Upgrade with Helm

    The Helm charts used in this guide are the same underlying charts used when installing Istio via Istioctl or the .

    This feature is currently considered alpha.

    1. Perform any necessary platform-specific setup.

    2. Check the .

    3. Install the Helm client, version 3.6 or above.

    4. Configure the Helm repository:

    Before upgrading Istio, it is recommended to run the command to make sure the upgrade is compatible with your environment.

    1. $ istioctl x precheck
    2. No issues found when checking the cluster. Istio is safe to install or upgrade!
    3. To get started, check out <https://istio.io/latest/docs/setup/getting-started/>

    Helm does not upgrade or delete CRDs when performing an upgrade. Because of this restriction, an additional step is required when upgrading Istio with Helm.

    You can install a canary version of Istio control plane to validate that the new version is compatible with your existing configuration and data plane using the steps below:

    Note that when you install a canary version of the istiod service, the underlying cluster-wide resources from the base chart are shared across your primary and canary installations.

    1. Install a canary version of the Istio discovery chart by setting the revision value:

      1. $ helm install istiod-canary istio/istiod \
      2. --set revision=canary \
      3. -n istio-system
      1. $ kubectl get pods -l app=istiod -L istio.io/rev -n istio-system
      2. NAME READY STATUS RESTARTS AGE REV
      3. istiod-5649c48ddc-dlkh8 1/1 Running 0 71m default
      4. istiod-canary-9cc9fd96f-jpc7n 1/1 Running 0 34m canary
    2. Follow the steps here to test or migrate existing workloads to use the canary control plane.

    3. Once you have verified and migrated your workloads to use the canary control plane, you can uninstall your old control plane:

    4. Upgrade the Istio base chart, making the new revision the default.

      1. $ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system --skip-crds

    Manually relabeling namespaces when moving them to a new revision can be tedious and error-prone. Revision tags solve this problem. are stable identifiers that point to revisions and can be used to avoid relabeling namespaces. Rather than relabeling the namespace, a mesh operator can simply change the tag to point to a new revision. All namespaces labeled with that tag will be updated at the same time.

    Usage

    Consider a cluster with two revisions installed, 1-9-5 and . The cluster operator creates a revision tag prod-stable, pointed at the older, stable 1-9-5 version, and a revision tag prod-canary pointed at the newer 1-10-0 revision. That state could be reached via these commands:

    1. $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-9-5 -n istio-system | kubectl apply -f -

    These commands create new MutatingWebhookConfiguration resources in your cluster, however, they are not owned by any Helm chart due to kubectl manually applying the templates. See the instructions below to uninstall revision tags.

    The resulting mapping between revisions, tags, and namespaces is as shown below:

    Two namespaces pointed to prod-stable and one pointed to prod-canary

    The cluster operator can view this mapping in addition to tagged namespaces through the istioctl tag list command:

    1. $ istioctl tag list
    2. TAG REVISION NAMESPACES
    3. prod-canary 1-10-0 ...
    4. prod-stable 1-9-5 ...

    After the cluster operator is satisfied with the stability of the control plane tagged with prod-canary, namespaces labeled istio.io/rev=prod-stable can be updated with one action by modifying the revision tag to point to the newer 1-10-0 revision.

    1. $ helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-10-0 -n istio-system | kubectl apply -f -

    Now, the situation is as below:

    Namespace labels unchanged but now all namespaces pointed to 1-10-0

    Restarting injected workloads in the namespaces marked prod-stable will now result in those workloads using the 1-10-0 control plane. Notice that no namespace relabeling was required to migrate workloads to the new revision.

    Default tag

    The revision pointed to by the tag default is considered the default revision and has additional semantic meaning. The default revision performs the following functions:

    • Injects sidecars for the istio-injection=enabled namespace selector, the sidecar.istio.io/inject=true object selector, and the istio.io/rev=default selectors
    • Validates Istio resources
    • Steals the leader lock from non-default revisions and performs singleton mesh responsibilities (such as updating resource statuses)

    To make a revision 1-10-0 the default, run:

    When using the default tag alongside an existing non-revisioned Istio installation it is recommended to remove the old MutatingWebhookConfiguration (typically called istio-sidecar-injector) to avoid having both the older and newer control planes attempt injection.

    You can perform an in place upgrade of Istio in your cluster using the Helm upgrade workflow.

    Add your override values file or custom options to the commands below to preserve your custom configuration during Helm upgrades.

    1. Upgrade the Kubernetes custom resource definitions (CRDs):

      1. $ kubectl apply -f manifests/charts/base/crds
    2. Upgrade the Istio base chart:

      1. $ helm upgrade istio-base manifests/charts/base -n istio-system --skip-crds
    3. Upgrade the Istio discovery chart:

      1. $ helm upgrade istiod istio/istiod -n istio-system
    4. (Optional) Upgrade and gateway charts installed in your cluster:

      Please refer to the uninstall section in our .