Upgrading Istio

Upgrade Istio in the Kubernetes cluster by changing all the Istio components so they're managed by Helm, and installing the latest version of Istio from the application catalog.

This procedure upgrades Istio Release 1.20.4 to Release 1.20.5. Release 1.20.4 is the latest Istio version available with Oracle CNE Release 1.9. We recommend you upgrade Istio to the latest available version listed in the application catalog, which might be a newer release than shown here.

  1. Check the Istio version.
    kubectl describe pod --namespace istio-system istiod

    Press the Tab key to autocomplete the name of the istiod pod.

    The output contains the Image option, which shows the Istio version, for example:

     Image: container-registry.oracle.com/olcne/pilot:1.20.4
  2. Search the application catalog for Istio versions.

    Several Istio versions are available to install. We recommend you install the latest version. To see the list of available versions, use:

    ocne catalog search --pattern istio
  3. Change the Istio objects to be managed by Helm.

    Change the Istio Base objects:

    kubectl --namespace istio-system label ServiceAccount istio-reader-service-account app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ServiceAccount istio-reader-service-account meta.helm.sh/release-name=istio-base
    kubectl --namespace istio-system annotate ServiceAccount istio-reader-service-account meta.helm.sh/release-namespace=istio-system
     
    kubectl label ValidatingWebhookConfiguration istiod-default-validator app.kubernetes.io/managed-by=Helm
    kubectl annotate ValidatingWebhookConfiguration istiod-default-validator meta.helm.sh/release-name=istio-base
    kubectl annotate ValidatingWebhookConfiguration istiod-default-validator meta.helm.sh/release-namespace=istio-system

    Change the Istiod objects:

    kubectl --namespace istio-system label ServiceAccount istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ServiceAccount istiod meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate ServiceAccount istiod meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label ConfigMap istio app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ConfigMap istio meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate ConfigMap istio meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label ConfigMap istio-sidecar-injector app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ConfigMap istio-sidecar-injector meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate ConfigMap istio-sidecar-injector meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRole istiod-clusterrole-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRole istiod-clusterrole-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRole istiod-clusterrole-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRole istiod-gateway-controller-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRole istiod-gateway-controller-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRole istiod-gateway-controller-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRole istio-reader-clusterrole-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRole istio-reader-clusterrole-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRole istio-reader-clusterrole-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRoleBinding istiod-clusterrole-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRoleBinding istiod-clusterrole-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRoleBinding istiod-clusterrole-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRoleBinding istiod-gateway-controller-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRoleBinding istiod-gateway-controller-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRoleBinding istiod-gateway-controller-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl label ClusterRoleBinding istio-reader-clusterrole-istio-system app.kubernetes.io/managed-by=Helm
    kubectl annotate ClusterRoleBinding istio-reader-clusterrole-istio-system meta.helm.sh/release-name=istiod
    kubectl annotate ClusterRoleBinding istio-reader-clusterrole-istio-system meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label Role istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Role istiod meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate Role istiod meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label RoleBinding istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate RoleBinding istiod meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate RoleBinding istiod meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label Service istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Service istiod meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate Service istiod meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label Deployment istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Deployment istiod meta.helm.sh/release-name=istiod
    kubectl --namespace istio-system annotate Deployment istiod meta.helm.sh/release-namespace=istio-system
    
    kubectl label MutatingWebhookConfiguration istio-sidecar-injector app.kubernetes.io/managed-by=Helm
    kubectl annotate MutatingWebhookConfiguration istio-sidecar-injector meta.helm.sh/release-name=istiod
    kubectl annotate MutatingWebhookConfiguration istio-sidecar-injector meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label HorizontalPodAutoscaler istiod app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istiod meta.helm.sh/release-name=istiod 
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istiod meta.helm.sh/release-namespace=istio-system

    Change the Istio-Ingress Gateway objects:

    kubectl --namespace istio-system label ServiceAccount istio-ingressgateway-service-account app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ServiceAccount istio-ingressgateway-service-account meta.helm.sh/release-name=istio-ingressgateway
    kubectl --namespace istio-system annotate ServiceAccount istio-ingressgateway-service-account meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label Service istio-ingressgateway app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Service istio-ingressgateway meta.helm.sh/release-name=istio-ingressgateway
    kubectl --namespace istio-system annotate Service istio-ingressgateway meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label Deployment istio-ingressgateway app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Deployment istio-ingressgateway meta.helm.sh/release-name=istio-ingressgateway
    kubectl --namespace istio-system annotate Deployment istio-ingressgateway meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label Role istio-ingressgateway-sds app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Role istio-ingressgateway-sds meta.helm.sh/release-name=istio-ingressgateway
    kubectl --namespace istio-system annotate Role istio-ingressgateway-sds meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label RoleBinding istio-ingressgateway-sds app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate RoleBinding istio-ingressgateway-sds meta.helm.sh/release-name=istio-ingressgateway
    kubectl --namespace istio-system annotate RoleBinding istio-ingressgateway-sds meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label HorizontalPodAutoscaler istio-ingressgateway app.kubernetes.io/managed-by=Helm 
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istio-ingressgateway meta.helm.sh/release-name=istio-ingressgateway 
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istio-ingressgateway meta.helm.sh/release-namespace=istio-system

    Change the Istio-Egress Gateway objects:

    kubectl --namespace istio-system label ServiceAccount istio-egressgateway-service-account app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate ServiceAccount istio-egressgateway-service-account meta.helm.sh/release-name=istio-egressgateway
    kubectl --namespace istio-system annotate ServiceAccount istio-egressgateway-service-account meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label Service istio-egressgateway app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Service istio-egressgateway meta.helm.sh/release-name=istio-egressgateway
    kubectl --namespace istio-system annotate Service istio-egressgateway meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label Deployment istio-egressgateway app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Deployment istio-egressgateway meta.helm.sh/release-name=istio-egressgateway
    kubectl --namespace istio-system annotate Deployment istio-egressgateway meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label Role istio-egressgateway-sds app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate Role istio-egressgateway-sds meta.helm.sh/release-name=istio-egressgateway
    kubectl --namespace istio-system annotate Role istio-egressgateway-sds meta.helm.sh/release-namespace=istio-system
     
    kubectl --namespace istio-system label RoleBinding istio-egressgateway-sds app.kubernetes.io/managed-by=Helm
    kubectl --namespace istio-system annotate RoleBinding istio-egressgateway-sds meta.helm.sh/release-name=istio-egressgateway
    kubectl --namespace istio-system annotate RoleBinding istio-egressgateway-sds meta.helm.sh/release-namespace=istio-system
    
    kubectl --namespace istio-system label HorizontalPodAutoscaler istio-egressgateway app.kubernetes.io/managed-by=Helm 
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istio-egressgateway meta.helm.sh/release-name=istio-egressgateway 
    kubectl --namespace istio-system annotate HorizontalPodAutoscaler istio-egressgateway meta.helm.sh/release-namespace=istio-system 
  4. Install Istio from the application catalog.

    Ensure you install the latest version of Istio. This might be later than the one shown in this example.

    ocne application install --namespace istio-system --name istio-base --release istio-base --version 1.20.5
    ocne application install --namespace istio-system --name istiod --release istiod --version 1.20.5
    ocne application install --namespace istio-system --name istio-ingress --release istio-ingressgateway --version 1.20.5
    ocne application install --namespace istio-system --name istio-egress --release istio-egressgateway --version 1.20.5
  5. Restart the Istio pods.
    kubectl rollout restart deployment --namespace istio-system istiod
    kubectl rollout restart deployment --namespace istio-system istio-ingressgateway
    kubectl rollout restart deployment --namespace istio-system istio-egressgateway
  6. Check the Istio pods are running.
    kubectl get pods -o wide -A
  7. Validate the Istio installation.
    kubectl get pods -A -o yaml | grep image: | grep proxyv2 | grep -i cont

    The output contains the image option for the Istio pods, which shows that the Istio version is now proxyv2:1.20.5. For example:

    image: container-registry.oracle.com/olcne/proxyv2:1.20.5
    image: container-registry.oracle.com/olcne/proxyv2:1.20.5
    image: container-registry.oracle.com/olcne/proxyv2:1.20.5
    image: container-registry.oracle.com/olcne/proxyv2:1.20.5
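
Helm adopts an existing object into a release only when the object carries the `app.kubernetes.io/managed-by=Helm` label and both `meta.helm.sh` annotations with matching values, so a single missed command in step 3 matters, particularly on the ClusterRole, ClusterRoleBinding and webhook objects. The following pre-flight check is an added example, not part of Oracle's procedure or tooling; the function names `istio_objects`, `helm_owner` and `check_adoption` are hypothetical, and the object table is derived from the commands in step 3.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: verify the step 3 ownership metadata.
NS=istio-system

# Emit "kind|name|release|scope" per step 3 object (n = namespaced, c = cluster-scoped).
istio_objects() {
  echo "ServiceAccount|istio-reader-service-account|istio-base|n"
  echo "ValidatingWebhookConfiguration|istiod-default-validator|istio-base|c"
  for k in ServiceAccount Role RoleBinding Service Deployment HorizontalPodAutoscaler; do
    echo "$k|istiod|istiod|n"
  done
  echo "ConfigMap|istio|istiod|n"
  echo "ConfigMap|istio-sidecar-injector|istiod|n"
  echo "MutatingWebhookConfiguration|istio-sidecar-injector|istiod|c"
  for k in ClusterRole ClusterRoleBinding; do
    for n in istiod-clusterrole istiod-gateway-controller istio-reader-clusterrole; do
      echo "$k|$n-istio-system|istiod|c"
    done
  done
  for gw in istio-ingressgateway istio-egressgateway; do
    echo "ServiceAccount|$gw-service-account|$gw|n"
    for k in Service Deployment HorizontalPodAutoscaler; do echo "$k|$gw|$gw|n"; done
    for k in Role RoleBinding; do echo "$k|$gw-sds|$gw|n"; done
  done
}

# Print "managed-by|release-name|release-namespace" as currently set on one object.
helm_owner() {
  jp='{.metadata.labels.app\.kubernetes\.io/managed-by}|{.metadata.annotations.meta\.helm\.sh/release-name}|{.metadata.annotations.meta\.helm\.sh/release-namespace}'
  if [ "$3" = n ]; then
    kubectl --namespace "$NS" get "$1" "$2" -o jsonpath="$jp"
  else
    kubectl get "$1" "$2" -o jsonpath="$jp"
  fi
}

# Read the table on stdin, report each object whose metadata differs from what
# step 3 sets (or that cannot be read), and return non-zero if any was reported.
check_adoption() {
  bad=0
  while IFS='|' read -r kind name release scope; do
    got=$(helm_owner "$kind" "$name" "$scope" </dev/null 2>/dev/null) || got='<not found>'
    if [ "$got" != "Helm|$release|$NS" ]; then
      echo "MISMATCH $kind/$name: want Helm|$release|$NS, got $got"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}
```

Run `istio_objects | check_adoption` between steps 3 and 4; a non-zero exit status means at least one object is not yet labeled and annotated for its release.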