No items found.
No items found.
No items found.

Advanced Auth Workflows with OpenID Connect & Gloo API Gateway

August 22, 2022
Gloo supports authentication via OpenID Connect (OIDC). OIDC is an identity layer on top of the OAuth 2.0 protocol. In OAuth 2.0 flows, authentication is performed by an external Identity Provider (IdP) which, in case of success, returns an Access Token representing the user identity. The protocol does not define the contents and structure of the Access Token, which greatly reduces the portability of OAuth 2.0 implementations. The goal of OIDC is to address this ambiguity by additionally requiring Identity Providers to return a well-defined ID Token. OIDC ID tokens follow the JSON Web Token standard and contain specific fields that your applications can expect and handle. This standardization allows you to switch between Identity Providers - or support multiple ones at the same time - with minimal, if any, changes to your downstream services; it also allows you to consistently apply additional security measures like Role-based Access Control (RBAC) based on the identity of your users, i.e. the contents of their ID token. In this post, we're going to expose a Service running on Kubernetes using Gloo. Then, we'll secure the access using Google OIDC. As explained above, Google OIDC will return a JWT token, so we'll use Gloo to extract some claims from this token and to create new headers corresponding to these claims. Finally, we'll see how Gloo RBAC rules can be created to leverage the claims contained in the JWT token.

Expose a Kubernetes Service

Let's start by deploying the httpbin service on our Kubernetes cluster: 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
Gloo automatically discovers Kubernetes services, by default. So, running the glooctl get upstreams command, you should be able to see a new Upstream created for our application: 
+----------------------------------------------------+------------+----------+-------------------------------------+
|                      UPSTREAM                      |    TYPE    |  STATUS  |               DETAILS               |
+----------------------------------------------------+------------+----------+-------------------------------------+
| default-httpbin-8000                               | Kubernetes | Accepted | svc name:      httpbin              |
|                                                    |            |          | svc namespace: default              |
|                                                    |            |          | port:          8000                 |
|                                                    |            |          |                                     |
...
To explose the application you can run the following command: 
glooctl add route \
  --path-prefix / \
  --dest-name default-httpbin-8000
It creates the following Virtual Service: 
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
status:
  reportedBy: gateway
  state: 1
  subresourceStatuses:
    '*v1.Proxy.gloo-system.gateway-proxy':
      reportedBy: gloo
      state: 1
The Virtual Service can be created using kubectl and this yaml instead of the glooctl command you have used. And you can see how Gloo updates the status of the Virtual Service to show that it has been able to process it. The glooctl get virtualservices command is using the status fields of the different objects to return the state of the different components. Here is the output you should get: 
+-----------------+--------------+---------+------+----------+-----------------+----------------------------------+
| VIRTUAL SERVICE | DISPLAY NAME | DOMAINS | SSL  |  STATUS  | LISTENERPLUGINS |              ROUTES              |
+-----------------+--------------+---------+------+----------+-----------------+----------------------------------+
| default         |              | *       | none | Accepted |                 | / ->                             |
|                 |              |         |      |          |                 | gloo-system.default-httpbin-8000 |
|                 |              |         |      |          |                 | (upstream)                       |
+-----------------+--------------+---------+------+----------+-----------------+----------------------------------+
Update your /etc/hosts file to resolve mydomain.com by the IP address returned by the glooctl proxy address command (without the port number). You can now access the application using the mydomain.com domain. 
# curl http://mydomain.com/get

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "mydomain.com",
    "User-Agent": "curl/7.64.1",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  },
  "origin": "192.168.149.8",
  "url": "http://mydomain.com/get"
}
As you can see, the httpbin application returns information about the request we sent.

Secure the application using HTTPS

Let's create an SSL certificate for the mydomain.com domain: 
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
   -keyout tls.key -out tls.crt -subj "/CN=mydomain.com"
And create a Kubernetes secret with this certificate: 
kubectl create secret tls upstream-tls --key tls.key \
   --cert tls.crt --namespace gloo-system
Now, to enable HTTPS for our Virtual Service, you simply need to update it as follow: 
kubectl apply -f - <<EOF
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
You can now access the application using HTTPS: 
# curl -k https://mydomain.com/get

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "0",
    "Host": "mydomain.com",
    "User-Agent": "curl/7.64.1",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  },
  "origin": "192.168.149.8",
  "url": "https://mydomain.com/get"
}

Authenticate the user with Google OIDC

Go to the Google Developer Console to create credentials and to authorize the mydomain.com domain. More details are available here. Create a Kubernetes Secret using the client secret you got when you created the credentials: 
glooctl create secret oauth --namespace gloo-system --name google --client-secret $CLIENT_SECRET
Create an AuthConfig object using the client id and referencing the secret: 
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: google-oidc
  namespace: gloo-system
spec:
  configs:
  - oauth:
      app_url: https://mydomain.com
      callback_path: /callback
      client_id: $CLIENT_ID
      client_secret_ref:
        name: google
        namespace: gloo-system
      issuer_url: https://accounts.google.com
      scopes:
        - email
Note that we have used the scopes parameter to indicate to the identity provider to include the email of the user in the claims of the JWT token it will return. Now, let's update the Virtual Service to use Google OIDC Authentication: 
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
   options:
      extauth:
        configRef:
          name: google-oidc
          namespace: gloo-system
Note that the /callback path is handled by the Virtual Service because we used the / prefix. Go to https://mydomain.com using your web browser. You should be redirected to the Google Login page and then access the application. Gloo has redirected you to the /callback page, with the information it got from Google OIDC added as a query string to create a Cookie. Then, the normal flow has occurred to reach the application. You should get the following output: 
{
  "args": {},
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "fr-fr",
    "Content-Length": "0",
    "Cookie": "access_token=ya29.a0AfH6SMBv8QNdWFn_sEI4iN_GrfCdG__m_8itq_t7mcYVskjeJrJRpuZQJf9AFKAzEbSABsAZ633hvpQzUzPL_bHJ37CmbcO3MnDlltlgRNVscY-7KmauWwpkpDvrdPfQ886pwsoUvZiLHhE--TnBhtezyLd8E1D-LdeZ3w; id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3OGFiMWRjNTkxM2Q5MjlkMzdjMjNkY2FhOTYxODcyZjhkNzBiNjgiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI2MzUzODgzNDA1MjEtMHNtNzFtZ29rZXFmbGs0ajlyZGJncHQyNnRkbGJybjMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI2MzUzODgzNDA1MjEtMHNtNzFtZ29rZXFmbGs0ajlyZGJncHQyNnRkbGJybjMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTc1NzcxOTAyMjM2ODAxODM2ODEiLCJlbWFpbCI6ImRqYW5ub3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJEX1JJcWRHUl9xbWVzc29zdjUxRW5RIiwiaWF0IjoxNjAzMTAxMzMxLCJleHAiOjE2MDMxMDQ5MzF9.HHUO1JXRNA2348Erfla_PX7-s23us5Vr5WSpzvN7Ms0MmPXuZHyzxZSn4_ab-XhZPzqrKudYtbMpnVTlD-9fuPUC0Mm4ZIBh3cTxlH_4b512qzFU-gjStGdV0MGVBnVODDJFHOpOxywmd27aDnCPiEph-L4LyjCjPyEyqEA2bzQEaIE91pynWUgwj1BHajew_70zPVeKxwDplsJPyVM9LBNxr6LrfacaHUz_SvnkQimibEvdP9DotAHe5Msovdb44pdK8KhHawfLokCqc5Sb-baQ-ppWjfunRyMcaRCU1CI5ki7MTp4n95SlHC2Kr7XKg86oP4HTJWb5pStHgNA8qQ",
    "Host": "mydomain.com",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  },
  "origin": "192.168.149.8",
  "url": "https://mydomain.com/get"
}
As you can see, the browser has sent the cookie as a header in the HTTP request.

Request transformation

Gloo is able to perform advanced transformations of the request and response. Let's modify the Virtual Service using the yaml below: 
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
   options:
     extauth:
       configRef:
         name: google-oidc
         namespace: gloo-system
          stagedTransformations:
            early:
          requestTransforms:
            - requestTransformation:
                transformationTemplate:
                  extractors:
                    token:
                      header: 'cookie'
                      regex: '.*id_token=(.*)'
                      subgroup: 1
                  headers:
                    jwt:
                      text: '{{ token }}'
      headerManipulation:
        requestHeadersToRemove:
        - "cookie"
This transformation is using a regular expression to extract the JWT token from the cookie header, creates a new jwt header that contains the token and removes the cookie header. Here is the output you should get if you refresh the web page: 
{
  "args": {},
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "fr-fr",
    "Content-Length": "0",
    "Host": "mydomain.com",
    "Jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjE3OGFiMWRjNTkxM2Q5MjlkMzdjMjNkY2FhOTYxODcyZjhkNzBiNjgiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI2MzUzODgzNDA1MjEtMHNtNzFtZ29rZXFmbGs0ajlyZGJncHQyNnRkbGJybjMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI2MzUzODgzNDA1MjEtMHNtNzFtZ29rZXFmbGs0ajlyZGJncHQyNnRkbGJybjMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMTc1NzcxOTAyMjM2ODAxODM2ODEiLCJlbWFpbCI6ImRqYW5ub3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJTX2VjWWJ6UURmWVBXeTI3Vm5YS093IiwiaWF0IjoxNjAzMTEwNDkzLCJleHAiOjE2MDMxMTQwOTN9.FMMxbHdbBjAjlqF7q5QWxPBIxJQR1hz-niO3VgOr7nh_mDpMx4FOhvor1YSukwt5HWPHvS79IyUw_nnCHNakFHh55PnXMPOh9yAmgAE_Vq0kZBe0Nhh94Av_Zl5MoUMcdoKElt4e98Rf13P87Sw6dwOVGLqi177nYkgIsSiOJHZ-Y2fNJxNoRbLYyKwgTWqrsaRRVf8gzVpex9g9u7s3FRwXfIMPImxCZWDWp1MEd0QLk9GDA7yzQy2PAQkygJnAppAPoyV9q5OSi9MjYiZ1turniuxn06VwIMYsHY-p_-dNg6W9emonN-7aGLUbrZ2gPcPrL2CDWeqHzcOIZlnh-A",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "X-User-Id": "https://accounts.google.com;227577190223680133999"
  },
  "origin": "192.168.149.8",
  "url": "https://mydomain.com/get"
}
You can see that the jwt header has been added to the request while the cookie header has been removed.

Extract information from the JWT token

First of all, we need to create a Gloo Upstream for the Google JWKS (JSON Web Key Sets): 
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: google-jkws
  namespace: gloo-system
spec:
  static:
    hosts:
      - addr: www.googleapis.com
        port: 443
JWKS is a set of public keys that can be used to verify the JWT tokens. Now, we can update the Virtual Service to validate the token, extract claims from the token and create new headers based on these claims. 
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: vs1
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
    options:
      extauth:
        configRef:
          name: google-oidc
          namespace: gloo-system
      stagedTransformations:
        early:
          requestTransforms:
            - requestTransformation:
                transformationTemplate:
                  extractors:
                    token:
                      header: 'cookie'
                      regex: '.*id_token=(.*)'
                      subgroup: 1
                  headers:
                    jwt:
                      text: '{{ token }}'
      headerManipulation:
        requestHeadersToRemove:
        - "cookie"
      jwt:
        providers:
          google:
            issuer: https://accounts.google.com
            tokenSource:
              headers:
              - header: Jwt
            claimsToHeaders:
            - claim: email
              header: x-solo-claim-email
            - claim: email_verified
              header: x-solo-claim-email-verified
            jwks:
              remote:
                url: https://www.googleapis.com/oauth2/v3/certs
                upstreamRef:
                  name: google-jkws
                  namespace: gloo-system
Here is the output you should get if you refresh the web page: 
{
  "args": {},
  "headers": {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "fr-fr",
    "Content-Length": "0",
    "Host": "mydomain.com",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "X-Solo-Claim-Email": "djannot@gmail.com",
    "X-Solo-Claim-Email-Verified": "true",
    "X-User-Id": "https://accounts.google.com;227577190223680133999"
  },
  "origin": "192.168.149.8",
  "url": "https://mydomain.com/get"
}
As you can see, Gloo has added the x-solo-claim-email and x-solo-claime-email-verified headers using the information it has extracted from the JWT token. It will allow the application to know who the user is and if his email has been verified.

RBAC using the claims of the JWT token

Gloo can also be used to set RBAC rules based on the claims of the JWT token returned by the identity provider. Let's update the Virtual Service as follow: 
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: default-httpbin-8000
            namespace: gloo-system
    options:
      extauth:
        configRef:
          name: google-oidc
          namespace: gloo-system
      stagedTransformations:
        early:
          requestTransforms:
            - requestTransformation:
                transformationTemplate:
                  extractors:
                    token:
                      header: 'cookie'
                      regex: '.*id_token=(.*)'
                      subgroup: 1
                  headers:
                    jwt:
                      text: '{{ token }}'
      headerManipulation:
        requestHeadersToRemove:
        - "cookie"
      jwt:
        providers:
          google:
            issuer: https://accounts.google.com
            tokenSource:
              headers:
              - header: Jwt
            claimsToHeaders:
            - claim: email
              header: x-solo-claim-email
            - claim: email_verified
              header: x-solo-claim-email-verified
            jwks:
              remote:
                url: https://www.googleapis.com/oauth2/v3/certs
                upstreamRef:
                  name: google-jkws
                  namespace: gloo-system
      rbac:
        policies:
          viewer:
            permissions:
              methods:
              - GET
              pathPrefix: /get
            principals:
            - jwtPrincipal:
                claims:
                  email: djannot@gmail.com
If I refresh the web page, I can still access it as I have logged in using the Google account associated with the djannot@gmail.com email address. But if I log in using another Google account or if I try to access another path than /get, I get the following response: 
RBAC: access denied

Get Started with Gloo

Gloo is available in open source and enterprise editions addressing a wide range of edge and API gateway use cases. Learn more about Gloo by visiting the additional resources below.

Featured content

See More

Migrating from Sidecars to Ambient Mesh - Risks, Challenges, and Benefits

Considering migrating from Istio sidecars to ambient mesh? Learn about the key challenges, risks, and benefits of ambient, including improved performance, lower costs, and operational simplicity, plus tips to plan a safe, successful transition.

Read Blog

Overhaul of Agent Gateway supporting A2A, MCP, and Kubernetes Gateway API

Today, we’re excited to share the next major milestone: Agent Gateway is now a full-featured, AI-native gateway that combines deep MCP and A2A protocol awareness, robust traffic policy controls, inference gateway support, Kubernetes Gateway API support, and unified access to major LLMs, all purpose-built with Rust for real-world agentic systems.

Read Blog

How Ambient Mesh Delivers Advanced Resource and Cost Savings

Discover how Ambient Mesh architecture can reduce service mesh infrastructure costs by up to 92% compared to traditional sidecar deployments, with real-world savings

Read Blog

Getting Started with Ambient Mesh: From 0 to 100 mph

Learn how Ambient Mesh revolutionizes service mesh architecture by eliminating sidecars and introducing a split proxy approach for better performance and operational simplicity.

Read Blog

Agent Discovery, Naming, and Resolution - the Missing Pieces to A2A

While the A2A specification provides the critical first steps toward discovery with Agent Cards, the infrastructure for truly dynamic, scalable agent ecosystems requires additional components that the spec intentionally leaves “up to you.” In this blog, we dig into those missing pieces.

Read Blog

Part Two: MCP Authorization The Hard Way

Digging into the details of the MCP Authorization Spec

Read Blog

Part One: MCP Authorization The Hard Way

Deep dive into MCP Authorization, step by step with examples and in-depth detail

Read Blog

Agent Identity and Access Management - Can SPIFFE Work?

Digging into AI identity and how the current SPIFFE models may need to be revised to support AI Agents

Read Blog

Deep Dive into llm-d and Distributed Inference

Digging into the llm-d project and how it does distributed inference.

Read Blog

Gloo Mesh 2.8 simplifies service mesh operations with new enhanced user experience across multi-cluster environments.

Read Blog

Gloo Gateway 1.19 accelerates context-rich, real-time AI apps with Gateway API

Read Blog

llm-d: Distributed Inference Serving on Kubernetes

Read Blog

AI Reliability Engineering For More Dependable Humans

AI Reliability Engineering (AIRE) bringing AI agents to SRE and Platform Engineering workflows for dependable humans

Read Blog

Kubernetes Identity the Right Way with SPIRE and Ambient

Secure Kubernetes workloads with Istio Ambient and SPIRE. Gain robust workload identity, mTLS, and scalable identity management without sidecars.

Read Blog

Optimizing GenAI in Production: High-Value Use Cases for AI Gateways

Read Blog

Solo.io Recognized as a Visionary in the 2024 Gartner® Magic Quadrant™ for API Management for the SECOND year in a row.

Read Blog

Guardians of the Governance: GenAI Gateway Guidance with GitOps and Gloo

Read Blog

Istio Ambient Waypoint Proxy explained

Read Blog

Hands-On with the Kubernetes Gateway API and Envoy Proxy: A Tutorial with GitOps and Gloo Gateway

Read Blog

Istio and the State of DevOps: Enhancing Key Metrics

Read Blog

What is an AI Gateway and its role in AI Applications?

Read Blog

Best practices for secure Istio deployment with Gloo Mesh Core

Read Blog

Gloo Mesh 2.6: Istio's Ambient mode now ready for production

Read Blog

HTTP Observability Without Compromises

Read Blog

Advance your knowledge of service mesh tech with Solo.io Academy certifications

Read Blog

Service Mesh for the developer workflow, a series

Read Blog

Challenges of adopting service mesh in enterprise organizations

Read Blog

Service Mesh in the Real World #2 — Ingress Traffic Control

Read Blog

Service Mesh in the Real World Video Series – Episode # 1: Egress Traffic

Read Blog

Service Mesh the easy way with AWS App Mesh and SuperGloo

In March 2019, AWS announced general availability of AWS App Mesh which is a service mesh implementation that can be run across AWS services such as Fargate, ECS, EKS and EC2. Organizations now have multiple options for service mesh available in AWS including the AWS App Mesh service, other service meshes directly in EC2 (Linkerd, Istio, etc), or a combination of them both. This post will cover AWS App Mesh.

Read Blog

Webinar Recap: Intro to Service Mesh Hub and SMI

Read Blog

D-TECK Uses Solo.io Gloo Gateway and Google Cloud to Help Businesses Make Better HR Decisions

Read Blog

Minimize the blast radius of changes with Solo.io Gloo Gateway and Weaveworks Flagger

Read Blog

Announcing Service Mesh Interface (SMI) Support and Collaboration

Read Blog

Service Mesh Interface (SMI) and our Vision for the Community and Ecosystem

Read Blog

The need for a standard, service mesh API

Read Blog

SuperGloo to the Rescue! Making it easier to write extensions for Service Mesh

Read Blog

Introducing The Service Mesh Hub -everything you need for your service mesh

Read Blog

Kubernetes Ingress Past, Present, and Future

Read Blog

Solo.io Streamlines Service Mesh and Serverless Adoption for Enterprises in Google Cloud

Read Blog

Ingenico

Powered by Gloo Gateway, Solo.io helped Ingenico modernize its global payments infrastructure—boosting scalability, resilience, and developer autonomy. Explore their journey to building a fault-tolerant, future-ready platform.

Read Case Study

ParkMobile

ParkMobile’s Platform Engineering team utilized Kubernetes and Gloo Gateway to drive innovation, scalability, and seamless mobility solutions while fostering a culture of collaboration and technological excellence.

Read Case Study

Vonage

Powered by Gloo Gateway, Solo.io helped Vonage modernize its cloud infrastructure, enhancing scalability, reliability, and developer autonomy. Explore their journey to a building an efficient and agile platform.

Read Case Study

Domino’s Pizza

Powered by Gloo Gateway and Gloo Mesh, Solo.io helped Domino’s UK transition from a monolithic system to a microservices-based architecture. Learn about our 18-month journey to transform the way they operate.

Read Case Study

Gloo Mesh Feature Comparison

Compare features across Gloo Mesh Enterprise, Gloo Mesh Open Source, and Basic Open Source Istio.

Read Datasheet

Service Mesh for Developers, Part 1: Exploring the Power of Observability and OpenTelemetry

Navigating the complexity of modern applications requires a key ally – observability. Observability empowers teams to streamline application debugging, and within the architecture of a service mesh, provides valuable insights that increase reliability and performance.

Read Ebook

Service Mesh at Scale

Challenges and approaches to multi-cluster deployment patterns

Read Ebook

Compare Capabilities of the Top Service Mesh Platforms

Using a service mesh as a layer to unify communications between applications, services, and workloads empowers teams to modernize their systems, deliver faster results, and improve performance for modern enterprises.

Read Ebook

Compare Capabilities of the Top API Gateways

Download our Buyer’s Guide to API Gateways and learn about the modern requirements of API gateways in our guide’s comparison of five leading API gateway providers.

Read Ebook

Establishing zero trust security for modern cloud architectures

How your organization can ensure safer cloud architecture by applying a zero trust network security model

Read Ebook

Unlocking the Power of Your API Gateway

With automated API management, organizations save time and resources and streamline the development process.

Read Ebook

API Gateways: Productivity, Resilience, and Security for Next-Generation Cloud Applications

The rise of microservices architecture has brought about a significant shift in how software is developed and deployed, and as such, has presented new technical and organizational challenges.

Read Ebook

Driving Business Value with Istio

How a service mesh can help your organization simplify the adoption of a distributed architecture

Read Ebook

Service Mesh Vendor Comparison

See how top vendors with Istio-based service mesh offerings compare

Read Ebook

Istio Then & Now

Read Infographic

4 Reasons Why You Need an AI Gateway

Integrating LLM models in your applications? See our infographic to learn the top four reasons why you need an AI Gateway!

Read Infographic

Gloo Gateway vs. Kong

Kong Gateway offers a very capable competitor to Gloo Gateway by Solo.io, but there are growing questions about the efficacy and stability of the Nginx open-source community behind the technology.

Read Infographic

Gloo Gateway vs. Apigee

Apigee suits Google Cloud, but its traditional approach clashes with modern practices. In contrast, Gloo Gateway by Solo.io aligns with cloud-native strategies.

Read Infographic

3 Reasons You Need an API Gateway for Microservices Apps

Unlock the full potential of your microservices architecture with the strategic integration of API gateways. While microservices provide flexibility and scalability, they also introduce complexities that can impede seamless communication between services. Discover the crucial role of API gateways in overcoming these challenges and optimizing your microservices ecosystem.

Read Infographic

Ambient Mesh Lab: EnvoyFilter Support

Solo.io Free Lab: Learn how to preserve and migrate EnvoyFilter configurations when transitioning from sidecar to ambient mode in Istio using Solo.io’s extended build, with step-by-step guidance and validation.

Read Lab

Ambient Mesh Lab: SPIRE integration with Gloo Mesh in Istio Ambient Mode

Secure your Istio Ambient Mesh with SPIRE. This hands-on lab shows how to integrate SPIRE with Gloo Mesh to issue SPIFFE identities and certificates for ztunnel and mesh workloads.

Read Lab

Ambient Mesh Lab: Introduction to ztunnel in Ambient Mesh

Learn how Ambient Mesh uses ztunnel to secure traffic without sidecars. This free lab walks you through joining workloads, observing traffic, verifying mTLS, and applying Layer 4 policies.

Read Lab

Solo Academy Course: Service Mesh Basics

Solo Academy | Learn the fundamentals of service mesh in this free video-led course and get insights into using a service mesh to enhance your observability, security and reliability of your applications

Read Lab

Solo Academy Course: Istio Basics

Solo Academy | Learn the basics of Istio with our free 101 course. Understand what Istio is, how it works, and its features for traffic management, security, and observability in microservices and Kubernetes.

Read Lab

Solo Academy Course: Envoy Basics

Solo Academy | Master Envoy Proxy basics with our free 101 level course. Learn about the architecture, advanced load balancing, observability, and role in microservices, Kubernetes, and service meshes

Read Lab

Solo Academy Course: API Gateway Basics

Solo Academy | Learn API Gateway fundamentals in Kubernetes with this free beginner level video-led course. Discover how API Gateways control traffic, secure connectivity, and complement microservices architecture

Read Lab

Solo Academy Course: Get Started with Istio Service Mesh

Solo Academy | A fundamental level workshop for developers and operators to learn Istio service mesh. Install Istio, secure services, control traffic, and earn a Solo.io certification through hands-on labs.

Read Lab

Solo Academy Course: Introduction to Envoy Proxy

Solo Academy | Hands-on workshop introducing the core concepts of Envoy Proxy. Learn how Envoy works under the hood from its architecture, filter chains, and request flow and beyond the abstractions of service meshes and API gateways.

Read Lab

Solo Academy Course: Deploying Istio for Production

Solo Academy | Free hands-on workshop for operators looking to deploy Istio in production. Learn advanced routing, observability, security, mTLS, and multi-cluster setup and g free certification.

Read Lab

Kgateway Lab: Integrating kgateway with Istio at Ingress

Explore how to integrate kgateway's ingress gateway with Istio Ambient Mesh in this free hands-on lab. Learn to deploy workloads, configure Gateway and Route resources, and enable automatic mutual TLS between the gateway and backend services.

Read Lab

Kgateway Lab: Kgateway as a Waypoint

Learn how to deploy and configure kgateway as a waypoint in Istio Ambient Mesh. This free hands-on lab walks you through managing east-west traffic, applying custom policies, and enhancing service communication with enterprise-grade control.

Read Lab

Kgateway AI Lab: Consumption Reporting

kgateway labs | Consumption Reporting

Read Lab

Kgateway AI Lab: Deploying kgateway as an AI Gateway

Learn how to enable the AI extension, configure gateway parameters, and deploy an AI Gateway using kgateway to route requests to large language models (LLMs) from within your Kubernetes cluster.

Read Lab

Kagent Lab: How to build an AI agent

Create Your First AI Agent with Kagent in Kubernetes

Read Lab

Kagent Lab: Integrate tools from MCP servers with kagent

Kagent Lab: Integrate tools from MCP servers with kagent

Read Lab

Gloo AI Gateway Hands-On Lab: Semantic Caching

Gloo AI Gateway Labs | Semantic Caching with Gloo AI Gateway

Read Lab

Kgateway AI Lab: Credentials Management

kgateway labs | Managing LLM Credentials with kgateway - AI Gateway

Read Lab

Kgateway AI Lab: Prompt Enrichment

Kgateway labs | Managing Prompts for Enhanced LLM Performance

Read Lab

Kgateway AI Lab: Prompt Guards

kgateway labs | Content Safety with Prompt Guards

Read Lab

Ambient Mesh Lab: Migrating from Sidecar to Sidecarless

Ambient Mesh Lab | Migrate from Sidecar-based Service Mesh to Ambient Mesh

Read Lab

Ambient Mesh Lab: Multi-cluster scalability with Istio Ambient Mesh

Mastering Multi-Cluster Scalability with Ambient Mesh

Read Lab

Solo Lab: Gloo Cloud Preview

Simplify Mesh Management with Gloo Cloud: Onboarding, Ingress, Egress, and Service Mesh

Read Lab

Ambient Mesh Lab: Waypoints for Traffic management, Security and Observability

Solo Lab | Waypoints in Ambient Mesh: For L4 and L7 Security, Traffic and Observability Insights

Read Lab

Kgateway Lab: Gateway API inference extensions with kgateway

Exploring the Gateway API Inference Extension with kgateway

Read Lab

Gloo Gateway Lab: Securing access to workloads with Gloo Gateway

Securing Services with Gloo Gateway: TLS Termination and API Keys

Read Lab

Kgateway Lab: Route Delegation in kgateway

Route Delegation in kgateway

Read Lab

Kgateway Lab: Canary releases with Argo Rollouts & kgateway

Canary releases with Argo Rollouts & kgateway

Read Lab

Kgateway Lab: Understanding kgateway and Gateway API policy attachments

Understanding kgateway patterns of extensions

Read Lab

Kgateway Lab: Gateway API support for service mesh with kgateway

GatewayAPI support for service mesh with kgateway

Read Lab

Kgateway Lab: Exploring HTTPRoute resource configurations with kgateway

Exploring HTTPRoute resource configurations with kgateway

Read Lab

Kgateway Lab: Configuring gateways across multiple teams with kgateway

Configuring gateways across multiple teams with kgateway

Read Lab

Kgateway Lab: Configure HTTPS with the Gateway API and kgateway

Configure HTTPS with the Gateway API and kgateway

Read Lab

Kgateway Lab: Understanding the basics of Kubernetes Gateway API with kgateway

Understanding the basics of Kubernetes Gateway API with kgateway

Read Lab

Kgateway Lab: Installing kgateway, an open-source implementation of the Kubernetes Gateway API

Installing kgateway, an open-source implementation of the Kubernetes Gateway API

Read Lab

Ambient Mesh Lab: Employing circuit breaking in Ambient Mesh

Join our free, on-demand lab Employing Circuit Breaking to safeguard services with Istio Ambient mode. Learn to deploy waypoints, configure circuit breaking, and monitor using metrics, logs, and Prometheus.

Read Lab

Ambient Mesh Lab: Configuring Fault Injection in Ambient Mesh

Join our free, on-demand lab Configuring Fault Injection to enhance resiliency with Istio Ambient mode. Learn to observe system latency, configure delays, timeouts, retries, and augment with outlier detection.

Read Lab

Ambient Mesh Lab: Using Outlier Detection with Ambient Mesh

Join our free, on-demand lab Using Outlier Detection to learn how to configure Istio Ambient mode to avoid unhealthy workloads. Discover steps to implement outlier detection, assess workload health, and monitor metrics effectively.

Read Lab

Ambient Mesh Lab: Implementing Timeouts with Ambient Mesh

Join our free on-demand lab, Implementing Timeouts, and learn how to protect applications from slow upstream services with Istio. Discover how to prevent indefinite errors, configure and verify timeouts, and decouple resiliency concerns from your apps.

Read Lab

Kgateway Lab: Exposing, Securing, and Rate Limiting with kgateway

Free K8s Gateway Lab: Deploy, Secure, and Rate Limiting with Solo's Open Source Gateway

Read Lab

Ambient Mesh Lab: Traffic routing with waypoints in Ambient Mesh

Learn how to route traffic using waypoint proxies in ambient mesh.

Read Lab

Ambient Mesh Lab: Secure Your Cluster with Ambient Mesh and mTLS

Learn how to secure services in your Kubernetes cluster using ambient mesh and mTLS.

Read Lab

Ambient Mesh Lab: Access control with authorization policies

Learn how to enforce access control and write authorization policies for L4 and L7 traffic.

Read Lab

Ambient Mesh Lab: Getting Started with Ambient Mesh

Learn the basics of ambient and how to set up your first environment.

Read Lab

Ambient Mesh Lab: Getting L4 and L7 observability

Learn how to view metrics and traces from L4 and L7 traffic in ambient mesh.

Read Lab

Gloo AI Gateway Hands-On Lab: Prompt Management and Prompt Guards

Sign up for the free, hands-on technical labs.

Read Lab

Gloo AI Gateway Hands-On Lab: Rate Limiting and Model Failover

Sign up for the free, hands-on technical labs.

Read Lab

Gloo AI Gateway Hands-On Lab: RAG and Semantic Caching

Sign up for the free, hands-on technical labs.

Read Lab

Gloo AI Gateway Hands-On Lab: Credentials and Access Control

Sign up for the free, hands-on technical labs.

Read Lab

Gartner® Report: How to Adapt Your API Strategy to Succeed in the AI Era

As organizations unlock the potential of generative AI, one thing is clear: a modern, scalable API strategy is essential. In this complimentary Gartner® report learn how software engineering leaders can evolve their API programs to accelerate innovation, reduce risk, and control costs in the AI era.

Read Report

Omni-Directional API Management for Platform Engineering

Get to grips with API management in the age of cloud and AI. Discover the benefits of Omni-directional API management and learn about its pivotal role in architecture modernization.

Read Report

Sidecar-Less Istio Explained

Learn how Solo.io is lowering the barrier to service mesh adoption with Ambient Mode. Discover how you can deploy Istio ambient mode in production with the help of Gloo Mesh.

Read Report

API Gateway Resource Kit

A service mesh is a dedicated infrastructure layer that helps manage and secure communications between microservices within a distributed application.

Read Blog

Service Mesh Resource Kit

A service mesh is a dedicated infrastructure layer that helps manage and secure communications between microservices within a distributed application.

Read Blog

Guide to Migrating from Ingress to Gateway API

Migrate your project from ingress-nginx and the Ingress API to the Kubernetes Gateway API with kgateway—an open-source Gateway project powered by Envoy.

Read Whitepaper

Migrating from Sidecars to Sidecarless Istio Ambient Mesh

In our white paper Migrating from Sidecars to Sidecarless to Ambient Mesh, we share how sidecars and Ambient mode can work together, allowing for a gradual migration strategy.

Read Whitepaper

Introduction and Best Practices to AI Gateways

Read Whitepaper

Choosing the Right AI Gateway For You

Read our white paper and learn how to select the right AI Gateway to help you navigate the challenges of working with AI workloads. 

Read Whitepaper

Solo.io’s Guide to Navigating GenAI Complexity

Read Whitepaper

Unlocking Business Efficiency with Service Mesh Updates in AWS

Read Whitepaper

Evolve Your API Management

Read Whitepaper

Transitioning From App Mesh to Istio for AWS EKS

Read Whitepaper

How Service Mesh Supports a Zero Trust Architecture

Read Whitepaper

Achieve Compliance, Zero Trust with Istio Ambient Mode

Read Whitepaper

Get started

See why Solo.io is the leading provider of API Gateway and service mesh solutions.

Learn more

Istio support

Is Istio not working properly for you? Are you having performance issues with your Istio instance? Is there an upgrade you need to manage on multiple clusters?

Get support

Pricing

Reach out for tailored pricing options and step into a future of enhanced connectivity.

Get Started

Book a Gloo AI Gateway demo

Powered by Istio, Gloo Mesh empowers platform engineering teams to boost security, resiliency, and observability.

Get started

Book a Gloo Gateway demo

Gloo Gateway is a fast, Kubernetes-
native API gateway packed with features IT operations teams need to deliver a full lifecycle security strategy for their cloud-native environments.

Get started

Gloo Mesh - Ambient Readiness Assessment

A free program designed to assess your readiness for Istio Ambient adoption and prove the business benefits based on your own environment.

Get started

Book a Gloo Mesh demo

A free program designed to assess your readiness for Istio Ambient adoption and prove the business benefits based on your own environment.

Get started

Case Studies

Learn more

Ebooks

Learn more

Labs

Learn more

Reports

Read Reports

Resource Kits

See Resource Kits

Webinars

A free program designed to assess your readiness for Istio Ambient adoption and prove the business benefits based on your own environment.

Watch Webinars

Whitepapers

A free program designed to assess your readiness for Istio Ambient adoption and prove the business benefits based on your own environment.

Read Whitepapers

Gloo AI Gateway

Secure, observe, and control your AI applications with Gloo AI Gateway, the leading cloud native gateway built on Envoy.

Learn more

Gloo Gateway

The future of cloud APIs is omni.

Learn more

Gloo Mesh

Connecting, securing, controlling, and observing microservice communication is tough. We make it accessible to all.

Learn more

Datasheets

Read Datasheets

Infographics

Read Infographics

Videos

Watch Videos

Cloud connectivity done right

Get started