Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Updating

Red Hat OpenShift Service Mesh 3.0

Updating OpenShift Service Mesh

Red Hat OpenShift Documentation Team

Abstract

This documentation provides information about how to update OpenShift Service Mesh.

Chapter 1. Updating OpenShift Service Mesh

The strategy you use to deploy a service mesh affects how you can update the mesh.

1.1. Understanding versioning

Red Hat OpenShift Service Mesh follows Semantic Versioning for all product releases. Semantic Versioning uses a three-part version number in the format X.Y.Z to communicate the nature of changes in each release.

X (Major version)
indicates significant updates that might include breaking changes, such as architectural shifts, API changes, or schema modifications.
Y (Minor version)
introduces new features and enhancements while maintaining backward compatibility.
Z (Patch version or z-stream release)
delivers critical bug fixes and security updates, such as Common Vulnerabilities and Exposures (CVEs) resolutions. Patch versions do not include new features.

1.2. Understanding Service Mesh and Istio versions

The most current OpenShift Service Mesh Operator version is 3.0.1. This version supports the features listed in the "Service Mesh 3.0.1 feature support tables". The OpenShift Service Mesh Operator includes additional Istio releases for upgrades but supports only the latest Istio version available for each Operator version. See the "Service Mesh version support tables" to identify the supported Istio version for each Operator release.

Additional resources

1.3. Understanding Operator updates and channels

The Operator Lifecycle Manager (OLM) manages Operators and their associated services by using channels to organize and distribute updates. Channels are a way to group related updates.

To ensure that your OpenShift Service Mesh stays current with the latest security patches, bug fixes, and software updates, keep the OpenShift Service Mesh Operator up to date. The upgrade process depends on the configured channel and approval strategy.

OLM provides the following channels for the OpenShift Service Mesh Operator:

  • Stable channel: tracks the most recent version of the OpenShift Service Mesh 3 Operator and the latest supported version of Istio. This channel enables upgrades to new operator versions and corresponding Istio updates as soon as they are released. Use the stable channel to stay current with the latest features, bug fixes, and security updates.
  • Versioned channel: restricts updates to patch-level releases within a specific minor version. For example, stable-3.0 provides access to the latest 3.0.1 patch version. When a new patch release becomes available, you can upgrade the Operator to the newer patch version. To move to a newer minor release, you must manually switch to a different channel. You can use a versioned channel to maintain a consistent minor version while applying only patch updates.
Note

You can find the update strategy field in the Install Operator section and under the sub-section update approval. The default value for the update strategy is Automatic.

1.3.1. About Operator update process

The OpenShift Service Mesh Operator will upgrade automatically to the latest available version based on the selected channel when the approval strategy field is set to Automatic (default). If the approval strategy field is set to Manual, Operator Lifecycle Manager (OLM) will generate an update request, which a cluster administrator must approve to update the Operator to the latest version.

The Operator update process does not automatically update the Istio control plane unless the Istio resource version is set to an alias (for example, vX.Y-latest) and the updateStrategy is set to InPlace. This triggers a control plane update when a new version is available in the Operator. By default, the Operator will not update the Istio control plane unless the Istio resource is updated with a new version.

1.4. About update strategies

The update strategy affects how the update process is performed. For each mesh, you select one of two strategies:

  • InPlace
  • RevisionBased

The default strategy is the InPlace strategy. For more information, see the following documentation located in "Updating OpenShift Service Mesh":

  • "About InPlace strategy"
  • "About RevisionBased strategy"

1.5. About InPlace strategy

The InPlace strategy runs only one revision of the control plane at all times. When you perform an InPlace update, all of the workloads immediately connect to the new version of the control plane. In order to ensure compatibility between the sidecars and the control plane you cannot upgrade by more than one minor version at a time.

1.5.1. Select InPlace strategy

To select the InPlace strategy, set the spec.updateStrategy.type value in the Istio resource to InPlace.

Example specification to select InPlace update strategy

kind: Istio
spec:
  updateStrategy:
    type: InPlace

You can set this value when you first create the resource or you can edit the resource later. If you choose to edit the resource after it is created, make the change prior to updating the Istio control plane.

1.5.2. Attach workloads to the control plane

When Istio is configured to use the InPlace strategy, the IstioRevision resource that the Operator creates always has the same name as the Istio resource. To attach the workloads to a control plane deployed using the InPlace strategy, you can set the istio.io/rev namespace label to the name of the IstioRevision.

Example istio.io namespace label to attach workloads to a mesh

$ oc label namespace <namespace-name> istio.io/rev=<revision-name>

Alternatively, you can apply the label to the workload pods by modifying the pod template in deployment resource.

Example pod template to attach workloads to a mesh

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    metadata:
      labels:
        istio.io/rev: <revision-name>

If the revision name is default, then you can attach the workloads to the revision by labeling the namespace with the label istio-injection: enabled.

Example istio-injection label to attach workloads to a mesh

oc label namespace <namespace-name> istio-injection=enabled

1.5.3. Performing InPlace update

When updating Istio using the InPlace strategy, you can only increment by one minor version at a time. If you want to update by more than one minor version, then you must increment the version and restart the workloads after each update. This ensures that the sidecar version is compatible with the control plane version. After all the workloads are restarted, the update process is complete.

Prerequisites

  • You are logged in to OpenShift Container Platform as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator, and deployed Istio.

Procedure

  1. Change the version in the Istio resource: 

    kind: Istio
spec:
  version: v1.24.3
  updateStrategy:
    type: InPlace

    The Service Mesh Operator deploys a new version of the control plane that replaces the old version of the control plane. The sidecars automatically reconnect to the new control plane.

  2. Confirm that the new version of the control plane is running and ready by entering the following command: 

    $ oc get istio <control-plane-name>

  3. Restart the application workloads so that the new version of the sidecar gets injected by entering the following command: 

    $ oc rollout restart deployment <deployment_name>

1.6. About RevisionBased strategy

An update that is performed using the RevisionBased strategy runs two revisions of a control plane. This capability allows you to gradually migrate workloads from the old control plane to the new control plane, making canary upgrades possible. The RevisionBased strategy also allows you to update by more than one minor version.

1.6.1. Select RevisionBased strategy

To deploy Istio with the RevisionBased strategy, create the Istio resource with the following spec.updateStrategy value:

Example specification to select RevisionBased strategy

kind: Istio
spec:
  version: v1.24.3
  updateStrategy:
    type: RevisionBased

After you select the strategy for the Istio resource, the Operator creates a new IstioRevision resource with the name <istio_resource_name>-<version>.

1.6.2. Attach workloads to the control plane by using RevisionBased strategy

To attach the workloads to a control plane deployed by using the RevisionBased strategy, you must set the istio.io/rev namespace label to the name of the IstioRevision resource. Alternatively, you can apply the label to the workload pods.

1.6.3. Performing RevisionBased update

When updating Istio using the RevisionBased strategy, you may increment by more than one minor version at a time because the existing sidecars do not automatically connect to the new revision of the control plane. Instead, you must manually move the workloads to the new control plane.

Prerequisites

  • You have installed the Red Hat OpenShift Service Mesh Operator, and deployed Istio.

Procedure

  1. Change the version in the Istio resource: 

    kind: Istio
spec:
  version: v1.24.3
  updateStrategy:
    type: RevisionBased

    The Service Mesh Operator deploys a new version of the control plane alongside the old version of the control plane. The sidecars remain connected to the old control plane.

  2. Confirm that both revisions of the control plane are running and ready: 

    $ oc get istiorevisions

  3. Move the workloads to the new control plane by updating the istio.io/rev label on the application namespace by running the following command: 

    $ oc label namespace <namespace_name> istio.io/rev=<new_revision_name> --overwrite

  4. Restart the application workloads so that the new version of the sidecar gets injected. 

    $ oc rollout restart deployment <deployment_name>

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubRedditYoutube

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.