Upgrade Gloo-managed service meshes
Use Gloo Mesh Enterprise to upgrade your managed Solo distributions of Istio service meshes.
Istio 1.22 is supported only as patch version 1.22.1-patch0
and later. Do not use patch versions 1.22.0 and 1.22.1, which contain bugs that impact several Gloo Mesh Enterprise routing features that rely on virtual destinations. Additionally, in Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS
environment variable must be set to false
. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
Istio 1.20 is supported only as patch version 1.20.1-patch1
and later. Do not use patch versions 1.20.0 and 1.20.1, which contain bugs that impact several Gloo Mesh Enterprise features that rely on Istio ServiceEntries.
If you have multiple external services that use the same host and plan to use Istio 1.20, 1.21, or 1.22, you must use patch versions 1.20.7, 1.21.3, or 1.22.1-patch0 or later to ensure that the Istio service entry that is created for those external services is correct.
Introduction
After you deploy Gloo-managed service meshes, changes that you make to the IstioLifecycleManager
and GatewayLifecycleManager
resources are automatically propagated to your Istio installations. In some cases, these changes might require updates to your control plane or gateway deployments. Depending on the type of change, you apply updates to the installations by using an in-place upgrade or a revisioned canary upgrade.
In-place upgrade
In an in-place upgrade, Gloo upgrades your existing control plane or gateway installations. In-place upgrades behave differently based on whether your installation is revisionless or revisioned.
Revisionless (testing only): If your testing-only installation is revisionless (your settings omit the revision
and gatewayRevision
fields), in-place upgrades are triggered when you apply changes to any field in the istioInstallations
section.
Revisioned: If your installation is revisioned, in-place upgrades are triggered only when you apply changes to one of the following fields in the istioInstallations
section. Otherwise, a canary upgrade is required. You can change this behavior by setting the spec.installations.skipUpgradeValidation
boolean value to true
in the IstioLifecycleManager
and GatewayLifecycleManager
resources.
istioOperatorSpec.tag
patch version- In-place upgrades are not supported for downgrading the patch version.
- In-place upgrades are not supported if you do not already specify a
tag
value, such as if you want to switch from theauto
setting to a specific version. This is because you must also specifyhub
andrevision
values, which require a canary upgrade.
istioOperatorSpec.meshConfig
values
Multicluster
Get the names of your managed Istio installation resources.
Upgrade your istiod control plane by editing the
IstioLifecycleManager
resource. For example, you might update the patch version of Istio by changing the value ofistioOperatorSpec.tag
. After you save and close the editor, Gloo starts an in-place upgrade of theistiod
control planes.If you created
GatewayLifecycleManager
resources for ingress, egress, or east-west gateways, you can upgrade your gateways by editing each resource. For example, if you updated the patch version of the control plane, you can also update your gateway patch versions by changing the value ofistioOperatorSpec.tag
. After you save and close the editor, Gloo starts an in-place upgrade of the gateways.If you are updating the Istio image, be sure to update theistiod
control plane via the IstioLifecycleManager first, before you update your gateways. If you update the gateways before the control plane, the gateways might have an outdated image.Verify that your Istio resources are updated.
Single cluster
Get the names of your managed Istio installation resources.
Upgrade your istiod control plane by editing the
IstioLifecycleManager
resource. For example, you might update the patch version of Istio by changing the value ofistioOperatorSpec.tag
. After you save and close the editor, Gloo starts an in-place upgrade of theistiod
control planes.If you created
GatewayLifecycleManager
resources for ingress, egress, or east-west gateways, you can upgrade your gateways by editing each resource. For example, if you updated the patch version of the control plane, you can also update your gateway patch versions by changing the value ofistioOperatorSpec.tag
. After you save and close the editor, Gloo starts an in-place upgrade of the gateways.If you are updating the Istio image, be sure to update theistiod
control plane via the IstioLifecycleManager first, before you update your gateways. If you update the gateways before the control plane, the gateways might have an outdated image.Verify that your Istio resources are updated.
Revisioned canary upgrade
In a canary upgrade, you install another Istio installation (canary) alongside your active installation. Each installation is revisioned so that you can easily identify and verify the separate settings and resources for each installation.
Perform a canary upgrade when you change one of the following fields:
istioOperatorSpec.tag
minor versionistioOperatorSpec.hub
repository, such as switching to the repository for the minor version of the Solo distribution of Istio that you want to upgrade tocomponents
,profile
,values
, ornamespace
in theistioOperatorSpec
Keep in mind the following considerations:
- During a canary upgrade, the validating admissions webhook is enabled only for the canary installation to prevent issues that occur when multiple webhooks are enabled.
- If you plan to run multiple revisions of Istio in your cluster and use
discoverySelectors
in each revision to discover the resources in specific namespaces, enable theglooMgmtServer.extraEnvs.IGNORE_REVISIONS_FOR_VIRTUAL_DESTINATION_TRANSLATION
environment variable on the Gloo management server. For more information, see Multiple Istio revisions in the same cluster.
Multicluster
OpenShift only: Elevate the permissions of the service account that will be created for the new revision’s operator project. This permission allows the Istio sidecar to make use of a user ID that is normally restricted by OpenShift. Replace the revision with the revision you plan to use.
Get the names of your managed Istio installation resources.
Edit the
IstioLifecycleManager
resource for theistiod
control plane to add another installation entry for the canary revision. For the canary revision, be sure to setdefaultRevision
tofalse
so that only the existing revision continues to run.For example, if you upgrade to Istio 1.24.2, add the following
1-24
canary revision as a new entry in theinstallations
section:Updating the minor version of Istio? In your canary revision section, be sure to update both the repo key in thehub
field, and the Istio version in thetag
field. You can get the repo key for the Istio version that you want to install from the Istio images built by Solo.io support article.If you created
GatewayLifecycleManager
resources for ingress, egress, or east-west gateways, edit those resources to add another installation entry for the canary revision. Be sure to setactiveGateway
tofalse
so that only the existing revision continues to run.If you are updating the Istio image, be sure to update theistiod
control plane via the IstioLifecycleManager first, before you update your gateways. If you update the gateways before the control plane, the gateways might have an outdated image.
If you disable the load balancer services that are defined by default in the GatewayLifecycleManager, and instead maintain your own services to expose the gateways, you can later switch from the old to the new gateways by updating the services to point to the new gateways. However, note that due to an upstream Istio bug, it can takeistiod
up to 10 minutes to reconfigure the gateway listener for the updated ports on the service. To avoid this delay, you can expose the canary gateway with at least a ClusterIP service so that the control plane detects the service's ports immediately at deployment time.For example, if you upgrade to Istio 1.24.2, add the following
1-24
canary revision as a new entry in theinstallations
section:For most use cases, you can set therevision
for the IstioLifecycleManager and thegatewayRevision
for the GatewayLifecycleManager to the same version. However, gateway installations can point to any istiod control plane revision by using thecontrolPlaneRevision
field. For simplicity, if you do not specifycontrolPlaneRevision
, the gateway installation uses a control plane with the same revision as itself.Verify that Istio resources for the canary installation are created. For example, if you updated the Istio minor version to
1.24.2
, verify that resources are created in thegm-iop-1-24
namespace, and that resources for1-24
are created alongside the existing resources for the previous version in theistio-system
andgloo-mesh-gateways
namespaces. Note that the gateway load balancers for the canary revision contain the revision in the name, such asistio-ingressgateway-1-24
.After performing any necessary testing, switch to the new
istiod
control plane revision by changingdefaultRevision
tofalse
for the old revision and totrue
for the new revision.Example:
In your workload clusters, update the labels on your service namespaces to use the new revision.
For any namespace where you run Istio-managed apps, change the label to use the new revision, such as in these example commands.
For example, if you installed the Bookinfo sample app:
If you did not previously use revision labels for your apps, you can upgrade your application's sidecars by runningkubectl label ns <namespace> istio-injection-
andkubectl label ns <namespace> istio.io/rev=<revision>
.Update any Istio-managed apps by rolling out restarts. The Istio sidecars for each microservice are updated to use the new Istio version. Make sure that you only restart one microservice at a time. For example, in the following commands to update the Bookinfo microservices, 20 seconds elapse between each restart to ensure that the pods have time to start running.
Verify that your workloads and new gateways point to the new revision.
Example output:
Switch to any new gateways by changing
activeGateway
tofalse
for the old revision and totrue
for the new revision.Example:
New load balancers are created for the canary gateways. To instead change the control plane revision in use by the existing gateway load balancers, you can set theistio.io/rev
label on the gateway deployment, which triggers a rolling restart.Verify that the active gateways for the new revision are created, which do not have the revision appended to the name. Note that gateways for the inactive revision that you previously ran also exist in the namespace, in the case that a rollback is required.
Example output, in which the active gateway (
istio-ingressgateway
) for the new revision and inactive gateway (such asistio-ingressgateway-1-23
) for the old revision are created:To uninstall the previous installation, or if you need to uninstall the canary installation, you can edit the
IstioLifecycleManager
andGatewayLifecycleManager
resources to remove the revision’s entry from theinstallations
list.
Single cluster
OpenShift only: Elevate the permissions of the service account that will be created for the new revision’s operator project. This permission allows the Istio sidecar to make use of a user ID that is normally restricted by OpenShift. Replace the revision with the revision you plan to use.
Get the names of your managed Istio installation resources.
Edit the
IstioLifecycleManager
resource for theistiod
control plane to add another installation entry for the canary revision. For the canary revision, be sure to setdefaultRevision
tofalse
so that only the existing revision continues to run.For example, if you upgrade to Istio 1.24.2, add the following
1-24
canary revision as a new entry in theinstallations
section:Updating the minor version of Istio? In your canary revision section, be sure to update both the repo key in thehub
field, and the Istio version in thetag
field. You can get the repo key for the Istio version that you want to install from the Istio images built by Solo.io support article.If you created
GatewayLifecycleManager
resources for ingress, egress, or east-west gateways, edit those resources to add another installation entry for the canary revision. Be sure to setactiveGateway
tofalse
so that only the existing revision continues to run.If you are updating the Istio image, be sure to update theistiod
control plane via the IstioLifecycleManager first, before you update your gateways. If you update the gateways before the control plane, the gateways might have an outdated image.
If you disable the load balancer services that are defined by default in the GatewayLifecycleManager, and instead maintain your own services to expose the gateways, you can later switch from the old to the new gateways by updating the services to point to the new gateways. However, note that due to an upstream Istio bug, it can takeistiod
up to 10 minutes to reconfigure the gateway listener for the updated ports on the service. To avoid this delay, you can expose the canary gateway with at least a ClusterIP service so that the control plane detects the service's ports immediately at deployment time.For example, if you upgrade to Istio 1.24.2, add the following
1-24
canary revision as a new entry in theinstallations
section:For most use cases, you can set therevision
for the IstioLifecycleManager and thegatewayRevision
for the GatewayLifecycleManager to the same version. However, gateway installations can point to any istiod control plane revision by using thecontrolPlaneRevision
field. For simplicity, if you do not specifycontrolPlaneRevision
, the gateway installation uses a control plane with the same revision as itself.Verify that Istio resources for the canary installation are created. For example, if you updated the Istio minor version to
1.24.2
, verify that resources are created in thegm-iop-1-24
namespace, and that resources for1-24
are created alongside the existing resources for the previous version in theistio-system
andgloo-mesh-gateways
namespaces. Note that the gateway load balancers for the canary revision contain the revision in the name, such asistio-ingressgateway-1-24
.After performing any necessary testing, switch to the new
istiod
control plane revision by changingdefaultRevision
tofalse
for the old revision and totrue
for the new revision.Example:
Update the labels on your service namespaces to use the new revision.
For any namespace where you run Istio-managed apps, change the label to use the new revision, such as in these example commands.
For example, if you installed the Bookinfo sample app:
If you did not previously use revision labels for your apps, you can upgrade your application's sidecars by runningkubectl label ns <namespace> istio-injection-
andkubectl label ns <namespace> istio.io/rev=<revision>
.Update any Istio-managed apps by rolling out restarts. The Istio sidecars for each microservice are updated to use the new Istio version. Make sure that you only restart one microservice at a time. For example, in the following commands to update the Bookinfo microservices, 20 seconds elapse between each restart to ensure that the pods have time to start running.
Verify that your workloads and new gateways point to the new revision.
Example output:
Switch to any new gateways by changing
activeGateway
tofalse
for the old revision and totrue
for the new revision.Example:
New load balancers are created for the canary gateways. To instead change the control plane revision in use by the existing gateway load balancers, you can set theistio.io/rev
label on the gateway deployment, which triggers a rolling restart.Verify that the active gateways for the new revision are created, which do not have the revision appended to the name. Note that gateways for the inactive revision that you previously ran also exist in the namespace, in the case that a rollback is required.
Example output, in which the active gateway (
istio-ingressgateway
) for the new revision and inactive gateway (such asistio-ingressgateway-1-23
) for the old revision are created:To uninstall the previous installation, or if you need to uninstall the canary installation, you can edit the
IstioLifecycleManager
andGatewayLifecycleManager
resources to remove the revision’s entry from theinstallations
list.