Upgrade using Helm
Follow this guide to upgrade the Istio control plane and sidecar proxies of an existing Istio deployment that was previously installed using Helm. The upgrade process may install new binaries and may change configuration and API schemas. The upgrade process may result in service downtime. To minimize downtime, please ensure your Istio control plane components and your applications are highly available with multiple replicas.
Upgrade steps
Download the new Istio release and change directory to the new release directory.
Istio CNI upgrade
If you have installed or are planning to install Istio CNI,
you can check whether Istio CNI is already installed and to upgrade it. You can use Kubernetes’ rolling update mechanism to upgrade the Istio CNI components. This is suitable for cases where kubectl apply
was used to deploy Istio CNI.
To check whether
istio-cni
is installed, search foristio-cni-node
pods and in which namespace they are running (typically,kube-system
oristio-system
):$ kubectl get pods -l k8s-app=istio-cni-node --all-namespaces $ NAMESPACE=$(kubectl get pods -l k8s-app=istio-cni-node --all-namespaces --output='jsonpath={.items[0].metadata.namespace}')
If
istio-cni
is currently installed in a namespace other thankube-system
(for example,istio-system
), deleteistio-cni
:$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=$NAMESPACE | kubectl delete -f -
Install or upgrade
istio-cni
in thekube-system
namespace:$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl apply -f -
Control plane upgrade
You can use Kubernetes’ rolling update mechanism to upgrade the control plane components.
This is suitable for cases where kubectl apply
was used to deploy the Istio components,
including configurations generated using
helm template.
Use
kubectl apply
to upgrade all of Istio’s CRDs. Wait a few seconds for the Kubernetes API server to commit the upgraded CRDs:$ kubectl apply -f install/kubernetes/helm/istio-init/files/
Wait for all Istio CRDs to be created:
$ kubectl -n istio-system wait --for=condition=complete job --all
Apply the update templates:
$ helm template install/kubernetes/helm/istio --name istio \ --namespace istio-system | kubectl apply -f -
You must pass the same settings as when you first installed Istio.
The rolling update process will upgrade all deployments and configmaps to the new version. After this process finishes, your Istio control plane should be updated to the new version. Your existing application should continue to work without any change. If there is any critical issue with the new control plane, you can rollback the changes by applying the yaml files from the old version.
Sidecar upgrade
After the control plane upgrade, the applications already running Istio will still be using an older sidecar. To upgrade the sidecar, you will need to re-inject it.
If you’re using automatic sidecar injection, you can upgrade the sidecar by doing a rolling update for all the pods, so that the new version of the sidecar will be automatically re-injected.
$ kubectl rollout restart deployment --namespace default
If you’re using manual injection, you can upgrade the sidecar by executing:
$ kubectl apply -f <(istioctl kube-inject -f $ORIGINAL_DEPLOYMENT_YAML)
If the sidecar was previously injected with some customized inject configuration files, you will need to change the version tag in the configuration files to the new version and re-inject the sidecar as follows:
$ kubectl apply -f <(istioctl kube-inject \
--injectConfigFile inject-config.yaml \
--filename $ORIGINAL_DEPLOYMENT_YAML)