By using the Gloo operator to manage your service meshes, you no longer need to manually install and manage the istiod control plane. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.

Prepare the cluster environment

  1. Set your Gloo Mesh Enterprise license key as an environment variable. If you do not have one, contact an account representative. If you prefer to specify license keys in a secret instead, see Licensing. To check your license’s validity, you can run meshctl license check --key $(echo ${GLOO_MESH_LICENSE_KEY} | base64 -w0).

      export GLOO_MESH_LICENSE_KEY=<license_key>
      
  2. Save the patch version of the Solo distribution of Istio that you want to install. For supported Istio versions in Gloo Mesh Enterprise, see the Istio images built by Solo.io support article.

      # Solo distrubution of Istio patch version
    # in the format 1.x.x, with no tags
    export ISTIO_VERSION=1.24.2
      

    Be sure to review the following known Istio version restrictions.

  3. Install istioctl, the Istio CLI tool.

      curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
    cd istio-${ISTIO_VERSION}
    export PATH=$PWD/bin:$PATH
      

Install Istio with the Gloo operator

  1. Save the name and kubeconfig context of a workload cluster in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s name and context.

      export CLUSTER_NAME=<cluster-name>
    export CLUSTER_CONTEXT=<cluster-context>
      
  2. Install the Gloo operator to the gloo-mesh namespace. This operator deploys and manages your Istio installation.

      helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \
      --version 0.1.0 \
      -n gloo-mesh \
      --create-namespace \ 
      --kube-context ${CLUSTER_CONTEXT} \ 
      --set manager.env.SOLO_ISTIO_LICENSE_KEY=$GLOO_MESH_LICENSE_KEY
      
  3. Verify that the operator pod is running.

      kubectl get pods -n gloo-mesh --context ${CLUSTER_CONTEXT} | grep operator
      

    Example output:

      gloo-operator-78d58d5c7b-lzbr5     1/1     Running   0          48s
      
  4. Create a ServiceMeshController custom resource to configure an Istio installation. For a description of each configurable field, see the ServiceMeshController reference.

      kubectl apply -n gloo-mesh --context ${CLUSTER_CONTEXT} -f -<<EOF
    apiVersion: operator.gloo.solo.io/v1
    kind: ServiceMeshController
    metadata:
      name: managed-istio
      labels:
        app.kubernetes.io/name: managed-istio
    spec:
      # required for multicluster setups
      cluster: ${CLUSTER_NAME}
      dataplaneMode: Sidecar
      installNamespace: istio-system
      version: ${ISTIO_VERSION}
    EOF
      
  5. Verify that the ServiceMeshController is ready. In the Status section of the output, make sure that all statuses are True, and that the phase is SUCCEEDED.

      kubectl describe servicemeshcontroller --context ${CLUSTER_CONTEXT} -n gloo-mesh managed-istio
      

    Example output:

      ...
    Status:
      Conditions:
        Last Transition Time:  2024-12-27T20:47:01Z
        Message:               Manifests initialized
        Observed Generation:   1
        Reason:                ManifestsInitialized
        Status:                True
        Type:                  Initialized
        Last Transition Time:  2024-12-27T20:47:02Z
        Message:               CRDs installed
        Observed Generation:   1
        Reason:                CRDInstalled
        Status:                True
        Type:                  CRDInstalled
        Last Transition Time:  2024-12-27T20:47:02Z
        Message:               Deployment succeeded
        Observed Generation:   1
        Reason:                DeploymentSucceeded
        Status:                True
        Type:                  ControlPlaneDeployed
        Last Transition Time:  2024-12-27T20:47:02Z
        Message:               Deployment succeeded
        Observed Generation:   1
        Reason:                DeploymentSucceeded
        Status:                True
        Type:                  CNIDeployed
        Last Transition Time:  2024-12-27T20:47:02Z
        Message:               Deployment succeeded
        Observed Generation:   1
        Reason:                DeploymentSucceeded
        Status:                True
        Type:                  WebhookDeployed
        Last Transition Time:  2024-12-27T20:47:02Z
        Message:               All conditions are met
        Observed Generation:   1
        Reason:                SystemReady
        Status:                True
        Type:                  Ready
      Phase:                   SUCCEEDED
    Events:                    <none>
      
  6. Verify that the istiod control plane and Istio CNI pods are running.

      kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT}
      

    Example output:

      NAME                          READY   STATUS    RESTARTS   AGE
    istio-cni-node-6s5nk          1/1     Running   0          2m53s
    istio-cni-node-blpz4          1/1     Running   0          2m53s
    istiod-gloo-bb86b959f-msrg7   1/1     Running   0          2m45s
    istiod-gloo-bb86b959f-w29cm   1/1     Running   0          3m
      
  7. Multicluster setups: Repeat steps 1 - 6 for each cluster that you want to install Istio into. Be sure to change the values of the $CLUSTER_NAME and $CLUSTER_CONTEXT environment variables for each cluster.

Next

ServiceMeshController reference

Review the following configurable fields for the ServiceMeshController custom resource.

SettingDescriptionSupported valuesDefault
clusterThe name of the cluster to install Istio into. This value is required to set the trust domain field in multicluster environments.
dataplaneModeThe dataplane mode to use.Sidecar
distributionOptional: A specific distribution of the Istio version, such as the standard or FIPS image distribution.Standard or FIPSStandard
image.repositoryOptional: An Istio image repository, such as to use an image from a private registry.The Solo distribution of Istio repo for the Istio minor version.
image.secretsOptional: A list of secrets to use for pulling images from a container registry. The secret list must be of type kubernetes.io/dockerconfigjson and exist in the installNamespace that you install Istio in.
installNamespaceNamespace to install the service mesh components into.istio-system
networkThe default network where workload endpoints exist. A network is a logical grouping of workloads that exist in the same Layer 3 domain. Workloads in the same network can directly communicate with each other, while workloads in different networks require an east-west gateway to establish connectivity. This value is required in multi-network environments. For example, an easy way to identify the network of in-mesh workloads in one cluster is to simply use the cluster’s name for the network, such as cluster1.
onConflictOptional: How to resolve conflicting Istio configuration, if the configuration in this ServiceMeshController conflicts with existing Istio resources in the cluster.
  • Force: The existing resources are updated with the new configuration.
  • Abort: The installation configured in this ServiceMeshController is aborted, and the existing resources remain unchanged.
Force or AbortAbort
repository.secretsOptional: A list of secrets to use for pulling manifests from an artifact registry. The secret list must be of type kubernetes.io/dockerconfigjson and can exist in any namespace, such as the same namespace that you create the ServiceMeshController in.
repository.insecureSkipVerifyOptional: If set to true, the repository server’s certificate chain and hostname are not verified.true or false
scalingProfileOptional: The istiod control plane scaling settings to use. In large environments, set to Large.
  • Default sets the following scaling values:
    • resources.requests.cpu=1000m
    • resources.requests.memory=1Gi
    • resources.limits.cpu=2000m
    • resources.limits.memory=2Gi
    • autoscaleEnabled=true
    • autoscaleMin=2
    • autoscaleMax=25
    • cpu.targetAverageUtilization=80
  • Large sets the following scaling values:
    • resources.requests.cpu=4000m
    • resources.requests.memory=4Gi
    • resources.limits.cpu=4000m
    • resources.limits.memory=4Gi
    • autoscaleEnabled=true
    • autoscaleMin=4
    • autoscaleMax=50
    • cpu.targetAverageUtilization=75
Default or LargeDefault
trafficCaptureModeOptional: Traffic capture mode to use.
  • Auto: The most suitable traffic capture mode is automatically selected based on the environment, such as using a CNI to capture traffic.
  • InitContainer: An init container is used for the traffic capture. This setting can only be used when the dataplaneMode is Sidecar.
Auto or InitContainerAuto
trustDomainThe trustDomain for Istio workloads.If cluster is set, defaults to that value. If cluster is unset, defaults to cluster.local.
versionThe Istio patch version to install. For more information, see Supported Solo distributions of Istio.Any Istio version supported for your Gloo version