Upgrade with Helm

Follow this guide to upgrade and configure an ambient mode installation using Helm. This guide assumes you have already performed an ambient mesh installation with Helm with a previous minor or patch version of Istio.

Prerequisites

  1. Update the Helm repository:

    $ helm repo update istio
    

In-place upgrade

You can perform an in place upgrade of Istio in your cluster using the Helm upgrade workflow.

Before upgrading Istio, it is recommended to run the istioctl x precheck command to make sure the upgrade is compatible with your environment.

$ istioctl x precheck
✔ No issues found when checking the cluster. Istio is safe to install or upgrade!
  To get started, check out <https://istio.io/latest/docs/setup/getting-started/>

Manually upgrade the CRDs and Istio base chart

  1. Upgrade the Kubernetes custom resource definitions (CRDs):

    $ kubectl apply -f manifests/charts/base/crds
    
  2. Upgrade the Istio base chart:

    $ helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds
    

Upgrade the Istio discovery Component

Istiod is the control plane component that manages and configures the proxies to route traffic within an ambient mesh.

$ helm upgrade istiod istio/istiod -n istio-system

Upgrade the ztunnel component

The ztunnel DaemonSet is the node proxy component.

The ztunnel at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before ztunnel, as long as their version difference is within one minor version.

$ helm upgrade ztunnel istio/ztunnel -n istio-system

Upgrade the CNI component

The Istio CNI agent is responsible for detecting pods added to the ambient mesh, informing ztunnel that proxy ports should be established within added pods, and configuring traffic redirection within the pod network namespace. It is not part of the data plane or control plane.

The CNI at version 1.x is generally compatible with the control plane at version 1.x+1 and 1.x. This means the control plane must be upgraded before Istio CNI, as long as their version difference is within one minor version.

$ helm upgrade istio-cni istio/cni -n istio-system

Upgrade the Gateway component (optional)

Gateway components manage east-west and north-south dataplane traffic between ambient mesh boundaries, as well as some aspects of the L7 dataplane.

$ helm upgrade istio-ingress istio/gateway -n istio-ingress

Configuration

To view supported configuration options and documentation, run:

$ helm show values istio/istiod

Verify the installation

Verify the workload status

After installing all the components, you can check the Helm deployment status with:

$ helm list -n istio-system

You can check the status of the deployed Istio pods with:

$ kubectl get pods -n istio-system

Uninstall

Please refer to the uninstall section in the Helm installation guide.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!