Manually install Istio

Manually deploy Istio to workload clusters in your Gloo Mesh Enterprise environment.

For a production-level Istio setup, separate your Istio resources across different namespaces for the different personas that need access to the Istio resources. The following diagram depicts the suggested setup for the namespaces and Istio resources.

Figure: Production-level Istio architecture

For more information about these recommended namespaces and the resources that are deployed to them, see Plan namespaces and resource management.

Configuration management

Spreading resources across several namespaces also makes it easier for each persona in your organization to manage the configurations that apply to the workloads they are responsible for. For example, cluster admins can set mesh-wide policies that define defaults and limits across the cluster, while individual microservice owners can still create the configurations and policies necessary for their workloads.

For more information, see Persona-driven configuration management.

Certificate management

In a production-level Gloo Mesh Enterprise setup, you might want to automatically generate, store, and manage the required certificates outside of Gloo Mesh, such as by using Amazon Certificate Manager (ACM). For Istio, you must be able to sign intermediate CA certificates in your Gloo Mesh setup so that each Istio deployment can issue certificates to workload pods in its mesh. For more information, see Certificate management.

Deployment

For production, deploy the Istio Helm charts that declare how to set up the istiod control plane and Istio gateways across your clusters. For the full set of steps on how to deploy the control plane and gateways, see Deploy Istio in production.

Upgrading Istio

To manage the complexity of upgrading Istio and to prevent downtime, the deployment profiles for the control plane and gateways in the installation steps include revisions. When you need to upgrade to a newer Istio version, you can deploy separate Helm releases for the newer control plane and gateway revisions in a canary upgrade model.

For more information, see Upgrading Istio.