You can use this guide to upgrade the Gloo version of your Gloo components, such as the management server and agents, or to apply changes to the components’ configuration settings.

Considerations

Consider the following rules before you plan your Gloo Mesh (Gloo Platform APIs) upgrade.

Testing upgrades

During the upgrade, the data plane continues to run, but you might not be able to modify the configurations through the management plane. Because zero downtime is not guaranteed, try testing the upgrade in a staging environment before upgrading your production environment.

Patch and minor versions

Patch version upgrades:
You can skip patch versions within the same minor release. For example, you can upgrade from version 2.13.0 to 2.13.2 directly, and skip the patch versions in between.

Minor version upgrades:

  • Always upgrade to the latest patch version of the target minor release. For example, if you want to upgrade from version 2.12.0 to 2.13.x, and 2.13.0 is the latest patch version, upgrade to that version and skip any previous patch versions for that minor release.
  • Do not skip minor versions during your upgrade. Upgrade minor release versions one at a time. For example, if you want to upgrade from 2.10.x to 2.12.x, you must first upgrade to the latest patch version of the 2.10 minor release. After you upgrade to 2.11.x, you can then plan your upgrade to the latest patch version of the 2.12.x release.

Multicluster only: Version skew policy for management and remote clusters

Plan to always upgrade your Gloo management server and agents to the same target version. Always upgrade the Gloo management server first. Then, roll out the upgrade to the Gloo agents in your workload clusters. During this upgrade process, your management server and agents can be one minor version apart.

For example, let’s say you want to upgrade from 2.12.0 to 2.13.x. Start by upgrading your management server to the latest patch version of the 2.13 minor release. Your management server and agent are still compliant as they are one minor version apart. Then, roll out the 2.13 minor release upgrade to the agents in your workload clusters.

If you plan to upgrade more than one minor releases, you must perform one minor release upgrade at a time. For example, to upgrade your management server and agent from 2.10.x to 2.12.x, you upgrade your management server to the latest patch version of the 2.9 minor release first. Your management server and agent are compliant because they are one minor version apart. Then, you upgrade your agents to the 2.11 minor release. After you verify the 2.11 upgrade, use the same approach to upgrade the management server and agents from 2.11 to the target 2.12 minor release.

If both your management server and agent run the same minor version, the agent can run any patch version that is equal or lower than the management server’s patch version.

Consider the following example version skew scenarios:

Supported?Management server versionAgent versionRequirement
2.9.32.9.1The management server and agents run the same minor version. The agent patch version is equal to or lower than the management server.
2.9.32.9.6The agent runs the same minor version as the server, but has a patch version greater than the server.
2.9.32.8.1The agent runs a minor version no greater than n-1 behind the server.
2.9.32.7.2The agent runs a minor version that is greater than n-1 behind the server.

Step 1: Prepare to upgrade

  1. Review changes from the previous version.

  2. Check that your underlying Kubernetes platform and Istio service mesh run supported versions for the Gloo Mesh (Gloo Platform APIs) version that you want to upgrade to.

    1. Review the supported versions.
    2. Compare the supported version against the versions of Kubernetes and Istio that you run in your clusters.
    3. If necessary, upgrade Istio or Kubernetes to a version that is supported by the Gloo Mesh (Gloo Platform APIs) version that you want to upgrade to.

  3. Set the Gloo Mesh (Gloo Platform APIs) version that you want to upgrade to as an environment variable. The latest version is used as an example. You can find other versions in the changelog documentation. Append -fips for a FIPS-compliant image, such as 2.13.0-fips. Do not include v before the version number.

      export UPGRADE_VERSION=2.13.0

Step 2: Upgrade the meshctl CLI

Upgrade the meshctl CLI to the version of Gloo Mesh (Gloo Platform APIs) you want to upgrade to.

  1. Re-install meshctl to the upgrade version.

      curl -sL https://run.solo.io/meshctl/install | GLOO_MESH_VERSION=v$UPGRADE_VERSION sh -

  2. Verify that the client version matches the version you want to upgrade to.

      meshctl version

    Example output:

      {
"client": {
  "version": "2.13.0"
},

Step 3: Upgrade Gloo Mesh (Gloo Platform APIs)

Upgrade your Gloo Mesh (Gloo Platform APIs) installation. The steps differ based on whether you run Gloo Mesh (Gloo Platform APIs) in a single-cluster or multicluster environment.

Single cluster

  1. Scale down the Gloo management server to 0 replicas. This step is required to safely enable safe mode and I/O threads in Redis. If you already enabled safe mode and you do not want to set I/O threads in Redis, you can skip this step.

      kubectl scale deployment gloo-mesh-mgmt-server --replicas=0 -n gloo-mesh

  2. Update the gloo-platform Helm repo.

      helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
helm repo update

  3. Apply the Gloo custom resource definitions (CRDs) for the upgrade version.

      helm upgrade -i gloo-platform-crds gloo-platform/gloo-platform-crds \
    --namespace gloo-mesh \
    --version $UPGRADE_VERSION \
    --set installEnterpriseCrds=true

  4. Get the Helm values file for your current version.

      helm get values gloo-platform -o yaml -n gloo-mesh > gloo-single.yaml
open gloo-single.yaml

  5. Compare your current Helm chart values with the version that you want to upgrade to. You can get a values file for the upgrade version with the helm show values command.

      helm show values gloo-platform/gloo-platform --version $UPGRADE_VERSION > all-values.yaml

  6. Make any changes that you want, such as modifications required for breaking changes or to enable new features, by editing your gloo-single.yaml Helm values file or preparing the --set flags. For example, enabling the Gloo insights engine by including the --set glooInsightsEngine.enabled=true and --set glooAnalyzer.enabled=true settings is recommended to help you improve the security and observability of your environment. If you do not want to use certain settings, comment them out.

  7. Upgrade the Gloo Mesh (Gloo Platform APIs) Helm installation.

      helm upgrade gloo-platform gloo-platform/gloo-platform \
    --namespace gloo-mesh \
    -f gloo-single.yaml \
    --version $UPGRADE_VERSION

  8. Confirm that Gloo components, such as the gloo-mesh-mgmt-server, run the version that you upgraded to.

      meshctl version

    Example output:

      "server": [
{
  "Namespace": "gloo-mesh",
  "components": [
    {
      "componentName": "gloo-mesh-mgmt-server",
      "images": [
         {
          "name": "gloo-mesh-mgmt-server",
          "domain": "gcr.io",
          "path": "gloo-mesh-mgmt-server",
          "version": "2.13.0"
        }
      ]
    },

  9. If you previously scaled down the Gloo management server, scale it back to the number of replicas that you had before. The following example uses 1 replica.

      kubectl scale deployment gloo-mesh-mgmt-server --replicas=1 -n gloo-mesh

  10. Wait until all Gloo agents are connected to the Gloo management server.

      meshctl check

Multicluster

  1. Scale down the Gloo management server to 0 replicas. This step is required to safely enable safe mode and I/O threads in Redis. If you already enabled safe mode and you do not want to set I/O threads in Redis, you can skip this step.

      kubectl scale deployment gloo-mesh-mgmt-server --context $MGMT_CONTEXT --replicas=0 -n gloo-mesh

  2. Update the gloo-platform Helm repo.

      helm repo add gloo-platform https://storage.googleapis.com/gloo-platform/helm-charts
helm repo update

  3. Get the Helm values files for your current version.

    1. Get your current values for the management cluster.
        helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $MGMT_CONTEXT > mgmt-plane.yaml
open mgmt-plane.yaml
    2. Get your current values for the workload clusters.
        helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $REMOTE_CONTEXT > data-plane.yaml
open data-plane.yaml
    3. Optional: If you maintain a separate gloo-agent-addons Helm release, get the values for that Helm release too. Note that your add-ons might be installed in a different namespace, such as gloo-mesh-addons.
        helm get values gloo-agent-addons -n gloo-mesh -o yaml --kube-context $REMOTE_CONTEXT > gloo-agent-addons.yaml
open gloo-agent-addons.yaml

  4. Compare your current Helm chart values with the version that you want to upgrade to. You can get a values file for the upgrade version with the helm show values command.

      helm show values gloo-platform/gloo-platform --version $UPGRADE_VERSION > all-values.yaml

  5. Make any changes that you want, such as modifications required for breaking changes or to enable new features, by editing your mgmt-plane.yaml and data-plane.yaml Helm values files or preparing the --set flags. For example, enabling the Gloo insights engine by including the --set glooInsightsEngine.enabled=true setting is recommended to help you improve the security and observability of your environment. If you do not want to use certain settings, comment them out.

  6. Upgrade the Gloo Mesh (Gloo Platform APIs) Helm release in your management cluster.

    1. Apply the Gloo custom resource definitions (CRDs) for the upgrade version in the management cluster.
        helm upgrade -i gloo-platform-crds gloo-platform/gloo-platform-crds \
    --kube-context $MGMT_CONTEXT \
    --namespace gloo-mesh \
    --version $UPGRADE_VERSION \
    --set installEnterpriseCrds=true
    2. Upgrade your Helm release in the management cluster. Make sure to include your Helm values when you upgrade either as a configuration file in the --values flag or with --set flags. Otherwise, any previous custom values that you set might be overwritten.
        helm upgrade gloo-platform gloo-platform/gloo-platform \
    --kube-context $MGMT_CONTEXT \
    --namespace gloo-mesh \
    -f mgmt-plane.yaml \
    --version $UPGRADE_VERSION
    3. Confirm that the management plane components, such as the gloo-mesh-mgmt-server, run the version that you upgraded to.
        meshctl version --kubecontext $MGMT_CONTEXT
      Example output:
        "server": [
{
  "Namespace": "gloo-mesh",
  "components": [
    {
      "componentName": "gloo-mesh-mgmt-server",
      "images": [
         {
          "name": "gloo-mesh-mgmt-server",
          "domain": "gcr.io",
          "path": "gloo-mesh-mgmt-server",
          "version": "2.13.0"
        }
      ]
    },

  7. If you previously scaled down the Gloo management server, scale it back to the number of replicas that you had before. The following example uses 1 replica.

      kubectl scale deployment gloo-mesh-mgmt-server --context $MGMT_CONTEXT --replicas=1 -n gloo-mesh

  8. Wait until all Gloo agents are connected to the Gloo management server.

      meshctl check --kubecontext $REMOTE_CONTEXT

  9. Open the Gloo UI and verify that none of your clusters are currently in safe mode. If a cluster is in safe more, the agent’s input snapshot is not yet populated in Redis. You see a yellow banner in the Gloo UI indicating the cluster that triggered safe mode. Wait until the input snapshot is populated and the yellow banner does not display in the Gloo UI anymore.

      meshctl dashboard --kubecontext $MGMT_CONTEXT

  10. Upgrade the Gloo Mesh (Gloo Platform APIs) Helm releases in your workload clusters. Repeat these steps for each workload cluster, and be sure to update the cluster context each time.

    1. Apply the Gloo custom resource definitions (CRDs) for the upgrade version in each workload cluster.

        helm upgrade -i gloo-platform-crds gloo-platform/gloo-platform-crds \
   --kube-context $REMOTE_CONTEXT \
   --namespace=gloo-mesh \
   --version=$UPGRADE_VERSION \
   --set installEnterpriseCrds=true

    2. Upgrade your Helm release in each workload cluster. Make sure to include your Helm values when you upgrade either as a configuration file in the --values flag or with --set flags. For example, enabling the Gloo insights analyzer by including the --set glooAnalyzer.enabled=true setting is recommended to help you improve the security and observability of your environment. Otherwise, any previous custom values that you set might be overwritten.

        helm upgrade gloo-platform gloo-platform/gloo-platform \
   --kube-context $REMOTE_CONTEXT \
   --namespace gloo-mesh \
   -f data-plane.yaml \
   --version $UPGRADE_VERSION

    3. Optional: If you maintain a separate gloo-agent-addons Helm release, upgrade that Helm release in each workload cluster too. Be sure to update the cluster context for each workload cluster that you repeat this command for. Note that your add-ons might be installed in a different namespace, such as gloo-mesh-addons.

        helm upgrade gloo-agent-addons gloo-platform/gloo-platform \
  --kube-context $REMOTE_CONTEXT \
  --namespace gloo-mesh \
  -f gloo-agent-addons.yaml \
  --version $UPGRADE_VERSION

    4. Ensure that the Gloo agent connects to the Gloo management server.

        meshctl check --kubecontext $REMOTE_CONTEXT

    5. Open the Gloo UI and verify that none of your clusters are currently in safe mode. If a cluster is in safe more, the agent’s input snapshot is not yet populated in Redis. You see a yellow banner in the Gloo UI indicating the cluster that triggered safe mode. Wait until the input snapshot is populated and the yellow banner does not display in the Gloo UI anymore.

        meshctl dashboard --kubecontext $MGMT_CONTEXT

    6. Confirm that the data plane components, such as the gloo-mesh-agent, run the version that you upgraded to.

        meshctl version --kubecontext $REMOTE_CONTEXT

      Example output:

        {
     "componentName": "gloo-mesh-agent",
     "images": [
       {
         "name": "gloo-mesh-agent",
         "domain": "gcr.io",
         "path": "gloo-mesh/gloo-mesh-agent",
         "version": "2.13.0"
       }
     ]
   },

    7. Repeat these steps for each workload cluster, and be sure to update the cluster context each time.

Update your Gloo license

Before your Gloo license expires, you can update the license by patching the license key secret. If you use Solo Enterprise for Istio along with other Solo products such as Gloo Mesh Gateway, you can also update those licenses.

For example, if you notice that your Gloo management plane deployments are in a crash loop, your Gloo license might be expired. You can check the status of your license with the meshctl license check command.

  • To pass in a license key directly, encode the key in base64 and pass it in the --key flag. For example, to check your Solo Enterprise for Istio license key, you can run the following command:
      meshctl license check --key $(echo ${SOLO_ISTIO_LICENSE_KEY} | base64 -w0) --context ${MGMT_CONTEXT}
  • If you store your license keys in a Kubernetes secret, you can pass the secret YAML file in the --secrets-file flag instead.
      meshctl license check --secrets-file license-keys.yaml --context ${MGMT_CONTEXT}

Example output for an expired license:

  WARNING  Your gloo-mesh license expired on 2024-01-24 19:30:53 +0100 CET. To get a new license, contact Support.
ERROR  License is expired. For more info, see https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prepare/licensing/#update-licenses

To update your license key in your Solo installation:

  1. Get a new Solo license key by contacting your account representative. If you use Solo Enterprise for Istio along with other Solo products such as Gloo Mesh Gateway, make sure to ask for up-to-date license keys for all your products.

  2. Save the new license key as an environment variable.

    • Gloo Mesh (Gloo Platform APIs):
        export GLOO_MESH_LICENSE_KEY=<new-key-string>
    • Gloo Mesh Gateway:
        export GLOO_MESH_GATEWAY_LICENSE_KEY=<new-key-string>

  3. Update your license in your Gloo installation. The method depends on how you provided your license during your Helm installation.

    If you provided your license key directly in your Helm values file, follow the regular upgrade steps to modify your Helm values file and replace your expired license with your new license.

    If you created a secret to store your license, update the license secret to use the new Gloo license key.

    • Gloo Mesh (Gloo Platform APIs):
        kubectl -n gloo-mesh patch secret license-secret -p "stringData: { gloo-mesh-license-key: $GLOO_MESH_LICENSE_KEY }"
    • Gloo Mesh Gateway:
        kubectl -n gloo-mesh patch secret license-secret -p "stringData: { gloo-gateway-license-key: $GLOO_MESH_GATEWAY_LICENSE_KEY }"

  4. Optional: If your license expired and the management server pods are in a crash loop, restart the management server pods. If you updated the license before expiration, skip this step.

      kubectl rollout restart -n gloo-mesh deployment/gloo-mesh-mgmt-server --context ${MGMT_CONTEXT}

  5. Verify that your license check is now valid, and no errors are reported.

    • To pass in a license key directly, encode the key in base64 and pass it in the --key flag. For example, to check your Solo Enterprise for Istio license key, you can run the following command:
        meshctl license check --key $(echo ${SOLO_ISTIO_LICENSE_KEY} | base64 -w0) --context ${MGMT_CONTEXT}
    • If you store your license keys in a Kubernetes secret, you can pass the secret YAML file in the --secrets-file flag instead.
        meshctl license check --secrets-file license-keys.yaml --context ${MGMT_CONTEXT}

    Example output:

      INFO  License key gloo-mesh-license-key for product gloo-mesh is valid. Expires at 08 Oct 24 12:31 CEST
SUCCESS  Licenses are valid