Uninstall Gloo Mesh and Istio

If you no longer need your Gloo Mesh environment, you can uninstall Gloo Mesh from your management and remote clusters. You can also optionally uninstall Istio and the Bookinfo sample app.

Before you begin

1. Set the names of your clusters from your infrastructure provider.

   export MGMT_CLUSTER=mgmt-cluster
   export REMOTE_CLUSTER1=cluster-1
   export REMOTE_CLUSTER2=cluster-2
   

2. Save the kubeconfig contexts for your clusters. Run kubectl config get-contexts, look for your cluster in the CLUSTER column, and get the context name in the NAME column. Note: Do not use context names with underscores. The context name is used as a SAN specification in the generated certificate that connects workload clusters to the management cluster, and underscores in SAN are not FQDN compliant. You can rename a context by running kubectl config rename-context "<oldcontext>" <newcontext>.

   export MGMT_CONTEXT=<management-cluster-context>
   export REMOTE_CONTEXT1=<remote-cluster-1-context>
   export REMOTE_CONTEXT2=<remote-cluster-2-context>
   

3. Save the names and contexts for subsequent workload clusters as needed, such as REMOTE_CONTEXT3, and so on.

Uninstall Istio

Uninstall Istio from each workload cluster. Note that if you used Gloo Mesh to manage your Istio installations, you must complete this section to uninstall Istio before you uninstall any Gloo Mesh management or agent components.

1. Uninstall the Istio resources. These steps differ depending on whether you installed the Istio control plane and gateways with the managedInstallations Helm chart setting, created IstioLifecycleManager and GatewayLifecycleManager custom resources, or manually deployed the control plane and gateways with IstioOperator resources.

   • managedInstallations Helm chart setting
   • IstioLifecycleManager and GatewayLifecycleManager CRs
   • Manual IstioOperator deployments

   1. Delete the GatewayLifecycleManager resources for the gateways that you deployed.

      kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh --context $REMOTE_CONTEXT1
      kubectl delete GatewayLifecycleManager isito-eastwestgateway -n gloo-mesh --context $REMOTE_CONTEXT1
      
      kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh --context $REMOTE_CONTEXT2
      kubectl delete GatewayLifecycleManager isito-eastwestgateway -n gloo-mesh --context $REMOTE_CONTEXT2
      

   2. Delete the IstioLifecycleManager for the istiod control plane.

      kubectl delete IstioLifecycleManager gloo-mesh-agent -n gloo-mesh --context $REMOTE_CONTEXT1
      kubectl delete IstioLifecycleManager gloo-mesh-agent -n gloo-mesh --context $REMOTE_CONTEXT2
      

   3. Note: In some cases, the gm-iop-1-16 namespace in each workload cluster might be stuck in the Terminating state due to resources not being properly cleaned up. To resolve this issue:
      1. Edit the istiod-control-plane operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istiod-control-plane -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      2. Edit the istio-eastwestgateway-1-16 operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istio-eastwestgateway-1-16 -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      3. If you also deployed an ingress gateway, edit the istio-ingressgateway-1-16 operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istio-ingressgateway-1-16 -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      4. Repeat these steps for each workload cluster.

   4. Delete the GatewayLifecycleManager resources for the gateways that you deployed.

      kubectl delete GatewayLifecycleManager istio-ingressgateway -n gloo-mesh --context $MGMT_CONTEXT
      kubectl delete GatewayLifecycleManager istio-eastwestgateway -n gloo-mesh --context $MGMT_CONTEXT
      

   5. Delete the IstioLifecycleManager for the istiod control plane.

      kubectl delete IstioLifecycleManager istiod-control-plane -n gloo-mesh --context $MGMT_CONTEXT
      

   6. Note: In some cases, the gm-iop-1-16 namespace in each workload cluster might be stuck in the Terminating state due to resources not being properly cleaned up. To resolve this issue:
      1. Edit the istiod-control-plane operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istiod-control-plane -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      2. Edit the istio-eastwestgateway-1-16 operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istio-eastwestgateway-1-16 -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      3. If you also deployed an ingress gateway, edit the istio-ingressgateway-1-16 operator, and delete the finalizers section.

         kubectl edit istiooperator.install.istio.io istio-ingressgateway-1-16 -n gm-iop-1-16 --context $REMOTE_CONTEXT
         

      4. Repeat these steps for each workload cluster.

   6. Delete the IstioOperator resources for the control plane, ingress gateway, and east-west gateway.

      kubectl delete IstioOperator production-istio -n istio-system --context $REMOTE_CONTEXT1
      kubectl delete IstioOperator ingress-gateway -n istio-system --context $REMOTE_CONTEXT1
      kubectl delete IstioOperator eastwest-gateway -n istio-system --context $REMOTE_CONTEXT1
      

      kubectl delete IstioOperator production-istio -n istio-system --context $REMOTE_CONTEXT2
      kubectl delete IstioOperator ingress-gateway -n istio-system --context $REMOTE_CONTEXT2
      kubectl delete IstioOperator eastwest-gateway -n istio-system --context $REMOTE_CONTEXT2
      

   7. Uninstall the control plane. sh istioctl uninstall --revision $REVISION --context $REMOTE_CONTEXT1 sh istioctl uninstall --revision $REVISION --context $REMOTE_CONTEXT2
   8. Delete the operator and the operator's ClusterIP service. sh kubectl delete deploy istio-operator-$REVISION -n istio-operator --context $REMOTE_CONTEXT1 kubectl delete svc istio-operator-$REVISION -n istio-operator --context $REMOTE_CONTEXT1 sh kubectl delete deploy istio-operator-$REVISION -n istio-operator --context $REMOTE_CONTEXT2 kubectl delete svc istio-operator-$REVISION -n istio-operator --context $REMOTE_CONTEXT2
   9. Delete the Istio namespaces. sh kubectl delete ns istio-system --context $REMOTE_CONTEXT1 kubectl delete ns istio-operator --context $REMOTE_CONTEXT1 kubectl delete ns istio-ingress --context $REMOTE_CONTEXT1 kubectl delete ns istio-eastwest --context $REMOTE_CONTEXT1 kubectl delete ns istio-config --context $REMOTE_CONTEXT1 sh kubectl delete ns istio-system --context $REMOTE_CONTEXT2 kubectl delete ns istio-operator --context $REMOTE_CONTEXT2 kubectl delete ns istio-ingress --context $REMOTE_CONTEXT2 kubectl delete ns istio-eastwest --context $REMOTE_CONTEXT2 kubectl delete ns istio-config --context $REMOTE_CONTEXT2

2. OpenShift installations: Revoke the extra permissions and resources required for OpenShift to run Istio.

   1. Revoke the Istio namespace ID permissions.

      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system
      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-operator
      oc --context $REMOTE_CONTEXT1 adm policy remove-scc-from-group anyuid system:serviceaccounts:default
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-operator
      oc --context $REMOTE_CONTEXT2 adm policy remove-scc-from-group anyuid system:serviceaccounts:default
      

   2. Delete the NetworkAttachmentDefinition resources.

      oc --context $REMOTE_CONTEXT1 -n default delete network-attachment-definition istio-cni
      oc --context $REMOTE_CONTEXT2 -n default delete network-attachment-definition istio-cni
      

3. Repeat these steps for each cluster that was registered with Gloo Mesh and that ran an Istio service mesh.

Deregister workload clusters

To deregister a cluster, you must uninstall the gloo-mesh-agent that runs on the workload cluster and the corresponding KubernetesCluster resource that exists on the management cluster.

1. Uninstall the gloo-mesh-agent that runs on the workload cluster.

   • Installed with meshctl
   • Installed with Helm

   1. Deregister cluster-1.

      meshctl cluster deregister \
        --kubecontext $MGMT_CONTEXT \
        --remote-context $REMOTE_CONTEXT1 \
        $REMOTE_CLUSTER1
      

      Example output:

      Deregistering cluster: cluster-1
      Finished uninstalling release gloo-mesh-agent
      Successfully deregistered cluster: cluster-1
      

   2. Deregister cluster-2.

      meshctl cluster deregister \
        --kubecontext $MGMT_CONTEXT \
        --remote-context $REMOTE_CONTEXT2 \
        $REMOTE_CLUSTER2
      

   1. Uninstall the gloo-mesh-agent Helm chart that runs on cluster-1 and cluster-2. Note: If the release name gloo-agent is not found, your Helm release might be named gloo-mesh-agent instead.

      helm uninstall gloo-agent -n gloo-mesh --kube-context $REMOTE_CONTEXT1
      helm uninstall gloo-agent -n gloo-mesh --kube-context $REMOTE_CONTEXT2
      

   2. Delete the corresponding KubernetesCluster resources from the management cluster.

      kubectl delete kubernetescluster $REMOTE_CLUSTER1 $REMOTE_CLUSTER2 -n gloo-mesh --context $MGMT_CONTEXT
      

   3. Delete the Gloo Mesh relay secrets from each workload cluster. These secrets are not removed during the Helm installation. However, you cannot reuse the same secret if you decide to register the agent later.

      kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT1
      

      kubectl delete secret -n gloo-mesh relay-client-tls-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-identity-token-secret --context $REMOTE_CONTEXT1
      kubectl delete secret -n gloo-mesh relay-root-tls-secret --context $REMOTE_CONTEXT1
      

2. Delete the Custom Resource Definitions (CRDs) that were installed on cluster-1 and cluster-2 during registration.

   for crd in $(kubectl get crd --context $REMOTE_CONTEXT1 -l app=gloo-mesh-apis | awk '{print $1}'); do kubectl --context $REMOTE_CONTEXT1 delete crd $crd; done
   for crd in $(kubectl get crd --context $REMOTE_CONTEXT2 -l app=gloo-mesh-apis | awk '{print $1}'); do kubectl --context $REMOTE_CONTEXT2 delete crd $crd; done
   

3. Delete the gloo-mesh namespace from cluster-1 and cluster-2.

   kubectl --context $REMOTE_CONTEXT1 delete namespace gloo-mesh
   kubectl --context $REMOTE_CONTEXT2 delete namespace gloo-mesh
   

4. If you installed the rate limiting and external authentication components in the gloo-mesh-addons namespace of your workload clusters, uninstall the gloo-mesh-agent Helm chart and delete the gloo-mesh-addons namespace. Note: If the release name gloo-agent-addons is not found, your Helm release might be named gloo-mesh-agent-addons instead.

   helm uninstall gloo-agent-addons -n gloo-mesh-addons --kube-context $REMOTE_CONTEXT1
   helm uninstall gloo-agent-addons -n gloo-mesh-addons --kube-context $REMOTE_CONTEXT2
   

   kubectl --context $REMOTE_CONTEXT1 delete namespace gloo-mesh-addons
   kubectl --context $REMOTE_CONTEXT2 delete namespace gloo-mesh-addons
   

5. Repeat these steps for any other cluster that is registered with Gloo Mesh. For example, if you ran the management components in a cluster that was also registered, repeat these steps for the MGMT_CLUSTER and specify the MGMT_CONTEXT. If you registered multiple workload clusters, repeat these steps for each workload cluster.

Uninstall management components

Uninstall the Gloo Mesh management components from the management cluster.

1. Uninstall the Gloo Mesh management plane components.

   • Installed with meshctl
   • Installed with Helm

   meshctl uninstall --kubecontext $MGMT_CONTEXT
   

   Example output:

   Uninstalling Helm chart
   Finished uninstalling release gloo-mesh
   

   helm uninstall gloo-mgmt -n gloo-mesh --kube-context $MGMT_CONTEXT
   

   Note: If the release name gloo-mgmt is not found, your Helm release might be named gloo-mesh-enterprise instead.

2. Delete the Gloo Mesh CRDs.

   for crd in $(kubectl get crd --context $MGMT_CONTEXT -l app=gloo-mesh-apis | awk '{print $1}'); do kubectl --context $MGMT_CONTEXT delete crd $crd; done
   

3. Delete the gloo-mesh namespace.

   kubectl --context $MGMT_CONTEXT delete namespace gloo-mesh
   

Optional: Uninstall sample apps

If you installed the Bookinfo and httpbin sample apps, run the following commands to uninstall their resources.

1. Export the Istio version that your cluster runs as an environment variable, such as 1.16.2 in the following example.

   export ISTIO_VERSION=1.16.2
   

2. Remove the Bookinfo application components and service accounts.

   • cluster-1
   • cluster-2

   kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app,version notin (v3)' --context $REMOTE_CONTEXT1
   kubectl -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account' --context $REMOTE_CONTEXT1
   

   kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'service in (reviews)'
   kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (reviews),version in (v3)'
   kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app in (ratings)'
   kubectl --context $REMOTE_CONTEXT2 -n bookinfo delete -f https://raw.githubusercontent.com/istio/istio/$ISTIO_VERSION/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account in (reviews, ratings)'
   

3. Delete the bookinfo namespace.

   kubectl delete ns bookinfo --context $REMOTE_CONTEXT1
   kubectl delete ns bookinfo --context $REMOTE_CONTEXT2
   

4. Remove the httpbin application components.

   kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin-in-mesh.yaml --context $REMOTE_CONTEXT1
   kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin-not-in-mesh.yaml --context $REMOTE_CONTEXT1
   kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin-in-mesh.yaml --context $REMOTE_CONTEXT2
   kubectl -n httpbin delete -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/httpbin-not-in-mesh.yaml --context $REMOTE_CONTEXT2
   

5. Delete the httpbin namespace.

   kubectl delete ns httpbin --context $REMOTE_CONTEXT1
   kubectl delete ns httpbin --context $REMOTE_CONTEXT2