OSSM-8958: Cluster-wide migration using istio-injection label

rh-tokeefe · rh-tokeefe · commit b5bca5e47ce7 · 2025-02-27T10:21:23.000-05:00
diff --git a/modules/ossm-migrating-a-cluster-wide-deployment-using-the-istio-injection-label.adoc b/modules/ossm-migrating-a-cluster-wide-deployment-using-the-istio-injection-label.adoc
@@ -0,0 +1,96 @@
+// Module included in the following assemblies:
+//
+// * service-mesh-docs-main/migrating/checklists/ossm-migrating-cluster-wide-assembly.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ossm-migrating-a-cluster-wide-deployment-using-the-istio-injection-label_{context}"]
+= Migrating a cluster-wide deployment using the istio injection label
+
+This procedure performs a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment using the `istio-injection=enabled` label. It is safe to restart any workloads at any point during the {SMProduct} {SMv2Version} to {SMProduct} 3 migration process. You must apply new namespace labels.  
+
+The `bookinfo` example application is being used for demonstration purposes with a minimal example for the `Istio` resource. For more information on configuration differences between the {SMProduct} 2 `ServiceMeshControlPlane` resource and the {SMProduct} 3 `Istio` resource, see "ServiceMeshControlPlane resource to Istio resource fields mapping".
+
+You can follow these same steps with your own workloads.
+
+.Prerequisites
+
+* You have deployed {ocp-product-title} 4.14 or later.
+* You are logged in to the {ocp-product-title} web console as a user with the `cluster-admin` role.
+* You have completed the premigration checklists.
+* You have the {SMProduct} {SMv2Version} Operator installed.
+* You have the {SMProduct} 3 Operator installed.
+* You created an `IstioCNI` resource.
+* You have the `istioctl` tool installed.
+* You are running a `MultiTenant` `ServiceMeshControlPlane`.
+* You have installed the `bookinfo` application.
+
+.Procedure
+
+. Identify the namespaces that contain a 2.6 control plane by running the following command:
++
+[source,terminal]
+----
+$ oc get smcp -A
+----
++
+.Sample output:
+[source,terminal]
+----
+NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION   AGE
+istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.4     115m
+----
+
+. Create a YAML file named `ossm-3.yaml` that creates the {istio} resource for the 3.0 installation in the same namespace as the `ServiceMeshControlPlane` resource for the 2.6 installation.
+
+.Example configuration
+[source,yaml,subs="attributes,verbatim"]
+----
+apiVersion: sailoperator.io/v1alpha1
+kind: Istio
+metadata:
+  name: ossm-3 <1>
+spec:
+  updateStrategy:
+    type: RevisionBased
+  namespace: istio-system <2>
+  version: v1.24.1
+  values:  <3>
+    meshConfig:
+    extensionProviders:
+      - name: prometheus
+        prometheus: {}
+      - name: otel
+        opentelemetry:
+          port: 4317
+          service: otel-collector.opentelemetrycollector-3.svc.cluster.local
+----
+<1> The `name`, `updateStrategy` and `version` fields are significant for injection labels.
+<2> The 3.0 and 2.6 control planes must run in the same namespace.
+<3> Tracing and metrics configurations are optional.
++
+This example configuration does not use any `discoverySelectors`, which means the {istio} control plane has access to all namespaces. If you want to define `discoverySelectors` all data plane namespaces that you plan to migrate from 2.6 must be matched.
++
+[NOTE]
+====
+To prevent the {SMProduct} 3.0 control pane from injecting proxies to workloads in namespaces with istio-injection=enabled label applied do not use use the default name or default revision tag.
+====
+
+. Apply the YAML file by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f ossm-3.yaml
+----
+
+. Verify that the new `istiod` resource uses the existing root certificate by running the following command:
++
+[source,terminal]
+----
+$ oc logs deployments/istiod-ossm-3-v1-24-1 -n istio-system | grep 'Load signing key and cert from existing secret'
+----
++
+.Sample output:
+[source,terminal]
+----
+2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret
+----
diff --git a/modules/ossm-migrating-workloads-using-the-istio-injection-label.adoc b/modules/ossm-migrating-workloads-using-the-istio-injection-label.adoc
@@ -0,0 +1,87 @@
+// Module included in the following assemblies:
+//
+// * service-mesh-docs-main/migrating/checklists/ossm-migrating-cluster-wide-assembly.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ossm-migrating-a-cluster-wide-deployment-using-the-istio-injection-label_{context}"]
+= Migrating workloads for cluster-wide deployment using the istio injection label
+
+Now you can migrate your workloads from the {SMProduct} 2.6 control plane to the {SMproduct} 3.0 control plane.
+
+[NOTE]
+====
+You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".
+====
+
+.Procedure
+
+. Update the injection labels on the data plane namespace by running the following command:
++
+[source,terminal]
+----
+$ oc label ns bookinfo istio.io/rev=ossm-3-v1-24-1 maistra.io/ignore-namespace="true" istio-injection- --overwrite=true
+----
++
+The previous example adds two labels and removes one.
++
+The `istio.io/rev=ossm-3-v1-24-1` label ensures that 3.0 proxy gets injected to any new or restarted pods in the namespace. In the previous example, the 3.0 revision is named `ossm-3-v1-24-1`.
++
+The `maistra.io/ignore-namespace: "true"` label ensures that 2.6 control plane stops injecting proxies in this namespace to avoid conflicts between 2.6 and 3.0 side car injectors.
++
+The `istio-injection` label must be removed if it exists because it takes precedence over `istio.io/rev` label. Leaving the `istio-injection=enabled` label applied prevents proxy injection.
+
+. Restart the workloads by using one of the following options:
++
+.. To restart all the workloads at once so that the new pods are injected with the {SMProduct} 3.0 proxy, run the following command:
++
+.Example command for `bookinfo` application
+[source,terminal]
+----
+$ oc rollout restart deployments -n bookinfo
+----
+
+.. To restart each workload individually, run the following command for each workload:
++
+.Example command with `bookinfo` application
+[source,terminal]
+----
+$ oc rollout restart deployments productpage-v1 -n bookinfo
+----
+
+. Wait for the `productpage` application to restart by running the following command:
++
+[source,terminal]
+----
+$ oc rollout status deployment productpage-v1 -n bookinfo
+----
+
+.Verification
+
+. Ensure that expected workloads are managed by the new control plane by running the following command:
++
+[source,terminal]
+----
+$ istioctl ps -n bookinfo
+----
++
+.Sample output:
+[source,terminal]
+----
+$ istioctl ps -n bookinfo
+NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
+details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
+productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-ossm-3-v1-24-1-797bb4d78f-xpchx           1.24.1
+ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
+reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
+reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
+reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
+----
++
+Even if there are different versions of the proxies communication between services should work.
+
+. If the 2.6 installation contains additional namespaces, migrate the next namespace now.
++
+[Important]
+====
+Do not remove the `maistra.io/ignore-namespace="true"` label until the 2.6 control plane is uninstalled.
+====
