Upgrade

Istio升级 #

众所周知,Istio 目前属于快速发展时期,版本的更新也是很快,Istio 版本升级也是必须要考虑的一个重要环节。目前,Istio 官方也给出多种升级方法供大家根据实际情况选择,但实践操作下来,还是有些复杂。 我们SolarMesh考虑到用户的使用,整合了Istio Canary升级方案,推出了更简单易用的操作命令供用户使用。你可以下载我们提供的可执行文件,即可进行istio控制面、数据面的快速升级。

下载安装包 #

例如,你想升级你的Istio集群到1.16.0版本,那么可以指定你的下载路径如下:

使用linux安装

wget http://release.solarmesh.cn/istio/istio-upgrade-1.16.0

使用 #

升级Istio分为三个部分:控制面、数据面以及网关,你可以分别升级这三个部分,具体的操作命令可以参考如下。

To upgrade both control plane and all gateways,
istio-upgrade -p -g -A

To upgrade only control plane
istio-upgrade -p

To upgrade all gateways
istio-upgrade -g -A

To upgrade given gateways
istio-upgrade -g --gateway ingress-foo --gateway egress-bar

To upgrade all data-plane
istio-upgrade -d 

To upgrade all data-planes under the specified namespace
istio-upgrade -d --namespaces foo,bar

To upgrade all data-planes under the specified namespace,name 
istio-upgrade -d --namespaces foo --names bar

Specify the upgrade option via -p or -g
Usage of ./istio-upgrade-1.16.0:
  -A, --all                          Upgrade all gateways
      --context string               The name of the kubeconfig context to use
  -p, --control-plane                Upgrade Istio control plane
  -d, --data-plane                   Upgrade Istio data plane
      --dry-run                      Console/log output only, make no changes.
  -f, --filename string              Path to file containing IstioOperator custom resource. The installed IstioOperator will be used if not specify.
      --gateway strings              Specify gateway name to be upgraded
  -g, --gateways                     Upgrade Istio gateways
      --hub string                   Istio hub. default docker.io/istio (default "docker.io/istio")
  -c, --kubeconfig string            Kubernetes configuration file
      --names strings                Kubernetes workload names
      --namespaces strings           Kubernetes namespace
      --readiness-timeout duration   Maximum time to wait for Istio resources in each component to be ready. (default 5m0s)
  -v, --values string                Path to file containing helm values
      --verbose                      Enable verbose log
  -r, --version string               Target control plane version or revision for the command. (default "1.16.0")

升级控制面 #

首先,如果你想要升级 contro-plane,你需要指定 –control-plane

如,将业务集群中的istio的控制面升级到 1.16.0 版本:

$ ./istio-upgrade-1.16.0 --control-plane

当你执行完,你可以查看集群中的资源:

$ kubectl get po -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istiod-1-16-0-db554cfcf-992m4           1/1     Running   0          2m7s

此时,你会拥有两个不同版本的控制面,新老版本互不影响。

升级数据面 #

升级完控制面,需要做的就是逐步升级数据面,也即逐步升级业务容器中的sidecar。

升级 data-plane 有几个级别,你可以指定 –namespaces 去升级 namespace下所有的workload 。你也可以再追加一个–names 参数,指定升级某个workload。

如下将业务集群的bookinfo 名称空间下面的所有负载的数据平面升级到 1.16.0版本:

$ ./istio-upgrade-1.16.0 --data-plane --namespaces bookinfo
2022-12-09T08:41:58.061443Z	info	Ready to upgrade Data-Plane.
2022-12-09T08:41:58.071638Z	info	Ready to upgrade namespace: bookinfo Data-Plane.
2022-12-09T08:41:58.086866Z	info	Update namespace: bookinfo
2022-12-09T08:41:58.130399Z	info	rolling upgrade deployment: details-v1 ,namespace: bookinfo
2022-12-09T08:41:58.148526Z	info	rolling upgrade deployment: productpage-v1 ,namespace: bookinfo
2022-12-09T08:41:58.170111Z	info	rolling upgrade deployment: ratings-v1 ,namespace: bookinfo
2022-12-09T08:41:58.208599Z	info	rolling upgrade deployment: reviews-v1 ,namespace: bookinfo
2022-12-09T08:41:58.233685Z	info	rolling upgrade deployment: reviews-v2 ,namespace: bookinfo
2022-12-09T08:41:58.266166Z	info	rolling upgrade deployment: reviews-v3 ,namespace: bookinfo

当你升级后,你可以查看 pod中的 istio-proxy 版本验证升级是否成功。

$ kubectl get po -n bookinfo -oyaml | grep "image:" 
image: docker.io/istio/proxyv2:1.16.0

升级网关 #

如下将业务集群的所有网关升级到1.16.0版本

$ ./istio-upgrade-1.16.0 -g -A

验证是否升级成功

$ kubectl get po -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-fb568dffc-qbhk6     1/1     Running   0          38s
istio-ingressgateway-867c59bc47-p6t8c   1/1     Running   0          38s
$ kubectl get po -n istio-system istio-ingressgateway-867c59bc47-p6t8c -oyaml | grep "image:"
    image: docker.io/istio/proxyv2:1.16.0
    image: docker.io/istio/proxyv2:1.16.0

移除旧版本 #

如果你从未进行istio升级,理论上,你的旧版本的revision=default,所以你要卸载旧版本,你指定的revision应该为default。

$ solarctl uninstall istio --cluster cluster1 --revision default
If you proceed with the uninstall, these proxies will become detached from any control plane and will not function correctly.
Proceed? (y/N) y
  Removed HorizontalPodAutoscaler:istio-system:istiod.
  Removed PodDisruptionBudget:istio-system:istiod.
  Removed Deployment:istio-operator:istio-operator.
  Removed Deployment:istio-system:istiod.
  Removed Service:istio-operator:istio-operator.
  Removed Service:istio-system:istiod.
  Removed ConfigMap:istio-system:istio.
  Removed ConfigMap:istio-system:istio-sidecar-injector.
  Removed Pod:istio-system:istiod-7bfb4654d4-hf74j.
  Removed ServiceAccount:istio-operator:istio-operator.
  Removed ServiceAccount:istio-system:istiod.
  Removed RoleBinding:istio-system:istiod.
  Removed Role:istio-system:istiod.
  Removed EnvoyFilter:istio-system:metadata-exchange-1.10.
  Removed EnvoyFilter:istio-system:metadata-exchange-1.11.
  Removed EnvoyFilter:istio-system:metadata-exchange-1.9.
  Removed EnvoyFilter:istio-system:stats-filter-1.10.
  Removed EnvoyFilter:istio-system:stats-filter-1.11.
  Removed EnvoyFilter:istio-system:stats-filter-1.9.
  Removed EnvoyFilter:istio-system:tcp-metadata-exchange-1.10.
  Removed EnvoyFilter:istio-system:tcp-metadata-exchange-1.11.
  Removed EnvoyFilter:istio-system:tcp-metadata-exchange-1.9.
  Removed EnvoyFilter:istio-system:tcp-stats-filter-1.10.
  Removed EnvoyFilter:istio-system:tcp-stats-filter-1.11.
  Removed EnvoyFilter:istio-system:tcp-stats-filter-1.9.
  Removed MutatingWebhookConfiguration::istio-sidecar-injector.
  Removed ClusterRole::istio-operator.
  Removed ClusterRole::istio-reader-clusterrole-istio-system.
  Removed ClusterRole::istiod-clusterrole-istio-system.
  Removed ClusterRoleBinding::istio-operator.
  Removed ClusterRoleBinding::istio-reader-clusterrole-istio-system.
  Removed ClusterRoleBinding::istiod-clusterrole-istio-system.
✔ Uninstall complete

同步SolarMesh的配置 #

SolarMesh有某些功能,跟istio的版本有关联,所以你在升级完后,你需要同步下配置。命令如下:

$ solarctl upgrade istio  --sync-solarmesh --revision 1-15-2 --cluster cluster1
This operation will synchronize the configuration of solarmesh to the new version of istio, are you sure to upgrade?
Proceed? (y/N) y
2022-11-16T07:03:21.013913Z	info	klog	Ready to sync istio and solarmesh configuration
2022-11-16T07:03:21.048473Z	info	klog	Ready to sync envoyfilter grpc-logging-config-inbound
2022-11-16T07:03:21.079752Z	info	klog	Sync envoyfilter grpc-logging-config-inbound success
2022-11-16T07:03:21.079847Z	info	klog	Ready to sync envoyfilter grpc-logging-config-outbound
2022-11-16T07:03:21.104112Z	info	klog	Sync envoyfilter grpc-logging-config-outbound success
2022-11-16T07:03:21.104283Z	info	klog	Ready to sync envoyfilter grpc-logging-inbound
2022-11-16T07:03:21.126191Z	info	klog	using deprecated filter name "envoy.http_connection_manager"; use "envoy.filters.network.http_connection_manager" instead
2022-11-16T07:03:21.127114Z	info	klog	Sync envoyfilter grpc-logging-inbound success
2022-11-16T07:03:21.127219Z	info	klog	Ready to sync envoyfilter grpc-logging-outbound
2022-11-16T07:03:21.151592Z	info	klog	using deprecated filter name "envoy.http_connection_manager"; use "envoy.filters.network.http_connection_manager" instead
2022-11-16T07:03:21.152895Z	info	klog	Sync envoyfilter grpc-logging-outbound success
2022-11-16T07:03:21.171816Z	info	klog	Ready to update solaroperator: cluster1 istioVersion