Upgrading SMM

The procedure to upgrade Service Mesh Manager depends on whether you have installed Service Mesh Manager in imperative mode or in operator mode.

  • If you have installed Service Mesh Manager in imperative mode, upgrade it using the CLI.
  • If you have installed Service Mesh Manager in operator mode, upgrade the operator.
  • If you have installed Service Mesh Manager using our GitOps guide, upgrade the operator chart.

Using the CLI

In case your Service Mesh Manager deployment is managed using the Service Mesh Manager CLI it should be used to upgrade to the new version.

  1. Download the Service Mesh Manager command-line tool for version 1.10.0 and update your local copy of the binary on your machine. For details, see Accessing the Service Mesh Manager binaries.

  2. Deploy a new version of Service Mesh Manager.

    The following command upgrades the Service Mesh Manager control plane. It also installs the new Istio control plane (version 1.13.x), but the applications keep using the old control plane until you restart your workloads.

    • In case you want to have custom settings for your Istio control plane, you can provide that during the installation:

      smm install -a --istio-cr-file <custom-istio-cr-file.yaml>
      
    • Otherwise, simply run:

      smm install -a
      
  3. Check that the Service Mesh Manager control plane is upgraded and already uses the new Istio control plane. Run the following command.

    kubectl get po -n=smm-system -L istio.io/rev
    

    The output should be similar to:

    NAME                                              READY   STATUS    RESTARTS   AGE   REV
    istio-operator-v112x-64bc574fdf-mdtwj             2/2     Running   0          21m
    istio-operator-v113x-8558dbb88c-6r6fx             2/2     Running   0          21m
    mesh-manager-0                                    2/2     Running   0          21m
    prometheus-node-exporter-76jwv                    1/1     Running   0          18m
    prometheus-node-exporter-ptbwk                    1/1     Running   0          18m
    prometheus-node-exporter-w86lc                    1/1     Running   0          18m
    prometheus-smm-prometheus-0                       4/4     Running   0          19m   cp-v113x.istio-system
    smm-6b5575474d-l88lg                              2/2     Running   0          19m   cp-v113x.istio-system
    smm-6b5575474d-wp727                              2/2     Running   0          19m   cp-v113x.istio-system
    smm-als-6b995458c-z8jt9                           2/2     Running   0          19m   cp-v113x.istio-system
    smm-authentication-78d96d6fc9-hg89p               2/2     Running   0          19m   cp-v113x.istio-system
    smm-federation-gateway-7c7d9b7fb5-xgv5t           2/2     Running   0          19m   cp-v113x.istio-system
    smm-federation-gateway-operator-ff8598cb7-xj7pk   2/2     Running   0          19m   cp-v113x.istio-system
    smm-grafana-7bcf9f5885-jhwpg                      3/3     Running   0          19m   cp-v113x.istio-system
    smm-health-56896f5b9b-r54w8                       2/2     Running   0          19m   cp-v113x.istio-system
    smm-health-api-665d4787-pw7z4                     2/2     Running   0          19m   cp-v113x.istio-system
    smm-ingressgateway-b6d5b5b84-l5llx                1/1     Running   0          17m   cp-v113x.istio-system
    smm-kubestatemetrics-5455b9697-5tbgq              2/2     Running   0          19m   cp-v113x.istio-system
    smm-leo-7b64559786-2sj4c                          2/2     Running   0          19m   cp-v113x.istio-system
    smm-prometheus-operator-66dbdb499d-sz6t8          3/3     Running   1          19m   cp-v113x.istio-system
    smm-sre-alert-exporter-668d9cbd68-926t5           2/2     Running   0          19m   cp-v113x.istio-system
    smm-sre-api-86cf44fbbb-lxvxd                      2/2     Running   0          19m   cp-v113x.istio-system
    smm-sre-controller-858b984df6-6b5r6               2/2     Running   0          19m   cp-v113x.istio-system
    smm-tracing-76c688ff6f-7ctjk                      2/2     Running   0          19m   cp-v113x.istio-system
    smm-vm-integration-5df64bdb4b-68xgh               2/2     Running   0          19m   cp-v113x.istio-system
    smm-web-677b9f4f5b-ss9zs                          3/3     Running   0          19m   cp-v113x.istio-system
    
  4. Restart your workloads.

  5. Restart federation-gateway deployment specifically so that it can combine the latest upgraded APIs.

    kubectl rollout restart deployment smm-federation-gateway -n smm-system
    

In operator mode

In case the deployment is managed in operator mode the upgrade procedure only consists of installing a newer version of the operator helm chart and allowing it to reconcile the cluster.

  1. Upgrade the helm chart to the target version.

    Note: If the system uses helm for deploying the chart (and not some other CI/CD solution such as Argo CD), then the CustomResourceDefinitions (CRDs) will not be automatically upgraded. In this case, fetch the helm chart locally using the helm pull command and apply the CRDs in the crds folder of the helm chart manually.

  2. After the operator has been started, monitor the status of the ControlPlane resource until it finishes the upgrade (reconciliation). Run the following command:

    kubectl describe cp
    

    After the upgrade is finished, the output should be similar to the following. The Status: Succeeded line shows that the deployment has been upgraded. In case of any errors, consult the Kubernetes logs of the operator (installed by Helm) for further information.

    ...
    Status:
      Components:
        Cert Manager:
          Status:  Available
        Cluster Registry:
          Status:  Available
        Mesh Manager:
          Status:  Available
        Node Exporter:
          Status:  Available
        Registry Access:
          Status:  Available
        Smm:
          Status:  Available
      Status:      Succeeded
    
  3. Restart your workloads.

  4. Restart federation-gateway deployment specifically so that it can combine the latest upgraded APIs.

    kubectl rollout restart deployment smm-federation-gateway -n smm-system
    

In a GitOps scenario

If you have installed Service Mesh Manager using our GitOps guide, complete the following steps to upgrade the operator chart.

  1. Check your username and password on the download page.

  2. Download the smm-operator chart from registry.eticloud.io into the charts directory of your Service Mesh Manager GitOps repository and unpack it. Run the following commands:

    cd charts 
    
    export HELM_EXPERIMENTAL_OCI=1
    
    echo <calisti-password> | helm registry login registry.eticloud.io -u '<calisti-username>' --password-stdin
    
    helm pull oci://registry.eticloud.io/smm-charts/smm-operator --version 1.10.0 --untar
    
  3. Commit the changes and push the repository.

    git add .
    git commit -m "Update smm-operator chart"
    git push origin
    
  4. Restart your workloads.

  5. Restart federation-gateway deployment specifically so that it can combine the latest upgraded APIs.

    kubectl rollout restart deployment smm-federation-gateway -n smm-system
    

Restarting workloads

After the upgrade has completed, the Pods running in applications' namespaces are still running the old version of Istio proxy sidecar.

  1. To obtain the latest security patches, restart these Controllers (Deployments, StatefulSets, and so on) either using the kubectl rollout command, or by instructing the CI/CD systems enabled on the cluster. For example, to restart the deployments in a namespace, you can run:

    kubectl rollout restart deployment -n <name-of-your-namespace>
    
  2. If the upgrade also involved a minor or major version upgrade of Istio, the kubectl rollout command will only ensure that the latest patch level is being used on the Pods.

    For example: Service Mesh Manager 1.8.2 comes with Istio 1.11, while Service Mesh Manager 1.9.0 is bundled with Istio 1.12. By upgrading from Service Mesh Manager 1.8.2 to 1.9.0, and then restarting the Controllers will only result in the latest 1.11 Istio sidecar proxy to be started in the Pods.

    To upgrade to the new minor/major version of Istio on your workloads, complete the Canary control plane upgrades procedure.