Single cluster
Deploy Gloo Mesh to gain valuable insights into your Istio service mesh.
Gloo Mesh deploys alongside your Istio installation in a single-cluster environment, and gives you instant insights into your Istio service mesh through a custom dashboard. You can follow this guide to quickly get started with Gloo Mesh. To learn more about the benefits and architecture, see About. To customize your installation with Helm instead, see the advanced installation guide.
Before you begin
Install the following command-line (CLI) tools.
kubectl, the Kubernetes command line tool. Download thekubectlversion that is within one minor version of the Kubernetes clusters you plan to use.meshctl, the Solo command line tool.curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v2.8.0-rc1 sh - export PATH=$HOME/.gloo-mesh/bin:$PATHhelm, the Kubernetes package manager.
Create or use an existing Kubernetes cluster, and save the cluster name in an environment variable. Note: The cluster name must be alphanumeric with no special characters except a hyphen (-), lowercase, and begin with a letter (not a number).
export CLUSTER_NAME=<cluster_name>Set your Gloo Mesh license key as an environment variable. If you do not have one, contact an account representative. If you prefer to specify license keys in a secret instead, see Licensing. To check your license’s validity, you can run
meshctl license check --key $(echo ${GLOO_MESH_LICENSE_KEY} | base64 -w0).export GLOO_MESH_LICENSE_KEY=<license_key>
Install Gloo Mesh
Install all Gloo Mesh components in the same cluster as your Istio service mesh.
Install Gloo Mesh in your cluster. This command uses a basic profile to create a
gloo-meshnamespace and install the Gloo control and data plane components. For more information, check out the CLI install profiles.meshctl install --profiles gloo-mesh-single-cluster \ --set common.cluster=$CLUSTER_NAME \ --set licensing.glooMeshCoreLicenseKey=$GLOO_MESH_LICENSE_KEYVerify that your Gloo Mesh setup is correctly installed. If not, try debugging the relay connection. Note that this check might take a few seconds to verify that:
- Your Gloo product license is valid and current.
- The Gloo CRDs are installed at the correct version.
meshctl checkExample output:
🟢 License status INFO gloo-mesh enterprise license expiration is 25 Aug 26 10:38 CDT 🟢 CRD version check 🟢 Gloo deployment status Namespace | Name | Ready | Status gloo-mesh | gloo-mesh-ui | 1/1 | Healthy gloo-mesh | gloo-telemetry-collector-agent | 3/3 | Healthy gloo-mesh | prometheus-server | 1/1 | Healthy
Deploy Istio
Check whether an Istio control plane already exists.
kubectl get pods -n istio-system
If an istiod pod exists, such as in this example output, you already installed an Istio control plane. Continue to the next step.
NAME READY STATUS RESTARTS AGE
istiod-b65676555-g2vmr 1/1 Running 0 57s
If no istiod pod exists, you can use the Solo distribution of Istio to install a sidecar or ambient service mesh. For more information, check out Solo distributions of Istio.
Ambient mode
Simplify your service mesh with a sidecarless approach by installing Istio in ambient mode. For more information, see About ambient mesh.
Apply the CRDs for the Kubernetes Gateway API to your cluster, which are required to create components such as waypoint proxies for L7 traffic policies, gateways with the
Gatewayresource, and more.kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yamlInstall the Gloo Operator to the
gloo-meshnamespace. This operator deploys and manages your Istio installation.helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.2.3 \ -n gloo-mesh \ --create-namespace \ --set manager.env.SOLO_ISTIO_LICENSE_KEY=${GLOO_MESH_LICENSE_KEY}Verify that the operator pod is running.
kubectl get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48s- Create a ServiceMeshController custom resource to configure an Istio installation. For a description of each configurable field, see the ServiceMeshController reference. If you need to set more advanced Istio configuration, you can also create a gloo-extensions-config configmap.
kubectl apply -n gloo-mesh -f -<<EOF apiVersion: operator.gloo.solo.io/v1 kind: ServiceMeshController metadata: name: managed-istio labels: app.kubernetes.io/name: managed-istio spec: dataplaneMode: Ambient installNamespace: istio-system version: 1.25.2 EOFNote that the operator detects your cloud provider and cluster platform, and configures the necessary settings required for that platform for you. For example, if you create an ambient mesh in an OpenShift cluster, no OpenShift-specific settings are required in the ServiceMeshController, because the operator automatically sets the appropriate settings for OpenShift and your specific cloud provider accordingly.If you set theinstallNamespaceto a namespace other thangloo-system,gloo-mesh, oristio-system, you must include the–set manager.env.WATCH_NAMESPACES=<namespace>setting. Verify that the components of the Istio control and data plane are successfully installed. Because the ztunnel and the CNI are deployed as daemon sets, the number of ztunnel pods and CNI pods each equal the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-systemExample output:
NAME READY STATUS RESTARTS AGE istio-cni-node-6s5nk 1/1 Running 0 2m53s istio-cni-node-blpz4 1/1 Running 0 2m53s istiod-gloo-bb86b959f-msrg7 1/1 Running 0 2m45s istiod-gloo-bb86b959f-w29cm 1/1 Running 0 3m ztunnel-mx8nw 1/1 Running 0 2m52s ztunnel-w8r6c 1/1 Running 0 2m52s
Sidecar mode
Use the Gloo Operator to deploy your service mesh with the standard sidecar approach. Note that this installs a minimal service mesh setup to get you started. For a more advanced Istio sidecar installation, check out the sidecar mesh installation guides.
Install the Gloo Operator to the
gloo-meshnamespace. This operator deploys and manages your Istio installation.helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.2.3 \ -n gloo-mesh \ --create-namespace \ --set manager.env.SOLO_ISTIO_LICENSE_KEY=${GLOO_MESH_LICENSE_KEY}Verify that the operator pod is running.
kubectl get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48s- Create a ServiceMeshController custom resource to configure an Istio installation. For a description of each configurable field, see the ServiceMeshController reference. If you need to set more advanced Istio configuration, you can also create a gloo-extensions-config configmap.
kubectl apply -n gloo-mesh -f -<<EOF apiVersion: operator.gloo.solo.io/v1 kind: ServiceMeshController metadata: name: managed-istio labels: app.kubernetes.io/name: managed-istio spec: dataplaneMode: Sidecar installNamespace: istio-system version: 1.25.2 EOFNote that the operator detects your cloud provider and cluster platform, and configures the necessary settings required for that platform for you. For example, if you create an ambient mesh in an OpenShift cluster, no OpenShift-specific settings are required in the ServiceMeshController, because the operator automatically sets the appropriate settings for OpenShift and your specific cloud provider accordingly.If you set theinstallNamespaceto a namespace other thangloo-system,gloo-mesh, oristio-system, you must include the–set manager.env.WATCH_NAMESPACES=<namespace>setting. Verify that the istiod control plane and Istio CNI pods are running. Because the CNI are deployed as daemon sets, the number of CNI pods each equal the number of nodes in your cluster. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-systemExample output:
NAME READY STATUS RESTARTS AGE istio-cni-node-6s5nk 1/1 Running 0 2m53s istio-cni-node-blpz4 1/1 Running 0 2m53s istiod-gloo-bb86b959f-msrg7 1/1 Running 0 2m45s istiod-gloo-bb86b959f-w29cm 1/1 Running 0 3m
Deploy a sample app
To analyze your service mesh with Gloo Mesh, be sure to include your services in the mesh.
Optional: Expose apps with an ingress gateway
You can optionally deploy an ingress gateway to send requests to sample apps from outside the service mesh. To review your options, such as deploying Gloo Gateway as an ingress gateway, see the ingress gateway guide for an ambient or sidecar mesh.
Explore the UI
Use the Gloo UI to evaluate the health and efficiency of your service mesh. You can review the analysis and insights for your service mesh, such as recommendations to harden your Istio environment and steps to implement them in your environment.
Launch the dashboard
Open the Gloo UI. The Gloo UI is served from the
gloo-mesh-uiservice on port 8090. You can connect by using themeshctlorkubectlCLIs.- meshctl: For more information, see the CLI documentation.
meshctl dashboard - kubectl:
- Port-forward the
gloo-mesh-uiservice on 8090.kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090 - Open your browser and connect to http://localhost:8090.
- Port-forward the
- meshctl: For more information, see the CLI documentation.
Review your Dashboard for an at-a-glance overview of your Gloo Mesh environment. Environment insights, health, status, inventories, security, and more are summarized in the following cards:
- Analysis and Insights: Gloo Mesh recommendations for how to improve your Istio setup.
- Gloo and Istio health: A status check of the Gloo Mesh and Istio installations in your cluster.
- Certificates Expiry: Validity timelines for your root and intermediate Istio certificates.
- Cluster Services: Inventory of services in your Gloo Mesh setup, and whether those services are in a service mesh or not.
- Istio FIPS: FIPS compliance checks for the
istiodcontrol plane and Istio data plane workloads. - Zero Trust: Number of service mesh workloads that receive only mutual TLS (mTLS)-encrypted traffic, and number of external services that are accessed from the mesh.
Figure: Gloo UI dashboard Figure: Gloo UI dashboard
Check insights
Review the insights for your environment. Gloo Mesh comes with an insights engine that automatically analyzes your Istio setups for health issues. These issues are displayed in the UI along with recommendations to harden your Istio setups. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.
From the Dashboard, click on any of the insights cards to open the Insights page, or go to the Home > Insights page directly.
On the Insights page, you can view recommendations to harden your Istio setup, and steps to implement them in your environment. Gloo Mesh analyzes your setup, and returns individual insights that contain information about errors and warnings in your environment, best practices you can use to improve your configuration and security, and more.
Figure: Insights page Figure: Insights page Select the insight that you want to resolve. The details modal shows more data about the insight, such as the time when it was last observed in your environment, and if applicable, the extended settings or configuration that the insight applies to.
Figure: Example insight Figure: Example insight Click the Target YAML tab to see the resource file that the insight references, and click the View Resolution Steps tab to see guidance such as steps for fixing warnings and errors in your resource configuration or recommendations for improving your security and setup.
Next steps
Now that you have Gloo Mesh and Istio up and running, check out some of the following resources to learn more about Gloo Mesh and expand your service mesh capabilities.
Istio:
- Find out more about hardened Istio
n-4version support built into Solo distributions of Istio. - Check out the Istio docs to configure and deploy Istio routing resources.
- Monitor and observe your Istio environment with Gloo Mesh’s built-in telemetry tools.
- When it’s time to upgrade Istio, check out
For ambient installations, see Upgrade Gloo-managed ambient meshes or Upgrade ambient service meshes with Helm.
Gloo Mesh:
- Customize your Gloo Mesh installation with a Helm-based setup.
Help and support:
- Talk to an expert to get advice or build out a proof of concept.
- Join the #gloo-mesh channel in the Solo.io community slack.
- Try out one of the Gloo workshops.
Cleanup
If you no longer need this quick-start Gloo Mesh environment, you can follow the steps in the uninstall guide.