Migrating from Istio to Anthos Service Mesh takes some planning. This page provides information to help you prepare for the migration.
Reviewing the supported features
The features Anthos Service Mesh supports differ between platforms. Review the Supported features to see which features are available for your platform. Some features are enabled by default, and others you can optionally enable in an IstioOperator configuration file.
Preparing configuration files
If you customized the Istio installation, you need the same customizations when you migrate to Anthos Service Mesh. If you customized the installation by adding the --set values flag, add those settings to an IstioOperator YAML file. You specify the file by using the -f flag when you run the command. If you are using the Google-provided install_asm script to migrate to Anthos Service Mesh, you can specify the option with the file.
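As an added example, not code from the Anthos Service Mesh documentation or the install_asm script, the following script converts the --set key=value arguments from an earlier istioctl install into an equivalent IstioOperator overlay. It assumes istioctl's convention that a dotted --set path maps to nested keys under spec, and the sample flags are constructed for illustration.

```python
"""Turn `istioctl install --set key=value` flags into an IstioOperator overlay.

Assumption (istioctl convention): a dotted path is nested under spec, so
'values.global.proxy.privileged' lands at spec.values.global.proxy.privileged.
"""
from typing import Any, Dict, List


def parse_scalar(raw: str) -> Any:
    """Coerce CLI scalars like istioctl does: bools and ints, else a string."""
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def set_path(tree: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted path in a nested dict; refuse to overwrite a scalar with a map."""
    keys = path.split(".")
    node = tree
    for key in keys[:-1]:
        node = node.setdefault(key, {})
        if not isinstance(node, dict):
            raise ValueError(f"{path}: '{key}' already holds a scalar value")
    node[keys[-1]] = value


def flags_to_operator(set_flags: List[str]) -> Dict[str, Any]:
    """Build an IstioOperator resource from 'key=value' --set arguments."""
    spec: Dict[str, Any] = {}
    for flag in set_flags:
        if "=" not in flag:
            raise ValueError(f"malformed --set argument: {flag!r}")
        key, raw = flag.split("=", 1)
        set_path(spec, key.strip(), parse_scalar(raw.strip()))
    return {"apiVersion": "install.istio.io/v1alpha1",
            "kind": "IstioOperator", "spec": spec}


def to_yaml(obj: Any, indent: int = 0) -> str:
    """Minimal YAML emitter for nested dicts of scalars (lists not needed here)."""
    if not isinstance(obj, dict):
        return "true" if obj is True else "false" if obj is False else str(obj)
    pad, lines = "  " * indent, []
    for k, v in obj.items():
        lines.append(f"{pad}{k}:" if isinstance(v, dict) else f"{pad}{k}: {to_yaml(v)}")
        if isinstance(v, dict):
            lines.append(to_yaml(v, indent + 1))
    return "\n".join(lines)


# Constructed sample: hardening-related flags a team might have passed to istioctl.
SAMPLE_FLAGS = ["meshConfig.accessLogFile=/dev/stdout",
                "values.global.proxy.privileged=false",
                "values.global.proxy.holdApplicationUntilProxyStarts=true",
                "meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY"]

if __name__ == "__main__":
    print(to_yaml(flags_to_operator(SAMPLE_FLAGS)))
```

Diff the generated overlay against the running installation before migrating, so that hardening settings such as a non-privileged proxy or REGISTRY_ONLY egress are not silently dropped.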
Choosing a certificate authority
You can continue to use Istio CA (previously known as Citadel) as the certificate authority (CA) for issuing mutual TLS (mTLS) certificates, or you can choose to migrate to Anthos Service Mesh certificate authority (Mesh CA).
Unless you require a custom CA, such as HashiCorp Vault, we recommend that you use Mesh CA for the following reasons:
- Mesh CA is a highly reliable and scalable service that is optimized for dynamically scaled workloads on Google Cloud.
- With Mesh CA, Google manages the security and availability of the CA backend.
- Mesh CA lets you rely on a single root of trust across clusters.
Migrating to Mesh CA from the Istio CA requires migrating the root of trust. You have the following options when migrating to Mesh CA:
- Schedule downtime for the migration. Operationally, this is the easiest option, but because mTLS traffic is interrupted during the migration, you need to schedule downtime. For more information, see the following guides:
If you can't schedule downtime for the migration to Mesh CA, you have the following options:
- GKE clusters in the same project: You have the option to distribute the new root of trust and then migrate to Mesh CA. With this approach, mTLS traffic isn't interrupted, so you shouldn't have to schedule downtime, but the migration process has many more steps. For more information, see Migrating to Mesh CA.
- GKE clusters in different projects: Continue to use Istio CA. See Migrating from Istio to Anthos Service Mesh.