Proto: gateway_lifecycle_manager.proto

Package: admin.gloo.solo.io

Use Gloo Platform to install Istio ingress, egress, and east-west gateways in your workload clusters, as part of the Istio lifecycle management. In your GatewayLifecycleManager resource, you provide gateway settings in an IstioOperator configuration. When you create the GatewayLifecycleManager in your management cluster, Gloo translates the configuration into gateways in your registered workload clusters for you.

For more information, see the Install Istio by using the Istio Lifecycle Manager guide.

Examples:

East-west: This example creates an east-west gateway named istio-eastwestgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION). Note that for advanced east-west traffic routing across multiple clusters, you need a Gloo Mesh Enterprise license.

  apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-eastwestgateway
  namespace: gloo-mesh
spec:
  installations:
  # The revision for this installation
  - gatewayRevision: $REVISION
    # List all workload clusters to install Istio into
    clusters:
    - name: $REMOTE_CLUSTER1
      # If set to true, the spec for this revision is applied in the cluster
      activeGateway: true
    - name: $REMOTE_CLUSTER2
      activeGateway: true
    istioOperatorSpec:
      # No control plane components are installed
      profile: empty
      # Solo.io Istio distribution repository; required for the Solo distribution of Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # The Solo.io Gloo Istio version
      tag: $ISTIO_IMAGE
      components:
        ingressGateways:
        # Enable the default east-west gateway
        - name: istio-eastwestgateway
          # Deployed to gloo-mesh-gateways by default
          namespace: gloo-mesh-gateways
          enabled: true
          label:
            # Set a unique label for the gateway. This is required to
            # ensure Gateways can select this workload.
            istio: eastwestgateway
            app: istio-eastwestgateway
          k8s:
            env:
              # 'sni-dnat' enables AUTO_PASSTHROUGH mode for east-west communication through the gateway.
              # The default value ('standard') does not set up a passthrough cluster.
              # Required for multi-cluster communication and to preserve SNI.
              - name: ISTIO_META_ROUTER_MODE
                value: "sni-dnat"
            service:
              type: LoadBalancer
              selector:
                istio: eastwestgateway
              # Default ports
              ports:
                # Port for health checks on path /healthz/ready.
                # For AWS ELBs, this port must be listed first.
                - name: status-port
                  port: 15021
                  targetPort: 15021
                # Port for multicluster mTLS passthrough
                # Gloo looks for this default name 'tls' on a gateway
                # Required for Gloo east/west routing
                - name: tls
                  port: 15443
                  targetPort: 15443
  

Ingress: This example creates an ingress gateway named istio-ingressgateway in the gloo-mesh-gateways namespace of two workload clusters ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION). Note that for advanced ingress routing features such as AWS Lambda, Portal, or ingress-specific policies, you need a Gloo Mesh Gateway license.

  apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-ingressgateway
  namespace: gloo-mesh
spec:
  installations:
  # The revision for this installation
  - gatewayRevision: $REVISION
    # List all workload clusters to install Istio into
    clusters:
    - name: $REMOTE_CLUSTER1
      # If set to true, the spec for this revision is applied in the cluster
      activeGateway: true
    - name: $REMOTE_CLUSTER2
      activeGateway: true
    istioOperatorSpec:
      # No control plane components are installed
      profile: empty
      # Solo.io Istio distribution repository; required for the Solo distribution of Istio.
      # You get the repo key from your Solo Account Representative.
      hub: $REPO
      # Any tag for the Solo distribution of Istio
      tag: $ISTIO_IMAGE
      components:
        ingressGateways:
        # Enable the default ingress gateway
        - name: istio-ingressgateway
          # Deployed to gloo-mesh-gateways by default
          namespace: gloo-mesh-gateways
          enabled: true
          label:
            # Set a unique label for the gateway. This is required to
            # ensure Gateways can select this workload
            istio: ingressgateway
            app: istio-ingressgateway
          k8s:
            service:
              type: LoadBalancer
              selector:
                istio: ingressgateway
              # Default ports
              ports:
                # Port for health checks on path /healthz/ready.
                # For AWS ELBs, this port must be listed first.
                - name: status-port
                  port: 15021
                  targetPort: 15021
                # Main HTTP ingress port
                - name: http2
                  port: 80
                  targetPort: 8080
                # Main HTTPS ingress port
                - name: https
                  port: 443
                  targetPort: 8443
                - name: tls
                  port: 15443
                  targetPort: 15443
  

Egress: This example creates an egress gateway named istio-egressgateway in the gloo-mesh-gateways namespace of two workload clusters, ($REMOTE_CLUSTER1 and $REMOTE_CLUSTER2). You supply the repo key for the Solo distribution of Istio (hub: $REPO), image tag (tag: $ISTIO_IMAGE), and revision (revision: $REVISION). For more information, see the Block egress traffic with an egress gateway guide.

  apiVersion: admin.gloo.solo.io/v2
kind: GatewayLifecycleManager
metadata:
  name: istio-egressgateway
  namespace: gloo-mesh
spec:
  installations:
      # The revision for this installation
    - gatewayRevision: $REVISION
      # List all workload clusters to install Istio into
      clusters:
      - name: $REMOTE_CLUSTER1
        # If set to true, the spec for this revision is applied in the cluster
        activeGateway: true
      - name: $REMOTE_CLUSTER2
        activeGateway: true
      istioOperatorSpec:
        # No control plane components are installed
        profile: minimal
        # Solo.io Istio distribution repository; required for Gloo Istio.
        # You get the repo key from your Solo Account Representative.
        hub: $REPO
        # The Solo.io Gloo Istio version
        tag: $ISTIO_IMAGE
        meshConfig:
          outboundTrafficPolicy:
            mode: REGISTRY_ONLY
            # Enable access logs
          accessLogFile: /dev/stdout
          defaultConfig:
            proxyMetadata:
              # For known hosts, enable the Istio agent to handle DNS requests
              # for any custom ServiceEntry, such as non-Kubernetes services.
              # Unknown hosts are automatically resolved using upstream DNS
              # servers in resolv.conf (for proxy-dns)
              ISTIO_META_DNS_CAPTURE: "true"
        components:
          egressGateways:
          # Enable the egress gateway
            - name: istio-egressgateway
              # Deployed to gloo-mesh-gateways by default
              namespace: gloo-mesh-gateways
              enabled: true
              label:
                # Set a unique label for the gateway. This is required to
                # ensure Gateways can select this workload.
                istio: egressgateway
                app: istio-egressgateway
                traffic: egress
              k8s:
                affinity:
                   nodeAffinity:
                     requiredDuringSchedulingIgnoredDuringExecution:
                       nodeSelectorTerms:
                         - matchExpressions:
                             - key: kubernetes.io/arch
                               operator: In
                               values:
                                 - arm64
                                 - amd64
                env:
                  # 'sni-dnat' enables AUTO_PASSTHROUGH mode for east-west communication through the gateway.
                  # The default value ('standard') does not set up a passthrough cluster.
                  # Required for multi-cluster communication and to preserve SNI.
                  - name: ISTIO_META_ROUTER_MODE
                    value: "sni-dnat"
                  - name: AUTO_RELOAD_PLUGIN_CERTS
                    value: "true"
                podAnnotations:
                  proxy.istio.io/config: |
                    proxyStatsMatcher:
                      inclusionRegexps:
                      - .*ext_authz.*
                service:
                  type: LoadBalancer
                  selector:
                    istio: egressgateway
                  # Default ports
                  ports:
                    # Port for health checks on path /healthz/ready.
                    # For AWS ELBs, this port must be listed first.
                    - port: 15021
                      targetPort: 15021
                      name: status-port
                    # Port for multicluster mTLS passthrough
                    # Required for Gloo egress routing
                    - port: 15443
                      targetPort: 15443
                      # Gloo looks for this default name 'tls' on a gateway
                      name: tls
                    # Required for Istio mutual TLS
                    - port: 443
                      targetPort: 8443
                      name: https
  

Types:

GatewayClusterSelector

Clusters to install the Istio gateways in.

FieldDescription
name(string)

Name of the cluster to install the gateway into. Must match the name of the cluster that you used when you registered the cluster with Gloo.
activeGateway(bool)

Optional: Defaults to false. When set to true, the gateway installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the upgrade docs.
trustDomain(string)

Optional: By default, the trustDomain value in the meshConfig section of the operator spec is automatically set by the Gloo to the name of each workload cluster. To override the trustDomain for each cluster, you can instead specify the override value by using this trustDomain field, and include the value in the list of cluster names. For example, if you specify meshConfig.trustDomain: cluster1-trust-override in your operator spec, you then specify both the cluster name (name: cluster1) and the trust domain (trustDomain: cluster1-trust-override) in this installations.clusters section. Additionally, because Gloo requires multiple trust domains for east-west routing, the PILOT_SKIP_VALIDATE_TRUST_DOMAIN field is set to "true" by default. For more info, see the Istio documentation.

GatewayInstallation

List of Istio gateway installations. Any components that are not related to the gateway are ignored. You can provide only one type of gateway installation per revision in a cluster. For example, in a workload cluster cluster2, you can install only one east-west gateway that runs revision 1-19-5.

FieldDescription
controlPlaneRevision(string)

Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created.
gatewayRevision(string)

Istio revision for this gateway installation. When set to auto, Gloo installs the gateway with the default supported version of the Solo distribution of Istio.
clusters(repeated GatewayClusterSelector)

Clusters to install the Istio gateways in.
istioOperatorSpec(common.gloo.solo.io.IstioOperatorSpec)

IstioOperator specification for the gateway. For more info, see the Istio documentation.
skipUpgradeValidation(bool)

When set to true, the lifecycle manager allows you to perform in-place upgrades by skipping checks that are required for canary upgrades. In production environments, canary upgrades are recommended for updating the minor version. To update the patch version or make configuration changes within the same version, you can use in-place upgrades. Be sure to test in-place upgrades in development or staging environments first.

GatewayLifecycleManagerSpec

Specifications for the GatewayLifecycleManager resource.

FieldDescription
installations(repeated GatewayInstallation)

List of Istio gateway installations.
helmGlobal(common.gloo.solo.io.IstioLifecycleHelmGlobals)

Optional default configuration applicable to all installations

GatewayLifecycleManagerStatus

The status of the GatewayLifecycleManager resource after you apply it to your Gloo environment.

FieldDescription
clusters(repeated GatewayLifecycleManagerStatus.ClustersEntry)

The list of clusters where Gloo manages Istio gateway installations.

GatewayLifecycleManagerStatus.ClusterStatuses

The list of clusters where Gloo manages Istio gateway installations.

FieldDescription
installations(repeated GatewayLifecycleManagerStatus.ClusterStatuses.InstallationsEntry)

The Istio gateway installations in the cluster, listed by revision.

GatewayLifecycleManagerStatus.ClusterStatuses.InstallationStatus

The status of the gateway installation.

FieldDescription
state(GatewayLifecycleManagerStatus.ClusterStatuses.InstallationStatus.State)

The current state of the gateway installation.
message(string)

A human-readable message about the current state of the installation.
observedRevision(string)

The observed revision of the gateway installation.
observedOperator(common.gloo.solo.io.IstioOperatorSpec)

The IstioOperator spec that is currently deployed for this revision.

GatewayLifecycleManagerStatus.ClusterStatuses.InstallationsEntry

FieldDescription
key(string)

value(GatewayLifecycleManagerStatus.ClusterStatuses.InstallationStatus)

GatewayLifecycleManagerStatus.ClustersEntry

FieldDescription
key(string)

value(GatewayLifecycleManagerStatus.ClusterStatuses)

GatewayLifecycleManagerStatus.ClusterStatuses.InstallationStatus.State

The current state of the gateway installation.

NameNumberDescription
PENDING0Waiting for resources to be installed or updated.
FAILED1The Gloo management server encountered a problem while attempting to install the gateway.
NO_CONTROL_PLANE_AVAILABLE2Could not select a istiod control plane.
INSTALLING_GATEWAY3The gateway is currently being installed.
HEALTHY4All Istio components for the gateway are successfully installed and healthy.
UNHEALTHY5The gateway installation is no longer healthy.
ACTION_REQUIRED6The gateway IstioOperator resource is in an ‘ACTION_REQUIRED’ state. Check the logs of the IstioOperator deployment for more info.
UPDATING_GATEWAY7The gateway IstioOperator resource is in an ‘UPDATING’ state.
RECONCILING_GATEWAY8The gateway IstioOperator resource is in a ‘RECONCILING’ state.
UNKNOWN9The gateway installation state could not be determined.
UNINSTALLING_GATEWAY10The gateway is currently being uninstalled.
UNINSTALLED_GATEWAY11The gateway is uninstalled.