istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/gateways/istio-egress/NOTES.txt

Changes:
- separate namespace allows:
-- easier reconfig of just the gateway
-- TLS secrets and domain name management are isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks

- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.

- simplified label structure. Label change is not supported on upgrade.

- for 'internal load balancer' you should deploy a separate gateway, in a different
namespace.

All ingress gateways have an "app:ingressgateway" label, used to identify them as
ingress gateways, and an "istio: ingressgateway$SUFFIX" label for Gateway selection.

The Gateways use "istio: ingressgateway$SUFFIX" selectors.


# Multiple gateway versions



# Using different pilot versions



# Migration from istio-system

Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:

1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Check that the new gateway works, for example by overriding the IP in /etc/hosts.
4. Modify the DNS server to add the A record of the new namespace.
5. Check traffic.
6. Delete the A record corresponding to the gateway in istio-system.
7. Upgrade istio-system, disabling the ingressgateway.
8. Delete the domain TLS certs from istio-system.

If using certmanager, all Certificate and associated configs must be moved as well.
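
Step 2 and the certmanager note above, as an added example (not part of the Istio chart): a Python helper that takes a TLS Secret exported as JSON, strips the server-populated metadata, retargets it to the new namespace, and warns when the Secret is managed by cert-manager. The namespace `istio-gateways`, the secret name and the key bytes are constructed placeholders, and dropping all annotations is a choice made for this example.

```python
import base64
import copy
import json

# Fields the API server fills in; they must not be carried into the new namespace.
SERVER_FIELDS = ("uid", "resourceVersion", "creationTimestamp",
                 "managedFields", "ownerReferences", "selfLink")
CERT_MANAGER_PREFIX = "cert-manager.io/"


def retarget_tls_secret(exported, new_namespace):
    """Return (manifest, warnings) for re-creating a TLS Secret in new_namespace."""
    if exported.get("kind") != "Secret" or exported.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = exported.get("data", {})
    for key in ("tls.crt", "tls.key"):
        if not base64.b64decode(data.get(key, ""), validate=True):
            raise ValueError(f"missing or empty {key}")

    secret = copy.deepcopy(exported)   # leave the caller's object untouched
    meta = secret["metadata"]
    warnings = []
    managed = [a for a in meta.get("annotations", {}) if a.startswith(CERT_MANAGER_PREFIX)]
    if managed or meta.get("ownerReferences"):
        warnings.append("secret is managed by cert-manager: move the Certificate "
                        "and associated configs instead of hand-copying the key")
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    # Drops last-applied-configuration (may embed the key) and cert-manager.io/*.
    meta.pop("annotations", None)
    meta["namespace"] = new_namespace
    return secret, warnings


# Constructed sample, shaped like `kubectl get secret -o json` output.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-com-tls", "namespace": "istio-system",
                 "uid": "00000000-0000-0000-0000-000000000000",
                 "resourceVersion": "12345",
                 "annotations": {"cert-manager.io/certificate-name": "example-com"}},
    "data": {"tls.crt": base64.b64encode(b"constructed-cert").decode(),
             "tls.key": base64.b64encode(b"constructed-key").decode()},
}

if __name__ == "__main__":
    manifest, notes = retarget_tls_secret(SAMPLE, "istio-gateways")  # assumed namespace
    print(json.dumps(manifest, indent=2), *notes, sep="\n")
```

The printed manifest contains private key material, so pipe it straight to `kubectl apply -f -` rather than writing it to disk.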