Installing Gloo Gateway on Kubernetes

Install command line tool (CLI)

The glooctl command line provides useful functions to install, configure, and debug Gloo, though it is not required to use Gloo.

Verify the CLI is installed and running correctly with:

glooctl --version
glooctl community edition version 0.13.29

Installing the Gloo Gateway on Kubernetes

These directions assume you’ve prepared your Kubernetes cluster appropriately. Full details on setting up your Kubernetes cluster here.

Note: For certain providers with more strict multi-tenant security, like OpenShift, be sure to follow the cluster set up accordingly.

Installing on Kubernetes with glooctl

Once your Kubernetes cluster is up and running, run the following command to deploy the Gloo Gateway to the gloo-system namespace:

glooctl install gateway

Note: You can run the command with the flag --dry-run to output the Kubernetes manifests (as yaml) that glooctl will apply to the cluster instead of installing them.

Installing on Kubernetes with Helm

This is the recommended method for installing Gloo to your production environment as it offers rich customization to the Gloo control plane and the proxies Gloo manages.

As a first step, you have to add the Gloo repository to the list of known chart repositories:

helm repo add gloo https://storage.googleapis.com/solo-public-helm

Finally, install Gloo using the following command:

helm install gloo/gloo --namespace my-namespace

Customizing your installation with Helm

You can customize the Gloo installation by providing your own value file.

For example, you can create a file named value-overrides.yaml with the following content:

rbac:
  # do not create kubernetes rbac resources
  create: false
settings:
  # configure gloo to write generated custom resources to a custom namespace
  writeNamespace: my-custom-namespace

and use it to override default values in the Gloo Helm chart:

helm install gloo/gloo --name gloo-custom-0-7-6 --namespace my-namespace -f value-overrides.yaml

List of Gloo Helm chart values

The table below describes all the values that you can override in your custom values file.

Option Type Default Value Description
namespace.create bool false create the installation namespace
crds.create bool true create CRDs for Gloo (turn off if installing with Helm to a cluster that already has Gloo CRDs)
settings.watchNamespaces[] string whitelist of namespaces for gloo to watch for services and CRDs. Empty list means all namespaces
settings.writeNamespace string namespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Discovery.
settings.integrations.knative.enabled bool false enabled knative components
settings.integrations.knative.version string the version of knative installed to the cluster. if using version < 0.8.0, gloo will use Knative’s ClusterIngress API for configuration rather than the namespace-scoped Ingress
settings.integrations.knative.proxy.image.tag string tag for the container
settings.integrations.knative.proxy.image.repository string image name (repository) for the container.
settings.integrations.knative.proxy.image.registry string image prefix/registry e.g. (quay.io/solo-io)
settings.integrations.knative.proxy.image.pullPolicy string image pull policy for the container
settings.integrations.knative.proxy.image.pullSecret string image pull policy for the container
settings.integrations.knative.proxy.httpPort int HTTP port for the proxy
settings.integrations.knative.proxy.httpsPort int HTTPS port for the proxy
settings.integrations.knative.proxy.tracing string tracing configuration
settings.integrations.knative.proxy.replicas int number of instances to deploy
settings.integrations.knative.proxy.resources.limits.memory string amount of memory
settings.integrations.knative.proxy.resources.limits.cpu string amount of CPUs
settings.integrations.knative.proxy.resources.requests.memory string amount of memory
settings.integrations.knative.proxy.resources.requests.cpu string amount of CPUs
settings.create bool false create a Settings CRD which configures Gloo controllers at boot time
settings.extensions interface
settings.singleNamespace bool false Enable to use install namespace as WatchNamespace and WriteNamespace
gloo.deployment.image.tag string 0.19.1 tag for the container
gloo.deployment.image.repository string gloo image name (repository) for the container.
gloo.deployment.image.registry string image prefix/registry e.g. (quay.io/solo-io)
gloo.deployment.image.pullPolicy string image pull policy for the container
gloo.deployment.image.pullSecret string image pull policy for the container
gloo.deployment.xdsPort int 9977 port where gloo serves xDS API to Envoy
gloo.deployment.stats bool true enable prometheus stats
gloo.deployment.floatingUserId bool false set to true to allow the cluster to dynamically assign a user ID
gloo.deployment.runAsUser float64 Explicitly set the user ID for the container to run as. Default is 10101
gloo.deployment.replicas int 1 number of instances to deploy
gloo.deployment.resources.limits.memory string amount of memory
gloo.deployment.resources.limits.cpu string amount of CPUs
gloo.deployment.resources.requests.memory string amount of memory
gloo.deployment.resources.requests.cpu string amount of CPUs
discovery.deployment.image.tag string 0.19.1 tag for the container
discovery.deployment.image.repository string discovery image name (repository) for the container.
discovery.deployment.image.registry string image prefix/registry e.g. (quay.io/solo-io)
discovery.deployment.image.pullPolicy string image pull policy for the container
discovery.deployment.image.pullSecret string image pull policy for the container
discovery.deployment.stats bool true enable prometheus stats
discovery.deployment.floatingUserId bool false set to true to allow the cluster to dynamically assign a user ID
discovery.deployment.runAsUser float64 Explicitly set the user ID for the container to run as. Default is 10101
discovery.deployment.replicas int 1 number of instances to deploy
discovery.deployment.resources.limits.memory string amount of memory
discovery.deployment.resources.limits.cpu string amount of CPUs
discovery.deployment.resources.requests.memory string amount of memory
discovery.deployment.resources.requests.cpu string amount of CPUs
discovery.fdsMode string mode for function discovery (blacklist or whitelist). See more info in the settings docs
discovery.enabled bool true enable Discovery features
gateway.enabled bool true enable Gloo API Gateway features
gateway.upgrade bool false Deploy a Job to convert (but not delete) v1 Gateway resources to v2 and not add a ‘live’ label to the gateway-proxy deployment’s pod template. This allows for canary testing of gateway-v2 alongside an existing instance of gloo running with v1 gateway resources and controllers.
gateway.deployment.image.tag string 0.19.1 tag for the container
gateway.deployment.image.repository string gateway image name (repository) for the container.
gateway.deployment.image.registry string image prefix/registry e.g. (quay.io/solo-io)
gateway.deployment.image.pullPolicy string image pull policy for the container
gateway.deployment.image.pullSecret string image pull policy for the container
gateway.deployment.stats bool true enable prometheus stats
gateway.deployment.floatingUserId bool false set to true to allow the cluster to dynamically assign a user ID
gateway.deployment.runAsUser float64 Explicitly set the user ID for the container to run as. Default is 10101
gateway.deployment.replicas int 1 number of instances to deploy
gateway.deployment.resources.limits.memory string amount of memory
gateway.deployment.resources.limits.cpu string amount of CPUs
gateway.deployment.resources.requests.memory string amount of memory
gateway.deployment.resources.requests.cpu string amount of CPUs
gateway.conversionJob.image.tag string 0.19.1 tag for the container
gateway.conversionJob.image.repository string gateway-conversion image name (repository) for the container.
gateway.conversionJob.image.registry string image prefix/registry e.g. (quay.io/solo-io)
gateway.conversionJob.image.pullPolicy string image pull policy for the container
gateway.conversionJob.image.pullSecret string image pull policy for the container
gateway.conversionJob.restartPolicy string Never restart policy to use when the pod exits
gateway.updateValues bool false if true, will use a provided helm helper ‘gloo.updatevalues’ to update values during template render - useful for plugins/extensions
gateway.proxyServiceAccount.disableAutomount bool false disable automunting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gatewayProxies.NAME.kind.deployment.antiAffinity bool configure anti affinity such that pods are prefferably not co-located
gatewayProxies.NAME.kind.deployment.replicas int number of instances to deploy
gatewayProxies.NAME.kind.deployment.resources.limits.memory string amount of memory
gatewayProxies.NAME.kind.deployment.resources.limits.cpu string amount of CPUs
gatewayProxies.NAME.kind.deployment.resources.requests.memory string amount of memory
gatewayProxies.NAME.kind.deployment.resources.requests.cpu string amount of CPUs
gatewayProxies.NAME.kind.daemonSet.hostPort bool whether or not to enable host networking on the pod. Only relevant when running as a DaemonSet
gatewayProxies.NAME.podTemplate.image.tag string tag for the container
gatewayProxies.NAME.podTemplate.image.repository string image name (repository) for the container.
gatewayProxies.NAME.podTemplate.image.registry string image prefix/registry e.g. (quay.io/solo-io)
gatewayProxies.NAME.podTemplate.image.pullPolicy string image pull policy for the container
gatewayProxies.NAME.podTemplate.image.pullSecret string image pull policy for the container
gatewayProxies.NAME.podTemplate.httpPort int HTTP port for the gateway service
gatewayProxies.NAME.podTemplate.httpsPort int HTTPS port for the gateway service
gatewayProxies.NAME.podTemplate.extraPorts[] interface extra ports for the gateway pod
gatewayProxies.NAME.podTemplate.extraAnnotations.NAME string extra annotations to add to the pod
gatewayProxies.NAME.podTemplate.nodeName string name of node to run on
gatewayProxies.NAME.podTemplate.nodeSelector.NAME string label selector for nodes
gatewayProxies.NAME.podTemplate.tolerations[].key string
gatewayProxies.NAME.podTemplate.tolerations[].operator string
gatewayProxies.NAME.podTemplate.tolerations[].value string
gatewayProxies.NAME.podTemplate.tolerations[].effect string
gatewayProxies.NAME.podTemplate.tolerations[].tolerationSeconds int64
gatewayProxies.NAME.podTemplate.probes bool enable liveness and readiness probes
gatewayProxies.NAME.podTemplate.resources.limits.memory string amount of memory
gatewayProxies.NAME.podTemplate.resources.limits.cpu string amount of CPUs
gatewayProxies.NAME.podTemplate.resources.requests.memory string amount of memory
gatewayProxies.NAME.podTemplate.resources.requests.cpu string amount of CPUs
gatewayProxies.NAME.podTemplate.disableNetBind bool don’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024
gatewayProxies.NAME.podTemplate.runUnprivileged bool run envoy as an unprivileged user
gatewayProxies.NAME.podTemplate.floatingUserId bool set to true to allow the cluster to dynamically assign a user ID
gatewayProxies.NAME.podTemplate.runAsUser float64 Explicitly set the user ID for the container to run as. Default is 10101
gatewayProxies.NAME.configMap.data.NAME string
gatewayProxies.NAME.service.type string gateway service type. default is LoadBalancer
gatewayProxies.NAME.service.httpPort int HTTP port for the gateway service
gatewayProxies.NAME.service.httpsPort int HTTPS port for the gateway service
gatewayProxies.NAME.service.clusterIP string static clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP
gatewayProxies.NAME.service.extraAnnotations.NAME string
gatewayProxies.NAME.service.externalTrafficPolicy string
gatewayProxies.NAME.tracing.provider string
gatewayProxies.NAME.tracing.cluster string
gatewayProxies.NAME.gatewaySettings.disableGeneratedGateways bool set to true to disable the gateway generation for a gateway proxy
gatewayProxies.NAME.gatewaySettings.useProxyProto bool use proxy protocol
gatewayProxies.NAME.gatewaySettings.customHttpGateway string custom yaml to use for http gateway settings
gatewayProxies.NAME.gatewaySettings.customHttpsGateway string custom yaml to use for https gateway settings
gatewayProxies.NAME.extraContainersHelper string
gatewayProxies.NAME.stats bool enable prometheus stats
gatewayProxies.NAME.readConfig bool expose a read-only subset of the envoy admin api
gatewayProxies.gatewayProxyV2.kind.deployment.antiAffinity bool false configure anti affinity such that pods are prefferably not co-located
gatewayProxies.gatewayProxyV2.kind.deployment.replicas int 1 number of instances to deploy
gatewayProxies.gatewayProxyV2.kind.deployment.resources.limits.memory string amount of memory
gatewayProxies.gatewayProxyV2.kind.deployment.resources.limits.cpu string amount of CPUs
gatewayProxies.gatewayProxyV2.kind.deployment.resources.requests.memory string amount of memory
gatewayProxies.gatewayProxyV2.kind.deployment.resources.requests.cpu string amount of CPUs
gatewayProxies.gatewayProxyV2.kind.daemonSet.hostPort bool whether or not to enable host networking on the pod. Only relevant when running as a DaemonSet
gatewayProxies.gatewayProxyV2.podTemplate.image.tag string 0.19.1 tag for the container
gatewayProxies.gatewayProxyV2.podTemplate.image.repository string gloo-envoy-wrapper image name (repository) for the container.
gatewayProxies.gatewayProxyV2.podTemplate.image.registry string image prefix/registry e.g. (quay.io/solo-io)
gatewayProxies.gatewayProxyV2.podTemplate.image.pullPolicy string image pull policy for the container
gatewayProxies.gatewayProxyV2.podTemplate.image.pullSecret string image pull policy for the container
gatewayProxies.gatewayProxyV2.podTemplate.httpPort int 8080 HTTP port for the gateway service
gatewayProxies.gatewayProxyV2.podTemplate.httpsPort int 8443 HTTPS port for the gateway service
gatewayProxies.gatewayProxyV2.podTemplate.extraPorts[] interface extra ports for the gateway pod
gatewayProxies.gatewayProxyV2.podTemplate.extraAnnotations.NAME string extra annotations to add to the pod
gatewayProxies.gatewayProxyV2.podTemplate.nodeName string name of node to run on
gatewayProxies.gatewayProxyV2.podTemplate.nodeSelector.NAME string label selector for nodes
gatewayProxies.gatewayProxyV2.podTemplate.tolerations[].key string
gatewayProxies.gatewayProxyV2.podTemplate.tolerations[].operator string
gatewayProxies.gatewayProxyV2.podTemplate.tolerations[].value string
gatewayProxies.gatewayProxyV2.podTemplate.tolerations[].effect string
gatewayProxies.gatewayProxyV2.podTemplate.tolerations[].tolerationSeconds int64
gatewayProxies.gatewayProxyV2.podTemplate.probes bool false enable liveness and readiness probes
gatewayProxies.gatewayProxyV2.podTemplate.resources.limits.memory string amount of memory
gatewayProxies.gatewayProxyV2.podTemplate.resources.limits.cpu string amount of CPUs
gatewayProxies.gatewayProxyV2.podTemplate.resources.requests.memory string amount of memory
gatewayProxies.gatewayProxyV2.podTemplate.resources.requests.cpu string amount of CPUs
gatewayProxies.gatewayProxyV2.podTemplate.disableNetBind bool false don’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024
gatewayProxies.gatewayProxyV2.podTemplate.runUnprivileged bool false run envoy as an unprivileged user
gatewayProxies.gatewayProxyV2.podTemplate.floatingUserId bool false set to true to allow the cluster to dynamically assign a user ID
gatewayProxies.gatewayProxyV2.podTemplate.runAsUser float64 Explicitly set the user ID for the container to run as. Default is 10101
gatewayProxies.gatewayProxyV2.configMap.data.NAME string
gatewayProxies.gatewayProxyV2.service.type string LoadBalancer gateway service type. default is LoadBalancer
gatewayProxies.gatewayProxyV2.service.httpPort int 80 HTTP port for the gateway service
gatewayProxies.gatewayProxyV2.service.httpsPort int 443 HTTPS port for the gateway service
gatewayProxies.gatewayProxyV2.service.clusterIP string static clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP
gatewayProxies.gatewayProxyV2.service.extraAnnotations.NAME string
gatewayProxies.gatewayProxyV2.service.externalTrafficPolicy string
gatewayProxies.gatewayProxyV2.tracing.provider string
gatewayProxies.gatewayProxyV2.tracing.cluster string
gatewayProxies.gatewayProxyV2.gatewaySettings.disableGeneratedGateways bool false set to true to disable the gateway generation for a gateway proxy
gatewayProxies.gatewayProxyV2.gatewaySettings.useProxyProto bool false use proxy protocol
gatewayProxies.gatewayProxyV2.gatewaySettings.customHttpGateway string custom yaml to use for http gateway settings
gatewayProxies.gatewayProxyV2.gatewaySettings.customHttpsGateway string custom yaml to use for https gateway settings
gatewayProxies.gatewayProxyV2.extraContainersHelper string
gatewayProxies.gatewayProxyV2.stats bool true enable prometheus stats
gatewayProxies.gatewayProxyV2.readConfig bool false expose a read-only subset of the envoy admin api
ingress.enabled bool false
ingress.deployment.image.tag string tag for the container
ingress.deployment.image.repository string image name (repository) for the container.
ingress.deployment.image.registry string image prefix/registry e.g. (quay.io/solo-io)
ingress.deployment.image.pullPolicy string image pull policy for the container
ingress.deployment.image.pullSecret string image pull policy for the container
ingress.deployment.replicas int number of instances to deploy
ingress.deployment.resources.limits.memory string amount of memory
ingress.deployment.resources.limits.cpu string amount of CPUs
ingress.deployment.resources.requests.memory string amount of memory
ingress.deployment.resources.requests.cpu string amount of CPUs
ingress.requireIngressClass bool only serve traffic for Ingress objects with the annotation ‘kubernetes.io/ingress.class: gloo”
ingressProxy.deployment.image.tag string tag for the container
ingressProxy.deployment.image.repository string image name (repository) for the container.
ingressProxy.deployment.image.registry string image prefix/registry e.g. (quay.io/solo-io)
ingressProxy.deployment.image.pullPolicy string image pull policy for the container
ingressProxy.deployment.image.pullSecret string image pull policy for the container
ingressProxy.deployment.httpPort int HTTP port for the ingress container
ingressProxy.deployment.httpsPort int HTTPS port for the ingress container
ingressProxy.deployment.extraPorts[] interface
ingressProxy.deployment.extraAnnotations.NAME string
ingressProxy.deployment.replicas int number of instances to deploy
ingressProxy.deployment.resources.limits.memory string amount of memory
ingressProxy.deployment.resources.limits.cpu string amount of CPUs
ingressProxy.deployment.resources.requests.memory string amount of memory
ingressProxy.deployment.resources.requests.cpu string amount of CPUs
ingressProxy.configMap.data.NAME string
ingressProxy.tracing string
k8s.clusterName string cluster.local cluster name to use when referencing services.
accessLogger.image.tag string 0.19.1 tag for the container
accessLogger.image.repository string access-logger image name (repository) for the container.
accessLogger.image.registry string image prefix/registry e.g. (quay.io/solo-io)
accessLogger.image.pullPolicy string image pull policy for the container
accessLogger.image.pullSecret string image pull policy for the container
accessLogger.port uint 8083
accessLogger.serviceName string AccessLog
accessLogger.enabled bool false
accessLogger.replicas int 1 number of instances to deploy
accessLogger.resources.limits.memory string amount of memory
accessLogger.resources.limits.cpu string amount of CPUs
accessLogger.resources.requests.memory string amount of memory
accessLogger.resources.requests.cpu string amount of CPUs
global.image.tag string tag for the container
global.image.repository string image name (repository) for the container.
global.image.registry string quay.io/solo-io image prefix/registry e.g. (quay.io/solo-io)
global.image.pullPolicy string IfNotPresent image pull policy for the container
global.image.pullSecret string image pull policy for the container
global.extensions interface
global.glooRbac.create bool true create rbac rules for the gloo-system service account
global.glooRbac.Namespaced bool false use Roles instead of ClusterRoles


Verify your Installation

Check that the Gloo pods and services have been created. Depending on your install option, you may see some differences from the following example. And if you choose to install Gloo into a different namespace than the default gloo-system, then you will need to query your chosen namespace instead.

kubectl get all -n gloo-system
NAME                                READY     STATUS    RESTARTS   AGE
pod/discovery-f7548d984-slddk       1/1       Running   0          5m
pod/gateway-5689fd59d7-wsg7f        1/1       Running   0          5m
pod/gateway-proxy-9d79d48cd-wg8b8   1/1       Running   0          5m
pod/gloo-5b7b748dbf-jdsvg           1/1       Running   0          5m

NAME                    TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
service/gateway-proxy   LoadBalancer   10.97.232.107   <pending>     8080:31800/TCP   5m
service/gloo            ClusterIP      10.100.64.166   <none>        9977/TCP         5m

NAME                            DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/discovery       1         1         1            1           5m
deployment.apps/gateway         1         1         1            1           5m
deployment.apps/gateway-proxy   1         1         1            1           5m
deployment.apps/gloo            1         1         1            1           5m

NAME                                      DESIRED   CURRENT   READY     AGE
replicaset.apps/discovery-f7548d984       1         1         1         5m
replicaset.apps/gateway-5689fd59d7        1         1         1         5m
replicaset.apps/gateway-proxy-9d79d48cd   1         1         1         5m
replicaset.apps/gloo-5b7b748dbf           1         1         1         5m

Uninstall

To uninstall Gloo and all related components, simply run the following.

glooctl uninstall

If you installed Gloo to a different namespace, you will have to specify that namespace using the -n option:

glooctl uninstall -n my-namespace

Next Steps

After you’ve installed Gloo, please check out our user guides on Gloo Routing.