Choose Gloo product licenses

Before you install Gloo Network for Cilium, decide which Gloo product and module licenses you need for your environment. Gloo offers separate licenses for each product, such as Gloo Network for Cilium and Gloo Mesh Core. Additionally, the GraphQL module is offered as an add-on to the Gloo Mesh Gateway license.

Licensed products

Product licenses unlock certain capabilities in your Gloo environment. Gloo products are built on hardened Solo images of related open source projects.

ProductOSS projectsDescription
Gloo Mesh CoreIstio, eBPF, CiliumGloo Mesh Core deploys alongside your Istio environment in single or multicluster environments, and can discover existing Istio installations across clusters and infrastructure providers. A Gloo Mesh Core license also unlocks hardened FIPS-compliant Istio images with n-4 version support, as well as Istio lifecycle management, in which Gloo Mesh Core deploys and manages the lifecycle of Istio installations across clusters. Gloo Mesh Core comes with an insights engine that automatically analyzes your Istio setup for health, security, and resiliency issues. Then, Gloo shares these issues along with recommendations to harden your Istio and setup in a custom dashboard. The insights give you a checklist to address issues that might otherwise be hard to detect across your environment.

Gloo Mesh Core includes support for Solo distributions of Cilium images to provide connectivity, security, and observability for containerized workloads. Cilium is an open source technology and a highly scalable Kubernetes Container Network Interface (CNI) that provides cloud-native networking connectivity, security, and observability for container-based workloads, such as in Kubernetes and Docker. The Solo distribution of Cilium is a hardened Cilium enterprise image, which maintains support for security patches to address Common Vulnerabilities and Exposures (CVEs) and other security fixes. Additionally, Gloo Mesh Core generates Cilium insights to help you evaluate the health and configuration of your Cilium setup.
Gloo Mesh EnterpriseIstio, eBPF, CiliumGloo Mesh Enterprise manages Istio-based service meshes across clusters and infrastructure providers, and secures communication between workloads via mTLS. A Gloo Mesh Enterprise license unlocks hardened, FIPS-compliant Istio images with n-4 version support. You get a simplified management experience for multitenancy, service isolation, federation, and east-west traffic management. Gloo Mesh Enterprise even automatically discovers your Istio resources and translates them into the appropriate Gloo custom resources (CRs) so that intelligent, multicluster failover works out of the box. You also get Gloo CRs to manage internal mesh routing, including virtual gateways, route tables, and policies such as external auth and rate limiting. Keep in mind that for advanced ingress routing features, you need a Gloo Mesh Gateway license alongside Gloo Mesh Enterprise. For example, without a Gloo Mesh Gateway license, you cannot use cloud resources or AWS Lambda; advanced listener configuration such as TLS for ingress routes; add-ons such as external auth, rate limiting, or the developer portal for non-mesh ingress use cases; or policies that apply to ingress routes such as Web Application Firewall (WAF).

Gloo Mesh Enterprise also includes support for Solo distributions of Cilium. Cilium is an open source technology and a highly scalable Kubernetes Container Network Interface (CNI) that provides cloud-native networking connectivity, security, and observability for container-based workloads, such as in Kubernetes and Docker. To provide advanced networking and security controls, Cilium leverages the Linux kernel technology eBPF, and you can even reuse the same access policies for both L3/L4 and L7 access control. With a Gloo Mesh Enterprise license, you can deploy the Cilium CNI to your clusters, and create Gloo custom resources, such as access policies. The Gloo management server then automatically translates these CRs into Cilium network policies to allow or drop packages between apps on layer 3 and 4 of the OSI Networking model.
Gloo Mesh GatewayEnvoy, IstioGloo Mesh Gateway is an API gateway based on Envoy and Istio open source technologies. A Gloo Mesh Gateway license unlocks Gloo CRs such as virtual gateways, route tables, and policies so that you can control network traffic into (ingress) and out from (egress) your clusters. You get traffic manipulation features, such as Envoy filters for resilience and transformation. You can also secure ingress traffic with security filters such as web application firewall (WAF), external auth, and rate limiting. You can enhance your API gateway with additional modules, such as GraphQL, support for routing to AWS Lambdas, and a developer portal. Keep in mind that for internal service mesh traffic management, you need a Gloo Mesh Enterprise license alongside Gloo Mesh Gateway. For example, without a mesh license, you cannot use workload selectors on route tables; route tables without a virtual gateway; or access, access log, failover, or WebAssembly (Wasm) policies.
Gloo Network for CiliumeBPF, CiliumGloo Network provides support for Solo distributions of Cilium. Cilium is an open source technology and a highly scalable Kubernetes Container Network Interface (CNI) that provides cloud-native networking connectivity, security, and observability for container-based workloads, such as in Kubernetes and Docker. To provide advanced networking and security controls, Cilium leverages the Linux kernel technology eBPF, and you can even reuse the same access policies for both L3/L4 and L7 access control. Gloo Network additionally analyzes your Cilium setup in your Gloo environment, and provides insights through a custom dashboard that can help you improve the security and scalability of your environment. In the gloo UI, you can also use Gloo Network's Hubble UI integration to visualize the Cilium flow logs and requests between endpoints in your network.

Licensed modules

You can extend the capabilities of Gloo products with modules. Modules are typically bundled together in the same license as the product license.

ModuleCompatible productsDescription
GraphQLGloo Mesh Gateway, Gloo Mesh EnterpriseGraphQL is a server-side query language and runtime you can use to expose your APIs as an alternative to REST APIs. GraphQL allows you to request only the data you want and handle any subsequent requests on the server side, saving numerous expensive origin-to-client requests by instead handling requests in your internal network. By building GraphQL capabilties into the Gloo ingress or east-west gateways, Gloo extends GraphQL with route-level networking logic. For example, the gateway might rate limit, authorize, and authenticate requests. To set up GraphQL in your Gloo environment, check out the GraphQL guides in the Gloo Mesh Gateway documentation. Note: The GraphQL module is available as an add-on to the Gloo Mesh Gateway license. To use GraphQL capabilities for your east-west gateways in Gloo Mesh Enterprise, you must also have a Gloo Mesh Gateway license with the GraphQL add-on.

Get a license key

To get Gloo Network for Cilium license, contact an account representative.

Provide your license key during installation

When you install Gloo Network for Cilium in your management cluster, you provide your license keys either directly in your meshctl install command or Helm values file, or in a secret that you pass into the command or values file.

Trial license

  1. Save your trial license key as an environment variable.
      export GLOO_TRIAL_LICENSE_KEY=<gloo-trial-license-key>
      
  2. Decide how you want to provide your trial key during installation.

Standard license

  1. Save your standard license key as an environment variables.
      export GLOO_NETWORK_LICENSE_KEY=<gloo-network-license-key>
      
  2. Decide how you want to provide your license key during installation.

Monitor your license

You can check your license, including your license expiration date, in multiple ways.

CLI

To check your current licenses with the meshctl CLI, you can use the meshctl license check command.

  • To pass in a license key directly, encode the key to base64 and pass it in the --key flag. For example, to check your Gloo Network license key, you can run the following command:
      meshctl license check --key $(echo ${GLOO_NETWORK_LICENSE_KEY} | base64 -w0)
      
  • If you store your license keys in a Kubernetes secret, you can pass the secret YAML file in the --secrets-file flag instead.
      meshctl license check --secrets-file license-keys.yaml
      

In this example output, the Gloo Network license is current and valid. The expiration date is listed so that you can update your license before it expires.

  INFO  License key gloo-network-license-key for product gloo-gateway is valid. Expires at 08 Oct 24 12:31 CEST
SUCCESS  Licenses are valid
  

In this example output, the Gloo Network license is invalid. Check your license to ensure you entered it correctly, and if you pass the license key in the --key flag, be sure to encode it in base64.

  WARNING  License key gloo-network-license-key is not valid. Make sure that the license is correct. For help or to request a new license, contact Solo Support. See https://docs.solo.io/gloo-mesh-enterprise/main/support/support-ticket/
ERROR  Invalid licenses found
  

In this example output, the Gloo Network license is valid but is expired. You can update your license in your Gloo environment.

  WARNING  Your gloo-network license expired on 2024-01-24 19:30:53 +0100 CET. To get a new license, contact Support.
ERROR  License is expired. For more info, see https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prepare/licensing/#update-licenses
  

UI

To check your current license with the Gloo UI:

  1. Open the Gloo UI. The Gloo UI is served from the gloo-mesh-ui service on port 8090. You can connect by using the meshctl or kubectl CLIs.

    • meshctl: For more information, see the CLI documentation.
        meshctl dashboard
        
    • kubectl:
      1. Port-forward the gloo-mesh-ui service on 8090.
          kubectl port-forward -n gloo-mesh svc/gloo-mesh-ui 8090:8090
          
      2. Open your browser and connect to http://localhost:8090.
  2. In the header navigation bar, click the gear icon.
  3. Review the status of your license. You can also check the expiration date so that you can update your license before it expires.

Metrics

Gloo Network for Cilium includes license metrics that you can view by using the UI of the built-in Prometheus server. These metrics give you the number of minutes until the license expires, which you can optionally use to set up alerts in Prometheus.

  1. Open the Prometheus UI.

  2. Query the solo_io_gloo_network_license metric.

  3. In the output, check the value of the metric, which is the number of minutes until the license expires. For example, in this output, the Gloo Network license expires in 247,649 minutes, which equals 171 days, 23 hours, and 29 minutes.

    MetricValue
    solo_io_gloo_network_license{app=“gloo-mesh-mgmt-server”, instance=“10.xx.x.x:9091”, job=“gloo-mesh-mgmt-server”, namespace=“gloo-mesh”, pod=“gloo-mesh-mgmt-server-65bd557b95-v8qq6”, pod_template_hash=“65bd557b95”}247649.2563652057
  4. Optional: If you want to add alerts for these license metrics, such as to remind you to update your license before it expires, you can add alerts to your Helm values file and apply the file during a Gloo upgrade. To get your current Helm values and upgrade Gloo, see Upgrade. For example, you might add the following alert to your values file to remind you to update your Gloo Network license 30 days before it expires. You can also add similar alerts for other Gloo product licenses, or alerts for other timeframes (such as using expr: solo_io_gloo_network_license < 0 in the case that a license expires). You can review these alerts in the /alerts page of the Prometheus UI.

      ...
    serverFiles:
      alerting_rules.yml:
        groups:
          - name: GlooNetworkAlerts
            rules:
              ...
              - alert: GlooNetworkLicenseExpiresSoon
                annotations:
                  runbook: https://docs.solo.io/gloo-network/main/setup/upgrade/#update-licenses
                  summary: The Gloo Network for Cilium license expires in 30 days.
                expr: solo_io_gloo_network_license < 1440 * 30
                labels:
                  severity: warning
      

Update licenses

Before your Gloo Network for Cilium license expires, you can update the license by performing a Helm upgrade.

For example, if you notice that your Gloo management plane deployments are in a crash loop, your license might be expired. You can check the logs for one of the deployments, such as the management server, to look for an error message like the following:

  meshctl logs mgmt
  
  {"level":"fatal","ts":1628879186.1552186,"logger":"gloo-mesh-mgmt-server","caller":"cmd/main.go:24","msg":"License is invalid or expired, crashing - license expired", ...
  

To update your license, see the upgrade guide.