• Home
  • Blog
  • Istio 1.5 API Gateway with Gloo

Istio 1.5 API Gateway with Gloo

Christian Posta | April 10, 2020

Gloo is an API Gateway built on Envoy Proxy that highly complements a service mesh like Istio with edge capabilities like transformations, OIDC authentication, OPA authorization, Web Application Firewalling (WAF), and others. A lot of our Solo.io customers combine the two to replace legacy API Management vendors. I’ve written quite a bit about the overlap and complementary roles of API Gateways and Service Mesh. We’ve explored combining Istio and Gloo in previous blog posts as well.

In the Istio 1.5 release, many architectural considerations have changed with out folks deploy and manage Istio. The way mTLS is implemented in Istio has also changed a bit. For example, In the past, Istio would create secrets for each service account and mount those in for the workloads to assume their identity. That has now changed. Istio uses Envoy’s SDS to distribute workload identity/certificates by default with Istio 1.5 now.

We’ve integrated with Istio SDS for a while now while giving the option to use SDS (more secure) or the secret mounting approach, but now with the Istio 1.5 change, among some of the other ways it implements SDS, we’ve updated our Gloo Documentation to show how to get Gloo working with Istio 1.5.

There are two different approaches to doing this. The supported way for Gloo OSS is to load an Istio proxy (and istio-agent) to connect to the mesh and pull down the certificates and allow upstreams to use that. This requires, unfortunately, running another Envoy next to the Gloo proxy (also based on Envoy) that does nothing other than pull down certificates. This is the recommended way to accomplish integration with SDS and Istio. However, for GlooEE, we feel we can do better. We have a custom build of the istio-agent that can serve SDS for Istio without the need for running an entirely separate Envoy. This slims down the deployment of the Gloo API Gateway when integrating with Istio. Reach out to us on Slack or through the Solo.io website to hear more about this.

See this short video demo of Gloo + Istio 1.5

Check out combining Gloo with Istio by starting with the documentation. Join our slack [https://slack.solo.io] if you have any questions or issues you’d like to discuss (anything Service Mesh, API Gateway, Envoy, Web Assembly, etc!)

[featured_boxes class=”featured-box”]

Learn More

[/featured_boxes]

About the Author
Christian Posta Headshot 24 Christian Posta
Christian Posta (@christianposta) is Global Field CTO at Solo.io supporting customers and end users in their adoption of cloud-native technologies. He is an author for Manning and O’Reilly publications, open source contributor, blogger and sought after speaker on Envoy Proxy and Kubernetes technologies. Prior to Solo.io, Chrisitan was a Chief Architect at Red Hat, FuseSource and held engineering positions at organizations like Wells Fargo, Apollo Group, Intel.
Additional Resources
post
Implementing a Custom Integration in the Gateway: An Example With AWS SigV4

April 24, 2024

Read the Article
post
Comparing AWS App Mesh and Istio for AWS Users

April 23, 2024

Read the Article
infographic
Gloo Gateway vs. Apigee
View the Infographic
post
The Battle of Titans: Kong vs. Gloo Gateway

April 19, 2024

Read the Article