Skip to content

Commit 076d6bb

Browse files
Merge pull request #269566 from SanyaKochhar/kochhars/asm/docs-improvements
asm: clarify installation and upgrade docs based on feedback
2 parents 41b4098 + 98f5cac commit 076d6bb

File tree

2 files changed

+51
-16
lines changed

2 files changed

+51
-16
lines changed

articles/aks/istio-deploy-addon.md

Lines changed: 48 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,23 @@ export LOCATION=<location>
2929

3030
The add-on requires Azure CLI version 2.57.0 or later installed. You can run `az --version` to verify version. To install or upgrade, see [Install Azure CLI][azure-cli-install].
3131

32-
## Install Istio add-on at the time of cluster creation
32+
## Get available Istio add-on revisions
33+
To find information about which Istio add-on revisions are available in a region and their compatibility with AKS cluster versions, use:
34+
35+
```azurecli-interactive
36+
az aks mesh get-revisions --location <location> -o table
37+
```
38+
39+
40+
## Install Istio add-on
41+
### Revision selection
42+
If you enable the add-on without specifying a revision, a default supported revision is installed for you.
43+
44+
If you wish to specify the revision instead:
45+
1. Use the `get-revisions` command in the [previous step](#get-available-istio-add-on-revisions) to check which revisions are available for different AKS cluster versions in a region.
46+
1. Based on the available revisions, you can include the `--revision asm-X-Y` (ex: `--revision asm-1-20`) flag in the enable command you use for mesh installation.
47+
48+
### Install mesh during cluster creation
3349

3450
To install the Istio add-on when creating the cluster, use the `--enable-azure-service-mesh` or`--enable-asm` parameter.
3551

@@ -42,7 +58,7 @@ az aks create \
4258
--enable-asm
4359
```
4460

45-
## Install Istio add-on for existing cluster
61+
### Install mesh for existing cluster
4662

4763
The following example enables Istio add-on for an existing AKS cluster:
4864

@@ -86,23 +102,44 @@ istiod-asm-1-18-74f7f7c46c-xfdtl 1/1 Running 0 2m
86102

87103
## Enable sidecar injection
88104

89-
To automatically install sidecar to any new pods, annotate your namespaces:
105+
To automatically install sidecar to any new pods, you will need to annotate your namespaces with the revision label corresponding to the control plane revision currently installed.
106+
107+
If you're unsure which revision is installed, use:
108+
```bash
109+
az aks show --resource-group ${RESOURCE_GROUP} --name ${CLUSTER} --query 'serviceMeshProfile.istio.revisions'
110+
```
90111

112+
Apply the revision label:
91113
```bash
92-
kubectl label namespace default istio.io/rev=asm-1-18
114+
kubectl label namespace default istio.io/rev=asm-X-Y
93115
```
94116

95117
> [!IMPORTANT]
96-
> The default `istio-injection=enabled` labeling doesn't work. Explicit versioning (`istio.io/rev=asm-1-18`) is required.
118+
> The default `istio-injection=enabled` labeling doesn't work. Explicit versioning matching the control plane revision (ex: `istio.io/rev=asm-1-18`) is required.
97119
120+
For manual injection of sidecar using `istioctl kube-inject`, you need to specify extra parameters for `istioNamespace` (`-i`) and `revision` (`-r`). For example:
98121

99-
For manual injection of sidecar using `istioctl kube-inject`, you need to specify extra parameters for `istioNamespace` (`-i`) and `revision` (`-r`). Example:
122+
```bash
123+
kubectl apply -f <(istioctl kube-inject -f sample.yaml -i aks-istio-system -r asm-X-Y) -n foo
124+
```
125+
126+
## Trigger sidecar injection
127+
You can either deploy the sample application provided for testing, or trigger sidecar injection for existing workloads.
128+
129+
### Existing applications
130+
If you have existing applications to be added to the mesh, ensure their namespaces are labeled as in the previous step, and then restart their deployments to trigger sidecar injection:
131+
```bash
132+
kubectl rollout restart -n <namespace> <deployment name>
133+
```
100134

135+
Verify that sidecar injection succeeded by ensuring all containers are ready and looking for the `istio-proxy` container in the `kubectl describe` output, for example:
101136
```bash
102-
kubectl apply -f <(istioctl kube-inject -f sample.yaml -i aks-istio-system -r asm-1-18) -n foo
137+
kubectl describe pod -n namespace <pod name>
103138
```
104139

105-
## Deploy sample application
140+
The `istio-proxy` container is the Envoy sidecar. Your application is now part of the data plane.
141+
142+
### Deploy sample application
106143

107144
Use `kubectl apply` to deploy the sample application on the cluster:
108145

@@ -150,10 +187,8 @@ reviews ClusterIP 10.0.73.95 <none> 9080/TCP 86s
150187
kubectl get pods
151188
```
152189

153-
Confirm that all the pods have status of `Running`.
154-
155190
```
156-
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
191+
NAME READY STATUS RESTARTS AGE
157192
details-v1-558b8b4b76-2llld 2/2 Running 0 2m41s
158193
productpage-v1-6987489c74-lpkgl 2/2 Running 0 2m40s
159194
ratings-v1-7dc98c7588-vzftc 2/2 Running 0 2m41s
@@ -162,8 +197,8 @@ reviews-v2-7d79d5bd5d-8zzqd 2/2 Running 0 2m41s
162197
reviews-v3-7dbcdcbc56-m8dph 2/2 Running 0 2m41s
163198
```
164199

165-
> [!NOTE]
166-
> Each pod has two containers, one of which is the Envoy sidecar injected by Istio and the other is the application container.
200+
201+
Confirm that all the pods have status of `Running` with 2 containers in the `READY` column. The second container (`istio-proxy`) added to each pod is the Envoy sidecar injected by Istio, and the other is the application container.
167202

168203
To test this sample application against ingress, check out [next-steps](#next-steps).
169204

articles/aks/istio-upgrade.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
3232
1. Initiate a canary upgrade from revision `asm-1-18` to `asm-1-19` using [az aks mesh upgrade start](/cli/azure/aks/mesh#az-aks-mesh-upgrade-start):
3333
3434
```bash
35-
az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-18
35+
az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-19
3636
```
3737
3838
A canary upgrade means the 1.18 control plane is deployed alongside the 1.17 control plane. They continue to coexist until you either complete or roll back the upgrade.
@@ -101,7 +101,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
101101

102102
* **Rollback the canary upgrade**: In case you observe any issues with the health of your workloads, you can roll back to the previous revision of Istio:
103103

104-
* Relabel the namespace to the previous revision
104+
* Relabel the namespace to the previous revision:
105105

106106
```bash
107107
kubectl label namespace default istio.io/rev=asm-1-18 --overwrite
@@ -119,7 +119,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
119119
az aks mesh upgrade rollback --resource-group $RESOURCE_GROUP --name $CLUSTER
120120
```
121121

122-
1. If [mesh configuration][meshconfig] was set up for the revisions in previous steps, you can now delete the ConfigMap for the revision that was removed from the cluster on completing or rolling back the upgrade.
122+
1. If [mesh configuration][meshconfig] was previously set up for the revisions, you can now delete the ConfigMap for the revision that was removed from the cluster during complete/rollback.
123123

124124
> [!NOTE]
125125
> Manually relabeling namespaces when moving them to a new revision can be tedious and error-prone. [Revision tags](https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels) solve this problem. Revision tags are stable identifiers that point to revisions and can be used to avoid relabeling namespaces. Rather than relabeling the namespace, a mesh operator can simply change the tag to point to a new revision. All namespaces labeled with that tag will be updated at the same time. However, note that you still need to restart the workloads to make sure the correct version of `istio-proxy` sidecars are injected.

0 commit comments

Comments
 (0)