Best practices for production installations

Basic Gateway features are available to anyone with a Gloo Mesh Enterprise license. Some advanced features require a Gloo Mesh Gateway license.

Dashboard Authentication

We recommend securing the Gloo Mesh Enterprise Dashboard by requiring authentication with an OpenID Connect identity provider. Users accessing the dashboard will be required to authenticate with the OIDC provider and all requests to retrieve data from the API will also be authenticated.

Manage Certs

We recommend you do not utilize Gloo Mesh to issue certificates or manage Istio CA certificates in production and instead add automation so that the certificates can be rotated easily in the future as described in the certificate management guide.

When certificates are issued, Istio-controlled pods need to be bounced (restarted) to ensure they pick up the new certificates. The certificate issuer will create a PodBounceDirective containing the namespaces and labels of the pods that need to be bounced in order to pick up the new certs. We recommend the PodBounceDirective feature is turned off by setting the autoRestartPods field to false in the VirtualMesh as shown in this example:

apiVersion: networking.mesh.gloo.solo.io/v1
kind: VirtualMesh
metadata:
  name: virtual-mesh
  namespace: gloo-mesh
spec:
  mtlsConfig:
    autoRestartPods: false # disable autoRestartPods in production
    shared:
      rootCertificateAuthority:
        generated: {}
  federation:
    # federate all Destinations to all external meshes
    selectors:
    - {}
  meshes:
  - name: istiod-istio-system-cluster1
    namespace: gloo-mesh

Setting Up Ratelimiting and External Authentication

In the getting started guide we provided a simple setup to demonstrate Gloo Mesh with the Ratelimit and Extauth features enabled. This document describes the best-practice method for installing the Gloo Mesh Enterprise management plane and data plane components via Helm. Helm is the recommended method for installing Gloo Mesh in your production environment, as it offers rich customization.

In a typical deployment, Gloo Mesh Enterprise uses a single Kubernetes cluster to host the management plane. To enable mTLS with Ratelimiting and Extauth, we need to add an injection directive for those components. An injection directive on the gloo-mesh namespace itself makes the management plane components dependent on the functionality of Istio’s mutating webhook, which may be a fragile coupling and is not recommended as best practice.

Instead, we want to separate the management plane and data plane components into two separate namespaces and label only our data plane components with the injection directive. This requires three separate steps:

Setup

First, let's set a variable for the license key.

GLOO_MESH_LICENSE_KEY=<your_key_here> # You'll need to supply your own key

For this guide we will use mgmt.cluster as the management cluster, where Gloo Mesh Enterprise is installed and no agents run. We will have two worker clusters, cluster-1 and cluster-2, which will be registered with the management plane.

Install Gloo Mesh Enterprise via Helm

First, install the Gloo Mesh Gateway chart with only the enterprise-agent enabled to the gloo-mesh namespace:

  1. Add the Helm repo
helm repo add gloo-mesh-enterprise https://storage.googleapis.com/gloo-mesh-enterprise/gloo-mesh-enterprise
  2. (optional) View available versions
helm search repo gloo-mesh-enterprise
  3. (optional) View Helm values
helm show values gloo-mesh-enterprise/gloo-mesh-enterprise
  4. Install
helm install gloo-mesh-enterprise gloo-mesh-enterprise/gloo-mesh-enterprise --create-namespace --namespace gloo-mesh \
  --set licenseKey=${GLOO_MESH_LICENSE_KEY}

Once you've installed Gloo Mesh, verify which components were installed:

kubectl get pods -n gloo-mesh
NAME                                     READY   STATUS    RESTARTS   AGE
dashboard-6d6b944cdb-jcpvl               3/3     Running   0          4m2s
enterprise-networking-84fc9fd6f5-rrbnq   1/1     Running   0          4m2s
  5. Register cluster-1 and cluster-2 using the gloo-mesh namespace.

Follow the enterprise cluster registration guide to create the enterprise-agent. You will only need to do this for the gloo-mesh namespace.

Now you should have the Gloo Mesh Enterprise management plane installed along with the enterprise-agent setup.

Install Extauth and RateLimit

RateLimit and Extauth are part of the Gloo Mesh Enterprise enterprise-agent Helm chart. This chart is installed to the gloo-mesh namespace when you register a cluster. We will now install just Extauth and Ratelimit to the gloo-mesh-addons namespace, with only the data plane components enabled.

RateLimit and ExtAuth are disabled by default on installation. They can be enabled via helm as follows:

rate-limiter: 
  enabled: true
ext-auth-service: 
  enabled: true

The Enterprise Agent is enabled by default and should be disabled via Helm with:

enterpriseAgent:
  enabled: false

Create a new namespace and install the RateLimit and Extauth, without the enterprise-agent using helm on the worker clusters cluster-1 and cluster-2:

helm install enterprise-agent-addons enterprise-agent/enterprise-agent --create-namespace --namespace gloo-mesh-addons \
  --set licenseKey=${GLOO_MESH_LICENSE_KEY} --set rate-limiter.enabled=true --set ext-auth-service.enabled=true --set enterpriseAgent.enabled=false

Now you should have the Ratelimit and Extauth data plane components installed in the gloo-mesh-addons namespace.

Finally, we need to add the label that enables istio-injection for the data plane components. To label the gloo-mesh-addons namespace for Istio injection, run the following on both worker clusters, cluster-2 and cluster-3:

kubectl --context cluster-2 label ns gloo-mesh-addons istio-injection=enabled --overwrite
kubectl --context cluster-3 label ns gloo-mesh-addons istio-injection=enabled --overwrite

Remember that you will need to label the gloo-mesh-addons namespace in every cluster that has ExtAuth or RateLimiter deployments. Check that the injection label has been applied:

kubectl get pods -n gloo-mesh-addons

The output should show the Ratelimit and Extauth pods running with the Istio sidecar injected (2/2 containers ready):

NAME                                     READY   STATUS    RESTARTS   AGE
rate-limit-3d62244cdb-fcrvd              2/2     Running   0          4m2s
ext-auth-service-3d62244cdb-fcrvd        2/2     Running   0          4m2s
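A sidecar-injection check over that `kubectl get pods` output, as an added example that is not part of the Gloo Mesh docs: it assumes the pod name prefixes rate-limit- and ext-auth-service- shown above, treats a READY count below 2 as a missing istio-proxy sidecar, and is demonstrated on constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the Gloo Mesh docs: confirm that every addon pod in
# gloo-mesh-addons is Running with N/N containers ready and N >= 2 (the app
# container plus the injected istio-proxy sidecar), and that both the rate-limit
# and ext-auth-service pods are present. A 1/1 pod means the namespace was not
# labelled istio-injection=enabled before the addons chart was installed.

# Constructed sample of `kubectl get pods -n gloo-mesh-addons` after a good install.
SAMPLE_OK='NAME                                     READY   STATUS    RESTARTS   AGE
rate-limit-3d62244cdb-fcrvd              2/2     Running   0          4m2s
ext-auth-service-3d62244cdb-fcrvd        2/2     Running   0          4m2s'

# Constructed sample where the injection label was missing: no sidecar container.
SAMPLE_NO_SIDECAR='NAME                                     READY   STATUS    RESTARTS   AGE
rate-limit-3d62244cdb-fcrvd              1/1     Running   0          4m2s
ext-auth-service-3d62244cdb-fcrvd        1/1     Running   0          4m2s'

# Constructed sample where the ext-auth-service deployment never came up.
SAMPLE_MISSING='NAME                                     READY   STATUS    RESTARTS   AGE
rate-limit-3d62244cdb-fcrvd              2/2     Running   0          4m2s'

# check_injected OUTPUT: returns 0 when the addon pods look healthy and injected,
# otherwise prints each problem and returns 1.
check_injected() {
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                              # skip the header row
    {
      if ($1 ~ /^rate-limit-/)       seen_rl = 1
      if ($1 ~ /^ext-auth-service-/) seen_ea = 1
      split($2, r, "/")                           # READY column is ready/total
      if ($3 != "Running" || r[1] != r[2] || r[2] + 0 < 2) {
        printf "not injected or not ready: %s READY=%s STATUS=%s\n", $1, $2, $3
        bad = 1
      }
    }
    END {
      if (!seen_rl) { print "rate-limit pod missing"; bad = 1 }
      if (!seen_ea) { print "ext-auth-service pod missing"; bad = 1 }
      exit bad
    }'
}

# Stand-alone demo on the constructed samples. Against a live cluster, pass the real
# output instead: check_injected "$(kubectl --context cluster-1 get pods -n gloo-mesh-addons)"
check_injected "$SAMPLE_OK" && echo "SAMPLE_OK: addons injected"
check_injected "$SAMPLE_NO_SIDECAR" || echo "SAMPLE_NO_SIDECAR: label the namespace and restart the pods"
check_injected "$SAMPLE_MISSING" || echo "SAMPLE_MISSING: check the helm release"
```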

Next Steps

Great! Ratelimit and ExtAuth are up and running. Check out the guides for ratelimiting and external authentication to use these features.

If you have any questions about running Gloo Mesh in production or need help setting up Gloo Mesh, join us on our Slack channel.