1

I am very new to ISTIO and would like to get clarified with my following doubts.

Details

Current AKS version 1.18.14
planning upgrade to AKS 1.19.11
Current istio version 1.7
Planning upgrade to 1.8

We are planning to upgrade Istio version from 1.7 to 1.8 in our AKS cluster 1.18.14 in our production.

But I am not sure about the proper method of upgrade to follow in production since there are multiple methods are given by Istio.

I don't have any clue about the how the current Istio setup is done in my environment and what profile settings we used as it was done long before. Could understand below are the steps followed to install istio..

Istio was installed following way:

  1. Created manifest:

    istioctl manifest generate --set profile=default -f /manifests/overlay/overlay.yaml > $HOME/generated-manifest.yaml

  2. Installed istio:

    istioctl install --set profile=default -f /manifests/overlay/overlay.yaml

  3. Verified istio against the deployed manifest:

    istioctl verify-install -f $HOME/generated-manifest.yaml

Is there any method to export all the existing settings (the one currently running) and do the upgrade?

So I am looking for a production ready approach to upgrade Istio with all existing settings in placed.

moonkotte
  • 3,661
  • 2
  • 10
  • 25
Vowneee
  • 956
  • 10
  • 33
  • Do you have `helm` installed in your cluster? if so, you can list all deployed charts by `helm list --all-namespaces` and see if there's anything related to `istio`. Secondly run `istioctl version` and update the question with it please – moonkotte Jun 25 '21 at 11:42
  • @moonkotteThe steps used for the installation has beed added to the question part.. our current istio version is 1.7.3 – Vowneee Jun 25 '21 at 13:21

1 Answers1

1

Important

Consider replicating the environment and performing the upgrade on dev/stage first to make sure it works for you and your infrastructure.

Check what exactly you have installed

Can be done by getting installed state custom resource and all settings:

kubectl -n istio-system get IstioOperator installed-state -o yaml > installed-state.yaml

Below are steps based on official documentation to upgrade using istioctl

From 1.7.3 to 1.8.6, this will be similar for other versions, however upgrades should be no more than 1 minor version of difference e.g. 1.5 to 1.6.

Available versions and releases can be checked in Istio Github.

1 - install istioctl version 1.8.6: Get required binaries:

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.8.6 TARGET_ARCH=x86_64 sh -

and copy istiolctl bin:

sudo cp bin/istioctl /usr/local/bin/

2 - run istioctl version to confirm istioctl version and control/data plane versions:

client version: 1.8.6
control plane version: 1.7.3
data plane version: 1.7.3 (3 proxies)

3 - run istioctl x precheck to see if revision was set (it may be different if set - see warning at the end of section)

Istio Revision "" already installed in namespace "istio-system"

There are two main upgrade strategies:

Vendor suggests to go with canary as it's more safe and can be tested before final migration.

4 - Create a backup:

kubectl get istio-io --all-namespaces -oyaml >  "$HOME"/istio_resource_backup.yaml

Can be restored with:

kubectl apply -f "$HOME"/istio_resource_backup.yaml

5 - Control plane - install Canary version

 istioctl install --set profile=default --set revision=1-8-6

Check it installed successfully by running following commands:

kubectl get pods -n istio-system -l app=istiod

NAME                           READY   STATUS    RESTARTS   AGE
istiod-1-8-6-b855c557b-qq4qd   1/1     Running   0          44s
istiod-54b46bbc58-wzklh        1/1     Running   0          14m

kubectl get svc -n istio-system -l app=istiod

NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                         AGE
istiod         ClusterIP   10.109.24.78    <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP   15m
istiod-1-8-6   ClusterIP   10.101.241.85   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP           2m12s

kubectl get mutatingwebhookconfigurations

NAME                           WEBHOOKS   AGE
istio-sidecar-injector         1          15m
istio-sidecar-injector-1-8-6   1          98s

6 - Data plane

Unlike istiod, Istio gateways do not run revision-specific instances, but are instead in-place upgraded to use the new control plane revision. You can verify that the istio-ingress gateway is using the canary revision by running the following command:

istioctl proxy-status | grep $(kubectl -n istio-system get pod -l app=istio-ingressgateway -o jsonpath='{.items..metadata.name}') | awk '{print $7}'

To upgrade the namespace NAME_SPACE, remove the istio-injection label, and add the istio.io/rev label to point to the canary revision. The istio-injection label must be removed because it takes precedence over the istio.io/rev label for backward compatibility:

kubectl label namespace NAME_SPACE istio-injection- istio.io/rev=1-8-6

Once namespace(s) updated, pods need to be re-injected. This can be done by restarting them, e.g. with:

kubectl rollout restart deployment -n NAME_SPACE

Verify pods are now using canary istiod:

istioctl proxy-status

NAME                                                   CDS        LDS        EDS        RDS          ISTIOD                           VERSION
istio-ingressgateway-6664d4b478-j7vhh.istio-system     SYNCED     SYNCED     SYNCED     NOT SENT     istiod-1-8-6-b855c557b-qq4qd     1.8.6
nginx-68748d7f8c-82x8k.default                         SYNCED     SYNCED     SYNCED     SYNCED       istiod-1-8-6-b855c557b-qq4qd     1.8.6
nginx-68748d7f8c-fnhgz.default                         SYNCED     SYNCED     SYNCED     SYNCED       istiod-1-8-6-b855c557b-qq4qd     1.8.6

7 - Uninstall old control-plane

Run: istioctl x uninstall -f manifests/profiles/default.yaml

Check only canary control-plane is running: kubectl get pods -n istio-system -l app=istiod

NAME                           READY   STATUS    RESTARTS   AGE
istiod-1-8-6-b855c557b-qq4qd   1/1     Running   0          17m

Other types of istio installation available:

Please get familiar with istio installation methods' pros and cons.

Useful links

Update

Moving this from comments. There are more challenges with updating from 1.7.3 to 1.8.6 istio versions. For removing current control-plane -f with previous manifest should be used. When applying for the same manifest to 1.8.6 versions, there are errors about policy and telemetry components:

Error: failed to get profile and enabled components: failed to read profile: unknown field "telemetry" in v1alpha1.IstioComponentSetSpec

After digging, it appeared, even though api version is used the same - v1alpha1, newer version of istioctl operator can't validate manifest from 1.7.3.

I took installed-state.yaml as it's described at the beginning of the asnwer from 1.7.3 and 1.8.6 istio installations and got diff between them: policy and telemetry components are completely missing in 1.8.6 which explains the errors. Also there are some changes as well. Github link to the diff file, left is 1.7.3, right is 1.8.6.

In that case it's probably impossible to upgrade without manual work with manifests:

1 - check if manifest which was applied is default or has changes. Get a default profile (note! istioctl should be used 1.7.3):

istioctl profile dump default > default-profile.yaml

2 - If manifest is default, then safely proceed to install canary with --set profile=default.

3 - Manifest is not default and has customization. Using istioctl 1.8.6 get a dump of default profile:

istioctl profile dump default > default-profile-186.yaml

"Adapt" it to current existing manifest and then proceed to install canary with -f option and adapted manifest.

moonkotte
  • 3,661
  • 2
  • 10
  • 25
  • But some doubts on point 5 - Control plane-install Canary version:- istioctl install --set profile=default --set revision=1-8-6. So as per my understanding this will install default profile only and willnot reflect the customisation we did in 1.7.3. S0 the new control plane of version 1.8.6 not getting installed with the exported installed-state of istiooperator 1.7. First its pointed that the fields "telemetry" and and "policy" are not valid. ' Error: failed to get profile and enabled components: failed to read profile: unknown field "telemetry" in v1alpha1.IstioComponentSetSpec – Vowneee Jun 29 '21 at 11:22
  • So I manually removed those entire part from the iop.yml...This would make anysettings missed? how to customise the exported installed state iops file to make the canary upgrade of 1.8.6. If I remove the telemetry and policy . it again result some error like this . './istioctl8 install --set revision=1-8 --set profile=default -f /home/admin/upgrade/iop__nopol_notelim.yml Error: failed to get profile and enabled components: failed to read profile: json: cannot unmarshal string into Go value of type map[string]json.RawMessage: – Vowneee Jun 29 '21 at 12:03
  • Instaead of using the installed-state file , can we directly point it to the overlay file which we used to create the istio old version ?. But from there also i removed the telemetry portion and prpmetheus addon part as well. So will this affect the upgrade missing any component or configuration – Vowneee Jun 29 '21 at 12:07
  • The idea behind canary is all customization is stored in `CRD` ([Custom Resource Defenition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)), can be checked with `kubectl get crd`. When old control plane is removed, CRDs are not affected (until full `istio` uninstall happens). Here's a quote from `Canary upgrade` when removing old control plane: "Note that the above instructions only removed the resources for the specified control plane revision, but not cluster-scoped resources shared with other control planes." – moonkotte Jun 29 '21 at 12:16
  • So you meant to say in the avove steps, step 5 "installing canary -1.8.6" there is no need to use any flag, either the instaled-state.yml or the overlay file which we used for the 1.7.3 version ? and all the components and configurations will come in the new version by default right ? Could you please confirm this. Because this was the one point we were looking for some clarity as, in the docs of istio for inplace upgrade, it was telling to use -f flag to point the custom file else it will replace the customised setup with default profile.. – Vowneee Jun 29 '21 at 12:28
  • @Vowneee I've added an update in my answer. It took some time to reproduce and understand what and why and what to do further. Manifest is related to `istio` components itself + config on kubernetes infra (you can check it in my update). Other resources will remain the same in `CRDs` – moonkotte Jun 29 '21 at 15:47
  • in our old istio setup, yes we have several customisation enabled. So as you told, the installed-state yaml file is not allowing to pass with the istio 1.8.6. So I am not clear about the manifest which you mentioned. (1)How can I Generate a manifest fle of current existing istio environment and will this include all the component and configuration customisation of current setp. (2)Can we generate manifest file directly from the exported installed-statefile. – Vowneee Jun 29 '21 at 18:37
  • (3) During our installation of V1.7.3, we used a custom overlay file and flagged to istioctl with -f during the installation. If I use the same overlay file with flag -f option and --revision 1-8-6 along with default profile to V1.8.6 istoctl binary will this get all the component and configuration settings as 1.7.3? "./istioctl1.8 install --set revision=1-8 --set profile=default -f /tmp/overlay1-7-3.yml" – Vowneee Jun 29 '21 at 18:43
  • When I tried, Again I got error releted to "telemetry" and prometheus part. So manually I removed those from the overlayfile and created new controlplane of 1-8-6. But here I am not sure whether I missed any existing configuration or components (like telemetry and prometheus or any other), since I used default profile with overlay instead of installed-state of 1.7.3.. I went through multiple docs.. but I didnt get any proper guidance on this yet – Vowneee Jun 29 '21 at 18:47
  • @Vowneee have you checked an **update** part in my answer? I covered such questions there – moonkotte Jun 29 '21 at 18:54
  • yes I went through that, As a beginner to istio its very difficult for me to adapt the V1.8.6 default dump profile manifest with the changes according to the v1.7.3 manifest. So here my doubt is, whether the custom overlay1-7-3.yml (the one we used during the v1.7.3 installation ) will help the custmisation for the V1.8.6 default profile when we flag this during the installation of V1.8.6 canary . – Vowneee Jun 29 '21 at 19:08
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/234344/discussion-between-vowneee-and-moonkotte). – Vowneee Jun 29 '21 at 19:11
  • I just tried this by running V1.8.6 binary with old overlay1-7-3.yml by removing "telemetry" and "prometheus" part from the overlay file and set the profile as "default. "./istioctl8 install --set revision=1-8 --set profile=default -f /tmp/overlay1-7-3.yml ". It installed the canry version control plane succesfully. But i am not sure wheter the reoved components(telemetry and prometheus) will be created for new control plane will i miss any existing configuration. – Vowneee Jun 29 '21 at 19:14
  • @Vowneee As I said in my update, you need to get a dump from default profile using `istioctl 1.8.6` and **manually** change what you need from previous config. Because there's a difference between versions and how api parses configs. Also this is why having dev/stage environment is very important. Unfortunately it's possible that even documentation can have mistakes, it should be tested properly with all cases before moving to production. – moonkotte Jun 30 '21 at 07:17