Sky Cone


Welcome to my blog. The topics here include: public clouds (AWS, Alibaba Cloud, Azure, Tencent Cloud and Google Cloud), big data, Serverless, DevOps, and IaC. Any question try to contact me: leo@tianzhui.cloud.

Upgrade Notes of Istio (from v1.20 to v1.22)

2024年06月14日

Background

The post Release Notes of Site Upgrades holds the catalog of the whole upgrade's note. 

This post focuses on the upgrade of Istio, from v1.20.3 to v1.22.1.

Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended.

Find the current version of Istio:
$ istioctl proxy-status
NAME                                                       CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                     VERSION
activator-bfb97979b-j***7.knative-serving                  Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-94f498c7b-b***x     1.20.3

Prerequisites

The commands executed in the article is from a ARM CPU-architecture environment.

K8s Preparation

Install kubectl binary with curl on Linux

1. Download the latest release with the command:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   138  100   138    0     0   1235      0 --:--:-- --:--:-- --:--:--  1243
100 47.6M  100 47.6M    0     0   122M      0 --:--:-- --:--:-- --:--:--  122M

2. Install kubectl
$ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

3. $ kubectl version --client
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3

Download the Istio Release

Go to the Istio release page to download the installation file for your OS, or download and extract the latest release automatically (Linux or macOS):
ISTIO_VER=1.21.3
$ LOCAL_ARCH=$(uname -m)
$ echo $LOCAL_ARCH
aarch64

curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   102  100   102    0     0    676      0 --:--:-- --:--:-- --:--:--   680
100  4899  100  4899    0     0  20374      0 --:--:-- --:--:-- --:--:-- 20374

Downloading istio-1.21.3 from https://github.com/istio/istio/releases/download/1.21.3/istio-1.21.3-linux-arm64.tar.gz ...

Istio 1.21.3 Download Complete!

Istio has been successfully downloaded into the istio-1.21.3 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /home/ec2-user/istio-1.21.3/bin directory to your environment path variable with:
	 export PATH="$PATH:/home/ec2-user/istio-1.21.3/bin"

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

Install Istioctl

Install the istioctl binary with curl
1. Download the latest release
curl -kL https://istio.io/downloadIstioctl | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=$(uname -m) sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    96  100    96    0     0   1532      0 --:--:-- --:--:-- --:--:--  1523
100  4636  100  4636    0     0  21722      0 --:--:-- --:--:-- --:--:-- 21722

Downloading istioctl-1.21.3 from https://github.com/istio/istio/releases/download/1.21.3/istioctl-1.21.3-linux-arm64.tar.gz ...
istioctl-1.21.3-linux-arm64.tar.gz download complete!

Add the istioctl to your path with:
  export PATH=$HOME/.istioctl/bin:$PATH

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/docs/reference/commands/istioctl/

2. Add the istioctl client to the path that could be executed from command line.
sudo cp $HOME/.istioctl/bin/istioctl /usr/local/bin/

istioctl version
client version: 1.21.3
control plane version: 1.20.3
data plane version: 1.20.3 (13 proxies)

Upgrade Istio to v1.21.3

Upgrade Istio to v1.21.3

istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out https://istio.io/latest/docs/setup/getting-started/

cd istio-${ISTIO_VER}

Modify the file manifests/charts/gateways/istio-ingress/values.yaml:
...
    #serviceAnnotations: {}

    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
    ipFamilyPolicy: ""
    ipFamilies: []

    # To generate an internal load balancer:
    # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
    #serviceAnnotations:
    #    cloud.google.com/load-balancer-type: "internal"
    serviceAnnotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "external"
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
...

istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
istioctl install --set profile=demo --charts=./manifests/ \
 --set components.cni.enabled=true \
 --set components.cni.namespace=kube-system

WARNING: Istio is being upgraded from 1.20.3 to 1.21.3.
         Running this command will overwrite it; use revisions to upgrade alongside the existing version.
         Before upgrading, you may wish to use 'istioctl x precheck' to check for upgrade warnings.
This will install the Istio 1.21.3 "demo" profile (with components: Istio core, Istiod, CNI, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete                                                                                                                                                      Made this installation the default for injection and validation.

$ istioctl proxy-status
NAME                                                       CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
activator-6db****5c7-klnr8.knative-serving                 Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.20.3
autoscaler-6f5****848-76ph2.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.20.3
blog-v1-64d****7f8-hzfb2.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.20.3
blog-v2-75b****4c5-zh248.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.20.3
controller-677****cdf-tzc5n.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.20.3
domainmapping-webhook-566****94d-w4kxm.knative-serving     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.20.3
istio-egressgateway-7c6****cd4-rxc9l.istio-system          Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-5gzct.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-lc8xc.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-s4rmb.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-bvx69     1.21.3
net-istio-webhook-864****d95-pmk6c.knative-serving         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.20.3
pk2hash-test-first-deployment-777****6c9-bg8qc.default     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.20.3
webhook-6d8****64-4m6f4.knative-serving                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-bvx69     1.20.3

If any pod's Istio version is not updated, force it update.
k delete po -l app=example

$ istioctl proxy-status
NAME                                                       CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
activator-6db****5c7-7xl25.knative-serving                 Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
autoscaler-6f5****848-jjwj9.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
blog-v1-64d****7f8-qdvbc.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-bvx69     1.21.3
blog-v2-75b****4c5-94qqz.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.21.3
controller-677****cdf-svthn.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.21.3
domainmapping-webhook-566****94d-z4mtz.knative-serving     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.21.3
istio-egressgateway-7c6****cd4-rxc9l.istio-system          Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-5gzct.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-lc8xc.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
istio-ingressgateway-7b7****f56-s4rmb.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-bvx69     1.21.3
net-istio-webhook-864****d95-zdgll.knative-serving         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-6lsmr     1.21.3
pk2hash-test-first-deployment-777****6c9-mrfmj.default     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-bvx69     1.21.3
webhook-6d8****64-rlb8l.knative-serving                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-859****49f-8m8lp     1.21.3


Upgrade from Istio 1.21.3 to 1.22.1.

ISTIO_VER=1.22.1
LOCAL_ARCH=$(uname -m)
curl -kL https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=${LOCAL_ARCH} sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   102  100   102    0     0    872      0 --:--:-- --:--:-- --:--:--   879
100  4899  100  4899    0     0  32846      0 --:--:-- --:--:-- --:--:-- 32846

Downloading istio-1.22.1 from https://github.com/istio/istio/releases/download/1.22.1/istio-1.22.1-linux-arm64.tar.gz ...

Istio 1.22.1 Download Complete!

Istio has been successfully downloaded into the istio-1.22.1 folder on your system.

Next Steps:
See https://istio.io/latest/docs/setup/install/ to add Istio to your Kubernetes cluster.

To configure the istioctl client tool for your workstation,
add the /home/ec2-user/istio-1.22.1/bin directory to your environment path variable with:
	 export PATH="$PATH:/home/ec2-user/istio-1.22.1/bin"

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/latest/docs/setup/install/

curl -kL https://istio.io/downloadIstioctl | ISTIO_VERSION=${ISTIO_VER} TARGET_ARCH=$(uname -m) sh -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    95  100    95    0     0   1516      0 --:--:-- --:--:-- --:--:--  1532
100  4636  100  4636    0     0  24349      0 --:--:-- --:--:-- --:--:-- 24349

Downloading istioctl-1.22.1 from https://github.com/istio/istio/releases/download/1.22.1/istioctl-1.22.1-linux-arm64.tar.gz ...
istioctl-1.22.1-linux-arm64.tar.gz download complete!

Add the istioctl to your path with:
  export PATH=$HOME/.istioctl/bin:$PATH

Begin the Istio pre-installation check by running:
	 istioctl x precheck

Need more information? Visit https://istio.io/docs/reference/commands/istioctl/

sudo cp $HOME/.istioctl/bin/istioctl /usr/local/bin/
istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out https://istio.io/latest/docs/setup/getting-started/

cd istio-${ISTIO_VER}
$ nano manifests/charts/gateways/istio-ingress/values.yaml
...
    #serviceAnnotations: {}

    # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
    ipFamilyPolicy: ""
    ipFamilies: []

    # To generate an internal load balancer:
    # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
    #serviceAnnotations:
    #    cloud.google.com/load-balancer-type: "internal"
    serviceAnnotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "external"
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
...

istioctl install --set profile=demo --charts=./manifests/ \
> --set components.cni.enabled=true \
> --set components.cni.namespace=kube-system
istioctl install --set profile=demo --charts=./manifests/ \
 --set components.cni.enabled=true \
 --set components.cni.namespace=kube-system

WARNING: Istio is being upgraded from 1.21.3 to 1.22.1.
         Running this command will overwrite it; use revisions to upgrade alongside the existing version.
         Before upgrading, you may wish to use 'istioctl x precheck' to check for upgrade warnings.
This will install the Istio 1.22.1 "demo" profile (with components: Istio core, Istiod, CNI, Ingress gateways, and Egress gateways) into the cluster. Proceed? (y/N) y
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ CNI installed
✔ Installation complete                                                                                                                                                      Made this installation the default for injection and validation.

$ istioctl proxy-status
NAME                                                       CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                      VERSION
activator-6db****5c7-bds6d.knative-serving                 Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
autoscaler-6f5****848-xtc7x.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
blog-v1-64d****7f8-xfjqb.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
blog-v2-75b****4c5-9c8q4.blog                              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-g25mn     1.22.1
controller-677****cdf-596q5.knative-serving                Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-w829k     1.22.1
domainmapping-webhook-566****94d-64jp5.knative-serving     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-g25mn     1.22.1
istio-egressgateway-848****84d-k49kq.istio-system          Kubernetes     SYNCED     SYNCED     SYNCED     NOT SENT     NOT SENT     istiod-6bc****596-8gl2g     1.22.1
istio-ingressgateway-6d5****96b-22pls.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
istio-ingressgateway-6d5****96b-b4bx6.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
istio-ingressgateway-6d5****96b-z2cgc.istio-system         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1
net-istio-webhook-864****d95-hk5tg.knative-serving         Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-w829k     1.22.1
pk2hash-test-first-deployment-777****6c9-2qzb9.default     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-w829k     1.22.1
webhook-6d8****64-5dswg.knative-serving                    Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-6bc****596-8gl2g     1.22.1


References


Organizing Cluster Access Using kubeconfig Files

Install with Istioctl

Using the Istioctl Command-line Tool

Category: container Tags: public

Upvote


Downvote