Helm
Upgrade your sidecar control and data plane components in your Solo Enterprise for Istio cluster.
Considerations
Before you upgrade your service mesh components, review the following limitations and recommendations.
Revision and canary upgrade limitations
The upgrade guides in this documentation show you how to perform in-place upgrades for your Istio components, which is the recommended upgrade strategy.
Version and license requirements
Verify that the minor version of the Solo distribution of Istio that you want to upgrade to is tested and supported for your Solo Enterprise for Istio version. For Istio 1.29 and later, you can check available patch builds in the us-docker.pkg.dev/soloio-img/istio repo. For Istio version 1.28 and earlier, you can get the minor version repo URL from the Istio images built by Solo.io support article, and check the patch version builds in that repo.
Check the Istio release notes for the upgrade version to prepare for any breaking changes.
Be sure to review the following known Istio version restrictions.
- If you use Istio versions 1.27.7, 1.28.4, 1.29.0 or later, and you installed the Solo Enterprise for Istio management plane into a namespace other than gloo-mesh, you must allow that namespace by listing it in the DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES environment variable of your istiod installation. For more information, see the release notes.
- Patch versions 1.26.0 and 1.26.1 of the Solo distribution of Istio lack support for FIPS-tagged images and ztunnel outlier detection. When upgrading or installing 1.26, be sure to use patch version 1.26.1-patch0 and later only.
- In the Solo distribution of Istio 1.25 and later, you can access enterprise-level features by passing your Solo license in the license.value or license.secretRef field of the Solo distribution of the istiod Helm chart. The Solo istiod Helm chart is strongly recommended due to the included safeguards, default settings, and upgrade handling to ensure a reliable and secure Istio deployment. Though it is not recommended, you can pass your license key in the open source istiod Helm chart by using the --set pilot.env.SOLO_LICENSE_KEY field.
- Due to a lack of support for the Istio CNI and iptables for the Istio proxy, you cannot run Istio (and therefore Solo Enterprise for Istio) on AWS Fargate. For more information, see the Amazon EKS issue.
Single cluster
Upgrade Istio in your single cluster setup.
Upgrade istioctl
Save the Solo distribution of Istio patch version and tag.
export ISTIO_VERSION=1.29.0
# Change the tags as needed
export ISTIO_IMAGE=${ISTIO_VERSION}-solo
Save the image and Helm repository information for the Solo distribution of Istio.
- Istio 1.29 and later:
  export REPO=us-docker.pkg.dev/soloio-img/istio
  export HELM_REPO=us-docker.pkg.dev/soloio-img/istio-helm
- Istio 1.28 and earlier: Save the repo key for the minor version of the Solo distribution of Istio that you want to install. This is the 12-character hash at the end of the repo URL us-docker.pkg.dev/gloo-mesh/istio-<repo-key>, which you can find in the Istio images built by Solo.io support article.
  # 12-character hash at the end of the minor version repo URL
  export REPO_KEY=<repo_key>
  export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
  export HELM_REPO=us-docker.pkg.dev/gloo-mesh/istio-helm-${REPO_KEY}
Upgrade your istioctl CLI client to the new version.
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
cd istio-${ISTIO_VERSION}
export PATH=$PWD/bin:$PATH
Upgrade CRDs and istiod
Upgrade the Istio CRDs to the new version.
helm get values istio-base -n istio-system -o yaml > istio-base.yaml
helm upgrade istio-base oci://${HELM_REPO}/base \
  --namespace istio-system \
  --version ${ISTIO_IMAGE} \
  -f istio-base.yaml
If you see an error such as Error: UPGRADE FAILED: Rendered manifests contain a resource that already exists, see the community Istio docs.
Get the current values for the istiod Helm release in your cluster. Your release might have a different name.
helm get values istiod -n istio-system -o yaml > istiod.yaml
open istiod.yaml
Make edits to the istiod Helm values, and save the file. If you update the Istio minor version, such as in the global.tag field, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.
Upgrade your Helm release with the updated values.
helm upgrade istiod oci://${HELM_REPO}/istiod \
  -n istio-system \
  --version ${ISTIO_IMAGE} \
  -f istiod.yaml
Verify that the istiod pods are successfully restarted. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-system | grep istiod
Example output:
istiod-main-bb86b959f-msrg7   1/1   Running   0   2m45s
istiod-main-bb86b959f-w29cm   1/1   Running   0   3m
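One way to catch a tag that was bumped without its hub before you run the istiod upgrade, as an added example that is not part of the Solo documentation. It assumes every hub key in the saved values should equal ${REPO} and every tag key should equal ${ISTIO_IMAGE}; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Solo docs. Assumption: every `hub` key in the
# values file should equal ${REPO} and every `tag` key ${ISTIO_IMAGE}.

# expected_hub ISTIO_IMAGE [REPO_KEY]: image repo on either side of the
# 1.29 boundary described under "Upgrade istioctl".
expected_hub() (
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  if [ "$major" -gt 1 ] || [ "$minor" -ge 29 ]; then
    echo "us-docker.pkg.dev/soloio-img/istio"
  elif [ -n "$2" ]; then
    echo "us-docker.pkg.dev/gloo-mesh/istio-$2"
  else
    echo "REPO_KEY is required for Istio 1.28 and earlier" >&2
    exit 2
  fi
)

# check_values FILE HUB TAG: print each hub/tag key that disagrees and
# return 1 if any do. Line scan of block-style YAML, not a YAML parser.
check_values() {
  awk -v hub="$2" -v tag="$3" '
    $1 == "hub:" || $1 == "tag:" {
      key = substr($1, 1, length($1) - 1)
      val = $2; gsub(/["\047]/, "", val)
      want = (key == "hub") ? hub : tag
      if (val != want) {
        printf "line %d: %s is %s, expected %s\n", NR, key, val, want
        bad = 1
      }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample: tag bumped to 1.29, hub left on a per-minor repo.
sample_values() {
  printf '%s\n' 'global:' '  tag: 1.29.0-solo' \
    'hub: us-docker.pkg.dev/gloo-mesh/istio-<repo-key>'
}

demo() {
  f=$(mktemp) && sample_values > "$f"
  check_values "$f" "$(expected_hub 1.29.0-solo)" 1.29.0-solo
  rc=$?; rm -f "$f"; return "$rc"
}
demo || echo "fix istiod.yaml before running helm upgrade"
```

Against a real release, the call is check_values istiod.yaml "${REPO}" "${ISTIO_IMAGE}" after editing the file and before helm upgrade.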
Optional: Upgrade the CNI
If you installed the Istio CNI, such as in OpenShift setups, follow the steps to upgrade this component.
If your changes include upgrading the Istio version of the components, be sure to upgrade the istiod control plane before you upgrade the CNI component. Otherwise, these components might have an outdated image.
Get the current values for its Helm release in your cluster.
- Kubernetes:
  helm get values istio-cni -n istio-system -o yaml > cni.yaml
  open cni.yaml
- OpenShift:
  helm get values istio-cni -n kube-system -o yaml > cni.yaml
  open cni.yaml
Make edits to the Helm values, and save the files. If you update the Istio minor version, such as in tag fields, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.
Upgrade your Helm releases with the updated values.
- Kubernetes:
  helm upgrade istio-cni oci://${HELM_REPO}/cni -n istio-system --version ${ISTIO_IMAGE} -f cni.yaml
- OpenShift:
  helm upgrade istio-cni oci://${HELM_REPO}/cni -n kube-system --version ${ISTIO_IMAGE} -f cni.yaml
Verify that the Istio CNI pods are successfully restarted. Note that it might take a few seconds for the pods to become available.
- Kubernetes:
  kubectl get pods -n istio-system
- OpenShift:
  kubectl get pods -n kube-system
Example output:
istiod-main-85c4dfd97f-mncj5   1/1   Running   0   42s
istio-cni-node-pr5rl           1/1   Running   0   42s
istio-cni-node-pvmx2           1/1   Running   0   42s
istio-cni-node-lcrcd           1/1   Running   0   42s
Multicluster
Upgrade the multicluster sidecar mesh in your multicluster setup.
Upgrade istioctl
Save the Solo distribution of Istio patch version and tag.
# Change the tags as needed
export ISTIO_IMAGE=1.29.0-solo
Save the Helm repository information for the Solo distribution of Istio.
- Istio 1.29 and later:
  export REPO=us-docker.pkg.dev/soloio-img/istio
  export HELM_REPO=us-docker.pkg.dev/soloio-img/istio-helm
- Istio 1.28 and earlier: Save the repo key for the minor version of the Solo distribution of Istio that you want to install. This is the 12-character hash at the end of the repo URL us-docker.pkg.dev/gloo-mesh/istio-<repo-key>, which you can find in the Istio images built by Solo.io support article.
  # 12-character hash at the end of the minor version repo URL
  export REPO_KEY=<repo_key>
  export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
  export HELM_REPO=us-docker.pkg.dev/gloo-mesh/istio-helm-${REPO_KEY}
Upgrade your istioctl CLI client to the new version. This script automatically detects your OS and architecture, downloads the appropriate Solo distribution of Istio binary, and verifies the installation.
bash <(curl -sSfL https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/install-istioctl.sh)
export PATH=${HOME}/.istioctl/bin:${PATH}
Upgrade CRDs and istiod
Save the name and kubeconfig context of a workload cluster in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s name and context.
export CLUSTER_NAME=<cluster-name>
export CLUSTER_CONTEXT=<cluster-context>
Upgrade the custom resources of the Kubernetes Gateway API to the latest supported version, 1.4.0.
kubectl apply --context ${CLUSTER_CONTEXT} -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
Upgrade the Istio CRDs to the new version.
helm get values --kube-context ${CLUSTER_CONTEXT} istio-base -n istio-system -o yaml > istio-base.yaml
helm upgrade istio-base oci://${HELM_REPO}/base \
  --namespace istio-system \
  --kube-context ${CLUSTER_CONTEXT} \
  --version ${ISTIO_IMAGE} \
  -f istio-base.yaml
If you see an error such as Error: UPGRADE FAILED: Rendered manifests contain a resource that already exists, see the community Istio docs.
Get the current values for the istiod Helm release in your cluster.
helm get values istiod --kube-context ${CLUSTER_CONTEXT} -n istio-system -o yaml > istiod.yaml
open istiod.yaml
Make edits to the istiod Helm values, and save the file. If you update the Istio minor version, such as in the global.tag field, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.
Upgrade your Helm release with the updated values.
helm upgrade istiod oci://${HELM_REPO}/istiod \
  -n istio-system \
  --version ${ISTIO_IMAGE} \
  --kube-context ${CLUSTER_CONTEXT} \
  -f istiod.yaml
Verify that the istiod pods are successfully restarted. Note that it might take a few seconds for the pods to become available.
kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT} | grep istiod
Example output:
istiod-main-b84c55cff-tllfr   1/1   Running   0   58s
Upgrade the CNI and ztunnel
If your changes include upgrading the Istio version of the components, be sure to upgrade the istiod control plane before you upgrade the CNI and ztunnel components. Otherwise, these components might have an outdated image.
For the component that you want to update, get the current values for its Helm release in your cluster.
- Kubernetes:
  helm get values istio-cni --kube-context ${CLUSTER_CONTEXT} -n istio-system -o yaml > cni.yaml
  open cni.yaml
  helm get values ztunnel --kube-context ${CLUSTER_CONTEXT} -n istio-system -o yaml > ztunnel.yaml
  open ztunnel.yaml
- OpenShift:
  helm get values istio-cni --kube-context ${CLUSTER_CONTEXT} -n kube-system -o yaml > cni.yaml
  open cni.yaml
  helm get values ztunnel --kube-context ${CLUSTER_CONTEXT} -n kube-system -o yaml > ztunnel.yaml
  open ztunnel.yaml
Make edits to the Helm values of the components that you want to upgrade, and save the files. If you update the Istio minor version, such as in tag fields, be sure to also update the value of the hub field to the repo for the correct version of the Solo distribution of Istio.
Upgrade your Helm releases with the updated values.
- Kubernetes:
  helm upgrade istio-cni oci://${HELM_REPO}/cni --kube-context ${CLUSTER_CONTEXT} -n istio-system --version ${ISTIO_IMAGE} -f cni.yaml
  helm upgrade ztunnel oci://${HELM_REPO}/ztunnel --kube-context ${CLUSTER_CONTEXT} -n istio-system --version ${ISTIO_IMAGE} -f ztunnel.yaml
- OpenShift:
  helm upgrade istio-cni oci://${HELM_REPO}/cni --kube-context ${CLUSTER_CONTEXT} -n kube-system --version ${ISTIO_IMAGE} -f cni.yaml
  helm upgrade ztunnel oci://${HELM_REPO}/ztunnel --kube-context ${CLUSTER_CONTEXT} -n kube-system --version ${ISTIO_IMAGE} -f ztunnel.yaml
Verify that the ztunnel and Istio CNI pods are successfully restarted. Note that it might take a few seconds for the pods to become available.
- Kubernetes:
  kubectl get pods --context ${CLUSTER_CONTEXT} -n istio-system
- OpenShift:
  kubectl get pods --context ${CLUSTER_CONTEXT} -n kube-system
Example output:
istiod-main-85c4dfd97f-mncj5   1/1   Running   0   42s
istio-cni-node-pr5rl           1/1   Running   0   42s
istio-cni-node-pvmx2           1/1   Running   0   42s
istio-cni-node-lcrcd           1/1   Running   0   42s
ztunnel-tvtzn                  1/1   Running   0   40s
ztunnel-vtpjm                  1/1   Running   0   40s
ztunnel-hllxg                  1/1   Running   0   40s
Repeat for each cluster
Repeat Upgrade CRDs and istiod and Upgrade the CNI and ztunnel for each cluster in your setup. Note that no multicluster components, such as the east-west gateway or global service entries, require upgrades when you update the version of your other control and data plane components.
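A Running status does not show which image a pod runs, so the outdated-image case mentioned in the CNI and ztunnel steps can be checked per cluster after each pass. This added example (not from the Solo documentation) flags istiod, CNI, and ztunnel pods whose image is outside ${REPO} or not tagged ${ISTIO_IMAGE}; the function name, the image names in the sample, and the exact-tag match are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solo docs. Input: one "<pod> <image>..." line
# per pod, for example from:
#   kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT} \
#     -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'

# stale_images REPO TAG: print "<pod> <image>" for every istiod, istio-cni or
# ztunnel pod whose image is not under REPO or is not tagged exactly TAG.
# Returns 1 if any are found. Assumption: no tag variant suffix is in use.
stale_images() {
  awk -v repo="$1" -v tag="$2" '
    $1 ~ /^(istiod|istio-cni|ztunnel)/ {
      for (i = 2; i <= NF; i++) {
        n = length($i) - length(tag)
        ok = (index($i, repo "/") == 1) && (n > 0) && (substr($i, n) == (":" tag))
        if (!ok) { print $1, $i; bad = 1 }
      }
    }
    END { exit bad + 0 }'
}

# Constructed sample: pod names from the example output above, image names
# assumed; ztunnel was left on the previous version.
sample_pods() {
  cat <<'EOF'
istiod-main-85c4dfd97f-mncj5 us-docker.pkg.dev/soloio-img/istio/pilot:1.29.0-solo
istio-cni-node-pr5rl us-docker.pkg.dev/soloio-img/istio/install-cni:1.29.0-solo
ztunnel-tvtzn us-docker.pkg.dev/soloio-img/istio/ztunnel:1.28.4-solo
EOF
}

sample_pods | stale_images us-docker.pkg.dev/soloio-img/istio 1.29.0-solo \
  || echo "outdated components found; rerun the upgrade for them"
```

In a real run, pipe the kubectl command from the header comment into stale_images "${REPO}" "${ISTIO_IMAGE}" once per cluster context.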