Considerations

Before you upgrade your ambient components, review the following limitations and recommendations.

Revision and canary upgrade limitations

The upgrade guides in this documentation show you how to perform in-place upgrades for your Istio components, which is the recommended upgrade strategy.

CNI upgrades

In an ambient installation, the istio-cni pods are enhanced for safe in-place upgrades. When istio-cni is scheduled for removal, it determines whether an upgrade is in progress by checking the value of AGENT_UPGRADE_ID in the istio-cni ConfigMap against its internal upgrade ID. If the removal is due to an upgrade, istio-cni creates a “stub” CNI plug-in in its place on the node. This stub CNI plug-in stalls any newly scheduled pods on that node, and does not allow the pods to spin up until the replacement istio-cni is up and running.

ztunnel upgrades

As Kubernetes dynamically upgrades the ztunnel deployment by restarting the old ztunnel pods, all long-lived connections on the node are dropped. You can influence the duration of the downtime with the termination grace period of the ztunnel pod, which determines the drain period. Any TCP connections that remain open longer than the grace period are dropped. Alternatively, you might cordon nodes and use blue/green node pools to limit the number of active pods that are in the process of upgrading.

Version and license requirements

  1. Verify that the minor version of the Solo distribution of Istio that you want to upgrade to is tested and supported for your Gloo Mesh version. To find the available patch versions, you can get the minor version repo URL from the Istio images built by Solo.io support article, and check the patch version builds in that repo.

  2. Check the Istio release notes for the upgrade version to prepare for any breaking changes.

  3. Be sure to review the following known Istio version restrictions.

    • Single cluster setups:
      • In Gloo Mesh version 2.6 and later, ambient mode requires the Solo distribution of Istio version 1.22.3 or later (1.22.3-solo).
      • In Istio 1.22.0-1.22.3, the ISTIO_DELTA_XDS environment variable must be set to false. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.

Single cluster

Upgrade istioctl

  1. Save the details for the version of the Solo distribution of Istio that you want to upgrade to.

    1. Save the Solo distribution of Istio patch version and tag.
        export ISTIO_VERSION=1.23.4
        # Change the tags as needed
        export ISTIO_IMAGE=${ISTIO_VERSION}-solo
        
    2. Save the repo key for the minor version of the Solo distribution of Istio that you want to install. This is the 12-character hash at the end of the repo URL us-docker.pkg.dev/gloo-mesh/istio-<repo-key>, which you can find in the Istio images built by Solo.io support article.
        # 12-character hash at the end of the minor version repo URL
        export REPO_KEY=<repo_key>
        export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
        export HELM_REPO=us-docker.pkg.dev/gloo-mesh/istio-helm-${REPO_KEY}
        
  2. Upgrade your istioctl CLI client to the new version.

      curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
      cd istio-${ISTIO_VERSION}
      export PATH=$PWD/bin:$PATH
      

Upgrade CRDs and istiod

  1. Upgrade the custom resources of the Kubernetes Gateway API to the latest supported version, 1.1.0.

      kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
      
  2. Upgrade the Istio CRDs to the new version.

      helm get values istio-base -n istio-system -o yaml > istio-base.yaml
      helm upgrade istio-base oci://${HELM_REPO}/base \
        --namespace istio-system \
        --version ${ISTIO_IMAGE} \
        -f istio-base.yaml
      
  3. Get the current values for the istiod Helm release in your cluster.

      helm get values istiod -n istio-system -o yaml > istiod.yaml
      open istiod.yaml
      
  4. Make edits to the istiod Helm values, and save the file. If you update the Istio minor version, such as in the global.tag field, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.

  5. Upgrade your Helm release with the updated values.

      helm upgrade istiod oci://${HELM_REPO}/istiod \
        -n istio-system \
        --version ${ISTIO_IMAGE} \
        -f istiod.yaml
      
  6. Verify that the istiod pods are successfully restarted. Note that it might take a few seconds for the pods to become available.

      kubectl get pods -n istio-system | grep istiod
      

    Example output:

      istiod-b84c55cff-tllfr   1/1     Running   0          58s
      

Upgrade the CNI and ztunnel

  1. For the component that you want to update, get the current values for its Helm release in your cluster.

  2. Make edits to the Helm values of the components that you want to upgrade, and save the files. If you update the Istio minor version, such as in tag fields, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.

  3. Upgrade your Helm releases with the updated values.

  4. Verify that the ztunnel and Istio CNI pods are successfully restarted. Note that it might take a few seconds for the pods to become available.

    Example output:

      istiod-85c4dfd97f-mncj5            1/1     Running   0             42s
      istio-cni-node-pr5rl               1/1     Running   0             42s
      istio-cni-node-pvmx2               1/1     Running   0             42s
      istio-cni-node-lcrcd               1/1     Running   0             42s
      ztunnel-tvtzn                      1/1     Running   0             40s
      ztunnel-vtpjm                      1/1     Running   0             40s
      ztunnel-hllxg                      1/1     Running   0             40s
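
A pre-flight check for the hub and tag guidance in step 4 of the istiod upgrade and step 2 of the CNI and ztunnel upgrade, added here as an example and not taken from the Solo documentation. It assumes that every hub value in a values file should equal ${REPO} and every tag value should equal ${ISTIO_IMAGE}; the function names, the constructed sample values, and the alphanumeric repo-key check are assumptions.

```sh
# Added example (not from the Solo docs): pre-flight checks to run on the
# values files before the `helm upgrade` steps.

# Return 0 when the repo key is filled in: exactly 12 alphanumeric characters.
# The charset is an assumption; the page only states the length.
valid_repo_key() {
  case $1 in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Print every value of KEY in FILE, at any nesting depth, one per line.
# Assumes plain "key: value" lines, as written by `helm get values -o yaml`.
yaml_scalars() {  # usage: yaml_scalars KEY FILE
  awk -v key="$1" '$1 == (key ":") && NF >= 2 { print $2 }' "$2" | tr -d "\"'"
}

# Exit status: 0 = every hub and tag matches, 1 = mismatch,
# 2 = hub or tag absent (the chart default image would be used instead).
check_values() (  # usage: check_values FILE EXPECTED_HUB EXPECTED_TAG
  hubs=$(yaml_scalars hub "$1")
  tags=$(yaml_scalars tag "$1")
  if [ -z "$hubs" ] || [ -z "$tags" ]; then
    echo "$1: hub or tag is not set" >&2
    exit 2
  fi
  rc=0
  for v in $hubs; do
    [ "$v" = "$2" ] || { echo "$1: hub '$v', expected '$2'" >&2; rc=1; }
  done
  for v in $tags; do
    [ "$v" = "$3" ] || { echo "$1: tag '$v', expected '$3'" >&2; rc=1; }
  done
  exit "$rc"
)

# Constructed sample: the tag was bumped to a new minor version, but the hub
# still points at the previous minor version's repo (placeholder repo keys).
sample_stale_hub() {
  printf '%s\n' 'global:' \
    '  hub: us-docker.pkg.dev/gloo-mesh/istio-OLDKEY000000' \
    '  tag: 1.23.4-solo'
}
```

For example, run check_values istiod.yaml "${REPO}" "${ISTIO_IMAGE}" after editing the values file, and continue to the helm upgrade step only when the exit status is 0.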