github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Docs for dataplane upgrade on k8s

pull/18103/head
Luke Kysow 2023-07-07 12:05:57 -07:00
parent b0a2e33e0a
commit 0d7bee8adc
1 changed files with 25 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
website/content/docs/k8s/upgrade/index.mdx
View File

@ -219,7 +219,19 @@ In earlier versions, Consul on Kubernetes used client agents in its deployments.
If you upgrade Consul from a version that uses client agents to a version the uses dataplanes, complete the following steps to upgrade your deployment safely and without downtime.
1. Before you upgrade, edit your Helm chart configuration to enable Consul client agents by setting `client.enabled` and `client.updateStrategy`:
1. If ACLs are enabled, you must first upgrade to consul-k8s 0.49.8 or above. These versions expose the setting `connectInject.prepareDataplanesUpgrade`
which is required for no-downtime upgrades when ACLs are enabled.
Set `connectInject.prepareDataplanesUpgrade` to `true` and then perform the upgrade to 0.49.8 or above (whichever is the latest in the 0.49.x series)
```yaml filename="values.yaml"
connectInject:
prepareDataplanesUpgrade: true
```
1. Now you're ready to upgrade to a consul-k8s version that supports Consul dataplanes. Consul dataplanes disables Consul clients by default since they are no longer needed
for fresh installs but during an upgrade you need to ensure Consul clients stay running.
Edit your Helm chart configuration to ensure Consul client agents stay running by setting `client.enabled` and `client.updateStrategy`:
```yaml filename="values.yaml"
client:
@ -228,25 +240,21 @@ If you upgrade Consul from a version that uses client agents to a version the us
type: OnDelete
```
1. Update the `connect-injector` to not log out on restart
to make sure that the ACL tokens used by existing services are still valid during the migration to `consul-dataplane`.
Note that you must remove the token manually after completing the migration.
The following command triggers the deployment rollout. Wait for the rollout to complete before proceeding to next step.
```bash
kubectl config set-context --current --namespace=<consul installation namespace>
INJECTOR_DEPLOYMENT=$(kubectl get deploy -l "component=connect-injector" -o=jsonpath='{.items[0].metadata.name}')
kubectl patch deploy $INJECTOR_DEPLOYMENT --type='json' -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/lifecycle"}]'
```
1. Follow our [recommended procedures to upgrade servers](#upgrade-consul-servers) on Kubernetes deployments to upgrade Helm values for the new version of Consul. The latest version of consul-k8s components may be in a CrashLoopBackoff state during the performance of the server upgrade from versions <1.14.x until all Consul servers are on versions >=1.14.x. Components in CrashLoopBackoff will not negatively affect the cluster because older versioned components will still be operating. Once all servers have been fully upgraded, the latest consul-k8s components will automatically restore from CrashLoopBackoff and older component versions will be spun down.
1. Run `kubectl rollout restart` to restart your service mesh applications. Restarting service mesh application causes Kubernetes to re-inject them with the webhook for dataplanes.
1. Restart all gateways in your service mesh.
1. Disable client agents in your Helm chart by deleting the `client` stanza or setting `client.enabled` to `false` and running a `consul-k8s` or Helm upgrade.
1. Now that all services and gateways are using Consul dataplanes, disable client agents in your Helm chart by deleting the `client` stanza or setting `client.enabled` to `false` and running a `consul-k8s` or Helm upgrade.
1. If you have ACLs enabled, you will have some old ACL tokens that are now no longer needed. If you wish, you can manually clean up these tokens.
The old connect-injector tokens can be identified by the description `token created via login: {"component":"connect-injector"}`. Note that you should not delete
the tokens that have a description with `pod` as a key (e.g. `token created via login: {"component":"connect-injector","pod":"default/consul-connect-injector-576b65747c-9547x"}`) as those
are the tokens used by the new dataplane-enabled connect inject pods.
You can also look at the creation date for the tokens and only delete the injector tokens created before your upgrade (do not delete all old tokens as some, e.g. the server tokens, are still in use).
## Configuring TLS on an existing cluster