Upgrade with Helm
Follow this guide to upgrade and configure an ambient mode installation using Helm. This guide assumes you have already performed an ambient mesh installation with Helm with a previous minor or patch version of Istio.
Prerequisites
Update the Helm repository:
$ helm repo update istio
In-place upgrade
You can perform an in place upgrade of Istio in your cluster using the Helm upgrade workflow.
Before upgrading Istio, it is recommended to run the istioctl x precheck
command to make sure the upgrade is compatible with your environment.
$ istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
To get started, check out <https://istio.io/latest/docs/setup/getting-started/>
Manually upgrade the CRDs and Istio base chart
Upgrade the Kubernetes custom resource definitions (CRDs):
$ kubectl apply -f manifests/charts/base/crds
Upgrade the Istio base chart:
$ helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds
Upgrade the Istio discovery Component
Istiod is the control plane component that manages and configures the proxies to route traffic within an ambient mesh.
$ helm upgrade istiod istio/istiod -n istio-system
Upgrade the ztunnel component
The ztunnel DaemonSet is the node proxy component.
The ztunnel at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before ztunnel, as long as their version difference is within one minor version.
$ helm upgrade ztunnel istio/ztunnel -n istio-system
Upgrade the CNI component
The Istio CNI agent is responsible for detecting pods added to the ambient mesh, informing ztunnel that proxy ports should be established within added pods, and configuring traffic redirection within the pod network namespace. It is not part of the data plane or control plane.
The CNI at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before Istio CNI, as long as their version difference is within one minor version.
$ helm upgrade istio-cni istio/cni -n istio-system
Upgrade the Gateway component (optional)
Gateway components manage east-west and north-south dataplane traffic between ambient mesh boundaries, as well as some aspects of the L7 dataplane.
$ helm upgrade istio-ingress istio/gateway -n istio-ingress
Configuration
To view supported configuration options and documentation, run:
$ helm show values istio/istiod
Verify the installation
Verify the workload status
After installing all the components, you can check the Helm deployment status with:
$ helm list -n istio-system
You can check the status of the deployed Istio pods with:
$ kubectl get pods -n istio-system
Uninstall
Please refer to the uninstall section in the Helm installation guide.