Migrating from Service Mesh 2 to Service Mesh 3

Red Hat OpenShift Service Mesh 3.0

Migrating from Service Mesh 2 to Service Mesh 3 Hub

Red Hat OpenShift Documentation Team

Legal Notice

Abstract

This content provides an overview for migrating from OpenShift Service Mesh 2 to OpenShift Service Mesh 3.

Chapter 1. Migrating from Service Mesh 2 to Service Mesh 3

The content in this migration section applies only in the following cases:

You are an existing Red Hat OpenShift Service Mesh user running OpenShift Service Mesh 2.6.7.
You want to move to OpenShift Service Mesh 3.0.

Important

If you are not running OpenShift Service Mesh 2.6.7, you must update before you can continue. For more information, see Upgrading Service Mesh.

During the migration process, you might need to reference, or you might be directed to OpenShift Service Mesh 2.x content. It can be beneficial to open OpenShift Service Mesh 2.x in a new tab or window for easier reference. This can be especially helpful when you move between OpenShift Service Mesh 2 ServiceMeshControlPlane resource content and OpenShift Service Mesh 3 Istio resource content.

1.1. Recommendations for migrating

Consider the following recommendations to limit the risk of misconfigurations or possible conflicts:

If you have automated updates configured in the OpenShift Container Platform web console, change them to Manual. By switching to manual updates, you can prevent updates to the OpenShift Service Mesh 2 Operator and control planes during your migration.
Keep the amount of the service mesh configuration changes, such as changes for traffic management or security or adding new workloads or gateways, to a minimum during the migration.

Note

If you need to add a new workload namespace during the migration, it must be managed by the OpenShift Service Mesh 3 control plane and labeled with maistra.io/ignore-namespace: "true" to avoid conflicts between the OpenShift Service Mesh 3 control plane and the OpenShift Service Mesh 2 ServiceMeshControlPlane resource.

Finish the migration without unnecessary delays.

1.1.1. Using the migration guides

The migration guides are designed to help you move from OpenShift Service Mesh 2.6.7 to OpenShift Service Mesh 3.0, based on your deployment model:

Mulitenant
Mulitenant with cert-manager
Cluster-wide
Cluster-wide with cert-manager

The migration guides use the bookinfo application as an example for demonstrations purposes.

You can also migrate gateways.

1.2. Premigration checklists

Before you can begin your migration, complete the premigration checklists.

These checklists include steps for managing your network policies and configuration updates to set up add ons such as Kiali Operator provided by Red Hat and distributed tracing platform (Tempo).

1.3. Migrating your deployment and workloads

After you complete the premigration checklists, you can migrate your workloads and gateways, based on your deployment model:

Mulitenant
Mulitenant with cert-manager
Cluster-wide
Cluster-wide with cert-manager

1.4. Completing your migration

Depending on your deployment model, you might need to take extra steps to complete the migration. For example, when you migrate with the cert-manager tool, you need to take additional steps before you can remove OpenShift Service Mesh 2 resources.

After you complete your migration, you can add new workloads, re-create network policies, and remove OpenShift Service Mesh 2 resources.

Chapter 2. Before migrating

2.1. Important information to know if you are migrating from OpenShift Service Mesh 2.6

If you are moving from Red Hat OpenShift Service Mesh 2.6 to Red Hat OpenShift Service Mesh 3, read the content in this section first as it contains important information and explanations on the differences between the versions. These differences have a direct impact on your installation and configuration of OpenShift Service Mesh 3.

2.1.1. Differences between OpenShift Service Mesh 2 and OpenShift Service Mesh 3

If you are a current Red Hat OpenShift Service Mesh user, there are a number of important differences you need to understand between OpenShift Service Mesh 2 and OpenShift Service Mesh 3 before you migrate, including the following:

A new Operator
Integrations like Observability and Kiali are installed separately
New resources: Istio and IstioCNI
Scoping of a mesh with discoverySelectors and labels
New considerations for sidecar injection
Support for multiple control planes
Independently managed gateways
Explicit Istio OpenShift route creation
Canary upgrades
Support for Istio multi-cluster topologies
Support for Istioctl
Change to Kubernetes network policy management
Transport layer security (TLS) configuration change

You must be using OpenShift Service Mesh 2.6 to migrate to OpenShift Service Mesh 3.

2.1.2. New Operator: The Red Hat OpenShift Service Mesh 3 Operator

Red Hat OpenShift Service Mesh 3 is a major update with a feature set closer to the Istio project. Whereas OpenShift Service Mesh 2 was based on the midstream Maistra project, OpenShift Service Mesh 3 is based directly on Istio. This means OpenShift Service Mesh 3 is managed using a different, simplified Operator and provides greater support for the latest stable features of Istio.

This alignment with the Istio project along with lessons learned in the first two major releases of OpenShift Service Mesh have resulted in the following changes:

2.1.2.1. From Maistra to Istio

OpenShift Service Mesh 1 and 2 were based on Istio, and included additional functionality that was maintained as part of the midstream Maistra project, but not part of the upstream Istio project. While this provided extra features to OpenShift Service Mesh users, the effort to maintain Maistra meant that OpenShift Service Mesh 2 was usually several releases behind Istio, and did not support major features like multi-cluster deployment. Since the release of OpenShift Service Mesh 1 and 2, Istio has matured to cover most of the use cases addressed by Maistra.

Basing OpenShift Service Mesh 3 directly on Istio ensures that OpenShift Service Mesh 3 supports users on the latest stable Istio features while Red Hat contributes directly to the Istio community on behalf of its customers.

2.1.2.2. OpenShift Service Mesh 3 Operator

OpenShift Service Mesh 3 uses an Operator that is maintained upstream as the Sail Operator in the istio-ecosystem organization on GitHub. The OpenShift Service Mesh 3 Operator is smaller in scope and includes significant changes from the Operator used in OpenShift Service Mesh 2:

The Istio resource replaces the ServiceMeshControlPlane resource.
The IstioCNI resource manages the Istio Container Network Interface (CNI).
Red Hat OpenShift Observability components are installed and configured separately.

2.1.3. New resources in OpenShift Service Mesh 3

Red Hat OpenShift Service Mesh 3 uses two new resources:

Istio resource
IstioCNI resource

2.1.3.1. The Istio resource replaces the ServiceMeshControlPlane resource

OpenShift Service Mesh 2 uses a resource called ServiceMeshControlPlane to configure Istio. In OpenShift Service Mesh 3, the ServiceMeshControlPlane resource is replaced with a resource called Istio.

The Istio resource contains a spec.values field that derives its schema from Istio’s Helm chart values. This means that configuration examples from the community Istio documentation can often be applied directly to the OpenShift Service Mesh 3 Istio resource.

The Istio resource provides an additional validation schema enabling the ability to explore the resource running the following the OpenShift command line interface (CLI) command:

$ oc explain istios.spec.values

2.1.3.2. New resource: IstioCNI

The Istio Container Network Interface (CNI) node agent is used to configure traffic redirection for pods in the mesh. It runs as a daemon set, on every node, with elevated privileges.

In OpenShift Service Mesh 2, the Operator deployed an Istio CNI instance for each minor version of Istio present in the cluster, and pods were automatically annotated during sidecar injection so they picked up the correct Istio CNI. While this meant that the management of Istio CNI was mostly hidden from you, it obscured the fact that the Istio CNI agent has an independent lifecycle from the Istio control plane and, in some cases, the Istio CNI agent must be be upgraded separately.

For these reasons, the OpenShift Service Mesh 3 Operator manages the Istio CNI node agent with a separate resource called IstioCNI. A single instance of this resource is shared by all Istio control planes, which are managed by Istio resources.

2.1.4. Independent Red Hat OpenShift Observability component integrations and configurations

A significant change in Red Hat OpenShift Service Mesh 3 is that the Operator no longer installs and manages observability components such as Prometheus and Grafana with the Istio control plane. It also no longer installs and manages Red Hat OpenShift distributed tracing platform components such as distributed tracing platform (Tempo) and Red Hat OpenShift distributed tracing data collection (previously Jaeger and Elasticsearch), or Kiali.

The OpenShift Service Mesh 3 Operator limits its scope to Istio-related resources, with observability components supported and managed by the independent Operators that make up Red Hat OpenShift Observability, such as the following:

Logging
User workload monitoring
Red Hat OpenShift distributed tracing platform

Kiali and the OpenShift Service Mesh Console (OSSMC) plugin are still supported with the Kiali Operator provided by Red Hat.

This simplification greatly reduces the footprint and complexity of OpenShift Service Mesh 3, while providing better, production-grade support for observability through Red Hat OpenShift Observability components.

2.1.5. Scoping of the mesh with discoverySelectors and labels

In OpenShift Service Mesh 2.4, a cluster-wide mode was introduced to allow a mesh to be cluster-scoped, with the option to limit the mesh using an Istio feature called discoverySelectors. Using discoverySelectors limits the Istio control plane’s visibility to a set of namespaces defined with a label selector. This aligned with how community Istio worked, and allowed Istio to manage cluster-level resources. For more information, see "Labels and Selectors".

OpenShift Service Mesh 3 makes all meshes cluster-wide by default. This change means that Istio control planes are all cluster-scoped resources and the resources ServiceMeshMemberRoll and ServiceMeshMember are no longer present, with control planes watching, or discovering, the entire cluster by default. The control plane’s discovery of namespaces can be limited using the discoverySelectors feature.

Next steps

Scoping Service Mesh with discoverySelectors

2.1.6. New considerations for sidecar injection

Red Hat OpenShift Service Mesh 2 supported using pod annotations and labels to configure sidecar injection and there was no need to indicate which control plane a workload belonged to.

With OpenShift Service Mesh 3, even though the Istio control plane discovers a namespace, the workloads present in that namespace still require sidecar proxies to be included as workloads in the service mesh, and to be able to use Istio’s many features.

In OpenShift Service Mesh 3, sidecar injection works the same way as it does for Istio, with pod or namespace labels used to trigger sidecar injection. However, it might be necessary to include a label that indicates which control plane the workload belongs to.

Note

The Istio Project has deprecated pod annotations in favor of labels for sidecar injection.

When an Istio resource has the name default and InPlace upgrades are used, there is a single IstioRevision with the name default and the label istio-injection=enabled for sidecar injection.

However, an IstioRevision resource is required to have a different name in the following cases:

Multiple control plane instances are present.
A RevisionBased, canary-style control plane upgrade is in progress.

If there are running multiple control plane instances, or you chose the RevisionBased update strategy during your OpenShift Service Mesh 3 installation, then an IstioRevision resource is required to have a different name than default. When that happens, it is necessary to use a label that indicates which control plane revision the workloads belong to by specifying istio.io/rev=<istiorevision_name>.

These labels can be applied at the workload or namespace level.

You can inspect available revisions by running the following command:

$ oc get istiorevision

2.1.7. Support for multiple control planes

Red Hat OpenShift Service Mesh 3 supports multiple service meshes in the same cluster, but in a different manner than in OpenShift Service Mesh 2. A cluster administrator must create multiple Istio instances and then configure discoverySelectors appropriately to ensure that there is no overlap between mesh namespaces.

As Istio resources are cluster-scoped, they must have unique names to represent unique meshes within the same cluster. The OpenShift Service Mesh 3 Operator uses this unique name to create a resource called IstioRevision with a name in the format of {Istio name} or {Istio name}-{Istio version}.

Each instance of IstioRevision is responsible for managing a single control plane. Workloads are assigned to a specific control plane using Istio’s revision labels of the format istio.io/rev={IstioRevision name}. The name with the version identifier becomes important to support canary-style control plane upgrades.

2.1.8. Independently managed Istio gateways

In Istio, gateways are used to manage traffic entering (ingress) and exiting (egress) the mesh. Red Hat OpenShift Service Mesh 2 deployed and managed an ingress gateway and an egress gateway with the Service Mesh control plane. Both an ingress gateway and an egress gateway were configured using the ServiceMeshControlPlane resource.

The OpenShift Service Mesh 3 Operator does not create or manage gateways.

Instead, gateways in OpenShift Service Mesh 3 are created and managed independent of the Operator and control plane using gateway injection or the Kubernetes Gateway API. This provides greater flexibility and ensures that gateways can be fully customized and managed as part of a Red Hat OpenShift GitOps pipeline. This allows the gateways to be deployed and managed alongside their applications with the same lifecycle.

This change was made for two reasons:

To start with a gateway configuration that can expand over time to meet the more robust needs of a production environment.
Gateways are better managed together with their corresponding workloads.

Gateways may continue to be deployed onto nodes or namespaces independent of applications. For example, a centralized gateway node. Istio gateways also remain eligible to be deployed on OpenShift Container Platform infrastructure nodes.

Next steps

If you are using OpenShift Service Mesh 2.6, and have not migrated from ServiceMeshControlPlane defined gateways to gateway injection, then you must follow the OpenShift Service Mesh 2.x gateway migration procedure before you can move to OpenShift Service Mesh 3.

Gateway migration

2.1.9. Explicitly create OpenShift Routes

An OpenShift Route resource allows an application to be exposed with a public URL using OpenShift Container Platform Ingress Operator for managing HAProxy based Ingress controllers.

Red Hat OpenShift Service Mesh 2 used Istio OpenShift Routing (IOR) that automatically created and managed OpenShift routes for Istio gateways. While this was convenient, as the Operator managed these routes for you, it also caused confusion around ownership as many Route resources are managed by administrators. Istio OpenShift Routing also lacked the ability to configure an independent Route resource, created unnecessary routes, and exhibited unpredictable behavior during updates.

Thus, in OpenShift Service Mesh 3, when a Route is desired to expose an Istio gateway, you must create and manage it manually. You can also expose an Istio gateway through a Kubernetes service of type LoadBalancer if a route is not desired.

2.1.10. Introducing canary updates

Red Hat OpenShift Service Mesh 2 supported only in-place style updates, which created risk for large meshes where, after the control plane was updated, all workloads must update to the new control plane version without a simple way to roll back if something goes wrong.

OpenShift Service Mesh 3 retains support for simple in-place style updates, and adds support for canary-style updates of the Istio control plane using Istio’s revision feature.

The Istio resource manages Istio revision labels using the IstioRevision resource. When the Istio resource’s updateStrategy type is set to RevisionBased, it creates Istio revision labels using the Istio resource’s name combined with the Istio version, for example mymesh-v1-21-2.

During an updates, a new IstioRevision deploys the new Istio control plane with an updated revision label, for example mymesh-v1-22-0. Workloads can then be migrated between control planes using the revision label on namespaces or workloads, for example istio.io/rev=mymesh-v1-22-0.

Setting your updateStrategy to RevisionBased also has implications for integrations, such as the cert-manager tool, and gateways.

Next steps

You can set updateStrategy to RevisionBased to use canary updates.

About RevisionBased strategy

Be aware that setting the updateStrategy to RevisionBased also has implications for some integrations with OpenShift Service Mesh, such as the cert-manager tool integration.

Updating istio-csr agents with revision-based update strategies

2.1.11. Supported multi-cluster topologies

Red Hat OpenShift Service Mesh 2 supported one form of multi-cluster, federation, which was introduced in OpenShift Service Mesh 2.1. Each cluster maintained its own independent control plane in this topology, with services only shared between those meshes on an as-needed basis.

Communication between federated meshes is through Istio gateways, so there was no need for Service Mesh control planes to watch remote Kubernetes control planes, as is the case with Istio’s multi-cluster service mesh topologies. Federation is ideal where service meshes are loosely coupled, such as those managed by different administrative teams.

OpenShift Service Mesh 3 introduces support for the following Istio multi-cluster topologies as well:

Multi-Primary
Primary-Remote
External control planes

These topologies effectively stretch a single, unified service mesh across multiple clusters, which is ideal when all clusters involved are managed by the same administrative team. Istio’s multi-cluster topologies are also ideal for implementing high-availability or failover use cases across a commonly managed set of applications.

2.1.12. Support for Istioctl

Red Hat OpenShift Service Mesh 1 and 2 did not include support for Istioctl, the command line utility for the Istio project that includes many diagnostic and debugging utilities. OpenShift Service Mesh 3 introduces support for Istioctl for select commands.

Table 2.1. Supported Istioctl commands
Command	Description
`admin`	Manage the control plane (`istiod`) configuration
`analyze`	Analyze the Istio configuration and print validation messages
`completion`	Generate the autocompletion script for the specified shell
`create-remote-secret`	Create a secret with credentials to allow Istio to access remote Kubernetes API servers
`help`	Display help about any command
`proxy-config`, `pc`	Retrieve information about the proxy configuration from Envoy (Kubernetes only)
`proxy-status`, `ps`	Retrieve the synchronization status of each Envoy in the mesh
`remote-clusters`	List the remote clusters each `istiod` instance is connected to
`validate`, `v`	Validate the Istio policy and rules files
`version`	Print out build version information
`waypoint`	Manage the waypoint configuration
`ztunnel-config`	Update or retrieve the current Ztunnel configuration.

Installation and management of Istio is only supported by the OpenShift Service Mesh 3 Operator.

Next steps

You can install the Istioctl tool.

2.1.13. Kubernetes network policy management

By default, Red Hat OpenShift Service Mesh 2 created Kubernetes NetworkPolicy resources with the following behavior:

Ensured network applications and the control plane could communicate with each other.
Restricted ingress for mesh applications to only member projects.

OpenShift Service Mesh 3 does not create these policies. Instead, you must configure the level of isolation required for your environment. Istio provides fine grained access control of service mesh workloads through Authorization Policies. For more information, see "Authorization Policies".

2.1.14. Transport layer security (TLS) configuration change

In Red Hat OpenShift Service Mesh 2, you created the ServiceMeshControlPlane resource, and enabled mTLS strict mode by setting spec.security.dataPlane.mtls to true.

You were able to set the minimum and maximum TLS protocol versions by setting the spec.security.controlPlane.tls.minProtocolVersion or spec.security.controlPlane.tls.maxProtocolVersion in your ServiceMeshControlPlane resource.

In OpenShift Service Mesh 3, the Istio resource replaces the ServiceMeshControlPlane resource and does not include these settings.

To enable enable mTLS strict mode in OpenShift Service Mesh 3, you must apply the corresponding PeerAuthentication and DestinationRule resources.

In OpenShift Service Mesh 3, you can enable the minimum TLS protocol by setting spec.meshConfig.tlsDefaults.minProtocolVersion in your Istio resource. For more information, see "Istio Workload Minimum TLS Version Configuration".

In OpenShift Service Mesh 2 and OpenShift Service Mesh 3, auto mTLS remains enabled by default.

2.1.15. Additional Resources

Red Hat OpenShift Observability
Logging
User workload monitoring
Red Hat OpenShift distributed tracing platform
Labels and Selectors (Kubernetes documentation)
Istio Workload Minimum TLS Version Configuration (Istio documentation)
Authorization Policies (Istio documentation)

2.2. Premigration checklists

Before you begin

You have read "Migrating from Service Mesh 2 to Service Mesh 3".
You have read and understand the differences between OpenShift Service Mesh 2 and OpenShift Service Mesh 3.
You have reviewed the Migrating references material.
You want to migrate from OpenShift Service Mesh 2 to OpenShift Service Mesh 3.
You are running OpenShift Service Mesh 2.6.7.
You have upgraded your ServiceMeshControlPlane resource to the latest version.
If you are using the Kiali Operator provided by Red Hat, you are running the latest version.
You have installed the OpenShift Service Mesh Operator 3. To install the OpenShift Service Mesh 3 Operator, see: Installing OpenShift Service Mesh

Important

You must complete the following checklists before you can begin migrating your deployment and workloads.

2.2.1. Disable add-ons and reconfigure replacements

❏ Disable Prometheus in your ServiceMeshControlPlane resource: spec.addons.prometheus.enabled=false
- ❏ Configure the ServiceMeshControlPlane with OpenShift Monitoring as the replacement. These instructions also include installing a standalone Kiali resource. Both can be done at the same time. Integration user-workload monitoring
- ❏ If you are not using OpenShift monitoring, see: Integration with external Prometheus installation.
❏ Disable tracing in your ServiceMeshControlPlane resource: spec.tracing.type=None
- ❏ Configure the ServiceMeshControlPlane with OpenShift Distributed Tracing as the replacement: Configuring Red Hat OpenShift distributed tracing platform (Tempo) and the Red Hat build of OpenTelemetry.
❏ Disable Kiali in your ServiceMeshControlPlane resource: spec.addons.kiali.enabled=false
- ❏ If you did not create a standalone Kiali resource as part of Prometheus or tracing, see: "Using Kiali Operator provided by Red Hat".

2.2.2. Migrate to explicitly managed routes

Automatic route creation, also known as Istio OpenShift Routing (IOR), is a deprecated feature that is disabled by default for any ServiceMeshControlPlane resource created using OpenShift Service Mesh 2.5 and later. To move from OpenShift Service Mesh 2 to OpenShift Service Mesh 3, you need to migrate from IOR to explicitly-managed routes.

If you already moved to explicitly-managed routes in OpenShift Service Mesh 2, then continue to gateway injection.

❏ Migrate from Istio OpenShift Routing (IOR) to to explicitly-managed routes: Service Mesh route migration.

2.2.3. Migrate to gateway injection

Gateways were controlled by the ServiceMeshControlPlane (SMCP) resource in OpenShift Service Mesh 2. The OpenShift Service Mesh 3 control plane does not manage gateways so you must migrate from SMCP-Defined gateways to gateway injection.

❏ Service Mesh gateway migration.

2.2.4. Disable network policy management

If you do not want your network policies in place during your migration:

❏ Disable network policy management in the OpenShift Service Mesh 2 ServiceMeshControlPlane resource: spec.security.manageNetworkPolicy=false.
❏ Complete the rest of the checklists.
❏ Migrate your deployment and workloads.
❏ Manually recreate your network policies after you have migrated your workloads.

If you want your network policies in place during your migration:

❏ Manually set up network policies to use during migration.
❏ Disable network policy management in the OpenShift Service Mesh 2 ServiceMeshControlPlane resource: spec.security.manageNetworkPolicy=false.
❏ Complete the rest of the checklists.
❏ Migrate your deployment and workloads.

2.2.5. Disable Grafana in OpenShift Service Mesh 2

Grafana is not supported in OpenShift Service Mesh 3, and must be disabled in your OpenShift Service Mesh 2 ServiceMeshControlPlane.

❏ Disable Grafana in your OpenShift Service Mesh 2 ServiceMeshControlPlane: spec.addons.grafana.enabled=false.

2.2.6. Example resource files

After you have completed the premigration procedures, your OpenShift Service Mesh 2 resources might be similar to the following examples:

2.2.6.1. The ServiceMeshControlPlane resource file

Example ServiceMeshControlPlane resource

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  version: v2.6 1
  security: 2
    manageNetworkPolicy: false
  addons: 3
    grafana:
      enabled: false
    kiali:
      enabled: false
    prometheus:
      enabled: false
  meshConfig: 4
    extensionProviders:
      - name: prometheus
        prometheus: {}
      - name: otel
        opentelemetry:
          port: 4317
          service: otel-collector.istio-system.svc.cluster.local
  gateways: 5
    enabled: false
    openshiftRoute:
      enabled: false
  mode: MultiTenant 6
  tracing: 7
    type: None

1: Update your ServiceMeshControlPlane resource to the latest OpenShift Service Mesh version.
2: Disable network policy management.
3: Disable all resources in the addons stanza.
4: Your ServiceMeshControlPlane resource is configured to use external metrics and tracing providers.
5: Disable managed gateways.
6: Set to either MultiTenant or ClusterWide.
7: Disable tracing.

2.2.6.2. Telemetry resource file

The Telemetry resource file is located in your root namespace. The following example uses istio-system as the root namespace.

Example Telemetry resource

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  metrics: 1
    - providers:
        - name: prometheus
  tracing: 2
    - providers:
        - name: otel

1: Specify your metrics provider. The name field must match what is specified in your ServiceMeshControlPlane resource in the spec.meshConfig.extensionProviders field.
2: Specify yur tracing provider. The name field must match what is specified in your ServiceMeshControlPlane resource in the spec.meshConfig.extensionProviders field.

2.2.6.3. Kiali resource file

Example Kiali resource

apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: istio-system
spec:
  version: default 1
  external_services:
    prometheus: 2
      auth:
        type: bearer
        use_kiali_token: true
      thanos_proxy:
        enabled: true
      url: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091
    tracing: 3
      enabled: true
      provider: tempo
      use_grpc: false
      internal_url: http://tempo-sample-query-frontend.tempo:3200
      external_url: https://tempo-sample-query-frontend-tempo.apps-crc.testing
    grafana: 4
      enabled: false

1: You can use the default value of the version parameter if you install OpenShift Service Mesh 3 before updating Kiali. The default version is compatible with both 2.6 and 3.0 control planes.
2: Configure Kiali to use external Prometheus.
3: Configure Kiali to use the external tracing store.
4: Disable the Grafana configuration. Grafana is not supported with OpenShift Service Mesh 3.0.

2.2.7. Find your deployment model

Run the following command to find your deployment model:

oc get smcp <smcp-name> -n <smcp-namespace> -o jsonpath='{.spec.mode}'

Note

If you did not set a value for the .spec.mode parameter in your ServiceMeshControlPlane resource, your deployment is multitenant.

2.2.8. Migrate based on your deployment model

If you are not using the cert-manager tool with your deployment, you are ready to migrate your deployment.

Multitenant migration guide
Cluster-wide migration guide

If you are unsure, you can check if you are using the cert-manager tool with your deployment.

2.2.9. Using the cert-manager tool with your deployment

You must check if your deployment uses the cert-manager tool. If you are using the cert-manager tool with OpenShift Service Mesh 2, you must perform additional configurations before you can start migrating your deployments and workloads.

Procedure

Use one of the following ways to check if you are using the cert-manager tool with your deployment:

Inspect your ServiceMeshControlPlane resource to verify that the spec.security.certificateAuthority.type parameter is set to cert-manager:

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  ...
  security:
    certificateAuthority:
      cert-manager:
        address: cert-manager-istio-csr.istio-system.svc:443
      type: cert-manager
    dataPlane:
      mtls: true
    identity:
      type: ThirdParty
    manageNetworkPolicy: false

Run the following command to verify that the spec.security.certificateAuthority.type parameter is set to cert-manager:
```
oc get smcp <smcp-name> -n <smcp-namespace> -o jsonpath='{.spec.security.certificateAuthority.type}'
```
Example output
```
cert-manager
```

Next steps for migrating with the cert-manager tool

There are some configurations you must complete first before you can start migrating your deployments.

Migrating a multitenant deployment with the cert-manager tool
Cluster-wide migration methods

2.2.10. Additional resources

Using Kiali Operator provided by Red Hat

2.3. Migrating network policies from Service Mesh 2 to Service Mesh 3

In Red Hat OpenShift Service Mesh 2, network policies are created by default when the spec.security.manageNetworkPolicy field is set to true in the ServiceMeshControlPlane resource. During the migration to OpenShift Service Mesh 3, these policies are removed.

It is recommended to re-create your network policies after you have migrated your deployment and workloads. However, if your security policies require you to keep your network policies, you must re-create them first, and then set the spec.security.manageNetworkPolicy field to false as outlined in the migration checklists.

2.3.1. Set up network policies to use during migration

You can set up network policies to use during your migration.

Important

During the recreation of network policies from OpenShift Service Mesh 2 to OpenShift Service Mesh 3, both control planes must have access to all workloads and all workloads must have access to control planes.
The maistra.io/member-of: label is removed from the namespaces during migration.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the ServiceMeshControlPlane 2.6 resource installed.
In OpenShift Service Mesh 2, you have set spec.security.manageNetworkPolicy=true in your ServiceMeshControlPlane resource.
You have deployed the bookinfo and bookinfo2 applications.

Procedure

Label namespaces by running the following command:
```
$ oc label namespace <app_namespace> service-mesh=enabled
```
Note
Use a label scoped specifically to your mesh that you can reuse for discovery selectors.

Create your network policies by using the following NetworkPolicy example configurations:

Example of an Istiod network policy in a mesh namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istiod-basic
  namespace: istio-system
spec:
  ingress:
    - {}
  podSelector:
    matchLabels:
      app: istiod
      istio.io/rev: basic
  policyTypes:
    - Ingress

Example of an expose route policy in a mesh namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: expose-route-basic
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      maistra.io/expose-route: "true"
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  policyTypes:
    - Ingress

Example of a default mesh network policy in a mesh namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-mesh
  namespace: istio-system
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              service-mesh: enabled
  podSelector: {}
  policyTypes:
    - Ingress

Example expose route network policy in the bookinfo namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-expose-route
  namespace: bookinfo
spec:
  podSelector:
    matchLabels:
      maistra.io/expose-route: "true"
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  policyTypes:
    - Ingress

Example mesh network policy in the bookinfo namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-mesh
  namespace: bookinfo
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              service-mesh: enabled
  podSelector: {}
  policyTypes:
    - Ingress

Example expose route network policy in the bookinfo2 namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-expose-route
  namespace: bookinfo2
spec:
  podSelector:
    matchLabels:
      maistra.io/expose-route: "true"
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  policyTypes:

Example mesh network policy in the bookinfo2 namespace

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-mesh
  namespace: bookinfo2
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              service-mesh: enabled
  podSelector: {}
  policyTypes:
    - Ingress

Disable network policies in OpenShift Service Mesh 2 by setting the spec.security.manageNetworkPolicy field to false in your ServiceMeshControlPlane resource.
Note
Setting the spec.security.manageNetworkPolicy field to false in your ServiceMeshControlPlane resource removes the network policies created by default in OpenShift Service Mesh 2.

Find your current active revision by running the following command:

$ oc get istios <istio_name>

Example output

NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
istio-tenant-a   1           1       0        istio-tenant-a    Healthy   v1.24.3   30s

Copy the active revision name from the output to use for your istio.io/rev label in your second Istiod network policy for OpenShift Service Mesh 3.

Create a second Istiod network policy for OpenShift Service Mesh 3 by using the following NetworkPolicy example configuration:

Sample policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-istiod-v3
  namespace: istio-system
spec:
  ingress:
    - {}
  podSelector:
    matchLabels:
      app: istiod
      istio.io/rev: istio-tenant-a 1
  policyTypes:
    - Ingress

1: Must match your current active revision name.

Next steps

In OpenShift Service Mesh 2, set the spec.security.manageNetworkPolicy field to false in your ServiceMeshControlPlane resource, and continue with the migration checklists.

2.4. Kiali differences for Red Hat OpenShift Service Mesh 3

Kiali Operator provided by Red Hat with Red Hat OpenShift Service Mesh 3 introduces the following changes:

New topology graphs
Deprecated configuration settings
Renamed configuration settings

2.4.1. New topology graphs

The Traffic Page Graph page has been reorganized and built using Patternfly topology with a new topology view showcasing the mesh infrastructure.

2.4.2. Deprecated configuration settings

To control which namespaces are accessible or visible to users in OpenShift Service Mesh 3, Kiali relies on discoverySelectors.

By default, deployment.cluster_wide_access=true is enabled, granting Kiali cluster-wide access to all namespaces in the local cluster. If you are migrating a cluster-wide deployment with Kiali, you must remove the following deprecated and unavailable configuration settings from your Kiali custom resource (CR):

spec.deployment.accessible_namespaces
api.namespaces.exclude
api.namespaces.include
api.namespaces.label_selector_exclude
api.namespaces.label_selector_include

If you are are using discovery selectors in Istio to restrict the namespaces that Istiod watches, then those must match the discovery selectors in your Kiali CR.

2.4.3. Renamed configuration settings

The following configuration settings have been renamed:

Old configuration	New configuration
`external_service.grafana.in_cluster_url`	`external_service.grafana.internal_url`
`external_service.grafana.url`	`external_service.grafana.external_url`
`external_service.tracing.in_cluster_url`	`external_service.tracing.internal_url`
`external_service.tracing.url`	`external_service.tracing.external_url`

These changes reflect evolving capabilities and configuration standards of Kiali within OpenShift Service Mesh 3.

Chapter 3. Multitenant migration guide

3.1. Multitenant migration guide

This guide is for users who are currently running a multitenant deployment of Red Hat OpenShift Service Mesh 2.6.7, and are migrating to OpenShift Service Mesh 3.0.

Important

If you have not completed the premigration checklists, you must complete them first before you can start migrating your deployment.

3.1.1. Migrating a multitenant deployment

The bookinfo example application is being used for demonstration purposes with a minimal example for the Istio resource. For more information on configuration differences between the OpenShift Service Mesh 2 ServiceMeshControlPlane resource and the OpenShift Service Mesh 3 Istio resource, see "ServiceMeshControlPlane resource to Istio resource fields mapping".

You can follow these same steps with your own workloads.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You created an IstioCNI resource.
You have the istioctl tool installed.
You are running a MultiTenant ServiceMeshControlPlane.
You have installed the bookinfo application.

Procedure

Create your Istio resource.
Example Istio resource
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: istio-tenant-a
spec:
  namespace: istio-system-tenant-a 1
  version: v1.24.3
  values:
    meshConfig:
      discoverySelectors: 2
        - matchLabels:
            tenant: tenant-a
      extensionProviders:  3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
```
1
The spec.namespace field in your Istio resource must be the same namespace as your ServiceMeshControlPlane resource. If you set the spec.namespace field in your Istio resource to a different namespace than your ServiceMeshControlPlane resource, the migration does not complete successfully.
2
By default, control planes watch the entire cluster. When managing multiple control planes on a single cluster, you must narrow the scope of each control plane by setting discoverySelectors fields. In this example, the label tenant-a is used, but you can use any label or combination of labels.
3
Optional: If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Add your tenant label to each one of your dataplane namespaces by running the following command for each dataplane namespace:
```
$ oc label ns bookinfo tenant=tenant-a
```
Note
With OpenShift Service Mesh 2.6, namespaces were enrolled into the mesh by adding them to the ServiceMeshMemberRoll resource. In OpenShift Service Mesh 3, you must label each one of your dataplane namespaces to match your discoverySelectors fields.

3.1.2. Migrating workloads in a multitenant deployment

Now you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".

Procedure

Find the current IstioRevision for your OpenShift Service Mesh 3.0 control plane by running the following command:
```
$ oc get istios istio-tenant-a
```
Example output
```
NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
istio-tenant-a   1           1       0        istio-tenant-a    Healthy   v1.24.3   30s
```
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Copy the ACTIVE REVISION to use as your istio.io/rev label in the next step.
Update injection labels on the dataplane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=istio-tenant-a maistra.io/ignore-namespace="true" --overwrite=true
```
This adds the following labels to the namespace:
1. The istio.io/rev: istio-tenant-a label: Ensures that any new pods that get created in that namespace connect to the OpenShift Service Mesh 3.0 proxy.
2. The maistra.io/ignore-namespace: "true" label: Disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace so OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy will refuse to start since it will have both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
  Note
  Once you apply the maistra.io/ignore-namespace label, any new pod that gets created in the namespace will connect to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which controlplane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at once so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command with bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Check that your workload is connected to the new control plane.

Fetch the list of proxies that are still connected to the OpenShift Service Mesh 2.6 control plane with the istioctl tool by running the following command:

$ istioctl ps --istioNamespace istio-system-tenant-a --revision basic

In this example, basic is the name of your ServiceMeshControlPlane:

Example output

   NAME                                              CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                            VERSION
   details-v1-7b49464bc-zr7nr.bookinfo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   ratings-v1-d6f449f59-9rds2.bookinfo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v1-686cd989df-9x59z.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v2-785b8b48fc-l7xkj.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v3-67889ffd49-7bhxn.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8

View the list proxies that have been migrated to the new OpenShift Service Mesh 3.0 control plane by running the following command:

$ istioctl ps --istioNamespace istio-system-tenant-a --revision istio-tenant-a

Example output

NAME                                         CLUSTER        CDS        LDS        EDS        RDS        ECDS     ISTIOD                      VERSION
productpage-v1-7745c5cc94-wpvth.bookinfo     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED              istiod-5bbf98dccf-n8566     1.24.3

Verify your application is still working correctly. For the bookinfo application, run the following command:
```
$ oc exec -it -n bookinfo deployments/productpage-v1 -c istio-proxy -- curl localhost:9080/productpage
```

Next steps

If you are using gateways, you must migrate them before you complete the migration process for your deployment and workloads.

Migrating gateways

If you are not using gateways, and have verified your mulitenant migration, you can proceed to complete the migration and remove OpenShift Service Mesh 2 resources.

Completing the Migration

3.1.3. Migrating a multitenant deployment with cert-manager

You can follow these same steps with your own workloads.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You created an IstioCNI resource.
You have the istioctl tool installed.
You are using the cert-manager and istio-csr tools in a multitenant deployment.
Your OpenShift Service Mesh 2 ServiceMeshControlPlane is configured with the cert-manager tool.

Procedure

Check that your OpenShift Service Mesh 2 ServiceMeshControlPlane is configured with the cert-manager-tool:

Example ServiceMeshControlPlane cert-manager configuration

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  ...
  security:
    certificateAuthority:
      cert-manager:
        address: cert-manager-istio-csr.istio-system.svc:443
      type: cert-manager
    dataPlane:
      mtls: true
    identity:
      type: ThirdParty
    manageNetworkPolicy: false

Update the istio-csr deployment to include your OpenShift Service Mesh 3 control plane by running the following command:
```
  helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
      --install \
      --reuse-values \
      --namespace istio-system \
      --wait \
      --set "app.istio.revisions={basic,istio-tenant-a}" 1
```
1
The app.istio.revisions field needs to include your OpenShift Service Mesh 3.0 control plane revision before you create your Istio resource so that proxies can properly communicate with the OpenShift Service Mesh 3.0 control plane.
Create your Istio resource.
Example Istio resource with cert-manager
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: istio-tenant-a
spec:
  namespace: istio-system-tenant-a 1
  version: v1.24.3
  values:
    meshConfig:
      discoverySelectors: 2
        - matchLabels:
            tenant: tenant-a
      extensionProviders:  3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
           port: 4317
           service: otel-collector.opentelemetrycollector-3.svc.cluster.local
    global:
      caAddress: cert-manager-istio-csr.istio-system.svc:443
    pilot:
      env:
        ENABLE_CA_SERVER: "false"
```
1
The spec.namespace field in your Istio resource must be the same namespace as your ServiceMeshControlPlane resource. If you set the spec.namespace field in your Istio resource to a different namespace than your ServiceMeshControlPlane resource, the migration will not work properly.
2
By default, control planes watch the entire cluster. When managing multiple control planes on a single cluster, you must narrow the scope of each control plane by setting discoverySelectors fields. In this example, the label tenant-a is used, but you can use any label or combination of labels.
3
Optional: If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Add your tenant label to each one of your dataplane namespaces by running the following command for each dataplane namespace:
```
$ oc label ns bookinfo tenant=tenant-a
```
Note
With OpenShift Service Mesh 2.6, namespaces were enrolled into the mesh by adding them to the ServiceMeshMemberRoll resource. In OpenShift Service Mesh 3, you must label each one of your dataplane namespaces to match your discoverySelectors fields.

3.1.4. Migrating workloads in a multitenant deployment with cert-manager

Now you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".

Procedure

Find the current IstioRevision for your OpenShift Service Mesh 3.0 control plane by running the following command:
```
$ oc get istios istio-tenant-a
```
Example output
```
NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
istio-tenant-a   1           1       0        istio-tenant-a    Healthy   v1.24.3   30s
```
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Copy the ACTIVE REVISION to use as your istio.io/rev label in the next step.
Update injection labels on the dataplane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=istio-tenant-a maistra.io/ignore-namespace="true" --overwrite=true
```
This adds the following labels to the namespace:
1. The istio.io/rev: istio-tenant-a label: Ensures that any new pods that get created in that namespace connect to the OpenShift Service Mesh 3.0 proxy.
2. The maistra.io/ignore-namespace: "true" label: Disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace so OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy will refuse to start since it will have both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
  Note
  Once you apply the maistra.io/ignore-namespace label, any new pod that gets created in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which controlplane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at once so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command with bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Check that your workload is connected to the new control plane.

Fetch the list of proxies that are still connected to the OpenShift Service Mesh 2.6 control plane with the istioctl tool by running the following command:

$ istioctl ps --istioNamespace istio-system-tenant-a --revision basic

In this example, basic is the name of your ServiceMeshControlPlane:

Example output

   NAME                                              CLUSTER        CDS        LDS        EDS        RDS          ECDS         ISTIOD                            VERSION
   details-v1-7b49464bc-zr7nr.bookinfo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   ratings-v1-d6f449f59-9rds2.bookinfo               Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v1-686cd989df-9x59z.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v2-785b8b48fc-l7xkj.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8
   reviews-v3-67889ffd49-7bhxn.bookinfo              Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED       NOT SENT     istiod-basic-6c9f8d9894-sh6lx     1.20.8

View the list proxies that have been migrated to the new OpenShift Service Mesh 3.0 control plane by running the following command:

$ istioctl ps --istioNamespace istio-system-tenant-a --revision istio-tenant-a

Example output

NAME                                         CLUSTER        CDS        LDS        EDS        RDS        ECDS     ISTIOD                      VERSION
productpage-v1-7745c5cc94-wpvth.bookinfo     Kubernetes     SYNCED     SYNCED     SYNCED     SYNCED              istiod-5bbf98dccf-n8566     1.24.3

Verify your application is still working correctly. For the bookinfo application, run the following command:
```
$ oc exec -it -n bookinfo deployments/productpage-v1 -c istio-proxy -- curl localhost:9080/productpage
```

Next steps

If you are using gateways, you must migrate them before you can complete the migration process for your deployment and workloads.

Migrating gateways

After you have migrated your gateways, you must update the app.controller.configmapNamespaceSelector field in your istio-csr deployment.

If you are not using gateways, you can complete your migration with cert-manager.

Completing the Migration

Chapter 4. Cluster-wide migration guide

4.1. Cluster-wide migration guide

This guide is for users who are running a cluster-wide deployment of Red Hat OpenShift Service Mesh 2.6.7 and are migrating to OpenShift Service Mesh 3.0.

Important

You must complete the premigration checklists before you start migrating your deployment.

4.1.1. Control plane configuration migration requirements

During the migration process, two cluster-wide control planes run in the same cluster while the data plane namespaces are gradually migrated to the Red Hat OpenShift Service Mesh 3.0 installation. One control plane is associated with the Red Hat OpenShift Service Mesh 2.6.7 installation and the other is associated with the OpenShift Service Mesh 3.0 installation. You must carefully plan the migration steps to avoid possible conflicts between the two control planes.

4.1.1.1. Root certificate

During the migration, both control planes must share a root certificate. To share a root certificate between both control planes, you install the 3.0 control plane into the same namespace as 2.6 control plane. The migration procedures show how to verify that the root certificate is shared.

4.1.1.2. Discovery selectors and namespace access

Both control planes must have access to all namespaces in the mesh. During the migration, some proxies are controlled by the 3.0 control plane while other proxies remain controlled by the 2.6 control plane. To ensure that mesh communication works during the migration, both control planes must detect the same set of services. Service discovery is provided by istiod component, which runs in the control plane namespace.

In the OpenShift Service Mesh 3.0 installation, you can control how Istio discovers services by using discovery selectors. When you use discovery selectors, ensure that the discoverySelectors expression that is defined in the OpenShift Service Mesh 3.0 Istio resource match the namespaces that comprise the OpenShift Service Mesh 2.6 mesh. You might have to add additional labels to the OpenShift Service Mesh 2.6 application namespaces to ensure that they are captured in the OpenShift Service Mesh 3.0 installation. For more information, see "Scoping the service mesh with DiscoverySelectors".

Note

In OpenShift Service Mesh 2.6 installations, the maistra.io/member-of label is automatically created. This label cannot be used because it is automatically removed during the migration process.

4.1.1.3. Network policies

By default, OpenShift Service Mesh 2.6 manages network policies that block traffic to the 3.0 control plane.

For both control planes, during the migration ensure that network policies do not block traffic between the following entities:

The control plane and the data plane namespaces
The data plane namespaces and the control plane
The data plane namespaces themselves

In the premigration checklist, you are instructed to disable network policies. However, you can manually re-create them. Manually created network policies must allow traffic for both control planes. When a data plane namespace is migrated to 3.0, the maistra.io/member-of label is automatically removed. Do not use this label in network policies. For more information, see "Set up network policies to use during migration".

Note

In OpenShift Service Mesh 2.6 installations, the maistra.io/member-of label is automatically created. This label cannot be used because it is automatically removed during the migration process.

Incorrectly configured network policies can disrupt mesh traffic. When you run the migration, be careful when you create network policies to prevent traffic disruption. For more information, see "Set up network policies to use during migration".

4.1.1.4. Sidecar injection

If both control planes try to perform sidecar injection, the proxy will not start and the migration cannot be completed. To ensure that only one control plane performs sidecar injection during the migration, use injection labels. For more information, see "Installing the Sidecar".

Note

During the migration, you must disable the 2.6 injector. Use the maistra.io/ignore-namespace: "true" label to prevent the 2.6 control plane from injecting a proxy in the namespace.

4.1.1.5. Label selection

For OpenShift Service Mesh 3.0, you must decide if you want to use the istio.io/rev label or the istio-injection label to configure sidecar injection. For more information, see "About sidecar injection".

In the OpenShift Service Mesh 2.6 installation, the member selection configuration in the ServiceMeshMemberRoll resource can impact how injection labels are used in the OpenShift Service Mesh 3.0 installation.

By default, in a 2.6 installation, the spec.memberSelectors field in the ServiceMeshMemberRoll resource is configured to match the istio-injection=enabled label and all of the data plane namespaces in a 2.6 installation have the istio-injection=enabled label applied. If you are using the default 2.6 installation settings, you can keep using that label or switch to the istio.io/rev label for the 3.0 installation.

If the spec.memberSelectors field in the ServiceMeshMemberRoll resource is not configured to match the istio-injection=enabled label and the 2.6 data plane namespace uses a custom label, you must add the istio.io/rev label or the istio-injection label during the migration. The custom labels defined in the spec.memberSelectors parameter of the ServiceMeshMemberRoll resource have no effect on sidecar injection in the OpenShift Service Mesh 3 installation and cannot be used.

If projects in the 2.6 installation were added to the mesh by manually creating the ServiceMeshMember resource, you must add the istio.io/rev or istio-injection label to the project namespaces during the migration.

Additional resources

4.1.2. Cluster-wide migration methods

You can migrate the control plane from Red Hat OpenShift Service Mesh 2.6.7 to OpenShift Service Mesh 3.0 by using one of the following methods:

Applying the istio.io/rev label
Applying the istio-injection=enabled label
Performing a simple migration by using the istio-injection=enabled label
Note
The simple migration method might introduce traffic disruptions.

To select the best migration method for your OpenShift Service Mesh installation, you must understand the difference between the istio.io/rev and istio-injection labels. Read through all the migration methods before choosing the one that best fits your needs.

4.1.3. Migrating a cluster-wide deployment by using the Istio revision label

You can perform a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment by using the istio.io/rev label.

The bookinfo example application is being used for demonstration purposes with a minimal example for the Istio resource. For more information on configuration differences between the OpenShift Service Mesh 2 ServiceMeshControlPlane resource and the OpenShift Service Mesh 3 Istio resource, see "Configuration fields mapping between Service Mesh 2 and Service Mesh 3".

You can follow these same steps with your own workloads.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You created an IstioCNI resource.
You have the istioctl tool installed.
You are running a cluster-wide Service Mesh control plane.
You have installed the bookinfo application.

Procedure

Identify the namespaces that contain a 2.6 control plane by running the following command:

$ oc get smcp -A

Example output

NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION       AGE
istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.6         115m

Create a YAML file named ossm-3.yaml that creates the Istio resource for the 3.0 installation in the same namespace as the ServiceMeshControlPlane resource for the 2.6 installation.
Note
In the following example configuration, the Istio control plane has access to all namespaces on the cluster. If you want limit the namespaces the control plan has access to, you must define discovery selectors. All data plane namespaces that you plan to migrate from version 2.6 must be matched.
Example Istio resource
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: ossm-3 1
spec:
  updateStrategy:
    type: RevisionBased
  namespace: istio-system 2
  version: v1.24.3
  values:  3
    meshConfig:
      extensionProviders:
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
```
1
The name, updateStrategy and version fields specify how the IstioRevision resource name is created. For more information, see "Identifying the revision name".
2
The 3.0 and 2.6 control planes must run in the same namespace.
3
If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Apply the YAML file by running the following command:
```
$ oc apply -f ossm-3.yaml
```

Verify that the new istiod resource uses the existing root certificate by running the following command:

$ oc logs deployments/istiod-ossm-3-v1-24-3 -n istio-system | grep 'Load signing key and cert from existing secret'

Example output

2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret

4.1.3.1. Migrating workloads by using the Istio revision label

Now you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Revision tags are not used in this example for simplicity. When migrating large meshes, you can use revision tags to avoid re-labeling all namespaces during future version 3 updates.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".

Procedure

Find the current IstioRevision for your OpenShift Service Mesh 3.0 control plane by running the following command:

$ oc get istios

Example output

NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
ossm-3           1           1       0        ossm-3-v1-24-3    Healthy   v1.24.3   30s

Copy the value in the ACTIVE REVISION column to use as your istio.io/rev label in the next step.
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Update the injection labels on the dataplane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=ossm-3-v1-24-3 maistra.io/ignore-namespace="true" istio-injection- --overwrite=true
```
Running the command performs the following actions:
1. Removes the istio-injection label: This label prevents the 3.0 control plane from injecting the proxy. The istio-injection label takes precedence over istio.io/rev label.
2. Adds the istio.io/rev=ossm-3-v1-24-3 label: This label ensures that any newly created or restarted pods in the namespace connect to the OpenShift Service Mesh 3.0 proxy.
3. Adds the maistra.io/ignore-namespace: "true" label: This label disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace. With the label applied, OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy refuses to start since it will have both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
  Note
  Once you apply the maistra.io/ignore-namespace label, any new pod that gets created in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which control plane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at once so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command with bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Ensure that expected workloads are managed by the new control plane by running the following command:

$ istioctl ps -n bookinfo

Example output

$ istioctl ps -n bookinfo
NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-ossm-3-v1-24-3-797bb4d78f-xpchx           1.24.3
ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8

The previous output shows that the productpage-v1 deployment is the only deployment that restarted and was injected with the 3.0 proxy. Even if there are different versions of the proxies, communication between services still works.

If the 2.6 installation contains additional data plane namespaces, migrate the next namespace now.
Note
Do not remove the maistra.io/ignore-namespace="true" label until the 2.6 control plane is uninstalled.

4.1.4. Next steps

If you are using gateways, you must migrate them before you complete the migration process.

Migrating gateways

If you are not using gateways, and have verified your cluster-wide migration, you can proceed to complete the migration and remove OpenShift Service Mesh 2 resources.

Completing the Migration

4.1.5. Migrating a cluster-wide deployment by using the Istio revision label with cert-manager

You can perform a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment by using the istio.io/rev label with cert-manager.

The bookinfo application is used as an example for the Istio resource. For more information on configuration differences between the OpenShift Service Mesh 2 ServiceMeshControlPlane resource and the OpenShift Service Mesh 3 Istio resource, see "Configuration fields mapping between Service Mesh 2 and Service Mesh 3."

You can follow these same steps with your own workloads.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have installed the OpenShift Service Mesh 2.6.7 Operator.
You have installed the OpenShift Service Mesh 3 Operator.
You have created an IstioCNI resource.
You have installed the istioctl tool.
You are using the cert-manager and istio-csr tools in a cluster-wide deployment.
Your OpenShift Service Mesh 2 ServiceMeshControlPlane resource is configured with the cert-manager tool.

Procedure

Check that your OpenShift Service Mesh 2 ServiceMeshControlPlane resource is configured with the cert-manager tool.

Example ServiceMeshControlPlane cert-manager configuration

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  ...
  security:
    certificateAuthority:
      cert-manager:
        address: cert-manager-istio-csr.istio-system.svc:443
      type: cert-manager
    dataPlane:
      mtls: true
    identity:
      type: ThirdParty
    manageNetworkPolicy: false

Update the istio-csr deployment to include your OpenShift Service Mesh 3 control plane by running the following command:
```
  helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
      --install \
      --reuse-values \
      --namespace istio-system \
      --wait \
      --set "app.istio.revisions={basic,ossm-3-v1-24-3}" 1
```
1
The app.istio.revisions field must include your OpenShift Service Mesh 3.0 control plane revision before you create your Istio resource so that proxies can properly communicate with the OpenShift Service Mesh 3.0 control plane.

Identify the namespaces that contain a 2.6 control plane by running the following command:

$ oc get smcp -A

Example output:

NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION       AGE
istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.6         115m

Create a YAML file named ossm-3.yaml. This procedure creates the Istio resource for the 3.0 installation in the same namespace as the ServiceMeshControlPlane resource for the 2.6 installation:

Example Istio resource

apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: ossm-3 1
spec:
  updateStrategy:
    type: RevisionBased
  namespace: istio-system 2
  version: v1.24.3
  values:
    meshConfig:
      extensionProviders: 3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
    global:
      caAddress: cert-manager-istio-csr.istio-system.svc:443
    pilot:
      env:
        ENABLE_CA_SERVER: "false"

1: The name, updateStrategy, and version fields specify how the IstioRevision resource name is created. For more information, see "Identifying the revision name."
2: The 3.0 and 2.6 control planes must run in the same namespace.
3: If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.

Apply the YAML file by running the following command:
```
$ oc apply -f ossm-3.yaml
```

Verify that the new istiod resource uses the existing root certificate by running the following command:

$ oc logs deployments/istiod-ossm-3-v1-24-3 -n istio-system | grep 'Load signing key and cert from existing secret'

Example output:

2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret

4.1.5.1. Migrating workloads by using the Istio revision label with cert-manager

After migrating a cluster-wide deployment, you can migrate your workloads workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

To maintain simplicity, revision tags are not used in this example. When migrating large meshes, you can use revision tags to avoid re-labeling all namespaces during future 3.y.z upgrades.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways."

Procedure

Find the current IstioRevision resource for your OpenShift Service Mesh 3.0 control plane by running the following command:

$ oc get istios

Example output

NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
ossm-3           1           1       0        ossm-3-v1-24-3    Healthy   v1.24.3   30s

Copy the value in the ACTIVE REVISION column to use as your istio.io/rev label in the next step.
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Update the injection labels on the dataplane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=ossm-3-v1-24-3 maistra.io/ignore-namespace="true" istio-injection- --overwrite=true
```
Running the oc label command performs the following actions:
1. Removes the istio-injection label: This label prevents the 3.0 control plane from injecting the proxy. The istio-injection label takes precedence over istio.io/rev label.
2. Adds the istio.io/rev=ossm-3-v1-24-3 label: This label ensures that any newly created or restarted pods in the namespace connect to the OpenShift Service Mesh 3.0 proxy.
3. Adds the maistra.io/ignore-namespace: "true" label: This label disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace. With the label applied, OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy refuses to start since it will have both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
Note
Once you apply the maistra.io/ignore-namespace label, any new pod created in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which control plane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at once so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command for bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Verify that the expected workloads are managed by the new control plane by running the following command:

$ istioctl ps -n bookinfo

Example output:

NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-ossm-3-v1-24-1-797bb4d78f-xpchx           1.24.3
ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8

The output shows that the productpage-v1 deployment is the only deployment that restarted and was injected with the 3.0 proxy. Even if there are different versions of the proxies, communication between services still works.

If the 2.6 installation contains additional data plane namespaces, migrate the next namespace now.
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.

4.1.6. Next steps

If you are using gateways, you must migrate them before you complete the migration process.

Migrating gateways

If you are not using gateways, and have verified your cluster-wide migration, you can proceed to complete the migration and remove OpenShift Service Mesh 2 resources.

Completing the Migration

4.1.7. Migrating a cluster-wide deployment by using the istio injection label

You can perform a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment by using the istio-injection=enabled label and the default revision tag.

You must re-label all of the data plane namespaces. However, it is safe to restart any of the workloads at any point during the migration process.

The bookinfo application is used as an example for the Istio resource. For more information about configuration differences between the OpenShift Service Mesh 2 ServiceMeshControlPlane resource and the OpenShift Service Mesh 3 Istio resource, see "ServiceMeshControlPlane resource to Istio resource fields mapping".

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You have created an IstioCNI resource.
You have installed the istioctl tool.
You are running a cluster-wide Service Mesh control plane resource.
You have installed the bookinfo application.

Procedure

Identify the namespaces that contain a 2.6 control plane by running the following command:

$ oc get smcp -A

Example output

NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION   AGE
istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.6     115m

Create a YAML file named ossm-3.yaml. This procedure creates the Istio resource for the 3.0 installation in the same namespace as the ServiceMeshControlPlane resource for the 2.6 installation.
Note
In the following example configuration, the Istio control plane has access to all namespaces on the cluster. If you want to limit the namespaces the control plan has access to, you must define discovery selectors. You must match all the data plane namespaces that you plan to migrate from version 2.6.
Example Istio resource
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: ossm-3 1
spec:
  updateStrategy:
    type: RevisionBased
  namespace: istio-system 2
  version: v1.24.3
  values:
    meshConfig:
      extensionProviders: 3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
```
1
The name, updateStrategy and version fields specify how the IstioRevision resource name is created. For more information, see "Identifying the revision name".
2
The 3.0 and 2.6 control planes must run in the same namespace.
3
Optional: If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Note
To prevent the OpenShift Service Mesh 3.0 control plane from injecting proxies in the namespaces that have the istio-injection=enabled label applied and are still managed by OpenShift Service Mesh 2.6 control plane, do not use use the default name for the Istio resource, and do not create the default revision tag in the following steps. You create the default revision tag later in this procedure.
Apply the YAML file by running the following command:
```
$ oc apply -f ossm-3.yaml
```

Verification

Verify that the new istiod resource uses the existing root certificate by running the following command:

$ oc logs deployments/istiod-ossm-3-v1-24-3 -n istio-system | grep 'Load signing key and cert from existing secret'

Example output

2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret

4.1.7.1. Migrating workloads by using the istio injection label

Now you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".

Procedure

Find the current IstioRevision resource for your OpenShift Service Mesh 3.0 control plane by running the following command:

$ oc get istios

Example output

NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
ossm-3           1           1       0        ossm-3-v1-24-3    Healthy   v1.24.3   30s

Copy the ACTIVE REVISION value to use as your istio.io/rev label in the next step.
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Update the injection labels on the data plane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=ossm-3-v1-24-3 maistra.io/ignore-namespace="true" istio-injection- --overwrite=true
```
The oc label command performs the following actions:
1. Removes the istio-injection label: This label prevents the 3.0 control plane from injecting the proxy. The istio-injection label takes precedence over the istio.io/rev label. You must temporarily remove the istio-injection=enabled because you cannot create the default IstioRevisionTag tag yet. Leaving the istio-injection=enabled label applied would prevent the 3.0 control plane from performing proxy injection.
2. Adds the istio.io/rev=ossm-3-v1-24-3 label: This label ensures that any newly created or restarted pods in the namespace connect to the OpenShift Service Mesh 3.0 proxy.
3. Adds the maistra.io/ignore-namespace: "true" label: This label disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace. With the label applied, OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy refuses to start since it will has both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
  Note
  After you apply the maistra.io/ignore-namespace label, any new pod that gets created in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which control plane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at the same time so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command for bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Verify that the the new control plane manages the expected workloads by running the following command:

$ istioctl ps -n bookinfo

Example output:

NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-ossm-3-v1-24-3-797bb4d78f-xpchx           1.24.3
ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8

The output shows that the productpage-v1 deployment is the only deployment that has been restarted and was injected with the 3.0 proxy. Even if there are different versions of the proxies, communication between the services still works.

If the 2.6 installation contains additional namespaces, migrate the next namespace now.
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.

4.1.8. Next steps

If you are using gateways, you must migrate them before you complete the migration process.

Migrating gateways

If you are not using gateways, and have verified your cluster-wide migration, create a default revision tag and relabel namespaces.

4.1.8.1. Creating the default revision tag and relabeling the namespaces

You can create the default revision tag and relabel the namespaces after you have completed the OpenShift Service Mesh 2 to OpenShift Service Mesh 3 cluster-wide migration process by using the Istio injection label.

The bookinfo application is used as an example.

Prerequisites

You have completed the OpenShift Service Mesh 2 to OpenShift Service Mesh 3 cluster-wide migration process by using Istio injection label.

Procedure

Create a YAML file called rev-tag.yaml that defines the IstioRevisionTag resource:

Example IstioRevisionTag resource

apiVersion: sailoperator.io/v1
kind: IstioRevisionTag
metadata:
  name: default
spec:
  targetRef:
    kind: IstioRevision
    name: ossm-3-v1-24-3

Apply the YAML file by running the following command:
```
$ oc apply -f rev-tag.yaml
```

Verify the status of the IstioRevisionTag resource by running the following command:

$ oc get istiorevisiontags

Example output

NNAME      STATUS                    IN USE   REVISION        AGE
default    NotReferencedByAnything   False    ossm-3-v1-24-3  18s

Add the istio-injection=enabled label to the bookinfo namespace, and remove the istio.io/rev label by running the following command:
```
$ oc label ns bookinfo istio-injection=enabled istio.io/rev-
```
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.
Restart the workloads by running the following command:
```
$ oc rollout restart deployments -n bookinfo
```
Note
Repeat steps 4 and 5 for each namespace you are migrating.

Verification

Verify that the IstioRevisionTag resource is in use by running the following command:

$ oc get istiorevisiontags

Example output

NAME      STATUS    IN USE   REVISION        AGE
default   Healthy   True     ossm-3-v1-24-3  28s

Ensure that expected workloads are managed by the new control plane by running the following command:

$ istioctl ps -n bookinfo

Example output

NAME                                         CLUSTER        CDS              LDS              EDS             RDS              ECDS        ISTIOD                                     VERSION
details-v1-79dfbd6fff-t5lzm.bookinfo         Kubernetes     SYNCED (57s)     SYNCED (57s)     SYNCED (3s)     SYNCED (57s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
details-v1-7cb48d8bb-6rjq8.bookinfo          Kubernetes     SYNCED (3s)      SYNCED (3s)      SYNCED (3s)     SYNCED (3s)      IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
productpage-v1-7d9cdf655d-cqk48.bookinfo     Kubernetes     SYNCED (10s)     SYNCED (10s)     SYNCED (3s)     SYNCED (10s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
ratings-v1-5b67b59fcb-w4whk.bookinfo         Kubernetes     SYNCED (18s)     SYNCED (18s)     SYNCED (3s)     SYNCED (18s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v1-585fc84dbb-fvm2h.bookinfo         Kubernetes     SYNCED (11s)     SYNCED (11s)     SYNCED (3s)     SYNCED (11s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v2-65cb66b45c-6ggp9.bookinfo         Kubernetes     SYNCED (57s)     SYNCED (57s)     SYNCED (3s)     SYNCED (57s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v2-698b86b848-v92xq.bookinfo         Kubernetes     SYNCED (3s)      SYNCED (3s)      SYNCED (3s)     SYNCED (3s)      IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v3-6cbc49c8c8-v4jck.bookinfo         Kubernetes     SYNCED (11s)     SYNCED (11s)     SYNCED (3s)     SYNCED (11s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3

4.1.9. Next steps

You can proceed to complete the migration and remove OpenShift Service Mesh 2 resources.

Completing the Migration

Important

Before creating a default revision tag and relabelling the namespaces, you must migrate all remaining workload namespaces, including gateways.

4.1.10. Migrating a cluster-wide deployment by using the Istio injection label with cert-manager

You can perform a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment by using the istio-injection=enabled label and the default revision tag.

You must relabel all of the data plane namespaces. However, it is safe to restart any of the workloads at any point during the migration process.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You have logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You have created an IstioCNI resource.
You have installed the istioctl tool.
You are using the cert-manager and istio-csr tools in a cluster-wide deployment.
Your OpenShift Service Mesh 2.6.7 ServiceMeshControlPlane resource is configured with the cert-manager tool.
You have installed the bookinfo application.

Procedure

Check that your OpenShift Service Mesh 2 ServiceMeshControlPlane resource is configured with the cert-manager-tool:

Example ServiceMeshControlPlane cert-manager configuration

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system
spec:
  ...
  security:
    certificateAuthority:
      cert-manager:
        address: cert-manager-istio-csr.istio-system.svc:443
      type: cert-manager
    dataPlane:
      mtls: true
    identity:
      type: ThirdParty
    manageNetworkPolicy: false

Update the istio-csr deployment to include your OpenShift Service Mesh 3 control plane by running the following command:
```
  helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
      --install \
      --reuse-values \
      --namespace istio-system \
      --wait \
      --set "app.istio.revisions={basic,ossm-3-v1-24-3}" 1
```
1
The app.istio.revisions field needs to include your OpenShift Service Mesh 3.0 control plane revision before you create your Istio resource so that proxies can properly communicate with the OpenShift Service Mesh 3.0 control plane.

Identify the namespaces that contain a 2.6 control plane by running the following command:

$ oc get smcp -A

Example output:

NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION   AGE
istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.6     115m

Create a YAML file named ossm-3.yaml. This procedure creates the Istio resource for the 3.0 installation in the same namespace as the ServiceMeshControlPlane resource for the 2.6 installation.
Note
In the following example configuration, the Istio control plane has access to all namespaces on the cluster. If you want to limit the namespaces the control plan has access to, you must define discovery selectors. You must match all the data plane namespaces that you plan to migrate from version 2.6.
Example Istio resource
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: ossm-3 1
spec:
  updateStrategy:
    type: RevisionBased
  namespace: istio-system 2
  version: v1.24.3
  values:
    meshConfig:
      extensionProviders: 3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
    global:
      caAddress: cert-manager-istio-csr.istio-system.svc:443
    pilot:
      env:
        ENABLE_CA_SERVER: "false"
```
1
The name, updateStrategy, and version fields specify how the IstioRevision resource name is created. For more information, see "Identifying the revision name".
2
The 3.0 and 2.6 control planes must run in the same namespace.
3
If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Note
The proxies with the istio-injection=enabled label applied and are still managed by OpenShift Service Mesh 2.6 control plane. To prevent the OpenShift Service Mesh 3.0 control plane from injecting proxies in the namespaces that are still managed by OpenShift Service Mesh 2.6 control plane, do not use the default name for the Istio resource, and do not create the default revision tag in the following steps. You create the default revision tag later in this procedure.
Apply the YAML file by running the following command:
```
$ oc apply -f ossm-3.yaml
```

Verify that the new istiod resource uses the existing root certificate by running the following command:

$ oc logs deployments/istiod-ossm-3-v1-24-3 -n istio-system | grep 'Load signing key and cert from existing secret'

Example output:

2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret

4.1.10.1. Migrating workloads by using the Istio injection label with cert-manager

After migrating a cluster-wide deployment, you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways".

Procedure

Find the current IstioRevision resource for your OpenShift Service Mesh 3.0 control plane by running the following command:

$ oc get istios

Example output

NAME             REVISIONS   READY   IN USE   ACTIVE REVISION   STATUS    VERSION   AGE
ossm-3           1           1       0        ossm-3-v1-24-3    Healthy   v1.24.3   30s

Copy the ACTIVE REVISION value to use as your istio.io/rev label in the next step.
Note
The naming format of your revisions depends on which upgrade strategy you choose for your Istio instance.
Update the injection labels on the data plane namespace by running the following command:
```
$ oc label ns bookinfo istio.io/rev=ossm-3-v1-24-3 maistra.io/ignore-namespace="true" istio-injection- --overwrite=true
```
The oc label command performs the following actions:
1. Removes the istio-injection label: This label prevents the 3.0 control plane from injecting the proxy. The istio-injection label takes precedence over the istio.io/rev label. You must temporarily remove the istio-injection=enabled because you cannot create the default IstioRevisionTag tag yet. Leaving the istio-injection=enabled label applied would prevent the 3.0 control plane from performing proxy injection.
2. Adds the istio.io/rev=ossm-3-v1-24-3 label: This label ensures that any newly created or restarted pods in the namespace connect to the OpenShift Service Mesh 3.0 proxy.
3. Adds the maistra.io/ignore-namespace: "true" label: This label disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace. With the label applied, OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy refuses to start since it will has both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
  Note
  After you apply the maistra.io/ignore-namespace label, any new pod that gets created in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which control plane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at the same time so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command for bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Verify that the the new control plane manages the expected workloads by running the following command:

$ istioctl ps -n bookinfo

Example output:

NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-ossm-3-v1-24-3-797bb4d78f-xpchx           1.24.3
ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8

If the 2.6 installation contains additional namespaces, migrate the next namespace now.
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.

4.1.11. Next steps

If you are using gateways, you must migrate them before you complete the migration process.

Migrating gateways

If you are not using gateways, and have verified your cluster-wide migration, create a default revision tag and relabel namespaces.

Important

Before creating a default revision tag and relabelling the namespaces, you must migrate all remaining workload namespaces, including gateways.

4.1.11.1. Creating the default revision tag and relabeling the namespaces with cert manager

The bookinfo application is used as an example.

Prerequisites

You have completed the OpenShift Service Mesh 2 to OpenShift Service Mesh 3 cluster-wide migration process by using Istio injection label.

Procedure

Create a YAML file called rev-tag.yaml that defines the IstioRevisionTag resource:

Example IstioRevisionTag resource

apiVersion: sailoperator.io/v1
kind: IstioRevisionTag
metadata:
  name: default
spec:
  targetRef:
    kind: IstioRevision
    name: ossm-3-v1-24-3

Apply the YAML file by running the following command:
```
$ oc apply -f rev-tag.yaml
```

Verify the status of the IstioRevisionTag resource by running the following command:

$ oc get istiorevisiontags

Example output

NNAME      STATUS                    IN USE   REVISION        AGE
default    NotReferencedByAnything   False    ossm-3-v1-24-3  18s

Add the istio-injection=enabled label to the bookinfo namespace, and remove the istio.io/rev label by running the following command:
```
$ oc label ns bookinfo istio-injection=enabled istio.io/rev-
```
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.
Restart the workloads by running the following command:
```
$ oc rollout restart deployments -n bookinfo
```
Note
Repeat steps 4 and 5 for each namespace you are migrating.

Verification

Verify that the IstioRevisionTag resource is in use by running the following command:

$ oc get istiorevisiontags

Example output

NAME      STATUS    IN USE   REVISION        AGE
default   Healthy   True     ossm-3-v1-24-3  28s

Ensure that expected workloads are managed by the new control plane by running the following command:

$ istioctl ps -n bookinfo

Example output

NAME                                         CLUSTER        CDS              LDS              EDS             RDS              ECDS        ISTIOD                                     VERSION
details-v1-79dfbd6fff-t5lzm.bookinfo         Kubernetes     SYNCED (57s)     SYNCED (57s)     SYNCED (3s)     SYNCED (57s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
details-v1-7cb48d8bb-6rjq8.bookinfo          Kubernetes     SYNCED (3s)      SYNCED (3s)      SYNCED (3s)     SYNCED (3s)      IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
productpage-v1-7d9cdf655d-cqk48.bookinfo     Kubernetes     SYNCED (10s)     SYNCED (10s)     SYNCED (3s)     SYNCED (10s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
ratings-v1-5b67b59fcb-w4whk.bookinfo         Kubernetes     SYNCED (18s)     SYNCED (18s)     SYNCED (3s)     SYNCED (18s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v1-585fc84dbb-fvm2h.bookinfo         Kubernetes     SYNCED (11s)     SYNCED (11s)     SYNCED (3s)     SYNCED (11s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v2-65cb66b45c-6ggp9.bookinfo         Kubernetes     SYNCED (57s)     SYNCED (57s)     SYNCED (3s)     SYNCED (57s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v2-698b86b848-v92xq.bookinfo         Kubernetes     SYNCED (3s)      SYNCED (3s)      SYNCED (3s)     SYNCED (3s)      IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3
reviews-v3-6cbc49c8c8-v4jck.bookinfo         Kubernetes     SYNCED (11s)     SYNCED (11s)     SYNCED (3s)     SYNCED (11s)     IGNORED     istiod-ossm-3-v1-24-3-6595bf8695-s8ktn     1.24.3

4.1.12. Migrating a cluster-wide deployment by using the simple migration method

You can perform a canary upgrade with the gradual migration of data plane namespaces for a cluster-wide deployment by using the simple migration method. In an OpenShift Service Mesh 2.6.7 installation, if the istio-injection=enabled label is already applied to the data plane namespaces, the simple migration method is the easiest way to migrate from the OpenShift Service Mesh 2 installation to the OpenShift Service Mesh 3 installation.

The simple migration method should not be used in production environments.

Note

Using the simple migration method to migrate from OpenShift Service Mesh 2 to OpenShift Service Mesh 3 might result in traffic disruption to the services running on a mesh. There are two methods to perform the cluster-wide migration without disrupting traffic. See "Migrating a cluster-wide deployment by using the istio injection label" or "Migrating a cluster-wide deployment by using the Istio revision label" for more information.

Prerequisites

You have deployed OpenShift Container Platform 4.14 or later.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.
You have completed the premigration checklists.
You have the OpenShift Service Mesh 2.6.7 Operator installed.
You have the OpenShift Service Mesh 3 Operator installed.
You have created an IstioCNI resource.
You have installed the istioctl tool.
You are running a cluster-wide Service Mesh control plane resource.
You have installed the bookinfo application.

Procedure

Identify the namespaces that contain a 2.6 control plane by running the following command:

$ oc get smcp -A

Example output

NAMESPACE      NAME                   READY   STATUS            PROFILES      VERSION   AGE
istio-system   install-istio-system   6/6     ComponentsReady   ["default"]   2.6.6     115m

Create a YAML file named ossm-3.yaml. This procedure creates the Istio resource for the 3.0 installation in the same namespace as the ServiceMeshControlPlane resource for the 2.6 installation.
Note
In the following example configuration, the Istio control plane has access to all namespaces on the cluster. If you want to limit the namespaces the control plane has access to, you must define discovery selectors. You must match all the data plane namespaces that you plan to migrate from version 2.6.
Example Istio resource
```
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default 1
spec:
  updateStrategy:
    type: InPlace
  namespace: istio-system 2
  version: v1.24.3
  values:
    meshConfig:
      extensionProviders: 3
        - name: prometheus
          prometheus: {}
        - name: otel
          opentelemetry:
            port: 4317
            service: otel-collector.opentelemetrycollector-3.svc.cluster.local
```
1
The name, updateStrategy and version fields specify how the IstioRevision resource name is created. For more information, see "Identifying the revision name."
2
The 3.0 and 2.6 control planes must run in the same namespace.
3
If you are migrating metrics and tracing, update the extensionProviders fields according to your tracing and metrics configurations.
Note
If the Istio resource is named default, and the installation uses the InPlace update strategy, you can use the istio-injection=enabled label without creating the IstioRevisionTag tag. If you use a different name for the Istio resource or you use the RevisionBased update strategy, you must configure the default IstioRevisionTag tag. For more information, see "Creating the default revision tag and relabeling the namespaces."
Apply the YAML file by running the following command:
```
$ oc apply -f ossm-3.yaml
```
Note
After you apply the YAML file, any time the workloads are restarted, both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 control planes will try to inject side cars to all pods in namespaces that have the istio-injection=enabled label applied and to all pods that have the sidecar.istio.io/inject="true" label applied. This causes a traffic disruption. To prevent traffic disruption, restart the workloads only after the maistra.io/ignore-namespace: "true" label is added.

Verification

Verify that the new istiod resource uses the existing root certificate by running the following command:

$ oc logs deployments/istiod -n istio-system | grep 'Load signing key and cert from existing secret'

Example output

2024-12-18T08:13:53.788959Z	info	pkica	Load signing key and cert from existing secret istio-system/istio-ca-secret

4.1.12.1. Migrating workloads by using the simple migration method

After migrating a cluster-wide deployment, you can migrate your workloads from the OpenShift Service Mesh 2.6 control plane to the OpenShift Service Mesh 3.0 control plane.

Note

You can migrate workloads and gateways separately, and in any order. For more information, see "Migrating gateways."

Procedure

Add the maistra.io/ignore-namespace: "true" label to the data plane namespace by running the following command:
```
$ oc label ns bookinfo maistra.io/ignore-namespace="true"
```
The maistra.io/ignore-namespace: "true" label disables sidecar injection for OpenShift Service Mesh 2.6 proxies in the namespace. With the label applied, OpenShift Service Mesh 2.6 stops injecting proxies in this namespace, and any new proxies are injected by OpenShift Service Mesh 3.0. Without this label, the OpenShift Service Mesh 2.6 injection webhook tries to inject the pod and the injected sidecar proxy refuses to start since it has both the OpenShift Service Mesh 2.6 and the OpenShift Service Mesh 3.0 Container Network Interface(CNI) annotations.
Note
After you apply the maistra.io/ignore-namespace label, any new pod that gets created or restarted in the namespace connects to the OpenShift Service Mesh 3.0 proxy. Workloads can still communicate with each other regardless of which control plane they are connected to.
Restart the workloads by using one of the following options:
1. To restart all the workloads at the same time so that the new pods are injected with the OpenShift Service Mesh 3.0 proxy, run the following command:
  Example command for bookinfo application
```
$ oc rollout restart deployments -n bookinfo
```
2. To restart each workload individually, run the following command for each workload:
  Example command for bookinfo application
```
$ oc rollout restart deployments productpage-v1 -n bookinfo
```
Wait for the productpage application to restart by running the following command:
```
$ oc rollout status deployment productpage-v1 -n bookinfo
```

Verification

Verify that the the new control plane manages the expected workloads by running the following command:

$ istioctl ps -n bookinfo

Example output:

NAME                                          CLUSTER        CDS             LDS             EDS             RDS             ECDS         ISTIOD                                           VERSION
details-v1-7f46897b-d497c.bookinfo            Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
productpage-v1-74bfbd4d65-vsxqm.bookinfo      Kubernetes     SYNCED (4s)     SYNCED (4s)     SYNCED (3s)     SYNCED (4s)     IGNORED      istiod-797bb4d78f-xpchx           1.24.3
ratings-v1-559b64556-c5ppg.bookinfo           Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v1-847fb7c54d-qxt5d.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v2-5c7ff5b77b-8jbhd.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8
reviews-v3-5c5d764c9b-rrx8w.bookinfo          Kubernetes     SYNCED          SYNCED          SYNCED          SYNCED          NOT SENT     istiod-install-istio-system-866b57d668-6lpcr     1.20.8

If the 2.6 installation contains additional namespaces, migrate the next namespace now.
Note
Remove the maistra.io/ignore-namespace="true" label only after the 2.6 control plane has been uninstalled.

4.1.13. Next steps

If you are using gateways, you must migrate them before you complete the migration process.

Migrating gateways

If you are not using gateways, you can complete your migration.

Completing the Migration

4.1.14. Additional resources

Identifying the revision name

Chapter 5. Migrating gateways

5.1. Migrating gateways

If you are using gateways with Red Hat OpenShift Service Mesh 2.6.7 and migrating them to OpenShift Service Mesh 3.0, you can migrate gateways from OpenShift Service Mesh 2 to OpenShift Service Mesh 3 just like regular workloads.

Use one of the following two methods for migrating gateways from Red Hat OpenShift Service Mesh 2 to OpenShift Service Mesh 3:

Gateway canary migration
Gateway in place migration

5.1.1. Gateway canary migration

Use the gateway canary migration method when you want a gradual rollout. It uses multiple gateway versions with maximum control over your gateway rollout.

Note

The label for the gateway namespace differs between mulitenant and cluster-wide meshes. To understand which labels to use in your specific migration case and the maistra.io/ignore-namespace: "true" label requirement, see the "Multitenant migration guide" or the "Cluster-wide migration guide" section.

Procedure

Run the following command to label the gateway namespace to ensure that gateway injection is enabled from the new mesh and add the maistra.io/ignore-namespace: "true" label:
```
$ oc label namespace <gateway_namespace> istio.io/rev=<istio_revision_name> maistra.io/ignore-namespace="true"
```
1. Remove the istio-injection=enabled label, if needed.

Deploy a canary gateway by using the following example:

Example YAML for canary gateway

apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway-canary
  namespace: istio-ingress 1
spec:
   selector:
     matchLabels:
       istio: ingressgateway 2
   template:
     metadata:
       annotations:
         inject.istio.io/templates: gateway
       labels:
         istio: ingressgateway
         istio.io/rev: canary 3
     spec:
       containers:
       - name: istio-proxy
         image: auto

1: Your Deployment resource must be in in the same namespace as your existing gateway.
2: Your spec.selector.matchlabels.istio parameter must match your existing gateway service selector.
3: Set your OpenShift Service Mesh 3.0 control plane revision as the value of the istio.io/rev label.

Ensure that the new gateway deployment is running with the new revision and is handling requests:
1. Check that pods are running and in the Ready status.
2. Check that the gateway is running the new revision by running the following command:
```
$ istioctl ps -n istio-ingress
```
3. Test a sample route through the gateway.
Gradually shift traffic between deployments:
1. Increase replicas for new gateway by running the following command:
```
$ oc scale -n istio-ingress deployment/<new_gateway_deployment> --replicas <new_number_of_replicas>
```
2. Decrease replicas for old gateway by running the following command:
```
$ oc scale -n istio-ingress deployment/<old_gateway_deployment> --replicas <new_number_of_replicas>
```
3. Repeat this process, incrementally adjusting replica counts until the new gateway handles all traffic to the gateway Service.

Next steps

Completing your migration

5.1.2. Gateway in place migration

If you need less detailed control over your gateway migration, you can perform gateway in place migration. This method applies to namespaces with dedicated gateways and to environments using a centralized gateway shared across multiple namespaces.

Note

Procedure

Run the following command to label the gateway namespace to ensure that gateway injection is enabled from the new mesh and add the maistra.io/ignore-namespace: "true" label:
```
$ oc label namespace <gateway_namespace> istio.io/rev=<istio_revision_name> maistra.io/ignore-namespace="true"
```
1. Remove the istio-injection=enabled label, if needed.

Restart the gateway deployment by running the following command:

$ oc -n ${app_namespace} rollout restart deployment ${gateway_name}

Verification

Check that the gateway is running the new revision by running the following command:
```
$ istioctl ps -n istio-ingress
```
Test application-specific routes.

Next steps

Completing your migration

Chapter 6. Completing the migration

6.1. Completing the Migration

At this stage, you have completed the migration process. It is safe to remove OpenShift Service Mesh 2.6.7.

Optionally, if you already have Kiali installed, before you delete OpenShift Service Mesh 2.6.7, you can verify that all data plane namespaces have been migrated by checking the Kiali Mesh page. To learn more about the Kiali Mesh page, see "Istio infrastructure status (Kiali.io)".

6.1.1. Migrating network policies after migrating deployment and workloads

If you did not re-create your network policies before you migrated your deployment and workloads, you can re-create your network policies after migrating.

Prerequisites

You have migrated your deployment.
You have migrated your workloads.

Procedure

Recreate necessary network policies in the new OpenShift Service Mesh 3 control plane namespace.
Recreate network policies for each namespace that was part of the OpenShift Service Mesh 2 mesh.
Update labels.
1. Update corresponding network policy selectors to match the new labels.
  Note
  Use a label scoped specifically to your mesh that you can reuse for discovery selectors.

6.1.2. Completing a multitenant deployment with cert-manager

Prerequisites

You have migrated a multitenant deployment with the cert-manager and istio-csr tools.

Procedure

Verify that your new injection label is present in all workload namespaces.

Update the app.controller.configmapNamespaceSelector field by running the following command:

helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
   --install \
   --reuse-values \
   --namespace istio-system \
   --wait \
   --set "app.controller.configmapNamespaceSelector=tenant=tenant-a"

Next steps

Remove OpenShift Service Mesh 2

6.1.3. Remove the Service Mesh 2.6 control plane

After you have migrated all your workloads and gateways, you can remove the OpenShift Service Mesh 2.x control plane.

Prerequisites

You have completed migrating your workloads.
You have completed migrating your gateways.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.

Note

Depending on how you created ServiceMeshMember and ServiceMeshMemberRoll resources, those resources might be removed automatically with removal of the ServiceMeshControlPlane resource.

Procedure

Find all Service Mesh 2.6 resources by running the following command:
```
$ oc get smcp,smm,smmr -A
```
Remove all ServiceMeshControlPlane resources by running the following command:
```
$ oc delete smcp --all -A
```
Remove all ServiceMeshMemberRoll resources by running the following command:
```
$ oc delete smmr --all -A
```
Remove all ServiceMeshMember resources by running the following command:
```
$ oc delete smm --all -A
```
Verify that all resources were removed by running the following command:
```
$ oc get smcp,smm,smmr -A
```
Example output
```
No resources found
```

6.1.4. Remove the Service Mesh 2.6 operator and custom resource definitions

After you remove the Red Hat OpenShift Service Mesh 2 ServiceMeshControlplane resource, and all other OpenShift Service Mesh 2 resources, you can remove the OpenShift Service Mesh 2.6 Operator and custom resource definitions (CRDs).

Prerequisites

You have completed migrating your workloads.
You have completed migrating your gateways.
You have removed the OpenShift Service Mesh 2 ServiceMeshControlPlane resource.
You have removed all other OpenShift Service Mesh 2 resources.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.

Procedure

Check that there are no Red Hat OpenShift Service Mesh 2.6 resources left by running the following command:
```
$ oc get smcp,smm,smmr -A
```
Example output
```
No resources found
```

Remove the Operator by running the following commands:

Find the Operator subscription:

csv=$(oc get subscription servicemeshoperator -n openshift-operators -o yaml | grep currentCSV | cut -f 2 -d ':')

Delete the subscription:

$ oc delete subscription servicemeshoperator -n openshift-operators

Delete the clusterserviceversion CSV:

$ oc delete clusterserviceversion $csv -n openshift-operators

Remove maistra CRDs by running the following command:

$ oc get crds -o name | grep ".*\.maistra\.io" | xargs -r -n 1 oc delete

6.1.5. Remove the Maistra labels

After you have removed all OpenShift Service Mesh 2 resources, removed the OpenShift Service Mesh 2 Operator, and OpenShift Service Mesh 2 custom resource definitions (CRDs), you can choose to remove namespace labels created during the migration.

Prerequisites

You have completed migrating your workloads.
You have completed migrating your gateways.
You have removed the OpenShift Service Mesh 2 ServiceMeshControlPlane resource.
You have removed all other OpenShift Service Mesh 2 resources.
You have removed the OpenShift Service Mesh 2 Operator.
You have removed the OpenShift Service Mesh 2 CRDs.
You are logged in to the OpenShift Container Platform web console as a user with the cluster-admin role.

Procedure

Verify that all OpenShift Service Mesh 2.6 resources have been removed by running the following command:
```
$ oc get smcp,smm,smmr -A
```
Example output
```
No resources found
```
Find namespaces with the maistra.io/ignore-namespace="true" label by running the following command:
```
$ oc get namespace -l maistra.io/ignore-namespace="true"
```
Example output
```
NAME       STATUS   AGE
bookinfo   Active   127m
```

Remove the label by running the following command:

$ oc label namespace bookinfo maistra.io/ignore-namespace-

Example output

namespace/bookinfo unlabeled

6.1.6. Additional Resources

Istio infrastructure status (Kiali.io documentation)

Chapter 7. Reference

7.1. Migrating references

Many configuration options in the OpenShift Service Mesh 2 ServiceMeshControlPlane resource have changed location in the OpenShift Service Mesh 3 Istio resource. The following tables provide guidance for creating a new Istio resource in OpenShift Service Mesh 3 based on your existing OpenShift Service Mesh 2 ServiceMeshControlPlane resource.

7.1.1. Configuration fields mapping between Service Mesh 2 and Service Mesh 3

Many of the spec fields in the OpenShift Service Mesh 2 ServiceMeshControlPlane can be configured in the the OpenShift Service Mesh 3 Istio resource.

The following tables provide guidance for configuring your Istio resource in OpenShift Service Mesh 3.

7.1.1.1. Cluster configurations

SMCP 2.6 configuration	Istio 3.0 configuration
spec.cluster.multiCluster.enabled	spec.values.global.multiCluster.enabled
spec.cluster.multiCluster.meshNetworks	spec.values.global.meshNetworks
spec.cluster.multiCluster.meshNetworks.endpoints	spec.values.global.meshNetworks.endpoints
spec.cluster.multiCluster.meshNetworks.endpoints.fromCID	spec.values.global.meshNetworks.endpoints.fromCidr
spec.cluster.multiCluster.meshNetworks.endpoints.fromRegistry	spec.values.global.meshNetworks.endpoints.fromRegistry
spec.cluster.multiCluster.meshNetworks.gateways	spec.values.global.meshNetworks.gateways
spec.cluster.multiCluster.meshNetworks.gateways.address	spec.values.global.meshNetworks.gateways.address
spec.cluster.multiCluster.meshNetworks.gateways.port	spec.values.global.meshNetworks.gateways.port
spec.cluster.multiCluster.meshNetworks.gateways.registryServiceName	spec.values.global.meshNetworks.gateways.registryServiceName
spec.cluster.name	spec.values.global.multiCluster.clusterName
spec.cluster.network	spec.values.global.network

7.1.1.2. General configurations

SMCP 2.6 configuration	Istio 3.0 configuration
spec.general.logging.componentLevels	spec.values.global.logging.levels
spec.general.logging.logAsJSON	spec.values.global.logAsJson
spec.general.validationMessages	spec.values.global.istiod.enableAnalysis

7.1.1.3. MeshConfig configurations

SMCP 2.6 configuration	Istio 3.0 configuration
spec.values.meshConfig.discoverySelectors	spec.values.meshConfig.discoverySelectors
spec.values.meshConfig.extensionProviders	spec.values.meshConfig.extensionProviders

7.1.1.4. Mode configurations

The mode configurations in the OpenShift Service Mesh 2 ServiceMeshControlPlane resource were:

Multitenant
Cluster-wide
Federation

In OpenShift Service Mesh 3, the mode is not configured by using a single field in the Istio resource.

By default, the OpenShift Service Mesh 3 control plane has access to all namespaces which is equivalent to cluster-wide mode in OpenShift Service Mesh 2. For a similar configuration to MultiTenant mode in OpenShift Service Mesh 2 in OpenShift Service Mesh 3, you must use the discoverySelectors field. For more information, see "Deploying multiple service meshes on a single cluster".

7.1.1.5. Profile configurations

The profile configuration options for OpenShift Service Mesh 3 are:

ambient
default
demo
empty
openshift-ambient
openshift
preview
stable

7.1.1.6. Proxy configurations

7.1.1.6.1. Access logging configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.accessLogging.envoyService.address	spec.values.meshConfig.defaultConfig.envoyAccessLogService.address
spec.proxy.accessLogging.envoyService.enabled	spec.values.meshConfig.enableEnvoyAccessLogService
spec.proxy.accessLogging.envoyService.tcpKeepalive	spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive
spec.proxy.accessLogging.envoyService.tcpKeepalive.interval	spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.interval
spec.proxy.accessLogging.envoyService.tcpKeepalive.probes	spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.probes
spec.proxy.accessLogging.envoyService.tcpKeepalive.time	spec.values.meshConfig.defaultConfig.envoyAccessLogService.tcpKeepalive.time
spec.proxy.accessLogging.envoyService.tlsSettings	spec.values.meshConfig.defaultConfig.envoyAccessLogService.tlsSettings
spec.proxy.accessLogging.file.encoding	spec.values.meshConfig.accessLogEncoding
spec.proxy.accessLogging.file.format	spec.values.meshConfig.accessLogFormat
spec.proxy.accessLogging.file.name	spec.values.meshConfig.accessLogFile

7.1.1.6.2. Basic proxy configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.adminPort	spec.values.meshConfig.defaultConfig.proxyAdminPort
spec.proxy.concurrency	spec.values.meshConfig.defaultConfig.concurrency

7.1.1.6.3. Envoy metrics service fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.envoyMetricsService.address	spec.values.meshConfig.defaultConfig.envoyMetricsService.address
spec.proxy.envoyMetricsService.enabled	spec.values.meshConfig.enableEnvoyAccessLogService
spec.proxy.envoyMetricsService.tcpKeepalive	spec.values.meshConfig.defaultConfig.envoyMetricsService.tcpKeepalive
spec.proxy.envoyMetricsService.tlsSettings	spec.values.meshConfig.defaultConfig.envoyMetricsService.tlsSettings

7.1.1.6.4. Injection configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.injection.alwaysInjectSelector	spec.values.sidecarInjectorWebhook.alwaysInjectSelector
spec.proxy.injection.neverInjectSelector	spec.values.sidecarInjectorWebhook.neverInjectSelector
spec.proxy.injection.injectedAnnotations	spec.values.sidecarInjectorWebhook.injectedAnnotations
spec.proxy.injection.autoInject	spec.values.global.proxy.autoInject

7.1.1.6.5. Proxy logging configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.logging.componentLevels	spec.values.global.proxy.componentLogLevel
spec.proxy.logging.level	spec.values.global.logging.level

7.1.1.6.6. Proxy networking configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.networking.clusterDomain	spec.values.global.proxy.clusterDomain
spec.proxy.networking.connectionTimeout	spec.values.meshConfig.connectTimeout
spec.proxy.networking.dns.refreshRate	spec.values.meshConfig.dnsRefreshRate
spec.proxy.networking.dns.searchSuffixes	spec.values.global.podDNSSearchNamespaces
spec.proxy.networking.initialization.initContainer.runtime.imageName	spec.values.global.proxy_init.image
spec.proxy.networking.initialization.initContainer.runtime.imagePullPolicy	spec.values.global.imagePullPolicy
spec.proxy.networking.initialization.initContainer.runtime.imagePullSecrets	spec.values.global.imagePullSecrets
spec.proxy.networking.initialization.initContainer.runtime.imageRegistry	spec.values.global.hub
spec.proxy.networking.initialization.initContainer.runtime.imageTag	spec.values.global.tag
spec.proxy.networking.initialization.initContainer.runtime.resources	spec.values.global.proxy_init.resources
spec.proxy.networking.maxConnectionAge	spec.values.pilot.keepaliveMaxServerConnectionAge
spec.proxy.networking.protocol.timeout	spec.values.meshConfig.protocolDetectionTimeout

7.1.1.6.7. Traffic control configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.networking.trafficControl.inbound.excludedPorts	spec.values.global.proxy.excludeInboundPorts
spec.proxy.networking.trafficControl.inbound.includedPorts	spec.values.global.proxy.includeInboundPorts
spec.proxy.networking.trafficControl.inbound.interceptionMode	spec.values.meshConfig.defaultConfig.interceptionMode
spec.proxy.networking.trafficControl.outbound.excludedIPRanges	spec.values.global.proxy.excludeIPRanges
spec.proxy.networking.trafficControl.outbound.excludedPorts	spec.values.global.proxy.excludeOutboundPorts
spec.proxy.networking.trafficControl.outbound.includedIPRanges	spec.values.global.proxy.includeIPRanges
spec.proxy.networking.trafficControl.outbound.policy	spec.values.meshConfig.outboundTrafficPolicy.mode

7.1.1.6.8. Proxy runtime configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.proxy.runtime.container.env	spec.values.meshConfig.defaultConfig.proxyMetadata
spec.proxy.runtime.container.imageName	spec.values.global.proxy.image
spec.proxy.runtime.container.imagePullPolicy	spec.values.global.imagePullPolicy
spec.proxy.runtime.container.imagePullSecrets	spec.values.global.imagePullSecrets
spec.proxy.runtime.container.imageRegistry	spec.values.global.hub
spec.proxy.runtime.container.imageTag	spec.values.global.tag
spec.proxy.runtime.container.resources	spec.values.global.proxy.resources
spec.proxy.runtime.readiness.failureThreshold	spec.values.global.proxy.readinessFailureThreshold
spec.proxy.runtime.readiness.initialDelaySeconds	spec.values.global.proxy.readinessInitialDelaySeconds
spec.proxy.runtime.readiness.periodSeconds	spec.values.global.proxy.readinessPeriodSeconds
spec.proxy.runtime.readiness.rewriteApplicationProbes	spec.values.sidecarInjectorWebhook.rewriteAppHTTPProbe
spec.proxy.runtime.readiness.statusPort	spec.values.global.proxy.statusPort

7.1.1.7. Runtime configurations

7.1.1.7.1. Container configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.runtime.components.container.env	spec.values.pilot.env
spec.runtime.components.container.imageName	spec.values.pilot.image
spec.runtime.components.container.imagePullPolicy	spec.values.global.imagePullPolicy
spec.runtime.components.container.imagePullSecrets	spec.values.global.imagePullSecrets
spec.runtime.components.container.imageRegistry	spec.values.global.hub
spec.runtime.components.container.imageTag	spec.values.pilot.tag
spec.runtime.components.container.resources	spec.values.pilot.resources

7.1.1.7.2. Deployment configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.runtime.components.deployment.autoScaling.enabled	spec.values.pilot.autoscaleEnabled
spec.runtime.components.deployment.autoScaling.maxReplicas	spec.values.pilot.autoscaleMax
spec.runtime.components.deployment.autoScaling.minReplicas	spec.values.pilot.autoscaleMin
spec.runtime.components.deployment.autoScaling.targetCPUUtilizationPercentage	spec.values.pilot.cpu.targetAverageUtilization
spec.runtime.components.deployment.replicas	spec.values.pilot.replicaCount
spec.runtime.components.deployment.strategy.rollingUpdate.maxSurge	spec.values.pilot.rollingMaxSurge
spec.runtime.components.deployment.strategy.rollingUpdate.maxUnavailable	spec.values.pilot.rollingMaxUnavailable

7.1.1.7.3. Pod configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.runtime.components.pod.affinity	spec.values.pilot.affinity
spec.runtime.components.pod.affinity.nodeAffinity	spec.values.pilot.affinity.nodeAffinity
spec.runtime.components.pod.affinity.podAffinity	spec.values.pilot.affinity.podAffinity
spec.runtime.components.pod.affinity.podAntiAffinity	spec.values.pilot.affinity.podAntiAffinity
spec.runtime.components.pod.metadata.annotations	spec.values.pilot.podAnnotations
spec.runtime.components.pod.metadata.labels	spec.values.pilot.podLabels
spec.runtime.components.pod.nodeSelector	spec.values.pilot.nodeSelector
spec.runtime.components.pod.tolerations	spec.values.pilot.tolerations

7.1.1.7.4. Defaults configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.runtime.defaults.container.imagePullPolicy	spec.values.global.imagePullPolicy
spec.runtime.defaults.container.imagePullSecrets	spec.values.global.imagePullSecrets
spec.runtime.defaults.container.imageRegistry	spec.values.global.hub
spec.runtime.defaults.container.imageTag	spec.values.global.tag
spec.runtime.defaults.container.resources	spec.values.global.defaultResources
spec.runtime.defaults.deployment.podDisruption.enabled	spec.values.global.defaultPodDisruptionBudget.enabled
spec.runtime.defaults.pod.nodeSelector	spec.values.global.defaultNodeSelector
spec.runtime.defaults.pod.tolerations	spec.values.global.defaultTolerations

7.1.1.8. Security configurations

7.1.1.8.1. Certificate Authority (CA) fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.certificateAuthority.cert-manager	spec.values.meshConfig.ca AND spec.values.global.pilotCertProvider
spec.security.certificateAuthority.cert-manager.address	spec.values.meshConfig.ca.address
spec.security.certificateAuthority.custom.address	spec.values.meshConfig.ca.address

7.1.1.8.2. Istiod CA fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.certificateAuthority.istiod.type	spec.values.global.pilotCertProvider

7.1.1.8.3. Control plane security fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.controlPlane.certProvider	spec.values.global.pilotCertProvider
spec.security.controlPlane.mtls	spec.values.meshConfig.enableAutoMtls
spec.security.controlPlane.tls.cipherSuites	spec.values.meshConfig.tlsDefaults.cipherSuites
spec.security.controlPlane.tls.ecdhCurves	spec.values.meshConfig.tlsDefaults.ecdhCurves
spec.security.controlPlane.tls.minProtocolVersion	spec.values.meshConfig.tlsDefaults.minProtocolVersion

7.1.1.8.4. Data plane security fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.dataPlane.automtls	spec.values.meshConfig.enableAutoMtls
spec.security.dataPlane.mtls	spec.values.meshConfig.meshMTLS

7.1.1.8.5. Identity configuration fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.identity.thirdParty.audience	spec.values.global.sds.token.aud

7.1.1.8.6. Other security fields

SMCP 2.6 configuration	Istio 3.0 configuration
spec.security.jwksResolverCA	spec.values.pilot.jwksResolverExtraRootCA
spec.security.trust.domain	spec.values.meshConfig.trustDomain
spec.security.trust.additionalDomains	spec.values.meshConfig.trustDomainAliases

7.1.1.9. Tracing configurations

SMCP 2.6 configuration	Istio 3.0 configuration
spec.tracing.sampling	spec.values.pilot.traceSampling

7.1.2. Unsupported configuration fields in Service Mesh 3

The following tables list OpenShift Service Mesh 2 ServiceMeshControlPlane configuration fields that are not supported in Red Hat OpenShift Service Mesh 3. This does not necessarily mean the functionality has been removed. In some cases, such as add ons, you need to install the application separately and configure it separately.

7.1.2.1. Unsupported add-on configurations

Add-ons, such as Red Hat OpenShift distributed tracing platform, Kiali Operator provided by Red Hat, and others, are managed and configured separately in OpenShift Service Mesh 3. For more information, see "Observability and Service Mesh".

spec.addons.3scale

spec.addons.grafana

spec.addons.jaeger

spec.addons.kiali

spec.addons.prometheus

spec.addons.stackdriver

7.1.2.2. Unsupported cluster configurations

spec.cluster.meshExpansion.ilbGateway,

spec.cluster.multiCluster.meshNetworks.gateways.service

7.1.2.3. Unsupported Gateways configurations

Gateways are managed separately in OpenShift Service Mesh 3.

7.1.2.4. Unsupported policy configurations

spec.policy.type

spec.policy.mixer

spec.policy.remote

7.1.2.5. Unsupported Proxy configurations

7.1.2.5.1. Unsupported Proxy networking configuration fields

spec.proxy.networking.initialization.type

spec.proxy.networking.initialization.initContainer.runtime.env

spec.proxy.networking.protocol.autoDetect

spec.proxy.networking.protocol.inbound

spec.proxy.networking.protocol.outbound

7.1.2.6. Unsupported runtime configurations

7.1.2.6.1. Unsupported deployment configuration fields

spec.runtime.components.deployment.strategy.type

7.1.2.6.2. Unsupported defaults configuration fields

spec.runtime.defaults.deployment.podDisruption.maxUnavailable

spec.runtime.defaults.deployment.podDisruption.minAvailable

7.1.2.7. Unsupported security configurations

7.1.2.7.1. Unsupported certificate Authority (CA) fields

spec.security.certificateAuthority.cert-manager.pilotSecretName

spec.security.certificateAuthority.cert-manager.rootCAConfigMapName

7.1.2.7.2. Unsupported Istiod CA fields

spec.security.certificateAuthority.istiod.privateKey.rootCADir

spec.security.certificateAuthority.istiod.selfSigned.checkPeriod

spec.security.certificateAuthority.istiod.selfSigned.enableJitter

spec.security.certificateAuthority.istiod.selfSigned.gracePeriod

spec.security.certificateAuthority.istiod.selfSigned.ttl

spec.security.certificateAuthority.istiod.workloadCertTTLDefault

spec.security.certificateAuthority.istiod.workloadCertTTLMax

7.1.2.7.3. Unsupported control plane security fields

spec.security.controlPlane.tls.maxProtocolVersion

7.1.2.7.4. Unsupported identity configuration fields

spec.security.identity.thirdParty.issuer

spec.security.identity.type

7.1.2.8. Unsupported Telemetry configurations

spec.telemetry.type

spec.telemetry.mixer

spec.telemetry.remote

7.1.3. Additional Resources

Observability and Service Mesh

Legal Notice

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.