Gloo Mesh Gateway sets up one management plane, which includes components such as the management server, Gloo UI, external auth, and rate limiting servers. One Gloo agent is deployed to each workload cluster that is registered with the management plane. These Gloo components are shared by licensed Gloo Mesh Core, Gloo Mesh Enterprise, and Gloo Mesh Gateway products that help you secure and manage L3-L7 traffic across your apps. For more information, see Architecture.

Gloo management server and agent

By default, communication between the Gloo management server and agent is secured via mutual TLS in a relay setup. Gloo uses self-signed certificates, but you can provide your own signed certificates and use a certificate manager for production-level security. Each agent runs in a separate cluster that has its own Istio installation.

For more information, see Certificate management.

Gloo UI

Set up authentication and authorization (AuthN/AuthZ) for the Gloo UI by using OpenID Connect (OIDC) and Kubernetes role-based access control (RBAC). The Gloo API server has its own external auth service built in. This way, you can manage external auth for the Gloo UI separately from the external auth that you set up for your apps.

For more information, see Set up external auth for the Gloo UI.

External auth and rate limiting

You can optionally deploy the Gloo external auth and rate limiting servers. Instead of deploying these instances in the same namespace as your management and agent components, create a separate namespace such as gloo-mesh-addons. Then, you can enable Istio injection on that namespace so that communication is secured by mTLS.
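The following script is an added example, not part of the Gloo documentation, that verifies the point above: that the add-ons namespace is labelled for Istio sidecar injection and that every ext-auth and rate-limiting pod in it actually carries the `istio-proxy` sidecar, without which its traffic is not protected by mTLS. It reads the shape of `kubectl get namespace ... -o json` and `kubectl get pods ... -o json` from constructed sample data; the pod names and helper function names are assumptions.

```python
import json

# Namespace labels that make Istio inject the sidecar: the default label
# istio-injection=enabled, or istio.io/rev=<revision> for revisioned installs.
INJECTION_LABEL = "istio-injection"
REVISION_LABEL = "istio.io/rev"
SIDECAR_CONTAINER = "istio-proxy"

def namespace_injection_enabled(namespace_obj):
    """True if the Namespace carries a label that enables sidecar injection."""
    labels = namespace_obj.get("metadata", {}).get("labels") or {}
    if labels.get(INJECTION_LABEL) == "disabled":
        return False
    return labels.get(INJECTION_LABEL) == "enabled" or bool(labels.get(REVISION_LABEL))

def pods_without_sidecar(podlist_obj):
    """Names of pods with no istio-proxy container, i.e. not protected by mTLS."""
    missing = []
    for pod in podlist_obj.get("items", []):
        names = {c.get("name") for c in pod.get("spec", {}).get("containers", [])}
        if SIDECAR_CONTAINER not in names:
            missing.append(pod["metadata"]["name"])
    return missing

def check_addons_namespace(namespace_json, podlist_json):
    """Run both checks over raw `kubectl ... -o json` output."""
    ns = json.loads(namespace_json)
    pods = json.loads(podlist_json)
    return {
        "namespace": ns["metadata"]["name"],
        "injection_enabled": namespace_injection_enabled(ns),
        "pods_without_sidecar": pods_without_sidecar(pods),
    }

# Constructed sample data in the shape of `kubectl get namespace gloo-mesh-addons -o json`
# and `kubectl get pods -n gloo-mesh-addons -o json`. The rate limiter pod was
# created before the namespace was labelled, so it never received a sidecar.
SAMPLE_NAMESPACE = json.dumps({
    "metadata": {"name": "gloo-mesh-addons", "labels": {"istio-injection": "enabled"}}
})
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "ext-auth-service-7d9f"},
     "spec": {"containers": [{"name": "ext-auth-service"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "rate-limiter-5c2a"},
     "spec": {"containers": [{"name": "rate-limiter"}]}},
]})

if __name__ == "__main__":
    print(json.dumps(check_addons_namespace(SAMPLE_NAMESPACE, SAMPLE_PODS), indent=2))
```

A pod that predates the injection label keeps running without a sidecar until it is restarted, which is why the pod-level check is needed in addition to the namespace label.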

The servers store configuration data in a Redis instance that is deployed for you by default. You can also replace the default Redis instance with your own, such as to increase the availability or to use an existing Redis.

For more information, see how to set up rate limiting and external authentication when you install Gloo Mesh Gateway with Helm.

Gloo product versions

Solo periodically updates Gloo to provide new features as well as security updates. You can check the scan results of Gloo container images, such as for compliance reports. Make sure to regularly upgrade your Gloo installation to stay within the supported version policy.

As part of your product license, Solo also provides hardened, n-4 support for Istio, including FIPS-certified images with the latest CVE patches. You can use these images when you install or upgrade Istio.

For more information, see the following topics:

Gloo custom resources

For team access, use Gloo workspaces. Gloo simplifies sharing resources across workspaces with import and export settings. You can even enable federation and service isolation across services at the workspace level. For more information, see Multitenancy with workspaces.

For user access, use Kubernetes RBAC. For more information, see User access.

Gloo metrics and alerts

Use the Gloo operations dashboard to gain insight into the health of Gloo components and get notified about issues in your Gloo environment. For example, receive automatic alerts when the translation or reconciliation time of the Gloo management server is too high, or when errors occur during the translation of Gloo resources.