Upgrading Apigee hybrid to version 1.6

Upgrading to version 1.6.3 overview.

The procedures for upgrading Apigee hybrid are organized in the following sections:

  1. Back up your hybrid installation.
  2. Check your Kubernetes version and upgrade as appropriate.
  3. Install hybrid runtime version 1.6.3.
  4. Upgrade ASM.

Prerequisite

Upgrade to version 1.6

  1. (Recommended) Make a backup copy of your version 1.5 $APIGEECTL_HOME/ directory. For example:
    tar -czvf $APIGEECTL_HOME/../apigeectl-v1.5-backup.tar.gz $APIGEECTL_HOME
  2. (Recommended) Back up your Cassandra database following the instructions in Cassandra backup and recovery.
  3. Upgrade your Kubernetes platform to the versions supported by hybrid 1.6. Follow your platform's documentation if you need help.
  4. If you are running a version of cert-manager prior to v1.2.0, you need to upgrade it to v1.2.0.
    1. Check the current cert-manager version using the following command:

      kubectl -n cert-manager get deployment -o yaml | grep 'image:'
      

      Something similar to the following is returned:

      image: quay.io/jetstack/cert-manager-controller:v1.2.0
      image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
      image: quay.io/jetstack/cert-manager-webhook:v1.2.0
      
    2. Remove the deployments using the following command:
      $ kubectl delete -n cert-manager deployment cert-manager cert-manager-cainjector cert-manager-webhook
      
    3. Upgrade cert-manager to version v1.2.0 using the following command:
      $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
      
  5. Create the apigee-runtime service account required for use with Google OAuth tokens. Use the create-service-account tool:
    1. Create the service account:
      ./tools/create-service-account --env prod --profile apigee-runtime
    2. Add the new service account to your Apigee overrides.yaml file:
      envs:
       - name: "environment-name"
         … … …
         serviceAccountPaths:
           runtime: "path-to-service-account-file"
         … … …
  6. Add the udca.serviceAccountPath property at the top level in your overrides file, in addition to the entry under envs. udca must appear in your overrides twice, once at the environment level and once at the organization level, parallel with connectAgent, logger, mart, metrics, and watcher.

    For example:

    … … …
    
    metrics:
      serviceAccountPath: "metrics-service-account-file"
    
    udca:
      serviceAccountPath: "udca-service-account-file"
    
    watcher:
      serviceAccountPath: "watcher-service-account-file"
    … … …
  7. Optional: If you have enabled Cloud Trace on ASM, you need to add the Cloud Trace Agent (roles/cloudtrace.agent) role to the apigee-runtime service account. You can do so in the Google Cloud Platform > IAM & Admin > Service accounts UI or with the following commands:
    1. Get the email address for your apigee-runtime service account with the following command:
      gcloud iam service-accounts list --filter "apigee-runtime"

      If it matches the pattern apigee-runtime@$ORG_NAME.iam.gserviceaccount.com, you can use that pattern in the next step.

    2. Assign the Cloud Trace Agent role to the service account:
      gcloud projects add-iam-policy-binding $PROJECT_ID \
          --member="serviceAccount:apigee-runtime@$PROJECT_ID.iam.gserviceaccount.com" \
          --role="roles/cloudtrace.agent"

      Where: $PROJECT_ID is the name of your Google Cloud project
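
For the cert-manager check in step 4 above, the comparison against v1.2.0 can be scripted instead of read by eye. The following is an added example, not part of the Apigee documentation; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the Apigee documentation.
# Decide whether cert-manager needs the upgrade from the lines printed by:
#   kubectl -n cert-manager get deployment -o yaml | grep 'image:'

REQUIRED="v1.2.0"   # minimum cert-manager version named in step 4

# version_lt A B: succeeds when version A is strictly older than version B.
# Fields are compared as numbers, so v1.10.0 is newer than v1.2.0
# (a plain string comparison would get that wrong).
version_lt() {
  awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }'
}

# cert_manager_status: reads the "image:" lines on stdin, prints one verdict
# per image, and returns 0 (all at or above REQUIRED), 1 (upgrade needed)
# or 2 (no version tag to compare, or no image lines at all).
cert_manager_status() {
  rc=0; seen=0
  while IFS= read -r line; do
    case "$line" in *image:*) ;; *) continue ;; esac
    image=$(printf '%s' "${line#*image:}" | tr -d ' "\t')
    seen=1
    last=${image##*/}            # drop the registry, which may carry a :port
    case "$last" in
      *@*) verdict=UNKNOWN ;;    # digest-pinned: no version to compare
      *:v[0-9]*|*:[0-9]*)
        if version_lt "${last##*:}" "$REQUIRED"; then
          verdict=UPGRADE
        else
          verdict=OK
        fi ;;
      *) verdict=UNKNOWN ;;      # no tag, or a non-version tag such as "latest"
    esac
    echo "$verdict $image"
    case "$verdict" in
      UPGRADE) rc=1 ;;
      UNKNOWN) [ "$rc" -eq 0 ] && rc=2 ;;
    esac
  done
  [ "$seen" -eq 1 ] || { echo "no image lines found" >&2; return 2; }
  return "$rc"
}

# Constructed sample: output from a cluster where one component was left
# behind on an older release.
SAMPLE_MIXED='      image: quay.io/jetstack/cert-manager-controller:v1.2.0
      image: quay.io/jetstack/cert-manager-cainjector:v1.10.1
      image: "quay.io/jetstack/cert-manager-webhook:v1.1.0"'

printf '%s\n' "$SAMPLE_MIXED" | cert_manager_status ||
  echo "exit status $? (1 = upgrade needed, 2 = cannot tell)"
```

On a live cluster, pipe the kubectl and grep command from step 4 into cert_manager_status in place of the sample.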

Install the hybrid 1.6.3 runtime

  1. Store the latest version number in a variable using the following command:

    Linux

    export VERSION=$(curl -s \
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt?ignoreCache=1)

    Mac OS

    export VERSION=$(curl -s \
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt)

    Windows

    for /f "tokens=*" %a in ('curl -s ^
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/current-version.txt') ^
    do set VERSION=%a
  2. Check that the variable was populated with a version number using the following command. If you want to use a different version, you can save that in an environment variable instead.
    echo $VERSION
      1.6.3
  3. Download the release package for your operating system using the following command:

    Linux

    Linux 64 bit:

    curl -LO \
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/$VERSION/apigeectl_linux_64.tar.gz

    Mac OS

    Mac 64 bit:

    curl -LO \
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/$VERSION/apigeectl_mac_64.tar.gz

    Windows

    Windows 64 bit:

    curl -LO ^
      https://storage.googleapis.com/apigee-release/hybrid/apigee-hybrid-setup/%VERSION%/apigeectl_windows_64.zip
  4. Rename your current apigeectl/ directory to a backup directory name. For example:

    Linux

    mv $APIGEECTL_HOME/ $APIGEECTL_HOME-v1.5/

    Mac OS

    mv $APIGEECTL_HOME/ $APIGEECTL_HOME-v1.5/ 

    Windows

    rename %APIGEECTL_HOME% %APIGEECTL_HOME%-v1.5 
  5. Extract the downloaded gzip file contents into your hybrid base directory using the following command:

    Linux

    tar xvzf filename.tar.gz -C path-to-base-directory

    Mac OS

    tar xvzf filename.tar.gz -C path-to-base-directory

    Windows

    tar xvzf filename.zip -C path-to-base-directory
  6. Change directory to the base directory.
  7. The tar contents are, by default, expanded into a directory with the version and platform in its name. For example: ./apigeectl_1.6.0-d591b23_linux_64. Rename that directory to apigeectl using the following command:

    Linux

    mv apigeectl_1.6.0-d591b23_linux_64 apigeectl

    Mac OS

    mv apigeectl_1.6.0-d591b23_mac_64 apigeectl

    Windows

    rename apigeectl_1.6.0-d591b23_windows_64 apigeectl
  8. Change to the directory using the following command:
    cd ./apigeectl

    This directory is the apigeectl home directory. It is where the apigeectl executable command is located.

  9. Verify the version of apigeectl with the version command:
    ./apigeectl version
    Version: 1.6.3
  10. Create an environment variable to hold this home directory path using the following command:
    export APIGEECTL_HOME=$PWD
  11. Verify that the variable holds the correct path using the following command:
    echo $APIGEECTL_HOME
  12. In the new apigeectl/ directory, run apigeectl init, apigeectl apply, and apigeectl check-ready:
    1. Initialize hybrid 1.6.3:
      apigeectl init -f OVERRIDES.yaml

      Where OVERRIDES.yaml is your edited overrides.yaml file.

    2. Check that it initialized correctly with the following commands:
      apigeectl check-ready -f OVERRIDES.yaml
      kubectl describe apigeeds -n apigee

      Your output should look something like:

      Status:
        Cassandra Data Replication:
        Cassandra Pod Ips:
          10.8.2.204
        Cassandra Ready Replicas:  1
        Components:
          Cassandra:
            Last Successfully Released Version:
              Revision:  v1-f8aa9a82b9f69613
              Version:   v1
            Replicas:
              Available:  1
              Ready:      1
              Total:      1
              Updated:    1
            State:        running
        Scaling:
          In Progress:         false
          Operation:
          Requested Replicas:  0
        State:                 running
      
    3. Check for errors with a dry run:
      apigeectl apply -f OVERRIDES.yaml --dry-run=client
    4. Apply your overrides. Select and follow the instructions for production environments or demo/experimental environments, depending on your installation.

      Production

      For production environments you should upgrade each hybrid component individually, and check the status of the upgraded component before proceeding to the next component.

      1. Apply your overrides to upgrade Cassandra:
        apigeectl apply -f OVERRIDES.yaml --datastore
      2. Check completion:
        kubectl -n NAMESPACE get pods
        apigeectl check-ready -f OVERRIDES.yaml

        Where NAMESPACE is your Apigee hybrid namespace.

        Proceed to the next step only when the pods are ready.

      3. Apply your overrides to upgrade Telemetry components and check completion:
        apigeectl apply -f OVERRIDES.yaml --telemetry
        kubectl -n NAMESPACE get pods
        apigeectl check-ready -f OVERRIDES.yaml
      4. Bring up Redis components:
        apigeectl apply -f OVERRIDES.yaml --redis
      5. Apply your overrides to upgrade the org-level components (MART, Watcher and Apigee Connect) and check completion:
        apigeectl apply -f OVERRIDES.yaml --org
        kubectl -n NAMESPACE get pods
        apigeectl check-ready -f OVERRIDES.yaml
      6. Apply your overrides to upgrade your environments. You have two choices:
        • Environment by environment: Apply your overrides to one environment at a time and check completion. Repeat this step for each environment:
          apigeectl apply -f OVERRIDES.yaml --env ENV_NAME
          kubectl -n NAMESPACE get pods
          apigeectl check-ready -f OVERRIDES.yaml

          Where ENV_NAME is the name of the environment you are upgrading.

        • All environments at one time: Apply your overrides to all environments at once and check completion:
          apigeectl apply -f OVERRIDES.yaml --all-envs
          kubectl -n NAMESPACE get pods
          apigeectl check-ready -f OVERRIDES.yaml

      Demo/Experimental

      In most demo or experimental environments, you can apply the overrides to all components at once. If your demo/experimental environment is large and complex or closely mimics a production environment, you may want to use the instructions for upgrading production environments.

      1. Apply your overrides:
        apigeectl apply -f OVERRIDES.yaml
      2. Check the status:
        apigeectl check-ready -f OVERRIDES.yaml

Upgrade ASM to version 1.9

Perform the upgrade using the ASM documentation appropriate for your platform:

GKE

To upgrade to ASM version 1.9.8 for hybrid on GKE:

  1. Review the requirements in Upgrading Anthos Service Mesh to the latest version, but do not perform the upgrade yet.
  2. Create a file named overlay.yaml with the following contents:
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    spec:
      revision: asm-198-6
      components:
        ingressGateways:
          - name: istio-ingressgateway
            enabled: true
            k8s:
              nodeSelector:
                # default node selector, if different or not using node selectors, change accordingly.
                cloud.google.com/gke-nodepool: apigee-runtime
              resources:
                requests:
                  cpu: 1000m
              readinessProbe:
                initialDelaySeconds: 45
                periodSeconds: 60
              service:
                type: LoadBalancer
                loadBalancerIP: STATIC_IP # If you do not have a reserved static IP, leave this out.
                ports:
                  - name: http-status-port
                    port: 15021
                  - name: http2
                    port: 80
                    targetPort: 8080
                  - name: https
                    port: 443
                    targetPort: 8443
  3. Follow the instructions in Upgrading with an overlay file.

On-prem / GKE on AWS

To upgrade ASM for Apigee hybrid installations on GKE on-prem (Anthos), GKE on AWS, and bare metal, follow these instructions:
  1. Review the instructions in Upgrading Anthos Service Mesh on premises.
  2. Specify the following ingress ports and set the runAsRoot property to true in your istio-operator.yaml file:
        … … …
                ports:
                - port: 15021
                  name: status-port
                  targetPort: 15021
                - port: 80
                  name: http2
                  targetPort: 80
                - port: 443
                  name: https
                  targetPort: 443
    
        … … …
        values:
          gateways:
            istio-ingressgateway:
              runAsRoot: true 
  3. Apply these changes with istioctl as described in the ASM documentation: Updating the control plane

AKS / EKS

In these instructions the process of upgrading Anthos Service Mesh (ASM) version istio-1.9.8-asm.6 on Anthos attached clusters is the same as performing a fresh install.

Preparing to install Anthos Service Mesh

    Linux

  1. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-linux-amd64.tar.gz
  2. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.9.8-asm.6-linux-amd64.tar.gz.1.sig istio-1.9.8-asm.6-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  3. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  4. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  5. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Mac OS

  7. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-osx.tar.gz
  8. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.9.8-asm.6-osx.tar.gz.1.sig istio-1.9.8-asm.6-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  9. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  10. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  11. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Windows

  13. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-win.zip
  14. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.9.8-asm.6-win.zip.1.sig istio-1.9.8-asm.6-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  15. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-win.zip

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  16. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  17. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%
  18. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  19. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system
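
The download, verify and extract steps above only help if extraction depends on the result of the openssl check. The following is an added example, not part of the Apigee or ASM documentation: the function names are hypothetical, and a throwaway P-256 key and a one-file archive stand in for the vendor key and the real download so that it runs offline.

```sh
#!/bin/sh
# Added example, not from the Apigee or ASM documentation.
# Gate extraction of a downloaded release on its detached signature.

# verify_release ARCHIVE SIGNATURE PUBKEY_PEM
# Succeeds only when SIGNATURE is a valid SHA-256 signature over ARCHIVE under
# PUBKEY_PEM. A missing or empty input is a failure (status 2), so a typo in a
# file name can never be mistaken for a pass.
verify_release() {
  for f in "$1" "$2" "$3"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# verify_then_extract ARCHIVE SIGNATURE PUBKEY_PEM DEST
# Unpacks ARCHIVE into DEST only after verify_release succeeds.
verify_then_extract() {
  if verify_release "$1" "$2" "$3"; then
    mkdir -p "$4" && tar xzf "$1" -C "$4"
  else
    echo "signature check failed for $1; nothing extracted" >&2
    return 1
  fi
}

# make_fixture DIR: constructed stand-ins so the example runs offline. A
# throwaway P-256 key replaces the vendor key and a one-file archive replaces
# the real download. With the real release, PUBKEY_PEM is the PEM block shown
# in the verification step, saved to a file.
make_fixture() {
  mkdir -p "$1/src" &&
  echo "placeholder for bin/istioctl" > "$1/src/istioctl" &&
  tar czf "$1/release.tar.gz" -C "$1/src" istioctl &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" 2>/dev/null &&
  openssl ec -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null &&
  openssl dgst -sha256 -sign "$1/key.pem" \
    -out "$1/release.tar.gz.1.sig" "$1/release.tar.gz"
}

demo() {
  d=$(mktemp -d) || return 1
  make_fixture "$d" || return 1
  verify_then_extract "$d/release.tar.gz" "$d/release.tar.gz.1.sig" \
    "$d/pub.pem" "$d/out" && echo "intact archive: extracted"
  # Simulate corruption or tampering in transit: append one byte.
  printf 'x' >> "$d/release.tar.gz"
  verify_then_extract "$d/release.tar.gz" "$d/release.tar.gz.1.sig" \
    "$d/pub.pem" "$d/out2" || echo "modified archive: refused"
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```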

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-198-6
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-198-6
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
    

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-198-6"

    Your output should look something like:

    kubectl get pods -n istio-system
    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-198-6-798ffb964-2ls88       1/1     Running   0          3m21s
    istiod-asm-198-6-798ffb964-fnj8c       1/1     Running   1          3m21s
    

    The --set revision argument adds a revision label in the format istio.io/rev=asm-198-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-198-6       ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

OpenShift

In these instructions the process of upgrading Anthos Service Mesh (ASM) version istio-1.9.8-asm.6 on Anthos attached clusters is the same as performing a fresh install.

Preparing to install Anthos Service Mesh

    Linux

  1. Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  2. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-linux-amd64.tar.gz
  3. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-linux-amd64.tar.gz.1.sig
    openssl dgst -verify /dev/stdin -signature istio-1.9.8-asm.6-linux-amd64.tar.gz.1.sig istio-1.9.8-asm.6-linux-amd64.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  4. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-linux-amd64.tar.gz

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  5. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  6. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Mac OS

  8. Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  9. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-osx.tar.gz
  10. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-osx.tar.gz.1.sig
    openssl dgst -sha256 -verify /dev/stdin -signature istio-1.9.8-asm.6-osx.tar.gz.1.sig istio-1.9.8-asm.6-osx.tar.gz <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  11. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-osx.tar.gz

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests/profiles directory.
  12. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  13. For convenience, add the tools in the /bin directory to your PATH:
    export PATH=$PWD/bin:$PATH
    Windows

  15. Grant the anyuid security context constraint (SCC) to the istio-system with the following OpenShift CLI (oc) command:
    oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
  16. Download the Anthos Service Mesh installation file to your current working directory:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-win.zip
  17. Download the signature file and use openssl to verify the signature:
    curl -LO https://storage.googleapis.com/gke-release/asm/istio-1.9.8-asm.6-win.zip.1.sig
    openssl dgst -verify - -signature istio-1.9.8-asm.6-win.zip.1.sig istio-1.9.8-asm.6-win.zip <<'EOF'
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
    wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
    -----END PUBLIC KEY-----
    EOF
    
  18. Extract the contents of the file to any location on your file system. For example, to extract the contents to the current working directory:
    tar xzf istio-1.9.8-asm.6-win.zip

    The command creates an installation directory in your current working directory named istio-1.9.8-asm.6 that contains:

    • Sample applications in the samples directory.
    • The istioctl command-line tool that you use to install Anthos Service Mesh is in the bin directory.
    • The Anthos Service Mesh configuration profiles are in the manifests\profiles directory.
  19. Ensure that you're in the Anthos Service Mesh installation's root directory:
    cd istio-1.9.8-asm.6
  20. For convenience, add the tools in the \bin directory to your PATH:
    set PATH=%CD%\bin;%PATH%
  21. Now that ASM Istio is installed, check the version of istioctl:
    istioctl version
  22. Create a namespace called istio-system for the control plane components:
    kubectl create namespace istio-system

Configure the validating webhook

When you install Anthos Service Mesh, you set a revision label on istiod. You need to set the same revision on the validating webhook.

  1. Create a file called istiod-service.yaml with the following contents:
    apiVersion: v1
    kind: Service
    metadata:
      name: istiod
      namespace: istio-system
      labels:
        istio.io/rev: asm-198-6
        app: istiod
        istio: pilot
        release: istio
    spec:
      ports:
        - port: 15010
          name: grpc-xds # plaintext
          protocol: TCP
        - port: 15012
          name: https-dns # mTLS with k8s-signed cert
          protocol: TCP
        - port: 443
          name: https-webhook # validation and injection
          targetPort: 15017
          protocol: TCP
        - port: 15014
          name: http-monitoring # prometheus stats
          protocol: TCP
      selector:
        app: istiod
        istio.io/rev: asm-198-6
  2. Use kubectl to apply the validating webhook configuration:
    kubectl apply -f istiod-service.yaml
  3. Verify that the configuration was applied:
    kubectl get svc -n istio-system

    The response should look similar to:

    NAME     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                 AGE
    istiod   ClusterIP   172.200.18.133   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   22s
    

Installing Anthos Service Mesh

  1. Install Anthos Service Mesh with istioctl using the asm-multicloud profile:
    istioctl install \
        --set profile=asm-multicloud \
        --set revision="asm-198-6"

    Your output should look something like:

    kubectl get pods -n istio-system
    NAME                                   READY   STATUS    RESTARTS   AGE
    istio-ingressgateway-88b6fd976-flgp2   1/1     Running   0          3m13s
    istio-ingressgateway-88b6fd976-p5dl9   1/1     Running   0          2m57s
    istiod-asm-198-6-798ffb964-2ls88       1/1     Running   0          3m21s
    istiod-asm-198-6-798ffb964-fnj8c       1/1     Running   1          3m21s
    

    The --set revision argument adds a revision label in the format istio.io/rev=asm-198-6 to istiod. The revision label is used by the automatic sidecar injector webhook to associate injected sidecars with a particular istiod revision. To enable sidecar auto-injection for a namespace, you must label it with a revision that matches the label on istiod.

  2. Verify that your install completed:
    kubectl get svc -n istio-system

    Your output should look something like:

    NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                                                      AGE
    istio-ingressgateway   LoadBalancer   172.200.48.52    34.74.177.168   15021:30479/TCP,80:30030/TCP,443:32200/TCP,15012:32297/TCP,15443:30244/TCP   3m35s
    istiod                 ClusterIP      172.200.18.133   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        4m46s
    istiod-asm-198-6       ClusterIP      172.200.63.220   <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP                                        3m43s
    

Rolling back an upgrade

Follow these steps to roll back a previous upgrade:

  1. Clean up completed jobs for the hybrid runtime namespace, where NAMESPACE is the namespace specified in your overrides file, if you specified a namespace. If not, the default namespace is apigee:
    kubectl delete job -n NAMESPACE \
      $(kubectl get job -n NAMESPACE \
      -o=jsonpath='{.items[?(@.status.succeeded==1)].metadata.name}')
  2. Clean up completed jobs for the apigee-system namespace:
    kubectl delete job -n apigee-system \
      $(kubectl get job -n apigee-system \
      -o=jsonpath='{.items[?(@.status.succeeded==1)].metadata.name}')
  3. Change the APIGEECTL_HOME variable to point to the directory that contains the previous version of apigeectl. For example:
    export APIGEECTL_HOME=PATH_TO_PREVIOUS_APIGEECTL_DIRECTORY
  4. In the root directory of the installation you want to roll back to, run apigeectl apply, check the status of your pods, delete the Redis component (new in hybrid v1.6.0), and then run apigeectl init. Be sure to use the original overrides file for the version you wish to roll back to:
    1. Run apigeectl apply:
      $APIGEECTL_HOME/apigeectl apply -f overrides/ORIGINAL_OVERRIDES.yaml
    2. Check the status of your pods:
      kubectl -n NAMESPACE get pods

      Where NAMESPACE is your Apigee hybrid namespace.

    3. Check the status of apigeeds:
      kubectl describe apigeeds -n apigee

      Your output should look something like:

      Status:
        Cassandra Data Replication:
        Cassandra Pod Ips:
          10.8.2.204
        Cassandra Ready Replicas:  1
        Components:
          Cassandra:
            Last Successfully Released Version:
              Revision:  v1-f8aa9a82b9f69613
              Version:   v1
            Replicas:
              Available:  1
              Ready:      1
              Total:      1
              Updated:    1
            State:        running
        Scaling:
          In Progress:         false
          Operation:
          Requested Replicas:  0
        State:                 running
      

      Proceed to the next step only when the apigeeds pod is running.

    4. Since Redis is a new component in hybrid v1.6.0, run the following command to delete it:

      apigeectl_1.6.0 delete --redis -f ORIGINAL_OVERRIDES.yaml
    5. Run apigeectl init:
      $APIGEECTL_HOME/apigeectl init -f overrides/ORIGINAL_OVERRIDES.yaml