Prepare to upgrade

Before you upgrade Gloo Gateway, complete the following preparatory steps:

• Prepare your environment, such as upgrading your current version to the latest patch and upgrading any dependencies to the required supported versions.
• Review important changes made to Gloo Gateway in version 1.18, including CRD, Helm, CLI, and feature changes.
• Review frequently-asked questions about the upgrade process.

Prepare your environment

Review the following preparatory steps that might be required for your environment.

Upgrade your current minor version to the latest patch

Before you upgrade your minor version, first upgrade your current version to the latest patch. For example, if you currently run Gloo Gateway Enterprise version 1.17.3, first upgrade your installation to version 1.17.4. This ensures that your current environment is up-to-date with any bug fixes or security patches before you begin the minor version upgrade process.

1. Find the latest patch of your minor version by checking the Open Source changelog or Enterprise changelog.
2. Go to the documentation set for your current minor version. For example, if you currently run Gloo Gateway Enterprise version 1.17.3, use the drop-down menu in the header of this page to select v 1.17.x.
3. Follow the upgrade guide, using the latest patch for your minor version.

If required, perform incremental minor version updates

If you plan to upgrade to a version that is more than one minor version greater than your current version, such as to version 1.18 from 1.16 or older, you must upgrade incrementally. For example, you must first use the upgrade guide in the v 1.17.x documentation set to upgrade from 1.16 to 1.17, and then follow the upgrade guide in the v 1.18.x documentation set to upgrade from 1.17 to 1.18.

Upgrade dependencies

Check that your underlying infrastructure platform, such as Kubernetes, and other dependencies run a version that is supported for 1.18.

1. Review the supported versions for dependencies such as Kubernetes, Istio, Helm, and more.
2. Compare the supported versions against the versions you currently use.
3. If necessary, upgrade your dependencies, such as consulting your cluster infrastructure provider to upgrade the version of Kubernetes that your cluster runs.

Consider settings to avoid downtime

You might deploy Gloo Gateway in Kubernetes environments that use the Kubernetes load balancer, or in non-Kubernetes environments. Depending on your setup, you can take additional steps to avoid downtime during the upgrade process.

• Kubernetes: Enable Envoy readiness and liveness probes during the upgrade. When these probes are set, Kubernetes sends requests only to the healthy Envoy proxy during the upgrade process, which helps to prevent potential downtime. The probes are not enabled in default installations because they can lead to timeouts or other poor getting started experiences.
• Non-Kubernetes: Configure health checks on Envoy. Then, configure your load balancer to leverage these health checks, so that requests stop going to Envoy when it begins draining connections.

Review version 1.18 changes

Review the following changes made to Gloo Gateway in version 1.18. For some changes, you might be required to complete additional steps during the upgrade process.

Breaking changes

Envoy version 1.31 upgrade

The Envoy dependency in Gloo Gateway 1.18 was upgraded from 1.29.x to 1.31.x. This upgrade includes the following changes. For more information about these changes, see the Envoy changelog documentation.

• Opencensus: Opencensus was marked as deprecated in previous Envoy releases. Starting in the 1.31.x Envoy release, Opencensus is now disabled by default. If Opencensus is set, Envoy rejects the configuration. You can use Envoy’s layered_runtime section to enable deprecated configuration so that you can continue using Opencensus. However, note that Opencensus is completely removed in Envoy version 1.32.x.
• JWT tokens: The behavior for extracting JWT tokens changed in the 1.29.x Envoy release. Previously, the JWT token was cut into non-base64 characters. Now, the entire JWT token is passed for validation. You can no longer revert this change by setting envoy.reloadable_features.token_passed_entirely to false as this option was removed in the 1.31.x Envoy release.
• JWT_authn: Provider URIs that are defined in the jwt_authn section are now validated for RFC-compliance. Envoy might fail to start correctly if non-compliant URIs are found. If the URI validation is too strict, you can temporarily disable it by setting the runtime guard envoy.reloadable_features.jwt_authn_validate_uri to false. Common URI issues that were previously ignored, include:
  • Hostname contains _ (underscore character)
  • URL contains non-English characters (ASCII code > 127)
  • URL contains an unencoded (space character)
  • URL contains TAB (ASCII code 9) or FormFeed (ASCII code 12) characters
• JWT_authn: The provider forward configuration changed. Previously, JWTs could only be removed from headers. Starting in Envoy version 1.31.x, JWTs can now be removed from query parameters. You can temporarily revert this change by setting envoy.reloadable_features.jwt_authn_remove_jwt_from_query_params to false.
• access_log: The following access log format specifiers changed:
  • The upstream connection address is now used for the %UPSTREAM_REMOTE_ADDRESS%, %UPSTREAM_REMOTE_PORT% and %UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT% access log format specifiers. Previously, the upstream host address was used. You can temporarily revert this change by setting the runtime guard envoy.reloadable_features.upstream_remote_address_use_connection to false.
  • The %UPSTREAM_CLUSTER_RAW% access log formatter was added to log the original upstream cluster name, regardless of whether alt_stat_name is set.
  • SNIs are automatically sanitized for potential log injection. The invalid characters are replaced by _ with an invalid: marker. To disable this feature, set envoy.reloadable_features.sanitize_sni_in_access_log is set to false.
• YAML parsing: The behavior for parsing YAML configuration changed. Previously, malformed boolean values and fraction objects that set true or false as a string value, are no longer interpreted as a boolean value. You can revert this change by setting envoy.reloadable_features.reject_invalid_yaml to false.
• HTTP/2: HTTP/2 colon prefixed headers are now sanitized by Envoy. Previously, sanitation was performed by the nghttp2 library, which caused pseudo headers with upper case letters to fail validation. Now, these pseudo headers pass validation. You can temporarily revert this change by setting the runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 to false.
• Local ratelimit: The token bucket implementation changed. Previously, a timer-based token bucket was used to assign tokens to connections. In Envoy 1.31.x, the new AtomicToken bucket is used that is no longer timer-based. Tokens are now automatically refilled when the token bucket is accessed. Because of this change, the x-ratelimit-reset header is no longer sent. You can temporarily revert this change by setting the runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket to false.

New features

Watch namespace based on label

Previously, the namespaces that you wanted Gloo Gateway to watch for resources needed to be provided as a static list via the watchNamespaces setting in the Settings resource and had to be updated manually every time a namespace was added or deleted. Starting in 1.18.0, you can now define the namespaces that you want to watch by using the WatchNamespaceSelectors option on the Settings CR. This way, Gloo Gateway automatically includes new namespaces that have the required selectors.

Label selectors can use exact matches or an In, NotIn, Exists, or DoesNotExist expression. You can also chain label selectors to form logical AND or OR expressions as shown in the following example.

settings: 
  watchNamespaceSelectors: 
    - matchLabels: 
        label: match
    - matchLabels: 
        label: and
    - matchExpressions: 
      - key: expression
        operator: In
        values: 
          - and

For more information, see Specify namespaces to watch for Kuberenetes services and Gloo Gateway CRs.

ARM images

In Gloo Gateway Enterprise, ARM images are now supported for Gloo Gateway components. An image that is tagged with -arm is compatible with ARM64 architectures. Note that ARM images are currently not published for VMs.

Kubernetes 1.30 and 1.31 support

Starting in version 1.18.0, Gloo Gateway can now run on Kubernetes 1.30 and 1.31. For more information about supported Kubernetes, Envoy, and Istio versions, see Supported versions.

Front channel logout

You can configure a front channel logout path on an AuthConfig that configures OIDC authorization code for your apps.

Front channel logout is a security mechanism that is used in the context of Single Sign-On (SSO) and Identity and Access Management (IAM) systems to ensure that when a user logs out of one app or service, they are also automatically logged out of the Identity Provider (IdP) and therefore all related apps and services in a secure and synchronized manner. Without front channel logout, the user is logged out of the requested app only.

For more information, see Front channel logout.

Changelogs

Check the changelogs for the type of Gloo Gateway deployment that you have. Focus especially on any Breaking Changes that might require a different upgrade procedure. For Gloo Gateway Enterprise, you might also review the open source changelogs because most of the proto definitions are open source.

• Open Source changelogs
• Enterprise changelogs: Keep in mind that Gloo Gateway Enterprise pulls in Gloo Gateway Open Source as a dependency. Although the major and minor version numbers are the same for open source and enterprise, their patch versions often differ. For example, open source might use version x.y.a but enterprise uses version x.y.b. If you are unfamiliar with these versioning concepts, see Semantic versioning. Because of the differing patch versions, you might notice different output when checking your version with glooctl version. For example, your API server might run Gloo Gateway Enterprise version 1.18.0, which pulls in Gloo Gateway Open Source version 1.19.0-beta2 as a dependency.

  ~ > glooctl version
  Client: {"version":"
  1.19.0-beta2"}
  Server: {"type":"Gateway","enterprise":true,"kubernetes":...,{"Tag":"
  1.18.0","Name":"grpcserver-ee","Registry":"quay.io/solo-io"},...,{"Tag":"
  1.19.0-beta2","Name":"discovery","Registry":"quay.io/solo-io"},...}
  

Feature changes

Review the following summary of important new, deprecated, or removed features.

New or improved features:

• Apply JWT policy at the route-level: Now, you can apply JWT policies to specific routes by configuring the jwtProvidersStaged settings in the route option. Previously, JWT policies applied at the gateway level and were configured in only the VirtualHost option. With this new feature, you can apply JWT policies at both the route and gateway level. For more information and example steps, see Route-level JWT policy.

Deprecated features:

• GraphQL integration: The GraphQL integration is deprecated in Gloo Gateway 1.18 and will be removed in a future release.
• Plugin Auth: The Plugin Auth feature is deprecated in Gloo Gateway 1.18 and will be removed in a future release. Consider using the Passthrough Auth feature instead.

Helm changes

Review the following summary of important new, deprecated, or removed Helm fields. For full details, see the changelogs.

New Helm fields:

Updated Helm fields:

Deprecated Helm fields:

CRD changes

New CRDs are automatically applied to your cluster when performing a helm install operation, but are not applied when performing an helm upgrade operation. This is a deliberate design choice on the part of the Helm maintainers, given the risk associated with changing CRDs. Given this limitation, you must apply new CRDs to the cluster before upgrading.

Review the following summary of important new, deprecated, or removed CRD updates. For full details, see the changelogs.

As part of the 1.19.0-beta2 release, no CRD changes were introduced.

CLI changes

You must upgrade glooctl before you upgrade Gloo Gateway. Because glooctl can create resources in your cluster, such as with glooctl add route, you might have errors in Gloo Gateway if you create resources with an older version of glooctl.

Review the following summary of important new, deprecated, or removed CLI options. For full details, see the changelogs.

New CLI commands or options:

• glooctl proxy snapshot: Create a snapshot of the current state in Envoy for the purpose of simplified issue reporting and triaging.

As part of the 1.19.0-beta2 release, no CLI changes were introduced.

Changed behavior:–>

Frequently-asked questions

Review the following frequently-asked questions about the upgrade process. If you still aren’t sure about the version upgrade impact, or if your use case doesn’t quite fit the standard upgrade path, feel free to post in the #gloo or #gloo-enterprise channels of our public Slack.

How do I upgrade Gloo Gateway in testing or sandbox environments?

If downtime is not a concern for your use case, you can follow the Quick upgrade guide to update your Gloo Gateway installation.

Note that for sandbox or exploratory environments, the easiest way to upgrade is to uninstall Gloo Gateway by running glooctl uninstall --all. Then, re-install Gloo Gateway at the desired version by the following one of the installation guides.

How do I upgrade Gloo Gateway in a production environment, where downtime is unacceptable?

The basic helm upgrade process is not suitable for environments in which downtime is unacceptable. Instead, you can follow the Canary upgrade guide to deploy multiple version of Gloo Gateway to your cluster, and test the upgrade version before uninstalling the existing version.

Additionally, you might need to take steps to account for other factors such as Gloo Gateway version changes, probe configurations, and external infrastructure like the load balancer that Gloo Gateway uses. Consider setting up liveness probes and healthchecks in your environment.

What happens to my Gloo Gateway CRs during an upgrade? How do I handle breaking changes?

A typical upgrade of Gloo Gateway across minor versions should not cause disruptions to the existing Gloo Gateway state. In the case of a breaking change, Solo will communicate through the upgrade guides, changelogs, or other channels if you must make a specific adjustment to perform the upgrade. Note that you can always use the glooctl debug yaml command to download the current Gloo Gateway state to one large YAML manifest.

Is the upgrade procedure different if I am not a cluster administrator?

If you are not an administrator of your cluster, you might be unable to create custom resource definitions (CRDs) and other cluster-scoped resources, such as cluster roles and cluster role bindings. If you encounter an error related to these resources, you can disable their creation by including the following setting in your Helm values:

global:
  glooRbac:
    create: false

Otherwise, you can try performing an installation of Gloo Gateway that is scoped to a single namespace by including the following setting in your Helm values:

global:
  glooRbac:
    namespaced: true

Why do I get an error about re-creating CRDs when upgrading using helm install or helm upgrade?

Helm v2 does not manage CRDs well, and is not supported in Gloo Gateway. Upgrade to Helm v3, delete the CRDs, and try again.

Why do I get an error about a gateway-certgen job?

The upgrade creates a Kubernetes Job named gateway-certgen to generate a certificate for the validation webhook. The job contains the ttlSecondsAfterFinished value so that the cluster cleans up the job automatically, but because this setting is still in Alpha, your cluster might ignore this value. In this case, you might have an issue while upgrading in which the upgrade attempts to change the gateway-certgen job, but the change fails because the job is immutable. To fix this issue, you can delete the job, which already completed, and re-apply the upgrade.