Experimental: Install Istio by using Gloo Mesh
Streamline the Istio installation process by using Gloo Mesh to install Istio in your remote clusters.
With a Gloo Mesh-managed installation, you no longer need to use istioctl to individually install Istio in each remote cluster. Instead, Gloo Mesh translates your IstioOperator configuration into Istio control planes and resources in your remote clusters for you. Gloo Mesh can currently manage the Istio installation for Istio version 1.8 or greater.
This feature does not currently support upgrading Istio installations or managing existing Istio installations. Until management of the full lifecycle of Istio is supported, do not use this feature in production.
Before you begin
- Install Gloo Mesh Enterprise into a management cluster.
- Register each remote cluster with Gloo Mesh.
Step 1: Prepare the Istio operator
Prepare the IstioOperator resource that you want to use to configure your Istio installations. For example Istio install profiles, see Installing Istio.
Keep in mind the following changes that Gloo Mesh applies to the Istio operator configuration when it is used:
- Revision: A revision based on the specified Istio tag and hub is automatically generated for the Istio operator. For example, if you use version 1.11.4 of the Solo FIPS tag (tag: 1.11.4-solo-fips), a solo-1-11 revision is generated. Note that this generated revision overrides any revision that you specify in the
- Namespace: If you do not specify a namespace, the root namespace for the installed Istio resources in remote clusters is set to
- Cluster name values: In typical Istio operator configuration, you specify the name of the remote cluster in the values.global.multiCluster.clusterName fields. With the Istio installer, you can leave these fields blank, because for each remote cluster, the installer automatically sets these fields to the cluster name that was specified during cluster registration.
- Trust domain: By default, the trustDomain value is automatically set by the installer to the name of each remote cluster. To override the trustDomain for each cluster, you can instead specify the override value in the trustDomain field, and include the value in the list of cluster names when you create the installer resource in step 3. For example, if you specify trustDomain: cluster-1-trust-override in the Istio operator, you then specify the cluster name and the trust domain in the list of cluster names: cluster-1,cluster-1-trust-override. Additionally, because Gloo Mesh requires multiple trust domains for east-west routing, the PILOT_SKIP_VALIDATE_TRUST_DOMAIN field is set to
Step 2: Install the Istio operator with Gloo Mesh
Get the names of the remote clusters that are registered with Gloo Mesh.
kubectl get kubernetescluster -n gloo-mesh --context $MGMT_CONTEXT
NAME        AGE
cluster-1   27s
cluster-2   23s
Create the Gloo Mesh-managed installation resource in your management cluster by using the meshctl command or by creating and applying the
Specify the comma-separated list of registered cluster names and your Istio operator configuration in the following command. For more information, see the meshctl istio install reference documentation.
meshctl istio install --kubecontext $MGMT_CONTEXT --clusters <cluster_list> --file <istio_operator_spec> --name <installation_name>
meshctl istio install --kubecontext $MGMT_CONTEXT --clusters cluster-1,cluster-2 --file operator-1-11-4.yaml --name managed-installation
- Create an IstioInstallation resource and save the file as managed-installation.yaml. Specify the registered cluster names in the spec.clusters section and your Istio operator configuration in the
apiVersion: admin.enterprise.mesh.gloo.solo.io/v1alpha1
kind: IstioInstallation
metadata:
  name: managed-installation
  namespace: gloo-mesh
spec:
  clusters:
  - name: cluster-1
  - name: cluster-2
  istioOperatorSpec:
    profile: minimal
    hub: gcr.io/istio-enterprise
    tag: 1.11.4-solo
    namespace: istio-system
    [...]
- Apply the IstioInstallation resource to your management cluster.
kubectl apply -f managed-installation.yaml --context $MGMT_CONTEXT
Step 3: Verify the Istio installation
In each remote cluster, check the status of the IstioInstallationInstance, which is created with the same name and in the same namespace as the IstioInstallation resource. The Istio installation instance contains the Istio operator configuration and information on the status of the installation.
kubectl get IstioInstallationInstance -n gloo-mesh --context $REMOTE_CONTEXT1
In this example output, the state of the installation is HEALTHY. If there are issues with your installation, the status includes additional details in the message. You can also inspect the logs of the controller and the operator that are listed in the status section.
apiVersion: admin.agent.enterprise.mesh.gloo.solo.io/v1alpha1
kind: IstioInstallationInstance
metadata:
  name: managed-installation
  namespace: gloo-mesh
spec:
  istioOperatorSpec:
    [...]
status:
  state: HEALTHY
  generatedRevision: 1-11
  istioOperator:
    name: gloo-mesh-istio-operator-1-11
    namespace: istio-system-1-11
  istioOperatorController:
    name: istio-operator-1-11
    namespace: gloo-mesh-iop-1-11
In each remote cluster, verify that the Istio resources that you specified in your Istio operator configuration are successfully installing. For example, verify that the Istio control plane pods are running.
kubectl get pods -n istio-system --context $REMOTE_CONTEXT1
NAME                      READY   STATUS    RESTARTS   AGE
istiod-7795ccf9dc-vr4cq   1/1     Running   0          5d22h
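A scripted form of the status check in Step 3, as an added example that is not part of the Gloo Mesh documentation: it reads status.state of the IstioInstallationInstance in each remote context and fails unless every cluster reports HEALTHY. The installation name and namespace default to the page's example values; the contexts you pass in (for example a second $REMOTE_CONTEXT2) are assumptions about your setup.

```shell
#!/bin/sh
# Added example: gate on the IstioInstallationInstance status in every remote cluster.
# Assumptions: name and namespace match the page's example; override via environment.
INSTALL_NAME="${INSTALL_NAME:-managed-installation}"
INSTALL_NS="${INSTALL_NS:-gloo-mesh}"

# Print .status.state of the instance in one remote cluster.
# Prints nothing if the resource is missing or the context is unreachable.
installation_state() {
  kubectl get IstioInstallationInstance "$INSTALL_NAME" -n "$INSTALL_NS" \
    --context "$1" -o jsonpath='{.status.state}' 2>/dev/null
}

# Return 0 only if every context given as an argument reports HEALTHY.
verify_installations() {
  rc=0
  for ctx in "$@"; do
    state=$(installation_state "$ctx") || state=""
    if [ "$state" = "HEALTHY" ]; then
      echo "$ctx: HEALTHY"
    else
      echo "$ctx: ${state:-NOT FOUND}" >&2
      # Dump the full status so the message and the controller/operator
      # names listed there are visible for log inspection.
      kubectl get IstioInstallationInstance "$INSTALL_NAME" -n "$INSTALL_NS" \
        --context "$ctx" -o jsonpath='{.status}' >&2 || true
      echo >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage (contexts are placeholders for your own kubeconfig contexts):
#   verify_installations "$REMOTE_CONTEXT1" "$REMOTE_CONTEXT2"
```

A missing instance counts as a failure, so a cluster that was left out of the cluster list is reported as well.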