Version 1.11

Prepare to migrate from Istio

Migrating from Istio to Anthos Service Mesh takes some planning. This page provides information to help you prepare for the migration.

Reviewing the supported features

The features Anthos Service Mesh supports differ between platforms. Review the Supported features to see which features are available for your platform. Some features are enabled by default, and others you can optionally enable by creating an IstioOperator configuration file.

Preparing configuration files

If you customized the Istio installation, you need the same customizations when you migrate to Anthos Service Mesh. If you customized the installation by adding the --set values flag, add those settings to an IstioOperator YAML file. You specify the file by using the -f flag when you run the istioctl install command. If you are using the Google-provided install_asm script to migrate to Anthos Service Mesh, you can specify the --custom_overlay option with the file.

Choosing a certificate authority

You can continue to use Istio CA (previously known as Citadel) as the certificate authority (CA) for issuing mutual TLS (mTLS) certificates, or you can choose to migrate to Anthos Service Mesh certificate authority (Mesh CA).

Unless you require a custom CA, such as HashiCorp Vault, we recommend that you use Mesh CA for the following reasons:

  • Mesh CA is a highly reliable and scalable service that is optimized for dynamically scaled workloads on Google Cloud.
  • With Mesh CA, Google manages the security and availability of the CA backend.
  • Mesh CA lets you rely on a single root of trust across clusters.

Migrating to Mesh CA from the Istio CA requires migrating the root of trust. You have the following options when migrating to Mesh CA:

  • Schedule downtime for the migration. Operationally, this is the easiest option, but because mTLS traffic is interrupted during the migration, you need to schedule downtime. For more information, see the following guides:

  • If you can't schedule downtime for the migration to Mesh CA, you have the following options:

    • GKE clusters in the same project: You have the option to distribute the new root of trust and then migrate to Mesh CA. With this approach, mTLS traffic isn't interrupted so you shouldn't have to schedule downtime, but the migration process has many more steps. For more information, see Migrating to Mesh CA.

    • GKE clusters in different projects: Continue to use Istio CA. See Migrating from Istio to Anthos Service Mesh.