A Field Guide for Safe Istio Upgrades As a Field Engineer at Solo.io, the speaker helps organizations of all sizes install and upgrade Istio in production every day. What we already know is that there is no one-size-fits-all approach to perform upgrades. Enterprise platform owners and service owners maintain distinctive environments and Istio deployment models depending on their tenancy, security, and cost requirements. The varying risk tolerance for a potential downtime during an upgrade is another factor to consider. Developing a custom plan is often critical to address an organization’s unique architecture and constraints. In this session, the speaker will outline the various upgrade strategies, their advantages and disadvantages, the gotchas that you need to watch out for, and most importantly - some best practices you can apply from day 1 to ensure successful upgrades in the future.

1. #IstioCon
A Field Guide for
Safe Istio Upgrades
Ram Vennam / @RamVennam / Field Engineer @ Solo.io

2. #IstioCon
@RamVennam
ram.vennam@solo.io
https://www.linkedin.com/in/ramvennam/
Field Engineering Lead, N.Amer, Solo.io
About me

3. #IstioCon
Istio

4. #IstioCon
What gets installed?
istioctl manifest generate --set profile=default
(istioctl manifest generate -f ~/istio-1.13.2/manifests/profiles/default.yaml)
CustomResourceDefinition 15
Deployment 2
Service 2
ValidatingWebhookConfiguration 1
MutatingWebhookConfiguration 1
ConfigMap 2
ServiceAccount 4
ClusterRole/ClusterRoleBinding 5
Role/RoleBinding 3
EnvoyFilter 6
HorizontalPodAutoscaler 2
PodDisruptionBudget 2

5. #IstioCon
How are they wired together?

6. #IstioCon
Certs

7. #IstioCon
Best Practice: Separate IstioOperator

8. #IstioCon
Before you upgrade:
Capture state
Analyze and address any issues
istioctl analyze --all-namespaces
istioctl proxy-status
Precheck
istioctl x precheck
Backup Istio CR’s
kubectl get istio-io --all-namespaces -oyaml

9. #IstioCon
Before you upgrade:
Capture state
Capture everything:
istioctl bug-report
analyze
Istio CR’s
Sidecar proxy logs
Gateway logs
ConfigMaps

10. #IstioCon
Before you upgrade:
Dashboards
https://krisztianfekete.org/upgrading-to-istio-1.11/

11. #IstioCon
Before you upgrade:
Upgrade Notes (Different from release announcements and change notes)

12. #IstioCon
Special attention
● EnvoyFilters
● EnvoyFilters
● EnvoyFilters!
● IstioOperator customizations
○ overlays
○ meshConfig
○ Compare:
~/istio-1.11.5/bin/istioctl manifest generate -f myIstioInstall.yaml
~/istio-1.12.6/bin/istioctl manifest generate -f myIstioInstall.yaml
● Resource annotations
kubectl get deploy -o yaml | grep 'istio.io'

13. #IstioCon
istioctl upgrade
istioctl upgrade -f istiodIstioOperator.yaml
istioctl upgrade -f ingressGatewayIstioOperator.yaml
istioctl upgrade -f ewGatewayIstioOperator.yaml
kubectl rollout restart deployment -n myns
istioctl proxy-status

14. #IstioCon
Problems after upgrade
Analyze
istioctl analyze --all-namespaces
Check the logs
Compare proxy config with previous
istioctl proxy-config <clusters|listeners|routes|...>
istioctl bug-report
Troubleshoot
https://istio.io/latest/docs/ops/common-problems/
https://istio.io/latest/docs/ops/diagnostic-tools/
https://www.solo.io/blog/navigating-istio-config-toolkit/

15. #IstioCon
Revisions

16. Revisions

17. Revisions: Step 1
istioctl install -f istiodIstioOperator.yaml --revision 1-12-1
istioctl x revision list

18. Revisions: Step 2
kubectl label namespace app2 istio.io/rev=1-12-1 --overwrite
kubectl rollout restart deployment -n app2
istioctl proxy-status

19. Revisions: Step 3
istioctl install -y -f ingress-gateway-test.yaml --revision 1-12-1

20. Revisions: Step 4

21. #IstioCon
Revision tags
https://istio.io/latest/blog/2021/revision-tags/
istioctl x revision tag list
TAG REVISION NAMESPACES
prod-stable 1-9-5 istioinaction
prod-canary 1-10-0 istioinaction-canary

22. #IstioCon
Multi-Cluster

23. #IstioCon
One cluster at a time

24. #IstioCon
Cluster Failover

25. #IstioCon
Workload Failover

26. #IstioCon
Global Service

27. #IstioCon
Cross cluster routing (multiple networks)
cluster1: cluster2:
$ istioctl pc endpoints istio-ingressgateway-78b995cf66-24td6.istio-gateways --cluster "outbound|7000||web-ui.mesh.internal"
ENDPOINT STATUS OUTLIER CHECK CLUSTER
10.16.1.53:7000 HEALTHY OK outbound|7000||web-api.mesh.internal (LOCAL)
34.82.32.121:15443 HEALTHY OK outbound|7000||web-api.mesh.internal (REMOTE)

28. #IstioCon
Front-end Failover
$ istioctl pc endpoints istio-ingressgateway-78b995cf66-24td6.istio-gateways --cluster "outbound|7000||web-ui.mesh.internal"
ENDPOINT STATUS OUTLIER CHECK CLUSTER
10.16.1.53:7000 HEALTHY OK outbound|7000||web-api.mesh.internal (LOCAL)
34.82.32.121:15443 HEALTHY OK outbound|7000||web-api.mesh.internal (REMOTE)

29. #IstioCon
Back-end Failover

30. 30 | Copyright © 2022
Idit Levine
Leader in Istio Community
Christian Posta
Leader in Istio Community,
former Chief Architect at Red Hat
Lin Sun
Istio Technical Oversight
Committee & Steering Committee
Neeraj Poddar
Istio Technical Oversight
Committee and Steering
Committee
Yuval Kohavi
Chief Architect, Gloo Mesh
Ram Vennam
Former Istio Steering Committee
Nick Nellis
Contributor and maintainer
of the Istio project
Solo Istio/Envoy Community Leadership
Founded in 2017 by Idit Levine
Based in Cambridge, MA
with multiple locations around the globe
Industry leaders in application networking, service
mesh, and modern API gateway technologies
Open-Core, “Enterprise” Subscription model
Growing fast
with happy customers
Well Funded
400+%
bookings
growth y/y
98%+
renewal
rate
$171.5M
venture financing
$1 Billion
valuation
We’re hiring!
Gloo Application Networking Platform
Simplify your application networking with unified control,
reliability, observability, extensibility, and security
30 | Copyright © 2022

31. #IstioCon
Thank you!
@RamVennam
https://www.linkedin.com/in/ramvennam/