After the control plane of an Alibaba Cloud Service Mesh (ASM) instance is upgraded, you also need to upgrade the sidecar proxies for Istio-enabled applications on the ASM instance. This topic describes how to upgrade sidecar proxies by automatic sidecar injection and manual sidecar injection.

Prerequisites

The kubectl client is connected to the Container Service for Kubernetes cluster. For more information, see Use kubectl to connect to a cluster.

Background information

Sidecar proxies are deployed on the data plane. When you upgrade sidecar proxies, you need to upgrade the kubeconfig file of the data plane instead of the ASM instance. Therefore, you need to obtain the kubeconfig file from the Container Service console instead of the ASM console.

Automatic sidecar injection

If automatic sidecar injection is enabled, you can upgrade sidecar proxies in all pods by performing a rolling upgrade for these pods. In this way, sidecar proxies of the new version are injected to the pods. We recommend that you this method because it only requires simple upgrade operations.

You can use the following shell script to trigger a rolling upgrade by patching the grace termination period.

NAMESPACE=$1
DEPLOYMENT_LIST=$(kubectl -n $NAMESPACE get deployment -o jsonpath='{.items[*].metadata.name}')
echo "Refreshing pods in all Deployments: $DEPLOYMENT_LIST"
for deployment_name in $DEPLOYMENT_LIST ; do
    #echo "get TERMINATION_GRACE_PERIOD_SECONDS from deployment: $deployment_name"
    TERMINATION_GRACE_PERIOD_SECONDS=$(kubectl -n $NAMESPACE get deployment "$deployment_name" -o jsonpath='{.spec.template.spec.terminationGracePeriodSeconds}')
    if [ "$TERMINATION_GRACE_PERIOD_SECONDS" -eq 30 ]; then
        TERMINATION_GRACE_PERIOD_SECONDS='31'
    else
        TERMINATION_GRACE_PERIOD_SECONDS='30'
    fi
    patch_string="{\"spec\":{\"template\":{\"spec\":{\"terminationGracePeriodSeconds\":$TERMINATION_GRACE_PERIOD_SECONDS}}}}"
    #echo $patch_string
    kubectl -n $NAMESPACE patch deployment $deployment_name -p $patch_string
done
echo "done."

Save the preceding shell script in a file named upgradeproxy.sh and grant the executable permission to the file. For example, you can run the chmod +x upgradeproxy.sh command on the Linux command line to grant the executable permission.

You must specify the namespace in the command. For example, if you want to upgrade the pods in the default namespace, you need to run the ./upgradeproxy.sh default command.

chmod +x upgradeproxy.sh
./upgradeproxy.sh  default

Manual sidecar injection

If automatic sidecar injection is disabled, you need to run the following command to upgrade sidecar proxies.

Create a deployment YAML file and run the kubectl apply command.

kubectl apply -f <(istioctl kube-inject -f <A raw application YAML file with no sidecar proxy configuration injected>)