A Technical Dive into Gloo Mesh GA
Announcing the GA of Gloo Mesh Enterprise–A Modern Management Plane for Istio Service Mesh
Today, I am super excited to announce the general availability (GA) of Gloo Mesh Enterprise based on upstream Istio. At Solo.io we are focused on helping organizations manage, secure, and expose their APIs in a highly decentralized, cloud-native approach. Gloo Mesh Enterprise lays the foundational pieces to support this effort.
Gloo Mesh Enterprise simplifies service mesh adoption and day-two operations for single cluster, multi-cluster and multi-cloud environments. Gloo Mesh Enterprise facilitates mesh onboarding with its simplified role-based APIs, unifies identity across multiple domains, and safely orchestrates configurations for multi-cluster policy and tenancy enforcement. Gloo Mesh Enterprise also allows you to extend your mesh data plane with WebAssembly.
How Gloo Mesh Enterprise Works
Typically, adoption of Gloo Mesh starts with a supported Istio distribution. Gloo Mesh Istio is upstream-based Istio with Long Term Support (LTS of N-3, while community support is N-1), enterprise SLAs, FIPS-compliant builds, and security patches.
Once Istio is installed, potentially across multiple clusters, Gloo Mesh provides a management plane to oversee the Istio installation across clusters, zones, and geographies. This management plane is deployed as a set of controllers on a dedicated Kubernetes cluster and is configured/driven by a set of declarative Custom Resources.
Gloo Mesh communicates with the meshes under management via a push or pull model, depending on the organization’s desired security and operations model. In the push model, the Gloo Mesh management plane connects directly to each of the clusters/meshes under management, discovers mesh resources, and then pushes configuration to the individual mesh control planes. If your organization requires a tighter security model where credentials must reside within their own clusters, the pull model is recommended. In the pull model, each cluster under management deploys an agent that connects to the management plane, presents its credentials, and then shares discovery information; the agent in each cluster then pulls the configuration intended for that cluster. This gives users management of remote clusters while keeping credentials localized.
For multi-cluster environments, you can combine different service mesh deployments across clusters, even clusters in different regions or data centers, into a single “virtual mesh.” You then define your traffic and access policies to that single virtual mesh at the mesh level which greatly simplifies management.
New Features in Gloo Mesh Enterprise 1.0:
Since the Beta announcement back in December, we have been working on a number of exciting new features:
Centralized management and CONTROL:
- Virtual Destinations with Locality Based Routing / Failover – Gloo Mesh solves the difficult problem of global service discovery, routing, and availability. VirtualDestinations use locality and priority information to ensure maximum uptime and reduced latency. With Gloo Mesh, a cluster outage is handled by routing to the same service in the next closest cluster. For example, if a cluster in the us-east region is the next closest cluster that runs the target service, Gloo Mesh will direct traffic to that cluster.
- Improved Plugin Workflow – Cloud Native developers and architects are accustomed to tools like kubectl’s krew, which allows users to extend the CLI to fit their use case. With this release, Gloo Mesh now includes a streamlined way to download plugins, including our first of many: Gloo Mesh Wasm. Below is a demo of the new workflow from Solo’s engineer Ryan King:
- Flat Networking Support – Some Kubernetes users have a flat network that reduces the overhead of ingress and allows direct service-to-service connectivity across clusters. In addition to multi-network support Gloo Mesh Enterprise now supports a “flat network” topology.
- Large-scale Production Testing – We’ve tested Gloo Mesh across 100s of clusters to ensure that Gloo Mesh can meet the requirements of enterprises at scale, both large and small. We tested deployments of up to 100 clusters, emulating organizations’ real-world production environments.
Enhanced SECURITY for improved compliance:
- Fully FIPS Compliant Istio Build – Gloo Mesh Enterprise now offers an option for a Federal Information Processing Standard 140-2 (FIPS 140-2) compliant Istio control and data plane.
- Secure Control Plane Management – Gloo Mesh Enterprise 1.0 has changed its architecture from past releases to a pull model where credentials are not shared and are localized to individual clusters. Thanks to our recent beta, we have learned more about the security models of our customers. And these customers sometimes run hundreds of clusters. With this feedback, we have changed the service mesh registration to a pull model that now uses agents on each cluster to connect to the Gloo Mesh Enterprise control plane.
Comprehensive OBSERVABILITY and insights:
- Centralized Logging and Debugging – Gloo Mesh Enterprise 1.0 includes a new user-facing CRD for enabling the generation and capture of access logs (i.e. event logs) for traffic flowing between workloads and traffic targets in service mesh instances across multiple clusters. This feature includes a new meshctl command (meshctl accesslogs) that makes it easy for users to retrieve those access logs in a structured manner. Below is a demo recap of access logs by Solo’s engineer Harvey Xia:
Enterprise-grade service and SUPPORT:
- Support for Istio 1.9 – Istio 1.9 was announced on February 9th and we updated our support to include the latest version.
Try Gloo Mesh Enterprise!
Attend SoloCon and Learn at a Free Workshop!
Learn more about Gloo Mesh, Gloo Edge and our Gloo API Management Platform at Solo.io’s inaugural event SoloCon 2021. SoloCon is an engaging, interactive event featuring industry speakers, informative sessions and hands-on workshops that will take place March 23-25, 2021.
Attendees will also have the opportunity to engage with experts, learn from their peers, network with other attendees and attend hands-on workshops.
Register today at www.solo.io/solocon/.