using a CNI to capture traffic. `InitContainer`: An init container is used for the traffic capture. This setting can only be used when the `dataplaneMode` is `Sidecar`.	`Auto` or `InitContainer`	`Auto`
`trustDomain`	The trustDomain for Istio workloads.		If `cluster` is set, defaults to that value. If `cluster` is unset, defaults to `cluster.local`.
`version`	The Istio patch version to install. For more information, see Supported Solo distributions of Istio.	Any Istio version supported for your Gloo version

Install Gloo-managed service meshes

Prepare the cluster environment link

Install Istio with the Gloo operator link

Next link

ServiceMeshController reference link

Prepare the cluster environment

Install Istio with the Gloo operator

Next

ServiceMeshController reference