Gloo Mesh (OSS APIs) deploys alongside your Istio environment in single or multicluster environments, and can discover existing Istio installations across clusters and infrastructure providers. The Gloo management plane provides visibility into your Istio environment in one or multiple clusters, such as built-in advanced observability tools, and a Gloo UI that gives you an at-a-glance view of the configuration, health, and compliance status of your Gloo Mesh (OSS APIs) setup and the workloads in your cluster. Gloo Mesh (OSS APIs) also comes with an insights engine that automatically analyzes your Istio setup for health, security, and resiliency issues. Then, Gloo shares these issues along with recommendations to harden your Istio setup in a custom dashboard. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For more information about these components, see Architecture.

Gloo Mesh (OSS APIs) works with community Istio out of the box, but Gloo Mesh (OSS APIs) includes more than tooling to complement an existing Istio installation. You can also replace community Istio with Solo’s hardened Istio images. The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. For more information, see Solo distributions of Istio.

Enterprise support

When you use the Solo distribution of Istio to deploy ambient or sidecar service meshes, you can also provide your Gloo Mesh (OSS APIs) license.

The Solo distribution of Istio includes numerous features that you can unlock with three levels of Solo licenses. If you provide a -solo tagged image of Istio version 1.25 or later and your Solo license in your Istio installation values, your Istio installation is automatically enabled with the features provided by your license.

  • Basic features are unlocked with a Basic license. These standard features provide you with long-term and FIPS support for Istio on top of the open source offerings of Istio.
  • Premium features are unlocked with a Premium license (sometimes called a Gloo Mesh (OSS APIs) license). In addition to all Basic features, a Premium license unlocks better environment visibility and analysis with the Gloo management plane, and increased Solo support.
  • Enterprise features are unlocked with an Enterprise license (sometimes called a Gloo Mesh (OSS APIs) Enterprise license). In addition to all Basic and Premium features, an Enterprise license unlocks the most comprehensive enterprise-level features to help you build out your ideal, customized mesh setup.

If you do not already have a Basic, Premium, or Enterprise license, you can contact an account representative to obtain one. Note that if you use a Premium or Enterprise license to install Istio, you can also use the same license to install the Gloo management plane for better visibility and insights into your environment.

To review the features that each license level supports, see the Istio support plans comparison on Solo.io.

Lifecycle management

As a service mesh, Istio solves connectivity challenges that arise with microservice architectures. Many microservices can mean many ingress and egress points. In regulated and secured environments, you might need many ingress and egress gateways. Even further, microservices are split not only into many apps, but often across many clusters, which requires complex multicluster configuration as well.

Gloo Mesh (OSS APIs) simplifies lifecycle management activities with three automation systems: Istio installation and upgrades, waypoint deployment, and multicluster peering (beta).

Istio installation

Gloo Mesh (OSS APIs) supports full service mesh lifecycle management with the Gloo Operator. With Gloo Operator, you no longer need to manually install and manage the istiod control plane, Istio CNI, ztunnels, and more. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into managed installations of all necessary Istio components in your cluster for you. The operator can even detect your cluster platform, and set the appropriate fields required for that platform. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.

To get started, see the Gloo Operator installation guides for ambient or sidecar service meshes.

Waypoint deployment

If you deploy an ambient mesh and require waypoint proxies to apply Layer 7 policies, you can use versions 1.25 and later of the Solo distribution of Istio to automate the waypoint deployment. Instead of manually creating a waypoint proxy resource and then labeling a namespace, service, or service entry to use that waypoint, you can simply label the namespace, service, or service entry with istio.io/use-waypoint=auto. Istiod automatically creates the appropriate waypoint and applies it to your target resource.

Note that this automation currently only creates waypoints with the istio-waypoint Gateway class. For more information, see About waypoints.

Automated multicluster peering (beta)

In multicluster setups, you can configure Gloo Mesh (OSS APIs) to automate multicluster mesh peering by including the --set featureGates.ConfigDistribution=true setting in your management plane installation. Then, you use the istioctl multicluster expose command included in the Solo distribution of Istio to quickly create east-west gateways. The Gloo management plane watches for these east-west gateways, and generates one istio-remote resource in the management cluster for each connected workload cluster. Gloo Mesh (OSS APIs) then distributes these istio-remote gateways to each cluster. These gateways use the istio-remote GatewayClass, which allows the istiod control plane in each cluster to discover the east-west gateway addresses of other clusters.

Note that because the istio-remote resource requirement for automated peering is lightweight, scaling automated peering up to multiple clusters has little impact on performance. When you add a cluster to the multicluster setup, Gloo Mesh (OSS APIs) must only distribute one additional istio-remote resource to each existing cluster, and distribute the existing istio-remote resources to the new cluster.

To get started, follow the Gloo Operator guides to install an ambient or sidecar multicluster mesh.

Operational observability

Gloo Mesh (OSS APIs) uses the OpenTelemetry (OTel) project to collect telemetry data from many sources in your clusters. Some of these sources, such as Grafana and Prometheus, are built in to monitor your Gloo environment and the apps in your cluster. You might have other existing sources, too. With OTel, you can set up pipelines for these sources as needed, so that you have all your telemetry data in a single place.

The Gloo UI shows these observability details in a single pane of glass, as shown in the following figure. For more information, see Telemetry.

Figure: Operational dashboard

Insights

Gloo Mesh (OSS APIs) comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For example, insights can help you identify:

  • Sidecars that are orphaned from istiod but otherwise reflect a healthy, running status
  • Istio CRDs that are missing
  • Gateways or virtual services that are not scoped, which can lead to unpredictable routing behavior
  • Opportunities to trim the Envoy proxy config to reduce overload
  • Opportunities to tune istiod performance such as to improve push times and decrease throttling
  • Annotations that bypass sidecars or iptable rules
  • Non-ordered containers that cause race conditions with sidecars
  • Better egress controls
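
The following added example is not the Gloo insights engine; it is a small stand-alone check in the spirit of two of the insight categories above (annotations that bypass the sidecar or its iptables rules, and containers that are not ordered behind the sidecar), run over constructed pod specs shaped like the items that kubectl get pods -o json returns. The Istio annotation names are real; the pod names and namespace are invented.

```python
import re

# Istio annotations that disable injection or narrow the sidecar's traffic capture.
BYPASS_ANNOTATIONS = {
    "sidecar.istio.io/inject",  # "false" disables the sidecar entirely
    "traffic.sidecar.istio.io/excludeInboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundIPRanges",
    "traffic.sidecar.istio.io/includeOutboundIPRanges",
}

def check_pod(pod):
    """Return a list of (severity, message) findings for one pod dict."""
    meta = pod.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    ann = meta.get("annotations") or {}
    findings = []
    for key in sorted(BYPASS_ANNOTATIONS & ann.keys()):
        if key == "sidecar.istio.io/inject" and ann[key] != "false":
            continue  # inject=true is the normal case, not a bypass
        findings.append(("warn", f"{name}: {key}={ann[key]} bypasses sidecar traffic capture"))
    spec = pod.get("spec", {})
    names = [c.get("name") for c in spec.get("containers", [])]
    init_names = [c.get("name") for c in spec.get("initContainers", [])]
    # A native-sidecar proxy (in initContainers) always starts before the app, so
    # only a regular istio-proxy container can race the app containers.
    if "istio-proxy" in names and "istio-proxy" not in init_names:
        hold = re.search(r"holdApplicationUntilProxyStarts:\s*true",
                         ann.get("proxy.istio.io/config", ""))
        if names.index("istio-proxy") != 0 and not hold:
            findings.append(("info", f"{name}: app containers start before istio-proxy "
                                     "and holdApplicationUntilProxyStarts is not set"))
    return findings

def scan(pods):
    """Flatten findings over a list of pod dicts (e.g. the 'items' of kubectl's JSON)."""
    return [f for p in pods for f in check_pod(p)]

# Constructed sample pods: one with a bypass and a proxy race, one clean, one opted out.
SAMPLE_PODS = [
    {"metadata": {"name": "checkout", "namespace": "shop",
                  "annotations": {"traffic.sidecar.istio.io/excludeOutboundPorts": "5432"}},
     "spec": {"containers": [{"name": "app"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "cart", "namespace": "shop",
                  "annotations": {"proxy.istio.io/config": "holdApplicationUntilProxyStarts: true"}},
     "spec": {"containers": [{"name": "istio-proxy"}, {"name": "app"}]}},
    {"metadata": {"name": "legacy", "namespace": "shop",
                  "annotations": {"sidecar.istio.io/inject": "false"}},
     "spec": {"containers": [{"name": "app"}]}},
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_PODS):
        print(severity, message)
```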

In the following figure, an example insight warns that an AuthorizationPolicy is not enforced. For more information, see Insights.

Figure: Example insight