Overview
Learn about the Solo Enterprise for Istio management plane and how it enhances your Istio environment.
Solo Enterprise for Istio deploys alongside your Istio environment in single or multicluster environments, and can discover existing Istio installations across clusters and infrastructure providers. The management plane works with both ambient and sidecar service meshes, whether you use community Istio images or Solo distributions of Istio.
What is the management plane?
The Solo Enterprise for Istio management plane is an optional set of components you deploy to gain enhanced observability, lifecycle management, and insights into your Istio environment. The management plane includes:
- Management server: Receives and stores snapshots of resources from agents in registered clusters
- Solo UI: Provides an at-a-glance view of configuration, health, and compliance status
- Agents: Deployed to each registered cluster to send resource snapshots to the management server
- Telemetry pipeline: OpenTelemetry collectors and gateway for metrics collection
- Insights engine: Automatically analyzes your Istio setup for health, security, and resiliency issues
For detailed component architecture, see Architecture and Multicluster relay architecture.
Lifecycle management
Solo Enterprise for Istio provides several features to simplify, automate, and manage the lifecycle of your Istio installation.
Istio installation
Solo Enterprise for Istio supports full service mesh lifecycle management with the Gloo Operator. With Gloo Operator, you no longer need to manually install and manage the istiod control plane, Istio CNI, ztunnels, and more. Instead, you provide minimal Istio configuration to the operator in a ServiceMeshController custom resource, and the operator translates this configuration into managed installations of all necessary Istio components in your cluster for you. The operator can even detect your cluster platform, and set the appropriate fields required for that platform. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster.
To get started, see the Gloo Operator installation guides for ambient or sidecar service meshes.
Waypoint deployment
If you deploy an ambient mesh and require waypoint proxies to apply Layer 7 policies, you can use versions 1.25 and later of the Solo distribution of Istio to automate the waypoint deployment. Instead of manually creating a waypoint proxy resource, and then labeling a namespace, service, or service entry to use that waypoint, you can simply label the namespace, service, or service entry with istio.io/use-waypoint=auto. Istiod automatically creates the appropriate waypoint and applies it to your target resource.
Note that this automation currently only creates waypoints with the istio-waypoint Gateway class. For more information, see About waypoints.
Automated multicluster peering (beta)
Automated multicluster peering is a beta feature. Do not use this feature in production deployments. For more information, see Solo feature maturity.
Multicluster mesh capabilities require an Enterprise level license for Solo Enterprise for Istio. If you do not have one, contact an account representative.Automated peering requires Istio to be installed in the same cluster that the Gloo management plane is deployed to.
In multicluster setups, you can configure Solo Enterprise for Istio to automate multicluster mesh peering by including the --set featureGates.ConfigDistribution=true setting in your management plane installation. Then, you use the istioctl multicluster expose command included in the Solo distribution of Istio to quickly create east-west gateways. The Gloo management plane watches for these east-west gateways, and generates one istio-remote resource in the management cluster for each connected workload cluster. Solo Enterprise for Istio then distributes the gateway to each cluster respectively. These gateways use the istio-remote GatewayClass, which allows the istiod control plane in each cluster to discover the east-west gateway addresses of other clusters.
Note that because the istio-remote resource requirement for automated peering is lightweight, scaling automated peering up to multiple clusters has little impact on performance. When you add a cluster to the multicluster setup, Solo Enterprise for Istio must only distribute one additional istio-remote resource to each existing cluster, and distribute the existing istio-remote resources to the new cluster.
To get started, follow the Gloo Operator guides to install an ambient or sidecar multicluster mesh.
Operational observability
The Solo Enterprise for Istio management plane uses the OpenTelemetry (OTel) project to collect telemetry data from many sources in your clusters. Some of these sources, such as Prometheus, are built in to monitor your Solo Enterprise for Istio installation and the apps in your mesh. You might have other existing sources, too. With OTel, you can set up pipelines for these sources as needed, so that you have all your telemetry data in a single place.
The Solo UI shows these observability details in a single pane of glass, as shown in the following figure. For more information, see Telemetry.
Insights
Solo Enterprise for Istio comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment. For example, insights can help you identify:
- Sidecars that are orphaned from istiod but otherwise reflect a healthy, running status
- Istio CRDs that are missing
- Gateways or virtual services that are not scoped, which can lead to unpredictable routing behavior
- Opportunities to trim the Envoy proxy config to reduce overload
- Opportunities to tune istiod performance such as to improve push times and decrease throttling
- Annotations that bypass sidecars or iptable rules
- Non-ordered containers that cause race conditions with sidecars
- Better egress controls
In the following figure, an example insight warns that an AuthorizationPolicy is not enforced. For more information, see Insights.
When to use the management plane
Deploy the management plane when you want:
- Enhanced observability: Centralized view of your Istio environment across single or multiple clusters
- Automated insights: Proactive identification of health, security, and resiliency issues
- Simplified lifecycle management: Operator-based Istio installation and upgrades
- Multicluster management: Unified management server for registered workload clusters
The management plane is optional and works with any Istio installation, whether you use community Istio or Solo distributions of Istio.