Learn about your options for installing Gloo Mesh Gateway in your environment.
Deployment modes
Choose whether you want to deploy Gloo Mesh Gateway in one cluster, or across multiple clusters.
Single cluster
Gloo Mesh Gateway is fully functional when the management plane (management server) and data plane (agent and service mesh) both run within the same cluster. You can easily install both the control and data plane components by using one installation process. If you choose to install the components in separate processes, ensure that you use the same name for the cluster during both processes.
Multicluster
A multicluster Gloo Mesh Gateway setup consists of one management cluster that you install the Gloo management plane (management server) in, and one or more workload clusters that serve as the data plane (agent and service mesh). By running the management plane in a dedicated management cluster, you can ensure that no workload pods consume cluster resources that might impede management processes. Many guides throughout the documentation use one management cluster and two workload clusters as an example setup.
Installation methods
After you decide on a single or multicluster environment, choose whether to use the meshctl CLI or Helm charts to install Gloo Mesh Gateway.
CLI install profiles
Gloo packages profiles in the meshctl CLI for quick Gloo Mesh Gateway installations. Profiles provide basic Helm settings for a minimum installation, and are suitable for testing setups. Because the profiles provide standard setups, they can also be useful starting points for building a customized and robust set of Helm installation values.
In your meshctl install and meshctl cluster register commands, you can specify one or more profiles in the --profile flag. Multiple profiles can be applied in a comma-delimited list, in which merge priority is left to right. Note that any values you specify in --set or --gloo-mesh-agent-chart-values flags have highest merge priority.
The following profiles are supported. You can review the Helm settings in a profile by running the following command.
curl https://storage.googleapis.com/gloo-platform/helm-profiles/2.4.17/<profile>.yaml > profile-values.yaml
You can also check out Gloo Mesh Enterprise-specific profiles in the Gloo Mesh Enterprise setup documentation.
Demo profiles
The following profiles provide “all-in-one” setups that are suitable for demo environments. To set up Gloo Mesh Gateway with these profiles, see the single-cluster or multicluster getting started guides.
Kubernetes
| Profile | Use case | Deployed components |
| --- | --- | --- |
| gloo-gateway-demo | Set up a Gloo Mesh Gateway demo environment in a single-cluster Kubernetes setup. | Gloo management server, Gloo agent, Gloo external auth server, Gloo rate limiting server, Gloo UI, Prometheus, Redis, Gloo OpenTelemetry (OTel) collector agents, managed gateway proxy |
OpenShift
| Profile | Use case | Deployed components |
| --- | --- | --- |
| gloo-gateway-demo-openshift | Set up a Gloo Mesh Gateway demo environment in a single-cluster OpenShift setup. Includes required settings for Istio functionality in OpenShift. | Gloo management server, Gloo agent, Gloo external auth server, Gloo rate limiting server, Gloo UI, Prometheus, Redis, Gloo OTel collector agents, managed gateway proxy |
Standard profiles
The following profiles provide standard setups, which can be useful starting points for building a customized and robust set of Helm installation values. To set up Gloo Mesh Gateway with these profiles, see the get started guides.
Kubernetes
| Profile | Use case | Deployed components |
| --- | --- | --- |
| mgmt-server | Set up the Gloo Mesh Gateway control plane in the management cluster of a multicluster Kubernetes setup. Default profile for meshctl install. | Gloo management server, Gloo UI, Prometheus, Redis, Gloo OpenTelemetry (OTel) gateway |
| agent | Register a workload cluster in a multicluster Kubernetes setup. Default profile for meshctl cluster register. | Gloo agent, Gloo OTel collector agents |
| gloo-gateway-single | Set up all Gloo Mesh Gateway components in a single-cluster Kubernetes setup. | Gloo management server, Gloo agent, Gloo UI, Prometheus, Redis, Gloo OTel collector agents, managed gateway proxy |
OpenShift
| Profile | Use case | Deployed components |
| --- | --- | --- |
| mgmt-server-openshift | Set up the Gloo Mesh Gateway control plane in the management cluster of a multicluster OpenShift setup. Includes required settings for Istio functionality in OpenShift. | Gloo management server, Gloo UI, Prometheus, Redis, Gloo OTel gateway |
| agent-openshift | Register a workload cluster in a multicluster OpenShift setup. Includes required settings for Istio functionality in OpenShift. | Gloo agent, Gloo OpenTelemetry (OTel) collector agents |
| gloo-gateway-single-openshift | Set up all Gloo Mesh Gateway components in a single-cluster OpenShift setup. Includes required settings for Istio proxy functionality in OpenShift. | Gloo management server, Gloo agent, Gloo UI, Prometheus, Redis, Gloo OTel collector agents, managed gateway proxy |
Add-on profiles
The following profiles install Gloo add-ons, which are often used additively with standard profiles. To set up add-ons with these profiles, see the rate limiting and external authentication or portal setup guides.
Kubernetes
| Profile | Use case | Deployed components |
| --- | --- | --- |
| extauth | Use external authentication in a single-cluster setup or in a workload cluster in a multicluster setup. | Gloo external auth server |
| portal | Deploy Gloo Portal in a single-cluster setup or in a workload cluster in a multicluster Kubernetes setup. Uses the local Redis instance as the backing storage. | Gloo Portal server, Gloo external auth server, Gloo rate limiting server |
| ratelimit | Use rate limiting in a single-cluster setup or in a workload cluster in a multicluster setup. | Gloo rate limiting server |
OpenShift
| Profile | Use case | Deployed components |
| --- | --- | --- |
| extauth | Use external authentication in a single-cluster setup or in a workload cluster in a multicluster setup. | Gloo external auth server |
| portal-openshift | Deploy Gloo Portal in a single-cluster setup or in a workload cluster in a multicluster OpenShift setup. Uses the local Redis instance as the backing storage. | Gloo Portal server, Gloo external auth server, Gloo rate limiting server |
| ratelimit | Use rate limiting in a single-cluster setup or in a workload cluster in a multicluster setup. | Gloo rate limiting server |
Helm charts
To extensively customize the settings of your Gloo Mesh Gateway installation, you can use the gloo-platform and gloo-platform-crds Helm charts.
Installation Helm chart
All components for a full Gloo Mesh Gateway installation are available in the gloo-platform Helm chart.
Helm installations allow for extensive customization of Gloo settings, and are suitable for proof-of-concept or production setups. Within the gloo-platform chart, you can find the configuration options for all components in the following sections.
| Component section | Description |
| --- | --- |
| clickhouse | Configuration for the Clickhouse deployment, which stores logs from Gloo telemetry collector agents. See the Bitnami Clickhouse Helm chart for the complete set of values. |
| common | Common values shared across components. When applicable, these can be overridden in specific components. |
| demo | Demo-specific features that improve quick setups. Do not use in production. |
| experimental | Experimental features for Gloo Mesh Gateway. Disabled by default. Do not use in production. |
| extAuthService | Configuration for the Gloo external authentication service. |
| glooAgent | Configuration for the Gloo agent. |
| glooAnalyzer | Configuration for the Gloo analyzer, which gathers data on Gloo and Istio components. |
| glooInsightsEngine | Configuration for the Gloo insights engine, which creates Solo insights. |
| glooMgmtServer | Configuration for the Gloo management server. |
| glooNetwork | Gloo Network agent configuration options. |
| glooPortalServer | Configuration for the Gloo Portal server deployment. |
| glooSpireServer | Configuration for the Gloo Spire server deployment. |
| glooUi | Configuration for the Gloo UI. |
| istioInstallations | Configuration for deploying managed Istio control plane and gateway installations by using the Istio lifecycle manager. The istioInstallations Helm settings can be helpful for simple use cases to set up Istio quickly, such as single cluster Gloo Mesh Gateway demos. Otherwise, in version 2.7 and later, install Istio by using the Gloo Operator or by using Istio Helm charts. |
| jaeger | Configuration for the Gloo Jaeger instance. |
| licensing | Gloo product licenses. |
| postgresql | Configuration for Gloo PostgreSQL instance. |
| prometheus | Helm values for configuring Prometheus. See the Prometheus Helm chart for the complete set of values. |
| rateLimiter | Configuration for the Gloo rate limiting service. |
| redis | Configuration for the default Redis instance. |
| telemetryCollector | Configuration for the Gloo telemetry collector agents. See the OpenTelemetry Helm chart for the complete set of values. |
| telemetryCollectorCustomization | Optional customization for the Gloo telemetry collector agents. |
| telemetryGateway | Configuration for the Gloo telemetry gateway. See the OpenTelemetry Helm chart for the complete set of values. |
| telemetryGatewayCustomization | Optional customization for the Gloo telemetry gateway. |
You can see all possible fields that you can set for the chart by running the following command.
helm show values gloo-platform/gloo-platform --version v2.4.17 > all-values.yaml
For more information about each field, see the Helm values documentation. To set up Gloo Mesh Gateway with Helm, see the advanced installation guide.
CRD Helm chart
All CRDs that are required for a Gloo Mesh Gateway installation are available in the gloo-platform-crds Helm chart. To see all CRD installation options, see the Helm values documentation. If you already installed the chart, you can run kubectl get crds -A | grep gloo.solo.io to see the installed CRDs.
You can install Gloo Mesh Gateway on Kubernetes or OpenShift clusters. For more information about the requirements for clusters on each platform, see the System requirements.
Kubernetes
Gloo Mesh Gateway and Istio are fully supported on Kubernetes clusters. Throughout the installation guides, use installation commands that are labeled for use with Kubernetes.
OpenShift
Gloo Mesh Gateway is fully supported on OpenShift clusters. However, there are some changes you must make to allow Gloo Mesh Gateway and Istio to run on an OpenShift cluster. To make these changes, use commands throughout the installation guides that are labeled for use with OpenShift. For more information about the required changes, see the Istio on OpenShift documentation.
Gloo settings
Dynamic user ID: The pods of all the Gloo components’ deployments must be assigned a dynamic user ID for the Istio sidecar to use. However, this user ID is not permitted in OpenShift by default. In the installation guides, follow the OpenShift commands to use OpenShift-specific install profiles or Helm commands, which include the floatingUserId=true installation setting for each Gloo component.
Istio settings
Helm chart settings: If you install Istio by using the Istio Helm charts, your Helm settings must include profile=openshift.
Service account permissions: For any pods that require an Istio sidecar, such as your workload pods, you must elevate the permissions of the service account for that namespace. For example, in Gloo Mesh Gateway, the ingress gateway proxy requires an Istio sidecar. If you also use Gloo Mesh Enterprise, your workload pods also require sidecars to be included in your service mesh. These elevated permissions allow the pods to make use of a user ID that is normally restricted by OpenShift. In the installation guides, you follow the OpenShift commands to elevate the service account permissions for the Istio projects.
Network attachment definition: The CNI on OpenShift requires a NetworkAttachmentDefinition in each workload project in order to invoke the istio-cni plug-in. For each workload project where you deploy applications in your service mesh, you must create a NetworkAttachmentDefinition resource. For example, in Gloo Mesh Gateway, you must create a NetworkAttachmentDefinition in the ingress gateway namespace.
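The service account and network attachment steps described above, as an added example that is not part of the original documentation or the Gloo project's own scripts. It assumes the anyuid SCC and the resource name istio-cni, as used in the Istio on OpenShift documentation; the project names in the usage comment are hypothetical, and the script only prints what it would do unless DRY_RUN=0 is set.

```sh
#!/bin/sh
# Added example: prepare OpenShift projects for pods that need an Istio sidecar.
# Assumptions (not from the page): the anyuid SCC and the resource name
# "istio-cni", as in the Istio on OpenShift documentation; DRY_RUN=1 by default.
set -eu

# Accept only valid project names (RFC 1123 label) before they reach oc or YAML.
valid_ns() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Group that holds only the service accounts of one project, so the elevated
# permissions are not granted cluster-wide.
scc_group() {
  printf 'system:serviceaccounts:%s' "$1"
}

# NetworkAttachmentDefinition that lets the CNI invoke istio-cni in one project.
render_nad() {
  cat <<EOF
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
  namespace: $1
EOF
}

prepare_project() {
  valid_ns "$1" || { echo "invalid project name: $1" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "# would run: oc adm policy add-scc-to-group anyuid $(scc_group "$1")"
    render_nad "$1"
    echo "---"
  else
    oc adm policy add-scc-to-group anyuid "$(scc_group "$1")"
    render_nad "$1" | oc apply -f -
  fi
}

# Usage (hypothetical project names): ./prepare.sh ingress-gateway-project workload-project
for ns in "$@"; do
  prepare_project "$ns"
done
```

Pass only the projects that actually run sidecar-injected pods, so the relaxed user ID restriction stays limited to the namespaces that need it.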