Upgrade ambient service meshes

Use the Istio Lifecycle Manager to upgrade ambient service meshes in your Gloo Mesh Core clusters.

An in-place upgrade involves restarting the existing the ztunnel pods. As Kubernetes dynamically upgrades the deployment by deleting the old ztunnel pods, all long-lived connections on the node are dropped. You can influence the duration of the downtime with the termination grace period of the ztunnel pod, which determines the drain period. Any TCP connections that are longer than the grace period are dropped.

Upgrade your istiod control plane by editing the IstioLifecycleManager resource in your management cluster. For example, you might update the patch version of Istio by changing the value of istioOperatorSpec.tag. After you save and close the editor, Gloo starts an in-place upgrade of the istiod control planes.
```
  kubectl edit IstioLifecycleManager -n gloo-mesh --context $MGMT_CONTEXT istiod-control-plane
  
```

Verify that the istiod, ztunnel, and Istio CNI pods are successfully redeployed. Note that it might take a few seconds for the pods to become available.

  kubectl get pods --context $REMOTE_CONTEXT -A | grep istio

Example output:

  istio-cni-node-6q26l                    1/1     Running   0          1m3s
istio-cni-node-7gg8k                    1/1     Running   0          1m3s
istio-cni-node-lcrcd                    1/1     Running   0          1m3s
istiod-d765ff7cf-46dbm                  1/1     Running   0          48s
ztunnel-648wc                           1/1     Running   0          48s
ztunnel-6rhp5                           1/1     Running   0          48s
ztunnel-hllxg                           1/1     Running   0          48s

Optional: If you created a GatewayLifecycleManager resource to also deploy an Istio ingress gateway, you can upgrade your gateways by editing the resource in your management cluster. For example, if you updated the patch version of the control plane, you can also update your gateway patch versions by changing the value of istioOperatorSpec.tag. After you save and close the editor, Gloo starts an in-place upgrade of the gateways.
warning
If you are updating the Istio image, be sure to update the istiod control plane via the IstioLifecycleManager first, before you update your gateways. If you update the gateways before the control plane, the gateways might have an outdated image.
```
  kubectl edit GatewayLifecycleManager -n gloo-mesh --context $MGMT_CONTEXT istio-ingressgateway
  
```

In the workload cluster, verify that the ingress gateway pod is successfully redeployed.

  kubectl get pods -n gloo-mesh-gateways --context $REMOTE_CONTEXT

Example output:

  NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-665d46686f-nhh52   1/1     Running   0          60s