Gloo Mesh dashboard
When you install Gloo Mesh Enterprise, it includes the Gloo Mesh dashboard service by default. The service provides a visual dashboard into the health and configuration of Gloo Mesh and registered clusters.
In this guide, you will learn how to connect to the Gloo Mesh dashboard and the basic layout of the portal’s contents.
About the Gloo Mesh dashboard
The Gloo Mesh dashboard runs on a pod in the Gloo Mesh Enterprise deployment and is exposed as a service. By default, it does not have any authentication applied, so anyone with access to the Gloo Mesh dashboard can view the configuration and resources managed by Gloo Mesh. That bears repeating:
Access to the Gloo Mesh dashboard should be restricted to only those who need to administer Gloo Mesh. The dashboard service is of the type ClusterIP, so it is not exposed outside of the cluster.
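One way to check the two conditions this restriction depends on, as an added example that is not part of the original guide: that the service is still of type ClusterIP, and which users are allowed to port-forward into the namespace. The subject names passed on the command line are placeholders, and the script assumes the namespace gloo-mesh and service name dashboard used in this guide.

```shell
#!/bin/sh
# Added example: audit who can reach the Gloo Mesh dashboard.
# NS and SVC default to the namespace and service name used in this guide.
NS="${NS:-gloo-mesh}"
SVC="${SVC:-dashboard}"

# Succeeds only when the dashboard service is still of type ClusterIP,
# i.e. nobody has switched it to NodePort or LoadBalancer.
service_is_internal() {
  svc_type=$(kubectl get svc "$SVC" -n "$NS" -o jsonpath='{.spec.type}') || return 2
  [ "$svc_type" = "ClusterIP" ]
}

# Prints every subject given as an argument that is allowed to port-forward
# to pods in $NS. kubectl auth can-i exits non-zero when the answer is "no".
# --as needs impersonation rights for the caller; without them every subject
# is reported as "no", so run this as a cluster administrator.
who_can_port_forward() {
  for subject in "$@"; do
    if kubectl auth can-i create pods/portforward -n "$NS" \
        --as "$subject" >/dev/null 2>&1; then
      printf '%s\n' "$subject"
    fi
  done
}

# Usage: sh audit-dashboard.sh alice@example.com bob@example.com
# (the subject names are placeholders for users in your cluster)
if [ "$#" -gt 0 ]; then
  if service_is_internal; then
    echo "OK: svc/$SVC is ClusterIP"
  else
    echo "WARNING: svc/$SVC is not ClusterIP or could not be read"
  fi
  echo "Subjects able to port-forward in $NS:"
  who_can_port_forward "$@"
fi
```

Any subject the script prints can open the unauthenticated dashboard through a port-forward, so that list should match the set of Gloo Mesh administrators.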
Connecting to the Gloo Mesh dashboard
The Gloo Mesh dashboard is served from the dashboard service on port 8090. You can connect using the meshctl dashboard command or by using the port-forward feature of kubectl. For this guide we will use port-forwarding. The following command assumes that you have deployed Gloo Mesh to the namespace gloo-mesh. From a command prompt, run the following to set up port-forwarding for the dashboard service.
kubectl port-forward -n gloo-mesh svc/dashboard 8090:8090
Once the port-forwarding starts, you can open your browser and connect to http://localhost:8090 to reach the dashboard.
Now that you’re connected, let’s explore the UI.
Exploring the Gloo Mesh dashboard
The main page of the dashboard starts with an Overview of the resources under management of Gloo Mesh, such as Clusters, Workloads, and Destinations.
Across the top of the page is a navigation bar with five options.
- Overview: Provides a high-level overview of Gloo Mesh
- Meshes: Displays service meshes being managed by Gloo Mesh
- Policies: Displays defined traffic and access policies for Gloo Mesh
- Wasm: Displays WASM deployments being managed by Gloo Mesh
- Debug: Displays full configurations for service meshes
There is also a small gear to the right of the navigation elements, which will take you to the Admin area.
From there you are able to view clusters and Role-based access configurations.
The purpose of the Gloo Mesh dashboard is to view the status of Gloo Mesh and managed resources. It is not possible to make changes to resources or the configuration. Clicking on the Register a Cluster button simply provides you with directions on using meshctl to register a cluster.
The Meshes area provides a view of virtual meshes and each service mesh that is not part of a virtual mesh. You can view the health of each mesh, as well as information about Destinations, workloads, failovers, and more.
Clicking on a details link will provide in-depth information about each category associated with the mesh, and allows you to further drill down and view the configuration and associated resources for each element.
By clicking on one of the Destinations in the list, we can see more information about the target's configuration, policies, and any associated workloads.
The Policies area allows us to explore the configured policy rules that have been created, and quickly assess what workloads, Destinations, and meshes they are associated with.
We can view additional detail about a policy rule by clicking on it.
The Debug section allows you to view and download the full configuration of any virtual meshes, as well as view details of each service mesh Gloo Mesh is aware of.
You can use this view to quickly ascertain information about a particular mesh or to capture the current configuration of a virtual mesh.
Securing the Gloo Mesh dashboard
The Gloo Mesh dashboard supports OpenID Connect (OIDC) authentication from common providers such as Google, Okta, and Auth0.
You can configure OIDC authentication for the dashboard by providing your OIDC provider details in an oidc.yaml values file, such as the following example YAML file. For more information about customizing these dashboard settings and steps to update, see Modifying Helm chart values.
licenseKey: # License key
gloo-mesh-ui:
  enabled: true
  dashboard:
    enabled: true
  auth:
    enabled: true
    backend: oidc
    oidc:
      clientId: # From the OIDC provider
      clientSecret: # From the OIDC provider (will be stored in secret)
      clientSecretRef:
        name: dashboard
        namespace: gloo-mesh
      issuerUrl: # The issuer URL from the OIDC provider, usually something like https://<domain>.<provider url>/
      appUrl: # URL the dashboard is available at. This will be from DNS and other ingress settings that expose the dashboard service.
You can then install Gloo Mesh Enterprise with the values file, or upgrade an existing Gloo Mesh installation by running the following command.
helm upgrade -f oidc.yaml gloo-mesh-enterprise gloo-mesh-enterprise/gloo-mesh-enterprise --namespace gloo-mesh [--install]
Storing Sessions in Redis
By default, sessions are persisted in encrypted browser cookies. If the ID tokens that the OIDC provider returns are too large to be stored in cookies, the dashboard can be configured to store them in a Redis instance instead. The dashboard Helm chart can optionally deploy a Redis instance, or you can use your own Redis deployment. Incorporate the following values into the values file created in the previous section to use Redis as the session backend.
gloo-mesh-ui:
  redis:
    enabled: true # Enables the included Redis deployment. Set to false or omit to use a custom Redis instance.
  auth:
    oidc:
      session:
        backend: redis
        redis:
          host: redis-dashboard.gloo-mesh.svc.cluster.local:6379 # Points at the included Redis, can be changed as needed.
If your Gloo Mesh dashboard is looking a bit sparse, now might be a good time to walk through the Istio installation or traffic policy guides.