Install with Argo CD
Use Argo Continuous Delivery (Argo CD) to automate the deployment and management of Gloo Mesh Enterprise and Istio in your cluster.
Argo CD is a declarative, Kubernetes-native continuous deployment tool that can read and pull code from Git repositories and deploy it to your cluster. Because of that, you can integrate Argo CD into your GitOps pipeline to automate the deployment and synchronization of your apps.
In this guide, you learn how to use Argo CD applications to deploy the following components:
- Gloo Platform CRDs
- Gloo Mesh Enterprise
- Istio control plane istiod
- Istio gateways
This guide assumes a single cluster setup for Gloo Mesh Enterprise and Istio. If you want to use Argo CD in a multicluster setup, you must configure your applications to deploy resources in either the management or workload clusters.
Before you begin
Create or use an existing Kubernetes or OpenShift cluster, and save the cluster name in an environment variable. Note: The cluster name must be alphanumeric with no special characters except a hyphen (-), lowercase, and begin with a letter (not a number).
export CLUSTER_NAME=<cluster_name>
Save your Gloo Mesh Enterprise license in an environment variable. If you do not have a license key, contact an account representative.
export GLOO_MESH_LICENSE_KEY=<license-key>
Save the Gloo Mesh Enterprise version that you want to install in an environment variable. The latest version is used as an example. You can find other versions in the Changelog documentation. Append ‘-fips’ for a FIPS-compliant image, such as ‘2.6.5-fips’. Do not include v before the version number.
export GLOO_MESH_VERSION=2.6.5
Review Supported versions to choose the Solo distribution of Istio that you want to use, and save the version information in the following environment variables.
- REPO: The repo key for the Solo distribution of Istio that you can get by logging in to the Support Center and reviewing the Istio images built by Solo.io support article.
- ISTIO_IMAGE: The version that you want to use with the solo tag, such as 1.22.3-patch0-solo. You can optionally append other tags of Solo distributions of Istio as needed.
- REVISION: Take the Istio major and minor versions and replace the periods with hyphens, such as 1-22.
  For testing environments only, you can deploy a revisionless installation. Revisionless installations permit in-place upgrades, which are quicker than the canary-based upgrades that revisioned installations require. To omit a revision, do not set a revision environment variable. Then in the following sections, you edit the sample IstioLifecycleManager and GatewayLifecycleManager files that you download to remove the revision and gatewayRevision fields. Note that if you deploy multiple Istio installations in the same cluster, only one installation can be revisionless.
- ISTIO_VERSION: The version of Istio that you want to install, such as 1.22.3-patch0.
export REPO=<repo-key>
export ISTIO_IMAGE=1.22.3-patch0-solo
export REVISION=1-22
export ISTIO_VERSION=1.22.3-patch0
Istio 1.22 is supported only as patch version 1.22.1-patch0 and later. Do not use patch versions 1.22.0 and 1.22.1, which contain bugs that impact several Gloo Mesh Enterprise routing features that rely on virtual destinations. Additionally, in Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
Gloo Mesh Enterprise version 2.6 supports Istio version 1.21. However, a bug was identified when upgrading from Istio version 1.20 or lower to Istio version 1.21 and later while being on Gloo Mesh Enterprise version 2.6. This bug can lead to disabled JWT authentication and authorization policies that fail close, which means that the gateway rejects requests as unauthenticated on any route that is protected by a JWT policy. Note that this bug will be fixed in a future 2.6 patch release. Do not upgrade to Istio version 1.21 and later until this patch is available. For more information, see the release notes.
Istio 1.20 is supported only as patch version 1.20.1-patch1 and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Enterprise features that rely on Istio ServiceEntries.
If you have multiple external services that use the same host and plan to use Istio 1.20, 1.21, or 1.22, you must use patch versions 1.20.7, 1.21.3, or 1.22.1-patch0 or later to ensure that the Istio service entry that is created for those external services is correct.
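The naming and version rules above can be checked before anything is deployed. The following preflight script is an added example, not part of the original guide; its function names are hypothetical, and the ISTIO_IMAGE check assumes the image tag is the Istio version followed by -solo, as in the sample values.

```shell
#!/bin/sh
# Added example: preflight checks for the variables that this guide exports.
# Function names are hypothetical; the rules come from the notes above.

# Cluster name: lowercase alphanumeric or hyphen, beginning with a letter.
valid_cluster_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]*$'
}

# REVISION: Istio major and minor joined by a hyphen (1.22.3-patch0 -> 1-22).
istio_revision() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\..*$/\1-\2/'
}

# Exit status 1 for the patch versions the guide says not to use.
istio_version_ok() {
  case "$1" in
    1.22.0|1.22.0-*|1.22.1) return 1 ;;               # 1.22: 1.22.1-patch0 and later
    1.20.0|1.20.0-*|1.20.1|1.20.1-patch0) return 1 ;; # 1.20: 1.20.1-patch1 and later
  esac
  return 0
}

# Exit status 0 when ISTIO_DELTA_XDS must be set to false (Istio 1.22.0-1.22.3).
needs_delta_xds_false() {
  printf '%s\n' "$1" | grep -Eq '^1\.22\.[0-3]($|-)'
}

# Prints one line per problem; exit status 0 only when no problem was found.
preflight() {
  problems=0
  valid_cluster_name "$CLUSTER_NAME" || { echo "CLUSTER_NAME: invalid name"; problems=1; }
  case "$GLOO_MESH_VERSION" in
    ''|v*) echo "GLOO_MESH_VERSION: unset or starts with v"; problems=1 ;;
  esac
  istio_version_ok "$ISTIO_VERSION" || { echo "ISTIO_VERSION: unsupported patch version"; problems=1; }
  case "$ISTIO_IMAGE" in
    "$ISTIO_VERSION"-solo*) ;;   # assumption: image tag is <ISTIO_VERSION>-solo[...]
    *) echo "ISTIO_IMAGE: expected ${ISTIO_VERSION}-solo"; problems=1 ;;
  esac
  if [ -n "$REVISION" ] && [ "$REVISION" != "$(istio_revision "$ISTIO_VERSION")" ]; then
    echo "REVISION: expected $(istio_revision "$ISTIO_VERSION")"; problems=1
  fi
  if needs_delta_xds_false "$ISTIO_VERSION"; then echo "note: set ISTIO_DELTA_XDS=false"; fi
  return "$problems"
}
```

Run preflight after the export commands; a nonzero exit status means at least one variable needs attention.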
Install Argo CD
Create the Argo CD namespace in your cluster.
kubectl create namespace argocd
Deploy Argo CD by using the non-HA YAML manifests.
until kubectl apply -k https://github.com/solo-io/gitops-library.git/argocd/deploy/default/ > /dev/null 2>&1; do sleep 2; done
Verify that the Argo CD pods are up and running.
kubectl get pods -n argocd
Example output:
NAME                                                READY   STATUS    RESTARTS   AGE
argocd-application-controller-0                     1/1     Running   0          46s
argocd-applicationset-controller-6d8f595ffd-jhplp   1/1     Running   0          48s
argocd-dex-server-64d4c94598-bcdzb                  1/1     Running   0          48s
argocd-notifications-controller-f6998b6c-pbwfc      1/1     Running   0          47s
argocd-redis-b5d6bf5f5-4mj2x                        1/1     Running   0          47s
argocd-repo-server-5bc5469bbc-qhh4s                 1/1     Running   0          47s
argocd-server-d985cbf9b-s66lv                       2/2     Running   0          46s
Update the default Argo CD password for the admin user to solo.io.
# bcrypt(password)=$2a$10$79yaoOg9dL5MO8pn8hGqtO4xQDejSEVNWAGQR268JHLdrCw6UCYmy
# password: solo.io
kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "$2a$10$79yaoOg9dL5MO8pn8hGqtO4xQDejSEVNWAGQR268JHLdrCw6UCYmy",
    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
  }}'
Port-forward the Argo CD server on port 9999.
kubectl port-forward svc/argocd-server -n argocd 9999:443
Open the Argo CD UI
Log in as the admin user with the password solo.io.
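To log in with a password of your own instead of the published solo.io hash, generate a bcrypt hash and patch the same secret. The following is an added example, not part of the original guide; the helper names are hypothetical, and the hash is assumed to come from the argocd CLI's account bcrypt command.

```shell
#!/bin/sh
# Added example, not from the original guide. Helper names are hypothetical.

# Exit status 0 only for a bcrypt hash in modular-crypt form:
# $2a$, $2b$ or $2y$, a two-digit cost, then 53 characters of salt and digest.
is_bcrypt_hash() {
  printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# Prints the patch body for argocd-secret. Anything that is not a bcrypt hash
# is refused, so a plaintext password never ends up in admin.password.
admin_password_patch() {
  if ! is_bcrypt_hash "$1"; then
    echo "refusing: argument is not a bcrypt hash" >&2
    return 1
  fi
  # passwordMtime is written in UTC, RFC 3339 format.
  printf '{"stringData":{"admin.password":"%s","admin.passwordMtime":"%s"}}\n' \
    "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Against a live cluster (requires the argocd CLI and kubectl):
#   HASH="$(argocd account bcrypt --password "$NEW_PASSWORD")"
#   kubectl -n argocd patch secret argocd-secret -p "$(admin_password_patch "$HASH")"
```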
Install Gloo Mesh Enterprise
Use Argo CD applications to deploy the Gloo Platform CRD and Gloo Mesh Enterprise Helm charts in your cluster.
Create an Argo CD application to install the Gloo Platform CRD Helm chart.
kubectl apply -f- <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gloo-platform-crds
  namespace: argocd
spec:
  destination:
    namespace: gloo-mesh
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: gloo-platform-crds
    repoURL: https://storage.googleapis.com/gloo-platform/helm-charts
    targetRevision: ${GLOO_MESH_VERSION}
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    retry:
      limit: 2
      backoff:
        duration: 5s
        maxDuration: 3m0s
        factor: 2
EOF
Create another application to install the Gloo Mesh Enterprise Helm chart. The following application prepopulates a set of Helm values to install Gloo Mesh Enterprise components, and enable the Gloo telemetry pipeline and the built-in Prometheus server. To customize these settings, see the Helm reference.
kubectl apply -f- <<EOF
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gloo-platform-helm
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: gloo-mesh
  project: default
  source:
    chart: gloo-platform
    helm:
      skipCrds: true
      values: |
        licensing:
          licenseKey: ${GLOO_MESH_LICENSE_KEY}
        common:
          cluster: ${CLUSTER_NAME}
        glooMgmtServer:
          enabled: true
          serviceType: ClusterIP
          registerCluster: true
          createGlobalWorkspace: true
          ports:
            healthcheck: 8091
        prometheus:
          enabled: true
        redis:
          deployment:
            enabled: true
        telemetryGateway:
          enabled: true
          service:
            type: LoadBalancer
        telemetryCollector:
          enabled: true
          config:
            exporters:
              otlp:
                endpoint: gloo-telemetry-gateway.gloo-mesh:4317
        glooUi:
          enabled: true
          serviceType: ClusterIP
        glooAgent:
          enabled: true
          relay:
            serverAddress: gloo-mesh-mgmt-server:9900
    repoURL: https://storage.googleapis.com/gloo-platform/helm-charts
    targetRevision: ${GLOO_MESH_VERSION}
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
EOF
Verify that the Gloo Mesh Enterprise components are installed and in a healthy state.
kubectl get pods -n gloo-mesh
Example output:
NAME                                      READY   STATUS    RESTARTS   AGE
gloo-mesh-agent-6497df4cf9-htqw4          1/1     Running   0          27s
gloo-mesh-mgmt-server-6d5546757f-6fzxd    1/1     Running   0          27s
gloo-mesh-redis-7c797d595d-lf9dr          1/1     Running   0          27s
gloo-mesh-ui-7567bcd54f-6tvjt             2/3     Running   0          27s
gloo-telemetry-collector-agent-8jvh2      1/1     Running   0          27s
gloo-telemetry-collector-agent-x2brj      1/1     Running   0          27s
gloo-telemetry-gateway-689cb78547-sqqgg   1/1     Running   0          27s
prometheus-server-946c89d8f-zx5sf         1/2     Running   0          27s
Install Istio
With Gloo Mesh Enterprise installed in your environment, you can now install Istio. You can choose either a managed Istio installation that uses the Gloo Mesh Istio lifecycle manager resource to set up Istio in your cluster, or an unmanaged Istio installation that uses the Istio Helm chart directly.
Congratulations! You successfully used Argo CD to deploy Gloo Mesh Enterprise and Istio in your cluster.
Test the resilience of your setup
Managing deployments with Argo CD allows you to declare the desired state of your components in a version-controlled source of truth, such as Git, and to automatically sync changes to your environments whenever the source of truth is changed. This approach significantly reduces the risk of configuration drift between your environments, and also helps to detect discrepancies between the desired state in Git and the actual state in your cluster to kick off self-healing mechanisms.
Review the deployments that were created when you installed Gloo Mesh Enterprise with Argo CD.
kubectl get deployments -n gloo-mesh
Example output:
NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
gloo-mesh-agent          1/1     1            1           3h11m
gloo-mesh-mgmt-server    1/1     1            1           3h11m
gloo-mesh-redis          1/1     1            1           3h11m
gloo-mesh-ui             1/1     1            1           3h11m
gloo-telemetry-gateway   1/1     1            1           3h11m
prometheus-server        1/1     1            1           3h11m
Simulate a chaos scenario where all of your deployments in the gloo-mesh namespace are deleted. Without Argo CD, deleting a deployment permanently deletes all of the pods that the deployment manages. However, when your deployments are monitored and managed by Argo CD, and you enabled the selfHeal: true and prune: true options in your Argo CD application, Argo automatically detects that the actual state of your deployment does not match the desired state in Git, and kicks off its self-healing mechanism.
kubectl delete deployments --all -n gloo-mesh
If you use self-signed TLS certificates for the relay connection between the Gloo management server and agent, you must remove the secrets in the gloo-mesh namespace as the certificates are automatically rotated during a redeploy or upgrade of the management server and agent. To delete the secrets, run kubectl delete secrets --all -n gloo-mesh.
Verify that Argo CD automatically recreated all of the deployments in the gloo-mesh namespace.
kubectl get deployments -n gloo-mesh
Example output:
NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
gloo-mesh-agent          1/1     1            1           5m
gloo-mesh-mgmt-server    1/1     1            1           5m
gloo-mesh-redis          1/1     1            1           5m
gloo-mesh-ui             1/1     1            1           5m
gloo-telemetry-gateway   1/1     1            1           5m
prometheus-server        1/1     1            1           5m
Next steps
Now that you have Gloo Mesh Enterprise and Istio up and running, check out some of the following resources to learn more about Gloo Mesh and expand your service mesh capabilities.
Gloo Mesh Enterprise:
- Enable insights to review and improve your setup’s health and security posture.
- Apply Gloo policies to manage the security and resiliency of your service mesh environment.
- Organize team resources with workspaces.
- When it’s time to upgrade Gloo Mesh Enterprise, see the upgrade guide.
Istio: Now that you have Gloo Mesh Enterprise and Istio installed, you can use Gloo to manage your Istio service mesh resources. You don’t need to directly configure any Istio resources going forward.
- Find out more about hardened Istio n-4 version support built into Solo distributions of Istio.
- Review how Gloo Mesh Enterprise custom resources are automatically translated into Istio resources.
- Monitor and observe your Istio environment with Gloo Mesh Enterprise’s built-in telemetry tools.
- When it’s time to upgrade Istio, use Gloo Mesh Enterprise to upgrade managed Istio installations.
Help and support:
- Talk to an expert to get advice or build out a proof of concept.
- Join the #gloo-mesh channel in the Solo.io community slack.
- Try out one of the Gloo workshops.
Cleanup
You can optionally remove the resources that you created as part of this guide.
kubectl delete applications istiod istio-base istio-ingressgateway istio-eastwestgateway -n argocd
kubectl delete applications gloo-platform-helm gloo-platform-crds -n argocd
kubectl delete applications istio-lifecyclemanager-deployments -n argocd
kubectl delete -k https://github.com/solo-io/gitops-library.git/argocd/deploy/default/
kubectl delete namespace argocd gloo-mesh