How to upgrade Istio without service downtime?

I’d like to know how to upgrade Istio in k8s without service downtime.


To minimize downtime, please ensure your Istio control plane components and your applications are highly available with multiple replicas (as multi-replica Citadel is still under development, Citadel should be deployed with one replica).
Citadel does not support multiple instances. Running multiple Citadel instances may introduce race conditions and lead to system outages.

In my understanding,

  • Any Istio components except Citadel can be upgraded without service downtime, if they have multiple replicas and a good update strategy.
  • But when Citadel is upgraded, Citadel goes down and this has a bad effect on traffic in the service mesh in terms of AuthN/AuthZ, because Citadel does not support multiple instances. There is a risk of causing service downtime.

Is there any way to upgrade Istio, especially Citadel, without service downtime?