Upgrade Istio service meshes with Helm

Overview link

Before you upgrade your service mesh components, review the following limitations and recommendations.

Revision and canary upgrade limitations

The upgrade guides in this documentation show you how to perform in-place upgrades for your Istio components, which is the recommended upgrade strategy.

Version and license requirements

1. Verify that the minor version of the Solo distribution of Istio that you want to upgrade to is tested and supported for your Gloo Mesh version. To find the available patch versions, you can get the minor version repo URL from the Istio images built by Solo.io support article, and check the patch version builds in that repo.

2. Check the Istio release notes for the upgrade version to prepare for any breaking changes.

3. Be sure to review the following known Istio version restrictions.

   warning

   In the Solo distribution of Istio 1.25 and later, you can access enterprise-level features by passing your Solo license in the license.value or license.secretRef field of your Solo istiod Helm chart. The Helm chart that is provided by Solo includes safeguards, default settings, and upgrade handling to ensure a reliable and secure Istio deployment. Although you can pass the license key in the pilot.env.SOLO_LICENSE_KEY field of the open source Istio Helm chart, this method is not recommended. For best results, we strongly recommend using the Solo Helm chart to install and manage Istio. For example, to install the Solo distribution of 1.25, you can run the helm install istiod oci://us-docker.pkg.dev/gloo-mesh/istio-helm-e038d180f90a/istiod … command and provide your installation values in –set flags or a -f <file.yaml> config file.
   
   Istio patch versions 1.25.1 and 1.24.4 contain an upstream certificate rotation bug in which requests with more than one trusted root certificate cannot be validated. If you use Gloo Mesh Enterprise to manage root certificate rotation and use Istio 1.25 or 1.24, be sure to use 1.25.2 or 1.24.5 and later only.
   
   Istio 1.22 is supported only as patch version 1.22.1-patch0 and later. Do not use patch versions 1.22.0 and 1.22.1, which contain bugs that impact several Gloo Mesh Enterprise routing features that rely on virtual destinations. Additionally, in Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
   
   If you have multiple external services that use the same host and plan to use Istio 1.21 or 1.22, you must use patch versions 1.21.3 or 1.22.1-patch0 or later to ensure that the Istio service entry that is created for those external services is correct.

Upgrade istioctl link

1. Save the details for the version of the Solo distribution of Istio that you want to upgrade to.

     export ISTIO_VERSION=1.25.2
   # Change the tags as needed
   export ISTIO_IMAGE=${ISTIO_VERSION}-solo
   export REPO_KEY=e038d180f90a
   export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
   export HELM_REPO=us-docker.pkg.dev/gloo-mesh/istio-helm-${REPO_KEY}
     

   1. Save the Solo distribution of Istio patch version and tag.

        export ISTIO_VERSION=1.24.5
      # Change the tags as needed
      export ISTIO_IMAGE=${ISTIO_VERSION}-solo
        

   2. Save the repo key for the minor version of the Solo distribution of Istio that you want to install. This is the 12-character hash at the end of the repo URL us-docker.pkg.dev/gloo-mesh/istio-<repo-key>, which you can find in the Ambient section of the Istio images built by Solo.io support article.

        # 12-character hash at the end of the minor version repo URL
      export REPO_KEY=<repo_key>
      export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
      export HELM_REPO=us-docker.pkg.dev/gloo-mesh/istio-helm-${REPO_KEY}
        

2. Upgrade your istioctl CLI client to the new version.

     curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
   cd istio-${ISTIO_VERSION}
   export PATH=$PWD/bin:$PATH
     

Upgrade CRDs and istiod link

1. Save the name and kubeconfig context of a workload cluster in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s name and context.

     export CLUSTER_NAME=<cluster-name>
   export CLUSTER_CONTEXT=<cluster-context>
     

2. Upgrade the Istio CRDs to the new version.

     helm get values istio-base -n istio-system -o yaml > istio-base.yaml
   helm upgrade istio-base oci://${HELM_REPO}/base \
   --namespace istio-system \
   --version ${ISTIO_IMAGE} \
   --kube-context ${CLUSTER_CONTEXT} \
   -f istio-base.yaml
     

   notifications

   If you see an error such as Error: UPGRADE FAILED: Rendered manifests contain a resource that already exists, see the community Istio docs.

3. Get the current values for the istiod Helm release in your cluster. Your release might have a different name.

     helm get values istiod -n istio-system --kube-context ${CLUSTER_CONTEXT} -o yaml > istiod.yaml
   open istiod.yaml
     

4. Make edits to the istiod Helm values, and save the file. If you update the Istio minor version, such as in the global.tag field, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.

5. Upgrade your Helm release with the updated values.

     helm upgrade istiod oci://${HELM_REPO}/istiod \
   -n istio-system \
   --version ${ISTIO_IMAGE} \
   --kube-context ${CLUSTER_CONTEXT} \
   -f istiod.yaml
     

6. Verify that the istiod pods are successfully restarted. Note that it might take a few seconds for the pods to become available.

     kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT} | grep istiod
     

   Example output:

     istiod-main-bb86b959f-msrg7   1/1     Running   0          2m45s
   istiod-main-bb86b959f-w29cm   1/1     Running   0          3m
     

Optional: Upgrade the CNI link

If you installed the Istio CNI, such as in OpenShift setups, follow the steps to upgrade this component.

1. Get the current values for its Helm release in your cluster.

   • Kubernetes:

       helm get values istio-cni -n istio-system --kube-context ${CLUSTER_CONTEXT} -o yaml > cni.yaml
     open cni.yaml
       

   • OpenShift:

       helm get values istio-cni -n kube-system --kube-context ${CLUSTER_CONTEXT} -o yaml > cni.yaml
     open cni.yaml
       

2. Make edits to the Helm values, and save the files. If you update the Istio minor version, such as in tag fields, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.

3. Upgrade your Helm releases with the updated values.

   • Kubernetes:

       helm upgrade istio-cni oci://${HELM_REPO}/cni -n istio-system --kube-context ${CLUSTER_CONTEXT} --version ${ISTIO_IMAGE} -f cni.yaml
       

   • OpenShift:

       helm upgrade istio-cni oci://${HELM_REPO}/cni -n kube-system --kube-context ${CLUSTER_CONTEXT} --version ${ISTIO_IMAGE} -f cni.yaml
       

4. Verify that the Istio CNI pods are successfully restarted. Note that it might take a few seconds for the pods to become available.

   • Kubernetes:

       kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT}
       

   • OpenShift:

       kubectl get pods -n kube-system --context ${CLUSTER_CONTEXT}
       

   Example output:

     istiod-main-85c4dfd97f-mncj5       1/1     Running   0             42s
   istio-cni-node-pr5rl               1/1     Running   0             42s
   istio-cni-node-pvmx2               1/1     Running   0             42s
   istio-cni-node-lcrcd               1/1     Running   0             42s
     

Repeat for each cluster link

Multicluster setups: Repeat the steps to upgrade CRDs and istiod and optionally upgrade the CNI for each cluster where you want to upgrade Istio. Be sure to change the values of the $CLUSTER_NAME and $CLUSTER_CONTEXT environment variables for each cluster.