In an Alibaba Cloud Service Mesh (ASM) instance, the sidecars on the data plane manipulate the traffic of all applications in the clusters that are managed by the ASM instance. To upgrade the data plane, you must restart sidecar containers. This may result in failed requests and application service interruption. ASM allows you to upgrade the data plane without interrupting services or affecting applications. This topic shows you how to upgrade the data plane of an ASM instance without service interruption. In this topic, an ASM instance of which the Istio version is 1.6.x is used as an example. An NGINX application is deployed on the ASM instance. The HTTP stress testing tool go-stress-testing is used to continuously access the NGINX application. During this process, the data plane is upgraded without service interruption.
Prerequisites
- An ASM instance of which the Istio version is 1.6.x is created. For more information, see Create an ASM instance.
- A cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
- An ingress gateway service is deployed on the ASM instance. For more information, see Deploy an ingress gateway service.
- Automatic sidecar injection is disabled for namespaces. If this feature is enabled, you must disable it. For more information, see Install a sidecar proxy.
Precautions
- Deploy deployments and pods that require no service interruption during data plane
upgrade in an independent namespace.
Deploy deployments and pods that require no service interruption during data plane upgrade in an independent namespace. This way, you can use a SidecarSet to inject sidecars in this namespace and enable automatic sidecar injection for other namespaces.
- Disable automatic sidecar injection for specific pods and use a SidecarSet to inject
sidecars into these pods.
If automatic sidecar injection is enabled for the namespace of a pod, you can disable the feature by using pod annotations. Then, you can use the matching policy of the SidecarSet to match the pod for sidecar injection.
Step 1 Install OpenKruise in a cluster on the data plane
ASM does not automatically install OpenKruise in a cluster on the data plane. You must to manually install OpenKruise by using Helm.
Step 2: Deploy a ConfigMap
When you configure a SidecarSet, you must specify the ID of the cluster on the data plane. To avoid manually specifying the cluster ID for each SidecarSet, you can deploy a ConfigMap.
Step 3: Deploy a SidecarSet
The sidecar injection configuration of an application contains parameters that cannot be configured at a time. To resolve this issue, you must deploy an independent SidecarSet for each deployment to configure sidecar injection.
Step 4: Deploy an NGINX application
- Deploy an NGINX application.
- Expose the service port of the NGINX application to the ingress gateway and create
a routing rule.
- Verify whether the NGINX application is deployed.
- Access port 8080 of the IP address of the ingress gateway to check whether NGINX is
running as expected.If the following page is displayed, the NGINX application is deployed.
- Access port 8080 of the IP address of the ingress gateway to check whether NGINX is
running as expected.
Step 5: Use go-stress-testing to access the NGINX application
The go-stress-testing tool is an HTTP stress testing tool the is developed in Go. This tool is compatible with multiple platforms. In this example, this tool is used to continuously access the NGINX application. During the continuous access, the data plane is upgraded without service interruption. This tool counts the numbers of successful and failed requests.
Step 6: Upgrade the data plane without service interruption
- Modify the value of the image parameter of the sidecar to the URL of the image of
the new SidecarSet. Then, save the modification and exit.
registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546
- Check whether services are interrupted when the data plane is upgraded.
- After the upgrade is completed, view the output of the go-stress-testing-mac command,
which is described in Step 5: Use go-stress-testing to access the NGINX application. The following figure shows that the return code of all requests is 200. This indicates
that no request failed during the upgrade.
- After the upgrade is completed, view the output of the go-stress-testing-mac command,
which is described in Step 5: Use go-stress-testing to access the NGINX application. The following figure shows that the return code of all requests is 200. This indicates
that no request failed during the upgrade.
References
Customize a SidecarSet
{
"apiVersion": "apps.kruise.io/v1alpha1",
"kind": "SidecarSet",
"metadata": {
"name": "sidecarset-example"
},
"spec": {
"containers": [
{
"args": [
"proxy",
"sidecar",
"--domain",
"$(POD_NAMESPACE).svc.cluster.local",
"--serviceCluster",
"$(ISTIO_META_WORKLOAD_NAME). $(POD_NAMESPACE)",
"--drainDuration",
"45s",
"--parentShutdownDuration",
"1m0s",
"--discoveryAddress",
"istiod.istio-system.svc:15012",
"--zipkinAddress",
"zipkin.istio-system:9411",
"--proxyLogLevel=warning",
"--proxyComponentLogLevel=misc:error",
"--proxyAdminPort",
"15000",
"--concurrency",
"2",
"--controlPlaneAuthPolicy",
"NONE",
"--dnsRefreshRate",
"300s",
"--statusPort",
"15021",
"--trust-domain=cluster.local",
"--controlPlaneBootstrap=false"
],
"env": [
{
"name": "JWT_POLICY",
"value": "first-party-jwt"
},
{
"name": "PILOT_CERT_PROVIDER",
"value": "istiod"
},
{
"name": "CA_ADDR",
"value": "istiod.istio-system.svc:15012"
},
{
"name": "POD_NAME",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.name"
}
}
},
{
"name": "POD_NAMESPACE",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.namespace"
}
}
},
{
"name": "INSTANCE_IP",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "status.podIP"
}
}
},
{
"name": "SERVICE_ACCOUNT",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "spec.serviceAccountName"
}
}
},
{
"name": "CANONICAL_SERVICE",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.labels['service.istio.io/canonical-name']"
}
}
},
{
"name": "CANONICAL_REVISION",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.labels['service.istio.io/canonical-revision']"
}
}
},
{
"name": "PROXY_CONFIG",
"value": "{\"configPath\":\"/etc/istio/proxy\",\"proxyMetadata\":{\"DNS_AGENT\":\"\"}}\n"
},
{
"name": "ISTIO_META_POD_PORTS",
"value": "[\n]"
},
{
"name": "ISTIO_META_CLUSTER_ID",
"valueFrom": {
"configMapKeyRef": {
"name": "ack-cluster-profile",
"key": "clusterid"
}
}
},
{
"name": "ISTIO_META_POD_NAME",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.name"
}
}
},
{
"name": "ISTIO_META_CONFIG_NAMESPACE",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.namespace"
}
}
},
{
"name": "ISTIO_META_INTERCEPTION_MODE",
"value": "REDIRECT"
},
{
"name": "ISTIO_METAJSON_ANNOTATIONS",
"value": "{\"kubernetes.io/psp\":\"ack.privileged\"}\n"
},
{
"name": "ISTIO_META_WORKLOAD_NAME",
"valueFrom": {
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.labels['app']"
}
}
},
{
"name": "ISTIO_META_MESH_ID",
"value": "cluster.local"
},
{
"name": "DNS_AGENT"
},
{
"name": "TERMINATION_DRAIN_DURATION_SECONDS",
"value": "5"
}
],
"image": "$$$IMAGE$$$",
"imagePullPolicy": "IfNotPresent",
"name": "istio-proxy",
"podInjectPolicy": "BeforeAppContainer",
"lifecycle": {
"postStart": {
"exec": {
"command": ["/bin/sh", "-c", "/usr/local/bin/pilot-agent wait"]
}
}
},
"ports": [
{
"containerPort": 15090,
"name": "http-envoy-prom",
"protocol": "TCP"
}
],
"resources": {
"limits": {
"cpu": "2",
"memory": "1Gi"
},
"requests": {
"cpu": "100m",
"memory": "128Mi"
}
},
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": true,
"runAsGroup": 1337,
"runAsNonRoot": true,
"runAsUser": 1337
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"upgradeStrategy": {
"upgradeType": "HotUpgrade",
"hotUpgradeEmptyImage": "registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy-empty:feature-1.6.x-511e4bb6e85be2c753a46d620efb1973251c1778"
},
"volumeMounts": [
{
"mountPath": "/var/run/secrets/istio",
"name": "istiod-ca-cert"
},
{
"mountPath": "/var/lib/istio/data",
"name": "istio-data"
},
{
"mountPath": "/etc/istio/proxy",
"name": "istio-envoy"
},
{
"mountPath": "/etc/istio/pod",
"name": "istio-podinfo"
},
{
"mountPath": "/etc/asm/uds/",
"name": "asm-hotupgrade-data"
}
]
}
],
"initContainers": [
{
"args": [
"istio-iptables",
"-p",
"15001",
"-z",
"15006",
"-u",
"1337",
"-m",
"REDIRECT",
"-i",
"*",
"-x",
"172.23.0.1/32",
"-b",
"*",
"-d",
"15090,15021,15021"
],
"env": [
{
"name": "DNS_AGENT"
}
],
"image": "registry-vpc.cn-zhangjiakou.aliyuncs.com/acs/proxyv2:1.6.8",
"imagePullPolicy": "IfNotPresent",
"name": "istio-init",
"resources": {
"limits": {
"cpu": "100m",
"memory": "50Mi"
},
"requests": {
"cpu": "10m",
"memory": "10Mi"
}
},
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"add": [
"NET_ADMIN",
"NET_RAW"
],
"drop": [
"ALL"
]
},
"privileged": false,
"readOnlyRootFilesystem": false,
"runAsGroup": 0,
"runAsNonRoot": false,
"runAsUser": 0
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"upgradeStrategy": {}
}
],
"selector": {
"matchExpressions": [
...
]
},
"strategy": {
"type": "RollingUpdate",
"partition": 0,
"maxUnavailable": 1
},
"volumes": [
{
"emptyDir": {},
"name": "asm-hotupgrade-data"
},
{
"emptyDir": {
"medium": "Memory"
},
"name": "istio-envoy"
},
{
"emptyDir": {},
"name": "istio-data"
},
{
"downwardAPI": {
"defaultMode": 420,
"items": [
{
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.labels"
},
"path": "labels"
},
{
"fieldRef": {
"apiVersion": "v1",
"fieldPath": "metadata.annotations"
},
"path": "annotations"
}
]
},
"name": "istio-podinfo"
},
{
"configMap": {
"defaultMode": 420,
"name": "istio-ca-root-cert"
},
"name": "istiod-ca-cert"
}
]
}
}- Replace
$$$IMAGE$$$with the URL of the sidecar image. - Set the
matchExpressionsparameter for the selector. This way, the selector can be used to match the pod where you want to inject sidecars. For more information, visit Labels and Selectors.
- Istio 1.6.x-1 : registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1531
- Istio 1.6.x-2 : registry.cn-hangzhou.aliyuncs.com/acs/asm-istio-proxy:feature-1.6.x-faee4bb874d29dabde41481b695718c5b73b6b04-1546