IstioLifecycleManager

Proto: istio_lifecycle_manager.proto

Package: admin.gloo.solo.io

Use Gloo Platform to install Istio control planes in your workload clusters, as part of the Istio lifecycle management. In your IstioLifecycleManager resource, you provide istiod settings in an IstioOperator configuration. When you create the IstioLifecycleManager in your management cluster, Gloo translates the configuration into istiod control planes in your registered workload clusters for you.

For more information, see the Install Istio by using the Istio Lifecycle Manager guide.

Example: This example creates an istiod control plane in the istio-system namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the Solo Istio revision ($REVISION), image tag ($ISTIO_IMAGE), and repo key ($REPO).

apiVersion: admin.gloo.solo.io/v2
kind: IstioLifecycleManager
metadata:
  name: istiod-control-plane
  namespace: gloo-mesh
spec:
  installations:
  # The revision for this installation, such as 1-18-3
  - revision: $REVISION
    # List all workload clusters to install Istio into
    clusters:
    - name: $REMOTE_CLUSTER1
      # If set to true, the spec for this revision is applied in the cluster
      defaultRevision: true
    - name: $REMOTE_CLUSTER2
      defaultRevision: true
    istioOperatorSpec:
      # Only the control plane components are installed
      # (https://istio.io/latest/docs/setup/additional-setup/config-profiles/)
      profile: minimal
      # Solo.io Istio distribution repository; required for Solo Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # Any Solo Istio tag
      tag: $ISTIO_IMAGE
      namespace: istio-system
      # Mesh configuration
      meshConfig:
        # Enable access logging only if using.
        accessLogFile: /dev/stdout
        # Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.
        accessLogEncoding: JSON
        # Enable span tracing only if using.
        enableTracing: true
        defaultConfig:
          # Wait for the istio-proxy to start before starting application pods
          holdApplicationUntilProxyStarts: true
          # Legacy metrics pipeline only, in Gloo Istio 1.17 and earlier:
          # Enable the legacy Gloo metrics service. For more info, see https://docs.solo.io/gloo-mesh/latest/observability/pipeline/.
          envoyMetricsService:
            address: gloo-mesh-agent.gloo-mesh:9977
          # Legacy metrics pipeline only, in Gloo Istio 1.17 and earlier: Enable Gloo access logging.
          envoyAccessLogService:
            address: gloo-mesh-agent.gloo-mesh:9977
          proxyMetadata:
            # For known hosts, enable the Istio agent to handle DNS requests for any custom ServiceEntry, such as non-Kubernetes services.
            # Unknown hosts are automatically resolved using upstream DNS servers in resolv.conf (for proxy-dns)
            ISTIO_META_DNS_CAPTURE: "true"
        # Set the default behavior of the sidecar for handling outbound traffic
        # from the application
        outboundTrafficPolicy:
          mode: ALLOW_ANY
        # The administrative root namespace for Istio configuration
        rootNamespace: istio-system
        # Set to the cluster name by default.
        trustDomain: ${CLUSTER_NAME}
      # Traffic management
      components:
        pilot:
          k8s:
            env:
            # Disable selecting workload entries for local service routing, so that Kubernetes 
            # will not automatically match services to workload entries with matching selector labels.
            # Required for Gloo Mesh VirtualDestination functionality.
            # For more info, see https://istio.io/latest/docs/reference/commands/pilot-discovery/
            - name: PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
              value: "false"
            # Skip the validation step for mTLS within the cluster.
            # This approach is not recommended if you integrated Istio with your own CA,
            # but is useful for PoCs or demos in which you use self-signed certificates.
            - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
              value: "true"
      # Helm values overrides
      values:
        global:
          multiCluster:
            # Set to the cluster name by default.
            clusterName: $CLUSTER_NAME

Types:

IstioClusterSelector

Clusters to install the Istio control planes in.

Field Description
name (string)

Name of the cluster to install Istio into. Must match the name of the cluster that you used when you registered the cluster with Gloo.
defaultRevision (bool)

Optional: Defaults to false. When set to true, the installation for this revision is applied as the active Istio installation in the cluster. Resources with the istio-injection=true label entry use this revision. You might change this setting for Istio installations during a canary upgrade. For more info, see the upgrade docs.
trustDomain (string)

Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. Additionally, because Gloo requires multiple trust domains for east-west routing, the PILOT_SKIP_VALIDATE_TRUST_DOMAIN field is set to "true" by default. For more info, see the Istio documentation.

IstioController

Field Description
waitForResourcesTimeout (string)

The amount of time to wait for resources in a component to become ready before giving up. Configured using a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms” or “2h45m”. Valid time units are “ns”, “us” (or “┬Ás”), “ms”, “s”, “m”, “h”.
imagePullSecrets (repeated k8s.io.api.core.v1.LocalObjectReference)

Names of image pull secrets to use to deploy the Istio controller. For more info, see the Kubernetes docs.
resources (common.gloo.solo.io.Resources)

Override for resources allocated to the Istio controller deployment. For more info, see the Kubernetes docs.
securityContext (k8s.io.api.core.v1.SecurityContext)

Override for the pod's security context. For more info, see the Kubernetes documentation.
labels (repeated IstioController.LabelsEntry)

Kubernetes pod/deployment/service labels.
annotations (repeated IstioController.AnnotationsEntry)

Kubernetes pod/deployment/service annotations.
envVars (repeated k8s.io.api.core.v1.EnvVar)

Deployment environment variables. For more info, see the Kubernetes docs.

IstioController.AnnotationsEntry

Field Description
key (string)

value (string)

IstioController.LabelsEntry

Field Description
key (string)

value (string)

IstioInstallation

List of Istio control plane installations. Any components that are NOT related to the control plane are ignored.

Field Description
revision (string)

Istio revision for this installation, such as ‘1-18-2’. Label workload resources with ‘istio.io/rev=$REVISION’ to use this installation. When set to auto, Gloo installs the control plane with the default supported version of Solo Istio.
clusters (repeated IstioClusterSelector)

Clusters to install the Istio control planes in.
istioOperatorSpec (common.gloo.solo.io.IstioOperatorSpec)

IstioOperator specification for the control plane. For more info, see the Istio documentation.
istioController (IstioController)

Optional configuration to tune the deployment of the IstioOperator controller deployed to each workload cluster.
skipUpgradeValidation (bool)

When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first.

IstioLifecycleManagerSpec

Specifications for the IstioLifecycleManager resource.

Field Description
installations (repeated IstioInstallation)

List of Istio control plane installations.

IstioLifecycleManagerStatus

The status of the IstioLifecycleManager resource after you apply it to your Gloo environment.

Field Description
clusters (repeated IstioLifecycleManagerStatus.ClustersEntry)

The list of clusters where Gloo manages Istio installations.

IstioLifecycleManagerStatus.ClusterStatuses

The list of clusters where Gloo manages Istio installations.

Field Description
installations (repeated IstioLifecycleManagerStatus.ClusterStatuses.InstallationsEntry)

The Istio installations in the cluster, listed by revision.

IstioLifecycleManagerStatus.ClusterStatuses.InstallationStatus

The status of the installation.

Field Description
state (IstioLifecycleManagerStatus.ClusterStatuses.InstallationStatus.State)

The current state of the Istio installation.
message (string)

A human readable message about the current state of the installation.
observedRevision (string)

The observed revision of the Istio installation.
observedOperator (common.gloo.solo.io.IstioOperatorSpec)

The IstioOperator spec that is currently deployed for this revision.

IstioLifecycleManagerStatus.ClusterStatuses.InstallationsEntry

Field Description
key (string)

value (IstioLifecycleManagerStatus.ClusterStatuses.InstallationStatus)

IstioLifecycleManagerStatus.ClustersEntry

Field Description
key (string)

value (IstioLifecycleManagerStatus.ClusterStatuses)

IstioLifecycleManagerStatus.ClusterStatuses.InstallationStatus.State

The current state of the Istio installation.

Name Number Description
PENDING 0 Waiting for resources to be installed or updated.
FAILED 1 The Gloo management server encountered a problem while attempting to install Istio.
INSTALLING_CONTROLLER 2 The controller is currently being installed.
CONTROLLER_INSTALL_FAILED 3 The controller failed to install.
INSTALLING_CONTROL_PLANE 4 The Istio control plane is currently being installed.
CONTROL_PLANE_INSTALL_FAILED 5 The Istio control plane failed to install.
HEALTHY 6 All Istio components are successfully installed and healthy.
UNHEALTHY 7 The Istio installation is no longer healthy.
ACTION_REQUIRED 8 The control plane IstioOperator resource is in an ‘ACTION_REQUIRED’ state. Check the logs of the IstioOperator deployment for more info.
UPDATING_CONTROL_PLANE 9 The control plane IstioOperator resource is in an ‘UPDATING’ state.
RECONCILING_CONTROL_PLANE 10 The control plane IstioOperator resource is in a ‘RECONCILING’ state.
UNKNOWN 11 The control plane installation state could not be determined.