Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate Istio-on-gke to Anthos Service doesn't work on 1.6 #1147

Open
lucasmpr opened this issue Mar 10, 2022 · 1 comment
Open

Migrate Istio-on-gke to Anthos Service doesn't work on 1.6 #1147

lucasmpr opened this issue Mar 10, 2022 · 1 comment

Comments

@lucasmpr
Copy link

Hello, just passing by because I had a bad time with the migration script from istio-on-gke to anthos.

I've come to the conclusion that it doesn't work on clusters that have istio on gke version 1.6.

I've found two problems here.

configure_mesh_ca() {
  configure_mesh_ca_14
  configure_mesh_ca_16
}

The configure_mesh_ca_14 doesn't work if it's version 1.6 installed. I got stuck in the 1.4 part and 16 never runs.
I had two issues with it:
A) I've created a new namespace, after citadel was already down when I created it, istio.default secret was not created. So the script failed
B) Even after I've deleted the namespace, I got stuck on Waiting to pick up the new certificate forever. I'm not sure why.

I got to proceed the tutorial after commenting configure_mesh_ca_14. But soon after I got another problem.
The tutorial says to "test my application" before continuing, but it didn't update the gateway yet, so i was really confused that nothing was working.

I decided to rollback. But to my surprise it didn't work either. The command described for rollback is the following:

kubectl --context=${CLUSTER_1_CTX} label namespace ${NAMESPACE} istio.io/rev- istio-injection=enabled --overwrite

The problem is istio on gke 1.6 uses the revision istio-1611 and not istio-injection=enabled

I lost so many hours trying to understand why nothing was working. I just had the wrong label on the namespace.
The real command to rollback in 1.6 (at least for me) is:

kubectl --context=${CLUSTER_1_CTX} label namespace ${NAMESPACE} istio.io/rev=istio-1611 --overwrite

Trying to warn people.

@richardwxn
@richardwxn
Copy link
Contributor

Thanks for the feedback.

for the issue A), that was expected in your case since this function is for migrating 1.4 ca, you already removed citadel so the new cert can't be distributed by it. I can update the script to add a safe check for the existence of 1.4 control plane before proceeding

for the gateway update, you'll need to proceed to https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh#complete-migration for migrating gateways. we put it in a different section because this step may actually impact your existing legacy control plane, we hope users can verify whether the requests still succeed at this point before proceeding. Old gateway can still work before this step even after you migrate the ca and the proxies.

The rollback part instruction is not clear, we should include both 1.4 and 1.6 as you pointed out, I will update the doc for it.

@lucasmpr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lucasmpr @richardwxn