Manually install Istio

Manually deploy Istio to workload clusters in your Gloo Mesh Enterprise environment.

For a production-level Istio setup, separate your Istio resources across different namespaces for the different personas that need access to the Istio resources. The following diagram depicts the suggested setup for the namespaces and Istio resources.

Figure of a production-level Istio architecture

For more information about these recommended namespaces and the resources that are deployed to them, see Plan namespaces and resource management.

Configuration management

Additionally, by spreading resources across several namespaces, you can more easily allow each persona in your organization to manage the configurations that are applicable to the workloads they are responsible for. For example, cluster admins can set mesh-wide policies that set defaults and limits across the cluster, while still allowing individual microservice owners to create the configurations and policies necessary for their workloads.

For more information, see Persona-driven configuration management.

Certificate management

In a production-level Gloo Mesh Enterprise setup, you might want to automatically generate, store, and manage the required certificates outside of Gloo Mesh, such as by using Amazon Certificate Manager (ACM). For Istio, you must be able to sign intermediate CA certificates in your Gloo Mesh setup so that each Istio deployment can issue certificates to workload pods in its mesh. For more information, see Certificate management.
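The following added example (not part of the Gloo Mesh or Istio documentation) shows the check that this requirement implies: before you hand a per-cluster intermediate certificate to an Istio deployment, confirm that it chains to your root and is actually marked as a CA. It assumes the `openssl` CLI is installed and uses a throwaway local root in place of your externally managed one; all names, subjects, and lifetimes are constructed.

```bash
#!/usr/bin/env bash
# Added example. All subjects, lifetimes, and file names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# make_root <name>: self-signed root CA, standing in for the externally managed root.
make_root() {
  openssl req -x509 -config "$WORK/ext.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/O=example/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# issue <name> <ext-section> <signer>: certificate signed by <signer>'s key.
issue() {
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=example/CN=$1" -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3-cert.pem" -CAkey "$WORK/$3-key.pem" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1-cert.pem" 2>/dev/null
}

# can_sign_workloads <name> <root>: succeeds only if the certificate chains to
# the expected root AND carries CA:TRUE, so it can issue workload certificates.
can_sign_workloads() {
  openssl verify -CAfile "$WORK/$2-cert.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1-cert.pem" -noout -text | grep -q 'CA:TRUE'
}

make_root root
make_root other-root
issue cluster1-ca v3_ca root          # correct: intermediate CA for one cluster
issue cluster2-ca v3_leaf root        # mis-issued: chains to root but is not a CA

for ca in cluster1-ca cluster2-ca; do
  if can_sign_workloads "$ca" root; then echo "$ca: OK"; else echo "$ca: REJECT"; fi
done
```

A certificate that verifies against the root but lacks `CA:TRUE` is the easy mistake to miss, because `openssl verify` alone accepts it.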


For production, configure an Istio operator with IstioOperator resources that declare how to set up the istiod control plane and Istio gateways across your clusters. If you use a Helm-based deployment model, you can still deploy the operator with the Helm chart provided by Istio.

For the full set of steps on how to deploy an operator, the control plane, and gateways, see Deploy Istio in production.

Upgrading Istio

To manage the complexity of upgrading Istio and to prevent downtime, the deployment profiles for the control plane and gateways in the installation steps include revisions. When you need to upgrade to a newer Istio version, you can use the Istio operator to update the revisions for both the control plane and gateways in a blue/green upgrade model.

For more information, see Upgrading Istio.