Revisioned Istio CNI and Upgrades
Istio CNI upgrades are controlled by Istio Isolation Boundaries, which is an Alpha feature and is not recommended for production usage.
Before you continue, make sure you are familiar with the Istio Isolation Boundaries feature.
Revisioned Istio CNI
The Istio CNI can be bound to a specific Istio revision in a revisioned Istio environment. Consider the following Isolation Boundary configuration, which allows for managing revisioned Istio environments:
spec:
  ...
  components:
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
Once a revision is in place, Istio CNI can be enabled with the revision specified under the Isolation Boundary configuration, as shown below.
Non-Openshift:

apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: <cluster-name>
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          chained: true
          binaryDirectory: /opt/cni/bin
          configurationDirectory: /etc/cni/net.d
          revision: stable
    ...
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
    ...
  hub: <registry-location>
  managementPlane:
    host: <tsb-address>
    port: <tsb-port>
    clusterName: <cluster-name>
  telemetryStore:
    elastic:
      host: <elastic-hostname-or-ip>
      port: <elastic-port>
      version: <elastic-version>

Openshift:

apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: <cluster-name>
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          revision: stable
    ...
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
    ...
  hub: <registry-location>
  managementPlane:
    host: <tsb-address>
    port: <tsb-port>
    clusterName: <cluster-name>
  telemetryStore:
    elastic:
      host: <elastic-hostname-or-ip>
      port: <elastic-port>
      version: <elastic-version>
In a brownfield setup, with Isolation Boundaries and Istio CNI already enabled, the revision value defaults to the revision with the latest revisions[].istio.tsbVersion.
If multiple such tsbVersions are present, alphabetical preference is given based on revisions[].name.
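The defaulting rule above can be checked before a change is applied. The following is an added example, not code from TSB: it takes the ControlPlane spec as a Python dict and returns the revision Istio CNI would bind to. The function names are hypothetical, and two points the page leaves open are assumptions: "latest" is read as semver precedence, and the alphabetically first name wins a tie. It also rejects a pinned revision that no Isolation Boundary declares.

```python
def version_key(v):
    """Sort key for a tsbVersion. Assumption: semver-style precedence,
    so a pre-release such as 1.6.1-rc1 sorts below the release 1.6.1."""
    core, _, pre = v.partition("-")
    nums = tuple(int(n) for n in core.split("."))
    if not pre:
        return (nums, 1, ())  # a release outranks every pre-release of it
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                for p in pre.split("."))
    return (nums, 0, ids)


def declared_revisions(spec):
    """Every revision under spec.components.xcp.isolationBoundaries."""
    boundaries = spec["components"]["xcp"]["isolationBoundaries"]
    return [r for b in boundaries for r in b.get("revisions", [])]


def default_cni_revision(spec):
    """Brownfield default: latest tsbVersion, ties broken by name."""
    revs = declared_revisions(spec)
    latest = max(version_key(r["istio"]["tsbVersion"]) for r in revs)
    tied = [r["name"] for r in revs
            if version_key(r["istio"]["tsbVersion"]) == latest]
    return min(tied)  # assumption: alphabetically first name is preferred


def effective_cni_revision(spec):
    """Revision Istio CNI binds to; rejects a pin that is not declared."""
    cni = spec["components"].get("istio", {}).get("kubeSpec", {}).get("CNI", {})
    pinned = cni.get("revision")
    if pinned is None:
        return default_cni_revision(spec)
    if pinned not in {r["name"] for r in declared_revisions(spec)}:
        raise ValueError(f"CNI revision {pinned!r} is not declared")
    return pinned


# Constructed sample: the ControlPlane spec as a dict, CNI revision unset.
SPEC = {"components": {
    "istio": {"kubeSpec": {"CNI": {}}},
    "xcp": {"isolationBoundaries": [{"name": "global", "revisions": [
        {"name": "stable", "istio": {"tsbVersion": "1.6.1"}},
        {"name": "canary", "istio": {"tsbVersion": "1.6.1-rc1"}},
    ]}]},
}}

if __name__ == "__main__":
    print(effective_cni_revision(SPEC))
```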
Istio CNI Upgrade
Once Istio CNI is bound to a revision, upgrading to a different revision is fairly straightforward.
First, add a canary Istio control plane under the Isolation Boundaries configuration.
spec:
  ...
  components:
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
        - name: canary
          istio:
            tsbVersion: 1.6.1-rc1
Then, update the revision value under the Istio CNI settings to point to the canary revision, as shown below.
For Openshift environments, Istio CNI is enabled by default and no specific configuration is required. Therefore, to manage revisioned Istio CNI in Openshift, only the revision field is supported.
Non-Openshift:

apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: <cluster-name>
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          chained: true
          binaryDirectory: /opt/cni/bin
          configurationDirectory: /etc/cni/net.d
          revision: canary
    ...
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
        - name: canary
          istio:
            tsbVersion: 1.6.1-rc1
    ...

Openshift:

apiVersion: install.tetrate.io/v1alpha1
kind: ControlPlane
metadata:
  name: <cluster-name>
  namespace: istio-system
spec:
  components:
    istio:
      kubeSpec:
        CNI:
          revision: canary
    ...
    xcp:
      isolationBoundaries:
      - name: global
        revisions:
        - name: stable
          istio:
            tsbVersion: 1.6.1
        - name: canary
          istio:
            tsbVersion: 1.6.1-rc1
    ...