Upgrade Gloo-managed service meshes
Use the Gloo operator to upgrade your managed ambient service meshes.
By using the Gloo operator, you can perform safe in-place upgrades of your manage ambient service meshes, without the hassle of upgrading multiple Helm charts for each component.
Considerations
Before you upgrade your ambient components, review the following limitations and recommendations.
Revision and canary upgrade limitations
The upgrade guides in this documentation show you how to perform in-place upgrades for your Istio components, which is the recommended upgrade strategy.
Feature maturity
In Gloo Mesh version 2.7, the Gloo operator is an alpha feature. Alpha features are likely to change, are not fully tested, and are not supported for production. For more information, see Gloo feature maturity.
Version and license requirements
Single cluster setups:
- In Gloo Mesh version 2.6 and later, ambient mode requires the Solo distribution of Istio version 1.22.3 or later (
1.22.3-solo). - In Istio 1.22.0-1.22.3, the
ISTIO_DELTA_XDSenvironment variable must be set tofalse. For more information, see this upstream Istio issue. Note that this issue is resolved in Istio 1.22.4.
Multicluster setups:
- In Gloo Mesh version 2.7 and later, multicluster setups require the Solo distribution of Istio version 1.24.3 or later (
1.24.3-solo), including the Solo distribution ofistioctl. - A Gloo Mesh Enterprise license is required for multicluster ambient mesh setups. If you do not have one, contact an account representative.
Single cluster
Save the patch version of the Solo distribution of Istio that you want to upgrade to. For supported Istio versions in Gloo Mesh, see the Ambient section of the Istio images built by Solo.io support article.
# Solo distrubution of Istio patch version # in the format 1.x.x, with no tags export ISTIO_VERSION=1.24.2Upgrade your
istioctlCLI client to the new version.curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh - cd istio-${ISTIO_VERSION} export PATH=$PWD/bin:$PATHUpgrade the Gloo operator to the latest version.
helm get values gloo-operator -n gloo-mesh -o yaml > gloo-operator.yaml helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.1.0 \ -n gloo-mesh \ -f gloo-operator.yamlVerify that the operator pod is running.
kubectl get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48sEdit the ServiceMeshController custom resource to make changes to your ambient mesh. For example, to upgrade the Istio patch or minor version of your service mesh, you might update the value of
spec.version. For a description of each configurable field, see the ServiceMeshController reference.kubectl edit -n gloo-mesh ServiceMeshController managed-istioSave and close the editor to apply your changes in-place.
Verify that the ServiceMeshController is ready. In the
Statussection of the output, make sure that all statuses areTrue, and that the phase isSUCCEEDED.kubectl describe servicemeshcontroller -n gloo-mesh managed-istioExample output:
... Status: Conditions: Last Transition Time: 2024-12-27T20:47:01Z Message: Manifests initialized Observed Generation: 1 Reason: ManifestsInitialized Status: True Type: Initialized Last Transition Time: 2024-12-27T20:47:02Z Message: CRDs installed Observed Generation: 1 Reason: CRDInstalled Status: True Type: CRDInstalled Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: ControlPlaneDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: CNIDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: WebhookDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: All conditions are met Observed Generation: 1 Reason: SystemReady Status: True Type: Ready Phase: SUCCEEDED Events: <none>Verify that the istiod control plane, Istio CNI, and ztunnel pods are running.
kubectl get pods -n istio-systemExample output:
NAME READY STATUS RESTARTS AGE istio-cni-node-6s5nk 1/1 Running 0 2m53s istio-cni-node-blpz4 1/1 Running 0 2m53s istiod-gloo-bb86b959f-msrg7 1/1 Running 0 2m45s istiod-gloo-bb86b959f-w29cm 1/1 Running 0 3m ztunnel-mx8nw 1/1 Running 0 2m52s ztunnel-w8r6c 1/1 Running 0 2m52s
Multicluster
Save the version that you want to upgrade to in the following environment variables, such as the following examples for 1.24. You can find these values in the Ambient section of the Istio images built by Solo.io support article.
# Solo distrubution of Istio patch version to upgrade to # in the format 1.x.x, with no tags export ISTIO_VERSION=1.24.2 # Repo key for the minor version of the Solo distribution of Istio # This is the 12-character hash at the end of the repo URL: 'us-docker.pkg.dev/gloo-mesh/istio-<repo-key>' export REPO_KEY=<repo_key> # Solo distrubution of Istio binary repo export BINARY_REPO=https://console.cloud.google.com/storage/browser/istio-binaries-${REPO_KEY}/${ISTIO_VERSION}-soloDownload the Solo distribution of Istio binary to upgrade
istioctl.- Navigate to the storage repository for the Solo distribution of Istio binaries.
open ${BINARY_REPO} - Download the
tar.gzfile for your system, such asistio-1.24.2-solo-osx-amd64.tar.gz. - Extract the downloaded
tar.gzfile. - Navigate to the package directory and add the
istioctlclient to your system’sPATH.cd istio-${ISTIO_VERSION}-solo export PATH=$PWD/bin:$PATH - Verify that the
istioctlclient runs the Solo distribution of Istio that you want to upgrade to.Example output:istioctl version --remote=falseclient version: 1.24.2-solo
- Navigate to the storage repository for the Solo distribution of Istio binaries.
Save the kubeconfig context of a cluster where you want to upgrade an ambient mesh in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s context.
export CLUSTER_CONTEXT=<cluster-context>Upgrade the Gloo operator to the latest version.
helm get values gloo-operator -n gloo-mesh -o yaml > gloo-operator.yaml helm install gloo-operator oci://us-docker.pkg.dev/solo-public/gloo-operator-helm/gloo-operator \ --version 0.1.0 \ -n gloo-mesh \ --kube-context ${CLUSTER_CONTEXT} \ -f gloo-operator.yamlVerify that the operator pod is running.
kubectl --context ${CLUSTER_CONTEXT} get pods -n gloo-mesh | grep operatorExample output:
gloo-operator-78d58d5c7b-lzbr5 1/1 Running 0 48sEdit the ServiceMeshController custom resource to make changes to your ambient mesh. For example, to upgrade the Istio patch or minor version of your service mesh, you might update the value of
spec.version. For a description of each configurable field, see the ServiceMeshController reference.kubectl --context ${CLUSTER_CONTEXT} edit -n gloo-mesh ServiceMeshController managed-istioSave and close the editor to apply your changes in-place.
Verify that the ServiceMeshController is ready. In the
Statussection of the output, make sure that all statuses areTrue, and that the phase isSUCCEEDED.kubectl describe servicemeshcontroller -n gloo-mesh managed-istio --context ${CLUSTER_CONTEXT}Example output:
... Status: Conditions: Last Transition Time: 2024-12-27T20:47:01Z Message: Manifests initialized Observed Generation: 1 Reason: ManifestsInitialized Status: True Type: Initialized Last Transition Time: 2024-12-27T20:47:02Z Message: CRDs installed Observed Generation: 1 Reason: CRDInstalled Status: True Type: CRDInstalled Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: ControlPlaneDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: CNIDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: Deployment succeeded Observed Generation: 1 Reason: DeploymentSucceeded Status: True Type: WebhookDeployed Last Transition Time: 2024-12-27T20:47:02Z Message: All conditions are met Observed Generation: 1 Reason: SystemReady Status: True Type: Ready Phase: SUCCEEDED Events: <none>Verify that the istiod control plane, Istio CNI, and ztunnel pods are running.
kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT}Example output:
NAME READY STATUS RESTARTS AGE istio-cni-node-6s5nk 1/1 Running 0 2m53s istio-cni-node-blpz4 1/1 Running 0 2m53s istiod-gloo-bb86b959f-msrg7 1/1 Running 0 2m45s istiod-gloo-bb86b959f-w29cm 1/1 Running 0 3m ztunnel-mx8nw 1/1 Running 0 2m52s ztunnel-w8r6c 1/1 Running 0 2m52sFor each cluster, repeat steps 3 - 9. Be sure to change the value of the
$CLUSTER_CONTEXTenvironment variable for each cluster.