projectcalico · spikecurtis · May 23, 2019 · May 20, 2019 · May 20, 2019 · May 20, 2019
@@ -0,0 +1,22 @@
+      - name: dikastes
+        image: {{page.registry}}{{site.imageNames["dikastes"]}}:{{site.data.versions[page.version].first.components["calico/dikastes"].version}}
+        args: ["/dikastes", "server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket"]
+        livenessProbe:
+          exec:
+            command:
+            - /healthz
+            - liveness
+          initialDelaySeconds: 3
+          periodSeconds: 3
+        readinessProbe:
+          exec:
+            command:
+            - /healthz
+            - readiness
+          initialDelaySeconds: 3
+          periodSeconds: 3
+        volumeMounts:
+        - mountPath: /var/run/dikastes
+          name: dikastes-sock
+        - mountPath: /var/run/felix
+          name: felix-sync
@@ -0,0 +1,2 @@
+        - mountPath: /var/run/dikastes
+          name: dikastes-sock
@@ -0,0 +1,6 @@
+      - name: dikastes-sock
+        emptyDir:
+          medium: Memory
+      - name: felix-sync
+        flexVolume:
+          driver: nodeagent/uds
@@ -90,15 +90,16 @@ with Istio. This step modifies the injector configuration to add Dikastes, a
 1. Apply the following ConfigMap to enable injection of Dikastes alongside Envoy.
 
    ```bash
-   kubectl apply -f {{site.url}}/{{page.version}}/manifests/alp/istio-inject-configmap.yaml
+   kubectl apply -f {{site.url}}/{{page.version}}/manifests/alp/istio-inject-configmap-1.0.7.yaml
    ```
 
 	 > **Note**: You can also
-   > [view the manifest in your browser]({{site.url}}/{{page.version}}/manifests/alp/istio-inject-configmap.yaml){:target="_blank"}.
+   > [view the manifest in your browser]({{site.url}}/{{page.version}}/manifests/alp/istio-inject-configmap-1.0.7.yaml){:target="_blank"}.
    {: .alert .alert-info}
 
-If you would like to install a different version of Istio or inspect the changes
-we have made to the standard sidecar injector `ConfigMap`, see
+If you have installed a different version of Istio, substitute `1.0.7` in the above URL for your Istio version. We have
+pre-defined `ConfigMaps` for Istio versions 1.0.6 and 1.0.7. To customize the standard sidecar injector `ConfigMap` or
+understand the changes we have made, see
 [Customizing the manifests](config-options).
 
 ## Adding {{site.prodname}} authorization services to the mesh

@@ -249,32 +249,19 @@ Open the `install/kubernetes/istio-demo-auth.yaml` file in an
 editor, and locate the `istio-sidecar-injector` ConfigMap.  In the existing `istio-proxy` container, add a new `volumeMount`.
 
 ```
-        - mountPath: /var/run/dikastes
-          name: dikastes-sock
+{% include {{page.version}}/non-helm-manifests/istio-proxy-volume-mounts %}
 ```
 
 Add a new container to the template.
 
 ```
-      - name: dikastes
-        image: {{page.registry}}{{site.imageNames["dikastes"]}}:{{site.data.versions[page.version].first.components["calico/dikastes"].version}}
-        args: ["/dikastes", "server", "-l", "/var/run/dikastes/dikastes.sock", "-d", "/var/run/felix/nodeagent/socket", "--debug"]
-        volumeMounts:
-        - mountPath: /var/run/dikastes
-          name: dikastes-sock
-        - mountPath: /var/run/felix
-          name: felix-sync
+{% include {{page.version}}/non-helm-manifests/dikastes-container %}
 ```
 
 Add two new volumes.
 
 ```
-      - name: dikastes-sock
-        emptyDir:
-          medium: Memory
-      - name: felix-sync
-        flexVolume:
-          driver: nodeagent/uds
+{% include {{page.version}}/non-helm-manifests/istio-volumes %}
 ```
 
 The volumes you added are used to create Unix domain sockets that allow
@@ -283,5 +270,5 @@ Felix.  Once created, a Unix domain socket is an in-memory communications
 channel. The volumes are not used for any kind of stateful storage on disk.
 
 Refer to the
-[Calico ConfigMap manifest](./manifests/app-layer-policy/istio-inject-configmap.yaml){:target="_blank"} for an
+[Calico ConfigMap manifest](/{{page.version}}/manifests/alp/istio-inject-configmap-1.0.7.yaml){:target="_blank"} for an
 example with the above changes.
@@ -73,6 +73,9 @@ procedure varies by datastore type.
 
    It should return a `Cluster Version` of `{{page.version}}.x`.
 
+1. If you have [enabled Application Layer Policy](/{{page.version}}/getting-started/kubernetes/installation/app-layer-policy),
+   follow [the instructions below](#upgrading-if-you-have-application-layer-policy-enabled) to complete your upgrade. Skip this if you are not using Istio with {{site.prodname}}.
+
 1. Congratulations! You have upgraded to {{site.prodname}} {{page.version}}.
 
 
@@ -133,4 +136,26 @@ procedure varies by datastore type.
 
    It should return a `Cluster Version` of `{{page.version}}`.
 
+1. If you have [enabled Application Layer Policy](/{{page.version}}/getting-started/kubernetes/installation/app-layer-policy),
+   follow [the instructions below](#upgrading-if-you-have-application-layer-policy-enabled) to complete your upgrade. Skip this if you are not using Istio with {{site.prodname}}.
+
 1. Congratulations! You have upgraded to {{site.prodname}} {{page.version}}.
+
+## Upgrading if you have Application Layer Policy enabled
+
+Dikastes is versioned the same as the rest of {{site.prodname}}, but an upgraded `calico-node` will still be able to work with a downlevel Dikastes
+so that you will not lose data plane connectivity during the upgrade.  Once `calico-node` is upgraded, you can begin redeploying your service pods
+with the updated version of Dikastes. 
+
+If you have [enabled Application Layer Policy](/{{page.version}}/getting-started/kubernetes/installation/app-layer-policy),
+take the following steps to upgrade the Dikastes sidecars running in your application pods. Skip these steps if you are not using Istio with {{site.prodname}}.
+
+1. Update the Istio sidecar injector template to use the new version of Dikastes. Replace `<your Istio version>` below with
+   the full version string of your Istio install, for example `1.0.7`.
+
+   ```bash
+   kubectl apply -f {{site.url}}/{{page.version}}/manifests/alp/istio-inject-configmap-<your Istio version>.yaml
+   ```
+
+1. Once the new template is in place, newly created pods use the upgraded version of Dikastes. Perform a rolling update of each of your service deployments
+   to get them on the new version of Dikastes.