Single cluster
Deploy an ambient service mesh with the Solo distribution of Istio.
The Solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. Along with extra support, the Solo distribution of Istio includes numerous features on top of the open source offerings of Istio that you can unlock with three levels of Solo licenses. For example, a license can enable features such as long-term and FIPS support for Istio, observability support with the Gloo Mesh (OSS APIs) management plane and UI, increased support from Solo, and enterprise-level features, such as multicluster ambient mesh support. For more information, check out the Solo distributions of Istio overview.
This guide uses the Gloo Operator to quickly deploy Istio in ambient mode. The Gloo Operator translates minimal Istio configuration into a managed istiod control plane in your cluster for you. The operator reduces both the amount of configuration required to deploy Istio, and the overhead required to manage the lifecycle of Istio resources in your cluster. For more information about ambient mesh or the ambient components that are installed in these steps, see About ambient mesh. For a more advanced ambient mesh installation, see the Helm installation guide.
Before you begin
Create or use an existing Kubernetes or OpenShift cluster, and save the cluster name in an environment variable. Note: The cluster name must be alphanumeric with no special characters except a hyphen (-), lowercase, and begin with a letter (not a number) to follow the Kubernetes DNS label standard.
export CLUSTER_NAME=<cluster_name>
Install the following command-line (CLI) tools.
Save your Solo license key in an environment variable. If you do not already have a license, decide on the level of licensed features that you want, and contact an account representative to obtain the license.
export SOLO_LICENSE_KEY=<license_key>
Install an ambient mesh
Apply the CRDs for the Kubernetes Gateway API to your cluster, which are required to create components such as waypoint proxies for L7 traffic policies, gateways with the Gateway resource, and more.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
Install the Gloo Operator to the gloo-mesh namespace. This operator deploys and manages your Istio installation.
helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \
  --version 0.4.2 \
  -n gloo-mesh \
  --create-namespace \
  --set manager.env.SOLO_ISTIO_LICENSE_KEY=${SOLO_LICENSE_KEY}
Verify that the operator pod is running.
kubectl get pods -n gloo-mesh -l app.kubernetes.io/name=gloo-operator
Example output:
gloo-operator-78d58d5c7b-lzbr5   1/1   Running   0   48s
Apply a ServiceMeshController custom resource with the following Solo distribution of Istio version and ambient data plane mode. The Gloo Operator automatically installs Istio for you.
kubectl apply -n gloo-mesh -f -<<EOF
apiVersion: operator.gloo.solo.io/v1
kind: ServiceMeshController
metadata:
  name: managed-istio
  labels:
    app.kubernetes.io/name: managed-istio
spec:
  dataplaneMode: Ambient
  installNamespace: istio-system
  version: 1.28.1-patch0
EOF
Note that the operator detects your cloud provider and cluster platform, and configures the necessary settings required for that platform for you. For example, if you create an ambient mesh in an OpenShift cluster, no OpenShift-specific settings are required in the ServiceMeshController, because the operator automatically sets the appropriate settings for OpenShift and your specific cloud provider accordingly.
If you set the installNamespace to a namespace other than gloo-system, gloo-mesh, or istio-system, you must include the --set manager.env.WATCH_NAMESPACES=<namespace> setting.
Verify that the components of the Istio control and data plane are successfully installed. Because the ztunnel and the CNI are deployed as daemon sets, the number of ztunnel pods and CNI pods each equal the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-system
Example output:
NAME                          READY   STATUS    RESTARTS   AGE
istio-cni-node-6s5nk          1/1     Running   0          2m53s
istio-cni-node-blpz4          1/1     Running   0          2m53s
istiod-gloo-bb86b959f-msrg7   1/1     Running   0          2m45s
istiod-gloo-bb86b959f-w29cm   1/1     Running   0          3m
ztunnel-mx8nw                 1/1     Running   0          2m52s
ztunnel-w8r6c                 1/1     Running   0          2m52s
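The verification step above can be scripted so that a missing or unready ztunnel or CNI pod on any node fails the check instead of being missed by eye. The following is an added example, not part of the original guide or Solo's tooling; the check_ambient_pods helper name is hypothetical, and the sample table is constructed from the example output above for a two-node cluster.

```shell
#!/bin/sh
# Added example (not Solo's tooling): checks a `kubectl get pods -n istio-system`
# table against the node count, following the daemon set rule in this guide.

# check_ambient_pods NODE_COUNT   (hypothetical helper; reads the pod table on stdin)
# Returns 0 only if ztunnel and istio-cni-node each have NODE_COUNT ready pods,
# at least one istiod pod is ready, and no mesh pod is unready.
check_ambient_pods() {
  awk -v nodes="$1" '
    BEGIN { zt = cni = ctl = bad = 0 }
    $1 == "NAME" { next }                       # skip the header row
    {
      split($2, r, "/")                         # READY column is "ready/total"
      ok = ($3 == "Running" && r[1] == r[2])
      if      ($1 ~ /^ztunnel-/)        { if (ok) zt++;  else bad++ }
      else if ($1 ~ /^istio-cni-node-/) { if (ok) cni++; else bad++ }
      else if ($1 ~ /^istiod-/)         { if (ok) ctl++; else bad++ }
    }
    END {
      n = nodes + 0
      printf "ztunnel=%d istio-cni-node=%d istiod=%d nodes=%d unready=%d\n",
             zt, cni, ctl, n, bad
      exit !(zt == n && cni == n && ctl >= 1 && bad == 0)
    }'
}

# Constructed sample: the example output from this guide (two nodes).
SAMPLE_PODS='NAME                          READY   STATUS    RESTARTS   AGE
istio-cni-node-6s5nk          1/1     Running   0          2m53s
istio-cni-node-blpz4          1/1     Running   0          2m53s
istiod-gloo-bb86b959f-msrg7   1/1     Running   0          2m45s
istiod-gloo-bb86b959f-w29cm   1/1     Running   0          3m
ztunnel-mx8nw                 1/1     Running   0          2m52s
ztunnel-w8r6c                 1/1     Running   0          2m52s'

# Offline demonstration against the sample table.
printf '%s\n' "$SAMPLE_PODS" | check_ambient_pods 2

# Against a live cluster:
#   kubectl get pods -n istio-system | \
#     check_ambient_pods "$(kubectl get nodes --no-headers | wc -l)"
```

A non-zero exit status means that at least one node has no ready ztunnel or CNI pod, or that istiod is not ready.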
Deploy a sample app
If you already deployed apps that you want to include in the mesh, you can run the following command to add all pods in the service namespace to the ambient mesh.
kubectl label ns <namespace> istio.io/dataplane-mode=ambient
If you don’t have any apps yet, you can deploy Bookinfo, the Istio sample app.
Create the bookinfo namespace and label it so that the services become part of the ambient service mesh.
kubectl create ns bookinfo
kubectl label ns bookinfo istio.io/dataplane-mode=ambient
Deploy the Bookinfo app.
# deploy bookinfo application components for all versions
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.28.1/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app'
# deploy an updated product page with extra container utilities such as 'curl' and 'netcat'
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/policy-demo/productpage-with-curl.yaml
# deploy all bookinfo service accounts
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.28.1/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'
Verify that the Bookinfo app deployed successfully.
kubectl get pods,svc -n bookinfo
Optional: Expose apps with an ingress gateway
You can optionally deploy an ingress gateway to send requests to sample apps from outside the service mesh. To review your options, such as deploying Gloo Gateway as an ingress gateway, see the ingress gateway guide for an ambient mesh.
Optional: Analyze your mesh with Gloo UI observability
If you have a Premium or Enterprise Solo license for Gloo Mesh (OSS APIs), you can install the Gloo UI to evaluate the health and efficiency of your service mesh. The Gloo UI provides analysis and insights for your service mesh, such as recommendations to harden your Istio environment and steps to implement them in your environment. Additionally, you can use observability features such as the Gloo UI Graph to visualize the network traffic flows to and within your service mesh.
To get started, deploy the Gloo management plane in your cluster.
Next steps
Now that you have an ambient mesh up and running, check out some of the following resources to learn more and expand your service mesh capabilities.
Istio:
- Find out more about hardened Istio n-4 version support built into Solo distributions of Istio.
- Check out the Ambient Mesh docs to configure and deploy Istio routing resources.
- Monitor and observe your Istio environment with Gloo Mesh’s built-in telemetry tools.
- When it’s time to upgrade Istio, check out the upgrade guide for ambient meshes.
Gloo Mesh (OSS APIs):
- Learn about how you can enhance your Istio setup with Gloo Mesh (OSS APIs).
- Install the Gloo UI to evaluate the health and efficiency of your service mesh.
Help and support:
- Talk to an expert to get advice or build out a proof of concept.
- Join the #gloo-mesh channel in the Solo.io community slack.
- Try out one of the Gloo workshops.
Cleanup
If you no longer need this quick-start ambient mesh environment, you can follow the steps in the uninstall guide.