This topic describes how to upgrade Istio components.

Background information

  • The upgrade of Istio components may install new binaries and modify configurations and API schemas.
  • The upgrade of Istio components may cause service downtime.
  • During the upgrade of Istio components, the system may create a Server Load Balancer (SLB) instance again due to configuration changes. Therefore, we recommend that you enable deletion protection for the existing SLB instance.

Note: The following examples are based on Istio that is deployed to the istio-system namespace.

To upgrade Istio, upgrade the following Istio components: custom resource definition (CRD) files, the control plane, and the data plane sidecars.

Note: The upgrade of Istio components may cause service downtime. We recommend that you use multiple replicas to ensure the high availability of the data plane, the control plane, and applications.

Upgrade CRD files and the control plane

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Service Mesh > Istio Management.
  3. On the management page of Istio, view the current version.
      • If the version of Istio is earlier than 1.1.4, submit a ticket to upgrade Istio components.
      • If the version of Istio is 1.1.4 or later and a message that prompts you to upgrade Istio appears, click Upgrade. The upgrade of Istio then starts automatically.

Note: If you change configurations of Kubernetes resources such as services and deployments in the YAML file, the operations in the Container Service for Kubernetes (ACK) console overwrite the changes. Therefore, we recommend that you change the Istio configurations in the ACK console. For more information, see Update Istio.

Upgrade data plane sidecars

After you upgrade the control plane, applications that run Istio still use sidecars of an earlier version. To upgrade a sidecar, inject the sidecar again. You can use the following methods to upgrade a sidecar.

  • Automatic sidecar injection

    If you use automatic sidecar injection, you can upgrade the sidecar by performing a rolling upgrade for all pods. In this case, the sidecar of the latest version is injected into the pods.

    You can run the following script to perform a rolling upgrade by patching the termination grace period of each Deployment. Changing terminationGracePeriodSeconds modifies the pod template, which triggers a rolling update:

    #!/usr/bin/env bash
    # Usage: <script> <namespace>
    NAMESPACE=${1:?Usage: $0 <namespace>}
    DEPLOYMENT_LIST=$(kubectl -n "$NAMESPACE" get deployment -o jsonpath='{.items[*].metadata.name}')
    echo "Refreshing pods in all Deployments: $DEPLOYMENT_LIST"
    for deployment_name in $DEPLOYMENT_LIST; do
        # Read the current termination grace period of the pod template.
        TERMINATION_GRACE_PERIOD_SECONDS=$(kubectl -n "$NAMESPACE" get deployment "$deployment_name" -o jsonpath='{.spec.template.spec.terminationGracePeriodSeconds}')
        # Toggle the value so that the pod template always changes.
        # Note that any value other than 30 is replaced with 30.
        if [ "${TERMINATION_GRACE_PERIOD_SECONDS:-30}" -eq 30 ]; then
            TERMINATION_GRACE_PERIOD_SECONDS='31'
        else
            TERMINATION_GRACE_PERIOD_SECONDS='30'
        fi
        patch_string="{\"spec\":{\"template\":{\"spec\":{\"terminationGracePeriodSeconds\":$TERMINATION_GRACE_PERIOD_SECONDS}}}}"
        # Patching the pod template starts a rolling update of the Deployment.
        kubectl -n "$NAMESPACE" patch deployment "$deployment_name" -p "$patch_string"
    done
    echo "done."

  • Manual sidecar injection

    Run the following command to upgrade the sidecar:
    kubectl apply -f <(istioctl kube-inject -f "$ORIGINAL_DEPLOYMENT_YAML")
    If you previously injected custom configuration files into the sidecar, run the following command to upgrade the sidecar:
    kubectl apply -f <(istioctl kube-inject --injectConfigFile inject-config.yaml --filename "$ORIGINAL_DEPLOYMENT_YAML")
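
Because workloads keep their old sidecar until they are re-injected, it is worth confirming after the rollout that no pod was missed. The following script is an added example, not part of the original page or of Istio: it assumes the sidecar container uses Istio's default name istio-proxy, that the operator supplies the expected image tag, and it uses constructed sample data (including the tag 1.1.8) when run without arguments.

```bash
#!/usr/bin/env bash
# Added example: find pods whose istio-proxy sidecar was not re-injected.

# Reads "<pod> <image>" lines on stdin; prints "<pod> <tag>" for every
# sidecar whose image tag differs from the expected version ($1).
stale_sidecars() {
    local expected=$1 pod image name tag
    while read -r pod image; do
        [ -n "$image" ] || continue   # pod has no istio-proxy container
        name=${image##*/}             # drop registry/path (may hold ":port")
        name=${name%%@*}              # drop a digest suffix, if present
        case $name in
            *:*) tag=${name##*:} ;;
            *)   tag='<untagged>' ;;  # digest-only or untagged: review by hand
        esac
        [ "$tag" = "$expected" ] || printf '%s %s\n' "$pod" "$tag"
    done
}

# Prints "<pod> <istio-proxy image>" for each pod in namespace $1.
list_sidecar_images() {
    kubectl -n "$1" get pods -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[?(@.name=="istio-proxy")].image}{"\n"}{end}'
}

# check_namespace <namespace> <expected-tag>
# Returns 0 if every sidecar matches, 1 if any is stale, 2 if kubectl fails
# (so a failed query is never mistaken for "all upgraded").
check_namespace() {
    local images stale
    images=$(list_sidecar_images "$1") || return 2
    stale=$(printf '%s\n' "$images" | stale_sidecars "$2")
    [ -z "$stale" ] && return 0
    printf 'Sidecars not at %s:\n%s\n' "$2" "$stale" >&2
    return 1
}

# Constructed sample of list_sidecar_images output (not real cluster data).
SAMPLE_PODS='web-1 registry.example:5000/istio/proxyv2:1.1.4
web-2 docker.io/istio/proxyv2:1.1.8
batch-1
db-1 docker.io/istio/proxyv2@sha256:0000'

if [ "$#" -eq 2 ]; then
    check_namespace "$1" "$2"
else
    printf '%s\n' "$SAMPLE_PODS" | stale_sidecars 1.1.8
fi
```

Run it with a namespace and the expected tag as arguments to query a live cluster; a non-zero exit status makes it usable as a gate after the rolling upgrade.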

Impacts

  • Upgrade CRD files

    During the upgrade of CRD files, the calls between services within a cluster or the calls from a gateway to services are not affected.

    [Figure: Upgrade CRD files. Calls between services within a cluster]
  • Upgrade the control plane

    If you create two replicas for Pilot, high availability is enabled. In this case, the Horizontal Pod Autoscaler (HPA) setting of istio-pilot/istio-policy/istio-telemetry is minReplicas: 2.

    Assume that you have changed the Istio version multiple times, including upgrades and rollbacks. The test result shows that the rate of queries between services remains stable and services are running properly.

    [Figure: Upgrade the control plane]
  • Upgrade data plane sidecars

    The rate of queries between services or queries from a gateway to services remains stable. However, service interruption may occur. We recommend that you create replicas for high availability.