istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/gateways/istio-ingress/NOTES.txt (about)

Changes:
- a separate namespace allows:
-- easier reconfiguration of just the gateway
-- TLS secrets and domain name management are isolated, for better security
-- simplified configuration
-- multiple versions of the ingress can be used, to minimize upgrade risks

- the new chart uses the default namespace service account, and doesn't require
additional RBAC permissions.

- simplified label and chart structure.
- ability to run a pilot dedicated to the gateway, isolated from the main pilot. This is more robust, safer on upgrades,
and allows a bit more flexibility.
- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.

# Port and basic host configuration

In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
In the past, this was done when installing/upgrading full Istio, and involved some duplication: ports were configured
in the upgrade, in the Gateway and in the VirtualService.

The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
Gateways and a basic VirtualService. It is still possible to configure only the ports in the Service, and do manual
config for the rest.

All internal services (telemetry, pilot debug ports, mesh expansion) can now be configured via the new mechanism.

# Migration from istio-system

Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
with the Service and bound to the namespace, it is recommended to:

1. Install the new gateway in a new namespace.
2. Copy any TLS certificate to the new namespace, and configure the domains.
3. Check that the new gateway works, for example by overriding the IP in /etc/hosts.
4. Modify the DNS server to add the A record of the new namespace.
5. Check traffic.
6. Delete the A record corresponding to the gateway in istio-system.
7. Upgrade istio-system, disabling the ingressgateway.
8. Delete the domain TLS certs from istio-system.

If using certmanager, all Certificate and associated configs must be moved as well.
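
Steps 2 and 3 of the migration, sketched in Python as an added example (not part of the Istio chart or these notes): the first function rewrites an exported TLS Secret so it can be applied in the new namespace without server-populated metadata, and the second checks the certificate served by the new gateway's IP without editing /etc/hosts. The namespace `new-gateway-ns`, the secret name and the sample manifest are constructed placeholders.

```python
import json
import socket
import ssl

# Server-populated metadata that must not be carried into the new namespace.
SERVER_FIELDS = ("uid", "resourceVersion", "creationTimestamp",
                 "ownerReferences", "managedFields", "selfLink", "generation")
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def retarget_tls_secret(secret, new_namespace):
    """Return a copy of an exported TLS Secret that can be applied elsewhere."""
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    data = secret.get("data") or {}
    missing = [k for k in ("tls.crt", "tls.key") if not data.get(k)]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    meta = {k: v for k, v in secret["metadata"].items() if k not in SERVER_FIELDS}
    meta["namespace"] = new_namespace
    annotations = {k: v for k, v in (meta.get("annotations") or {}).items()
                   if k != LAST_APPLIED}  # it embeds the old manifest
    meta.pop("annotations", None)
    if annotations:
        meta["annotations"] = annotations
    return {"apiVersion": "v1", "kind": "Secret", "type": secret["type"],
            "metadata": meta, "data": dict(data)}


def served_cert_names(gateway_ip, host, port=443, timeout=5.0):
    """Step 3 without /etc/hosts: connect to the new gateway's IP, send `host`
    as SNI, verify the chain and hostname, and return the DNS names served."""
    ctx = ssl.create_default_context()
    with socket.create_connection((gateway_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            names = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in names if kind == "DNS"]


# Constructed sample, shaped like `kubectl get secret -o json` output.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "example-com-tls", "namespace": "istio-system",
                 "uid": "constructed-uid", "resourceVersion": "12345",
                 "annotations": {LAST_APPLIED: "{}"}},
    "data": {"tls.crt": "Q09OU1RSVUNURUQ=", "tls.key": "Q09OU1RSVUNURUQ="},
}

if __name__ == "__main__":
    print(json.dumps(retarget_tls_secret(SAMPLE, "new-gateway-ns"), indent=2))
```

The rewritten manifest still contains the private key, so pipe it straight into `kubectl apply -f -` rather than writing it to disk.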