From bd3cea092e82d3788d85e43ab94248776e079f47 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Fri, 21 Feb 2025 18:48:53 -0600
Subject: [PATCH 01/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../using-bigbang/migrating-istio-in-bb3.0.md | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
new file mode 100644
index 0000000000..b42a00cbba
--- /dev/null
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -0,0 +1,118 @@
+# Upgrading from the Istio Operator to Helm based Istio
+
+### *The new service mesh is BETA in Big Bang 2.x and is planned to be completely stable in 3.0!*
+
+### Step 1 : Remove Istio from your deployment
+Before upgrading to version 3.0 of Big Bang with the new Helm-based Istio packages, we first need to disable Istio and Istio's Operator packages in our 2.x deployment of Big Bang. We do this by disabling the two obsolete [Istio packages in our Gitops configuration](https://repo1.dso.mil/kipten/template/-/blob/main/package-strategy/configmap.yaml?ref_type=heads#L18-22).
+```yaml
+istio:
+ enabled: false
+istioOperator:
+ enabled: false
+```
+After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces should have terminated. However, due due to Istio's finalizer, it's likely that the `istio-system` namespace will be stuck in the `terminating` state. We can force the deletion of this namespace with the following:
+```bash
+kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/istio-system/finalize" -f -
+```
+Both namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. These also need to be removed as they will be re-instantiated via the helm deployment of Istio. There are various methods to accomplish this feat, but by far the easiest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
+
+If you're on Mac or Linux, you can quickly install it with:
+```bash
+brew install istioctl
+```
+To complete the removal of the Istio remnants, purge [as per Istio's documentation](https://istio.io/latest/docs/setup/install/istioctl/#uninstall-istio):
+```bash
+istioctl uninstall --purge
+```
+Accept the prompt and these remnants are removed:
+```bash
+All Istio resources will be pruned from the cluster
+Proceed? (y/N) y
+ Removed admissionregistration.k8s.io/v1, Kind=MutatingWebhookConfiguration/istio-revision-tag-default..
+ Removed admissionregistration.k8s.io/v1, Kind=MutatingWebhookConfiguration/istio-sidecar-injector..
+ Removed admissionregistration.k8s.io/v1, Kind=ValidatingWebhookConfiguration/istio-validator-istio-system..
+ Removed admissionregistration.k8s.io/v1, Kind=ValidatingWebhookConfiguration/istiod-default-validator..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRole/istio-reader-clusterrole-istio-system..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRole/istiod-clusterrole-istio-system..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRole/istiod-gateway-controller-istio-system..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding/istio-reader-clusterrole-istio-system..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding/istiod-clusterrole-istio-system..
+ Removed rbac.authorization.k8s.io/v1, Kind=ClusterRoleBinding/istiod-gateway-controller-istio-system..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/authorizationpolicies.security.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/destinationrules.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/envoyfilters.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/gateways.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/peerauthentications.security.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/proxyconfigs.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/requestauthentications.security.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/serviceentries.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/sidecars.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/telemetries.telemetry.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/virtualservices.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/wasmplugins.extensions.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/workloadentries.networking.istio.io..
+ Removed apiextensions.k8s.io/v1, Kind=CustomResourceDefinition/workloadgroups.networking.istio.io..
+✔ Uninstall complete
+```
+
+### Step 2 : Deploy the new Helm based version of Istio
+Enabling the Helm based version of Istio entails enabling the `istioCore` package that provides both the `istio-base` and `istiod` charts. The `istioGatewayPublic` package provides the default ingress gateway for most packages and the `istioGatewayPassthrough` provides a secondary non-TLS gated gateway for specific apps that require this like Keycloak.
+```yaml
+istioCore:
+ enabled: true
+istioGatewayPublic:
+ enabled: true
+istioGatewayPassthrough:
+ enabled: true
+```
+You can check that new gateway recieves an external IP (from MetalLB or AWS LB) with:
+```bash
+kubectl get svc -n istio-gateway
+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
+public-ingressgateway LoadBalancer 10.43.110.109 172.16.88.88 15021:31155/TCP,80:31302/TCP,443:31046/TCP
+```
+You'll notice at this point that services are unreachable with errors like:
+```
+upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
+```
+The reason for this is becuase we now need to cycle istio-injected pods so that they connect to the new service mesh. The simple bash script below will iterate through all istio-injected namespaces and cycles all pods therein:
+```bash
+# in istio-injected namespaces, recycle pods
+for namespace in `kubectl get ns -o custom-columns=:.metadata.name --no-headers -l istio-injection=enabled`
+do
+ echo -e "\nâ™»ï¸ recycling pods in namespace: $namespace"
+ for pod in `kubectl get pods -o custom-columns=:.metadata.name --no-headers -n $namespace`
+ do
+ kubectl delete pod $pod -n $namespace
+ done
+done
+```
+### Optionally reconcile Helm Releases
+You may also need to initiate a reconciliation to all of Big Bang's helm releases managed by `flux`.
+
+This step does require that `flux` is [installed locally](https://fluxcd.io/flux/installation/). Linux and Mac users can simply:
+```bash
+brew install fluxcd/tap/flux
+```
+This simple bash script will iterate through all of Big Bang managed Helm release and prompt `flux` to [reconcile](https://fluxcd.io/flux/cmd/flux_reconcile_helmrelease) each HR one at a time waiting for them to complete. Typically, this can be useful when managing a Gitops deployment of Big Bang during upgrades or when helm and its dependencies get out of sync.
+```bash
+# reconcile all of big bang's helm releases w/ flux
+for hr in `kubectl get hr --no-headers -n bigbang | awk '{ print $1 }'`
+do
+ echo -e '\nâ˜¸ï¸ reconciling hr:' $hr
+ flux reconcile hr $hr -n bigbang --with-source
+done
+```
+### Enjoy your new helm based deploymenbt of Istio!
+At this point all services in the cluster should be reachable via the new service mesh.
+
+# Other Notes
+
+- The Istio Operator has reached its end of life not supporting versions of Istio after 1.23
+- An LTS release, Istio 1.23 is only supported [through May 2025](https://istio.io/latest/docs/releases/supported-releases/#:~:text=1.25%2C%201.26%2C%201.27-,1.23,-Yes)
+- The migration from Operator to Helm maintains a consistent version 1.23 to reduce the complexity of the process
+- In order to continue utilizing Istio in Big Bang releases >=3.0 this migration is required
+- An upgrade to version 1.24 of Istio will soon follow in version 3.1 or version 3.2 of Big Bang in mid-2025
+- A rollback from Helm Istio to Operator Istio is possible by reversing the migration steps process
+- [Diagnostic Tools for Istio](https://istio.io/latest/docs/ops/diagnostic-tools) and [Troubleshooting tips](https://github.com/istio/istio/wiki/Troubleshooting-Istio) can be of assistance for troubled migrations
+- Similarly, there is [an Istio manifest tool](https://github.com/istio/istio/pull/52281) that can be used to compare pre and post upgrades
\ No newline at end of file
--
GitLab
From e7d4b1935492b60b45015497608d0c659427f351 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:20:18 -0500
Subject: [PATCH 02/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index b42a00cbba..a79e507c94 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -1,6 +1,6 @@
# Upgrading from the Istio Operator to Helm based Istio
-### *The new service mesh is BETA in Big Bang 2.x and is planned to be completely stable in 3.0!*
+### *The new Istio Helm packages are BETA in Big Bang 2.x and will be stable in 3.0*
### Step 1 : Remove Istio from your deployment
Before upgrading to version 3.0 of Big Bang with the new Helm-based Istio packages, we first need to disable Istio and Istio's Operator packages in our 2.x deployment of Big Bang. We do this by disabling the two obsolete [Istio packages in our Gitops configuration](https://repo1.dso.mil/kipten/template/-/blob/main/package-strategy/configmap.yaml?ref_type=heads#L18-22).
--
GitLab
From 30a64f7fd75830c39f0f037e34c8235e63159479 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:22:42 -0500
Subject: [PATCH 03/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index a79e507c94..b7ed8ab391 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -2,8 +2,8 @@
### *The new Istio Helm packages are BETA in Big Bang 2.x and will be stable in 3.0*
-### Step 1 : Remove Istio from your deployment
-Before upgrading to version 3.0 of Big Bang with the new Helm-based Istio packages, we first need to disable Istio and Istio's Operator packages in our 2.x deployment of Big Bang. We do this by disabling the two obsolete [Istio packages in our Gitops configuration](https://repo1.dso.mil/kipten/template/-/blob/main/package-strategy/configmap.yaml?ref_type=heads#L18-22).
+### Step 1 : Remove Istio from your current deployment
+Before upgrading to the new Helm-based Istio packages, first disable the Istio and Istio's Operator packages.
```yaml
istio:
enabled: false
--
GitLab
From de87a7dc4d8bdd35fdcc2b6d60ce626539789a00 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:24:58 -0500
Subject: [PATCH 04/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index b7ed8ab391..74ac46a0bc 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -3,18 +3,20 @@
### *The new Istio Helm packages are BETA in Big Bang 2.x and will be stable in 3.0*
### Step 1 : Remove Istio from your current deployment
-Before upgrading to the new Helm-based Istio packages, first disable the Istio and Istio's Operator packages.
+Before upgrading to the new Helm-based Istio packages, first disable the Istio and Istio's Operator packages:
```yaml
istio:
enabled: false
istioOperator:
enabled: false
```
-After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces should have terminated. However, due due to Istio's finalizer, it's likely that the `istio-system` namespace will be stuck in the `terminating` state. We can force the deletion of this namespace with the following:
+After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due due to Istio's finalizer, the `istio-system` namespace will be stuck in the `terminating` state.
+
+Force the deletion of this namespace:
```bash
kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/istio-system/finalize" -f -
```
-Both namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. These also need to be removed as they will be re-instantiated via the helm deployment of Istio. There are various methods to accomplish this feat, but by far the easiest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
+Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. These also need to be removed as they will be re-instantiated via the helm deployment of Istio. There are various methods to accomplish this feat, but by far the easiest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
If you're on Mac or Linux, you can quickly install it with:
```bash
--
GitLab
From ded5cb8f378b7c3edb41c00b536ef84e85bc1100 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:28:31 -0500
Subject: [PATCH 05/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 74ac46a0bc..2e5ebee0d5 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -16,7 +16,7 @@ Force the deletion of this namespace:
```bash
kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/istio-system/finalize" -f -
```
-Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. These also need to be removed as they will be re-instantiated via the helm deployment of Istio. There are various methods to accomplish this feat, but by far the easiest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
+Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. Remove them as they will be recreated via the helm deployment of Istio. The quickest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
If you're on Mac or Linux, you can quickly install it with:
```bash
--
GitLab
From 8f5a73c7375c063065be299494d92fc64be09805 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:36:23 -0500
Subject: [PATCH 06/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../using-bigbang/migrating-istio-in-bb3.0.md | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 2e5ebee0d5..e6f65a68bc 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -18,15 +18,15 @@ kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl repla
```
Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. Remove them as they will be recreated via the helm deployment of Istio. The quickest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
-If you're on Mac or Linux, you can quickly install it with:
+If you're on Mac or Linux, you can install it with:
```bash
brew install istioctl
```
-To complete the removal of the Istio remnants, purge [as per Istio's documentation](https://istio.io/latest/docs/setup/install/istioctl/#uninstall-istio):
+To complete the removal of remaining Istio components, purge as per [Istio's documentation](https://istio.io/latest/docs/setup/install/istioctl/#uninstall-istio):
```bash
istioctl uninstall --purge
```
-Accept the prompt and these remnants are removed:
+Accept the prompt to proceed:
```bash
All Istio resources will be pruned from the cluster
Proceed? (y/N) y
@@ -57,14 +57,12 @@ Proceed? (y/N) y
✔ Uninstall complete
```
-### Step 2 : Deploy the new Helm based version of Istio
-Enabling the Helm based version of Istio entails enabling the `istioCore` package that provides both the `istio-base` and `istiod` charts. The `istioGatewayPublic` package provides the default ingress gateway for most packages and the `istioGatewayPassthrough` provides a secondary non-TLS gated gateway for specific apps that require this like Keycloak.
+### Step 2 : Deploy the new Helm Istio package
+Enabling the Helm based version of Istio entails enabling the `istioCore` package that provides both the `istio-base` and `istiod` charts. The `istioGateway` package provides the ability to add one or more egress gateways:
```yaml
istioCore:
enabled: true
-istioGatewayPublic:
- enabled: true
-istioGatewayPassthrough:
+istioGateway:
enabled: true
```
You can check that new gateway recieves an external IP (from MetalLB or AWS LB) with:
--
GitLab
From 29c8dde9ae6e39831abf407d39b3513a1d76dcb1 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:40:19 -0500
Subject: [PATCH 07/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index e6f65a68bc..73872077f7 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -65,6 +65,8 @@ istioCore:
istioGateway:
enabled: true
```
+When migrating gateway configurations from Operator to Operatorless, see [the examples here](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/values.yaml#L209-263) as a reference for the supported values formatting.
+
You can check that new gateway recieves an external IP (from MetalLB or AWS LB) with:
```bash
kubectl get svc -n istio-gateway
--
GitLab
From 82deb9db78ff9e0d9f0be5c1f51b6492fd827c13 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:45:32 -0500
Subject: [PATCH 08/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 73872077f7..827d08488f 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -65,19 +65,19 @@ istioCore:
istioGateway:
enabled: true
```
-When migrating gateway configurations from Operator to Operatorless, see [the examples here](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/values.yaml#L209-263) as a reference for the supported values formatting.
+When migrating gateway configurations from Operator to Operatorless, see [the examples here](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/values.yaml#L209-263) as a reference to format values.
-You can check that new gateway recieves an external IP (from MetalLB or AWS LB) with:
+After deployment, check that new gateway recieves an external IP (from MetalLB or AWS LB) with:
```bash
kubectl get svc -n istio-gateway
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
public-ingressgateway LoadBalancer 10.43.110.109 172.16.88.88 15021:31155/TCP,80:31302/TCP,443:31046/TCP
```
-You'll notice at this point that services are unreachable with errors like:
+Notice that services are now unreachable with errors like:
```
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
```
-The reason for this is becuase we now need to cycle istio-injected pods so that they connect to the new service mesh. The simple bash script below will iterate through all istio-injected namespaces and cycles all pods therein:
+To resolve this issue, cycle all istio-injected pods allowing their connection to the new service mesh. This simple bash script will iterate through all `istio-injected` namespaces and cycle all respective pods:
```bash
# in istio-injected namespaces, recycle pods
for namespace in `kubectl get ns -o custom-columns=:.metadata.name --no-headers -l istio-injection=enabled`
--
GitLab
From 7ed320c729d76cdd0edbc234d5bd97494e2626aa Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:48:00 -0500
Subject: [PATCH 09/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 827d08488f..5c024fec3a 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -77,7 +77,9 @@ Notice that services are now unreachable with errors like:
```
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end
```
-To resolve this issue, cycle all istio-injected pods allowing their connection to the new service mesh. This simple bash script will iterate through all `istio-injected` namespaces and cycle all respective pods:
+To resolve this issue, cycle all Istio injected pods allowing their reconnection to the new service mesh.
+
+This simple bash script will iterate through all `istio-injected` namespaces and recycle pods:
```bash
# in istio-injected namespaces, recycle pods
for namespace in `kubectl get ns -o custom-columns=:.metadata.name --no-headers -l istio-injection=enabled`
--
GitLab
From 40553b2f9e1f34ea2b472f06d82ed56c99c0e462 Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 17:58:44 -0500
Subject: [PATCH 10/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 5c024fec3a..02a4d9041a 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -18,7 +18,7 @@ kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl repla
```
Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. Remove them as they will be recreated via the helm deployment of Istio. The quickest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
-If you're on Mac or Linux, you can install it with:
+On macOS or Linux install it with:
```bash
brew install istioctl
```
@@ -92,13 +92,13 @@ do
done
```
### Optionally reconcile Helm Releases
-You may also need to initiate a reconciliation to all of Big Bang's helm releases managed by `flux`.
+It may be necessary, but not likely, to synchronize helm releases managed by Flux. Typically, this can occur when a Gitops deployment of Big Bang sees its helm resources get out of sync during an upgrade.
-This step does require that `flux` is [installed locally](https://fluxcd.io/flux/installation/). Linux and Mac users can simply:
+This step requires `flux` to be [installed locally](https://fluxcd.io/flux/installation/). Install it on macOS and Linux with:
```bash
brew install fluxcd/tap/flux
```
-This simple bash script will iterate through all of Big Bang managed Helm release and prompt `flux` to [reconcile](https://fluxcd.io/flux/cmd/flux_reconcile_helmrelease) each HR one at a time waiting for them to complete. Typically, this can be useful when managing a Gitops deployment of Big Bang during upgrades or when helm and its dependencies get out of sync.
+This bash script iterates through all helm releases managed by Big Bang and has `flux` initiate a [reconciliation](https://fluxcd.io/flux/cmd/flux_reconcile_helmrelease) on each HR one by one:
```bash
# reconcile all of big bang's helm releases w/ flux
for hr in `kubectl get hr --no-headers -n bigbang | awk '{ print $1 }'`
--
GitLab
From ce37049d2f0abc3b0bad10f64444489d3292efac Mon Sep 17 00:00:00 2001
From: Greg <miernicki_gregory@bah.com>
Date: Tue, 11 Mar 2025 18:10:48 -0500
Subject: [PATCH 11/17] =?UTF-8?q?=20=E2=9B=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../using-bigbang/migrating-istio-in-bb3.0.md | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 02a4d9041a..c067a1207b 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -94,7 +94,7 @@ done
### Optionally reconcile Helm Releases
It may be necessary, but not likely, to synchronize helm releases managed by Flux. Typically, this can occur when a Gitops deployment of Big Bang sees its helm resources get out of sync during an upgrade.
-This step requires `flux` to be [installed locally](https://fluxcd.io/flux/installation/). Install it on macOS and Linux with:
+The `flux` CLI must be [installed locally](https://fluxcd.io/flux/installation/) -- on macOS and Linux:
```bash
brew install fluxcd/tap/flux
```
@@ -107,16 +107,14 @@ do
flux reconcile hr $hr -n bigbang --with-source
done
```
-### Enjoy your new helm based deploymenbt of Istio!
-At this point all services in the cluster should be reachable via the new service mesh.
-# Other Notes
+At this point all services in the cluster should be reachable via the new service mesh.
-- The Istio Operator has reached its end of life not supporting versions of Istio after 1.23
+## Other Notes
+
+- The Istio Operator has reached its end of life and does not support versions of Istio after 1.23
- An LTS release, Istio 1.23 is only supported [through May 2025](https://istio.io/latest/docs/releases/supported-releases/#:~:text=1.25%2C%201.26%2C%201.27-,1.23,-Yes)
-- The migration from Operator to Helm maintains a consistent version 1.23 to reduce the complexity of the process
-- In order to continue utilizing Istio in Big Bang releases >=3.0 this migration is required
-- An upgrade to version 1.24 of Istio will soon follow in version 3.1 or version 3.2 of Big Bang in mid-2025
-- A rollback from Helm Istio to Operator Istio is possible by reversing the migration steps process
+- In order to continue utilizing Istio in Big Bang releases beyond 3.0, this migration is required
+- An upgrade to version 1.25 of Istio will soon follow in version 3.1 or version 3.2 of Big Bang in mid-2025
+- A rollback from Helm Istio to Operator Istio is possible by reversing the migration process above
- [Diagnostic Tools for Istio](https://istio.io/latest/docs/ops/diagnostic-tools) and [Troubleshooting tips](https://github.com/istio/istio/wiki/Troubleshooting-Istio) can be of assistance for troubled migrations
-- Similarly, there is [an Istio manifest tool](https://github.com/istio/istio/pull/52281) that can be used to compare pre and post upgrades
\ No newline at end of file
--
GitLab
From 3d40f6f3493ff5321933f16ed9690da72feb5b51 Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:33:00 +0000
Subject: [PATCH 12/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index c067a1207b..8f3d59b51c 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -3,7 +3,7 @@
### *The new Istio Helm packages are BETA in Big Bang 2.x and will be stable in 3.0*
### Step 1 : Remove Istio from your current deployment
-Before upgrading to the new Helm-based Istio packages, first disable the Istio and Istio's Operator packages:
+Before upgrading to the new helm-based Istio packages, first disable the istio and istioOperator packages:
```yaml
istio:
enabled: false
--
GitLab
From ae063ce074ee13d83c48e5ac8da030f5528439c6 Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:33:44 +0000
Subject: [PATCH 13/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 8f3d59b51c..dc442077d9 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -10,7 +10,7 @@ istio:
istioOperator:
enabled: false
```
-After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due due to Istio's finalizer, the `istio-system` namespace will be stuck in the `terminating` state.
+After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due to Istio's finalizer, the `istio-system` namespace will be stuck in the `terminating` state.
Force the deletion of this namespace:
```bash
--
GitLab
From 57104cbeec1bf63e5e6a8189fc4b0aa61f70fbe5 Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:34:25 +0000
Subject: [PATCH 14/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index dc442077d9..1e2b5d7f73 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -10,7 +10,7 @@ istio:
istioOperator:
enabled: false
```
-After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due to Istio's finalizer, the `istio-system` namespace will be stuck in the `terminating` state.
+After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due to Istio's finalizer, the `istio-system` namespace will be stuck in the **terminating** state.
Force the deletion of this namespace:
```bash
--
GitLab
From 75e62beb0a5c9cc8366ad281fdc3eca472c4799e Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:34:49 +0000
Subject: [PATCH 15/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 1e2b5d7f73..d2a5a9d749 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -10,7 +10,7 @@ istio:
istioOperator:
enabled: false
```
-After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due to Istio's finalizer, the `istio-system` namespace will be stuck in the **terminating** state.
+After a few minutes, all pods in both the `istio-system` and `istio-operator` namespaces will have terminated. However, due to Istio's finalizer, the `istio-system` namespace will be stuck in the _**terminating**_ state.
Force the deletion of this namespace:
```bash
--
GitLab
From 4bd3adcb4600f3c83ba8b2f64e04f0d7a3023216 Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:36:16 +0000
Subject: [PATCH 16/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index d2a5a9d749..3480445aee 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -16,7 +16,7 @@ Force the deletion of this namespace:
```bash
kubectl get ns istio-system -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/istio-system/finalize" -f -
```
-Both Istio namespaces are now removed yet other remnants of Istio still linger in the cluster including custom resources. Remove them as they will be recreated via the helm deployment of Istio. The quickest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
+Both Istio namespaces are now removed yet other remnants still linger, not limited to, but including custom resources. Remove them as they will be recreated via the helm deployment of Istio. The quickest way to do this is by using the [istioctl CLI tool](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/).
On macOS or Linux install it with:
```bash
--
GitLab
From 79575948904eec6aa5717c0967d9ab5c1bf13c41 Mon Sep 17 00:00:00 2001
From: Greg M <26463-kipten@users.noreply.gitlab.example.com>
Date: Wed, 12 Mar 2025 14:39:23 +0000
Subject: [PATCH 17/17] Edit migrating-istio-in-bb3.0.md
---
docs/guides/using-bigbang/migrating-istio-in-bb3.0.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
index 3480445aee..38691112d7 100644
--- a/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
+++ b/docs/guides/using-bigbang/migrating-istio-in-bb3.0.md
@@ -92,7 +92,7 @@ do
done
```
### Optionally reconcile Helm Releases
-It may be necessary, but not likely, to synchronize helm releases managed by Flux. Typically, this can occur when a Gitops deployment of Big Bang sees its helm resources get out of sync during an upgrade.
+It may (but unlikely) be necessary to synchronize the helm releases managed by Flux. Typically, this can occur when a Gitops deployment of Big Bang has its helm resources get out of sync during an upgrade.
The `flux` CLI must be [installed locally](https://fluxcd.io/flux/installation/) -- on macOS and Linux:
```bash
--
GitLab