consul/website/content/docs/api-gateway/upgrade-specific-versions.mdx

441 lines
17 KiB
Plaintext
Raw Normal View History

2022-04-22 18:06:32 +00:00
---
layout: docs
2022-04-27 18:03:14 +00:00
page_title: Upgrades
2022-04-22 18:06:32 +00:00
description: >-
2022-04-27 18:03:14 +00:00
This topic describes how to upgrade Consul API Gateway.
2022-04-22 18:06:32 +00:00
---
2022-04-27 18:03:14 +00:00
# Upgrades
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
This topic describes how to upgrade Consul API Gateway.
2022-04-26 22:56:50 +00:00
## v0.3.0
2022-06-21 20:56:57 +00:00
Consul API Gateway v0.3.0 introduces a breaking change for people upgrading from lower versions. Gateways with `listner` with a `certificateRef` defined in a different namespace now require a [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) that explicitly allows `Gateways` from the gateway's namesapce to use `certificateRef` in the `certificateRef`'s namespace.
### Requirements
Ensure that the following requirements are met prior to upgrading:
- Consul API Gateway should be running version v0.2.1 or lower.
- You should have the ability to run `kubectl` CLI commands.
- `kubectl` should be configured to point to the cluster containing the installation you are upgrading.
- You should have the following permission rights on your Kubernetes cluster:
- `Gateway.read`
2022-06-20 19:25:15 +00:00
- `ReferencePolicy.create`
2022-06-21 21:26:46 +00:00
- (Optional) The [jq](https://stedolan.github.io/jq/download/) command line processor for JSON can be installed, which will ease gateway retrieval during the upgrade process.
### Procedure
1. Verify the current version of the `consul-api-gateway-controller` `Deployment`:
```shell-session
$ kubectl get deployment --namespace consul consul-api-gateway-controller --output=jsonpath= "{@.spec.template.spec.containers[?(@.name=='api-gateway-controller')].image}"
```
You should receive a response similar to the following:
```log
2022-06-16 20:36:27 +00:00
"hashicorp/consul-api-gateway:0.2.1"
```
2022-06-21 20:56:57 +00:00
1. Retrieve all gateways that have a `certificateRef` in a different namespace. If you have installed the [`jq`](https://stedolan.github.io/jq/) utility, you can skip to [step 4](#jq-command-secrets). Otherwise, issue the following command to get all `Gateways` across all namespaces:
```shell-session
$ kubectl get Gateway --output json --all-namespaces
```
If you have any active `Gateways`, you will receive output similar to the following response. The output has been truncated to show only relevant fields:
```yaml
2022-06-21 20:56:57 +00:00
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: example-gateway
namespace: gateway-namespace
spec:
gatewayClassName: "consul-api-gateway"
listeners:
- name: https
port: 443
protocol: HTTPS
allowedRoutes:
namespaces:
from: All
tls:
certificateRefs:
- group: ""
kind: Secret
name: example-certificate
namespace: certificate-namespace
```
2022-06-21 20:56:57 +00:00
1. Inspect the `certificateRefs` entries for each of the routes.
2022-06-21 21:33:11 +00:00
If a `namespace` field is not defined in the `certificateRef` or if the namespace matches the namespace of the parent `Gateway`, then no additional action is required for the `certificateRef`. Otherwise, note the `namespace` field values for `certificateRef` configurations that have a `namespace` defined that do not match the namespace of the parent `Gateway`. You must also note the `namespace` of the parent gateway. You will need these to create a `ReferencePolicy` that explicitly allows each cross-namespace certificateRef-to-gateway pair. (see [step 5](#create-secret-reference-policy)).
After completing this step, you will have a list of all secrets similar to the following:
<CodeBlockConfig hideClipboard>
```yaml hideClipboard
2022-06-21 20:56:57 +00:00
example-certificate:
- namespace: certificate-namespace
parentNamespace: gateway-namespace
```
</CodeBlockConfig>
Proceed with the [standard-upgrade](#standard-upgrade) if your list is empty.
2022-06-21 21:21:29 +00:00
<a name="jq-command-secrets"/>
2022-06-20 19:25:15 +00:00
1. If you have installed [`jq`](https://stedolan.github.io/jq/), issue the following command to get all `Gateways` and filter for secrets that require a `ReferencePolicy`.
```shell-session
2022-06-21 21:21:29 +00:00
2022-06-21 15:05:38 +00:00
$ kubectl get Gateway -o json -A | jq -r '.items[] | {gateway_name: .metadata.name, gateway_namespace: .metadata.namespace, kind: .kind, crossNamespaceSecrets: ( .metadata.namespace as $parentnamespace | .spec.listeners[] | select(has("tls")) | .tls.certificateRefs[] | select(.namespace != null and .namespace != $parentnamespace ) )} '
2022-06-21 21:21:29 +00:00
```
2022-06-20 19:25:15 +00:00
The output will resemble the following response if gateways that require a new `ReferencePolicy` are returned:
<CodeBlockConfig hideClipboard>
```log hideClipboard
{
"gateway_name": "example-gateway",
"gateway_namespace": "gateway-namespace",
"kind": "Gateway",
"crossNamespaceSecrets": {
"group": "",
"kind": "Secret",
2022-06-21 20:56:57 +00:00
"name": "cexample-certificate",
"namespace": "certificate-namespace"
}
}
```
</CodeBlockConfig>
If your output is empty, proceed with the [standard-upgrade](#standard-upgrade).
2022-06-20 20:33:49 +00:00
<a name="create-secret-reference-policy"/>
2022-06-20 19:25:15 +00:00
1. Using the list of secrets you created earlier as a guide, create a [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) to allow each gateway cross namespace secret access.
2022-06-21 20:56:57 +00:00
The `ReferencePolicy` explicitly allows each cross-namespace gateway to secret pair. The `ReferencePolicy` must be created in the same `namespace` as the `certificateRef`.
2022-06-20 19:25:15 +00:00
Skip to the next step if you've already created a `ReferencePolicy`.
<!---
TODO: add link to our docs on Cross Namespace Reference Policies, once we have written then, and tell the user to see them for more details on how to create these policies.
--->
2022-06-21 20:56:57 +00:00
The following example `ReferencePolicy` enables `example-gateway` in `gateway-namespace` to utilize `certificateRefs` in the `certificate-namespace` namespace:
2022-06-20 19:25:15 +00:00
<CodeBlockConfig filename="referencepolicy.yaml">
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
2022-06-20 19:25:15 +00:00
kind: ReferencePolicy
metadata:
name: reference-policy
2022-06-21 20:56:57 +00:00
namespace: certificate-namespace
spec:
from:
- group: gateway.networking.k8s.io
kind: Gateway
namespace: gateway-namespace
to:
- group: ""
kind: Secret
```
</CodeBlockConfig>
2022-06-21 20:56:57 +00:00
1. If you have already created a `ReferencePolicy`, modify it to allow your gateway to access your `certificateRef` and save it as `referencepolicy.yaml`. Note that each `ReferencePolicy` only supports one `to` field and one `from` field (refer the [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/referencepolicy/#api-design-decisions) documentation). As a result, you may need to create multiple `ReferencePolicy`s.
1. Issue the following command to apply it to your cluster:
```shell-session
2022-06-20 19:25:15 +00:00
$ kubectl apply --filename referencepolicy.yaml
```
2022-06-21 20:56:57 +00:00
Repeat this step as needed until each of your cross-namespace `certificateRefs` have a corresponding `ReferencePolicy`.
2022-06-21 20:56:57 +00:00
Proceed with the [standard-upgrade](#standard-upgrade).
## v0.2.0
2022-06-20 19:25:15 +00:00
Consul API Gateway v0.2.0 introduces a breaking change for people upgrading from Consul API Gateway v0.1.0. Routes with a `backendRef` defined in a different namespace now require a [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) that explicitly allows traffic from the route's namespace to the `backendRef`'s namespace.
2022-04-22 18:06:32 +00:00
### Requirements
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
Ensure that the following requirements are met prior to upgrading:
2022-04-22 18:06:32 +00:00
- Consul API Gateway should be running version v0.1.0.
2022-04-27 18:03:14 +00:00
- You should have the ability to run `kubectl` CLI commands.
- `kubectl` should be configured to point to the cluster containing the installation you are upgrading.
- You should have the following permission rights on your Kubernetes cluster:
2022-04-29 16:52:00 +00:00
- `HTTPRoute.read`
- `TCPRoute.read`
2022-06-20 19:25:15 +00:00
- `ReferencePolicy.create`
- (Optional) The [jq](https://stedolan.github.io/jq/download/) command line processor for JSON can be installed, which will ease route retrieval during the upgrade process.
2022-04-22 18:06:32 +00:00
### Procedure
2022-04-22 18:06:32 +00:00
2022-04-29 16:52:00 +00:00
2022-04-27 18:03:14 +00:00
1. Verify the current version of the `consul-api-gateway-controller` `Deployment`:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
$ kubectl get deployment --namespace consul consul-api-gateway-controller --output=jsonpath= "{@.spec.template.spec.containers[?(@.name=='api-gateway-controller')].image}"
```
2022-04-26 22:56:50 +00:00
2022-04-27 18:03:14 +00:00
You should receive the following response:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```log
"hashicorp/consul-api-gateway:0.1.0"
```
2022-04-22 18:06:32 +00:00
1. Retrieve all routes that have a backend in a different namespace. If you have installed the [`jq`](https://stedolan.github.io/jq/) utility, you can skip to [step 4](#jq-command). Otherwise, issue the following command to get all `HTTPRoutes` and `TCPRoutes` across all namespaces:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
$ kubectl get HTTPRoute,TCPRoute --output json --all-namespaces
2022-04-27 18:03:14 +00:00
```
2022-04-29 16:52:00 +00:00
2022-04-27 18:03:14 +00:00
Note that the command only retrieves `HTTPRoutes` and `TCPRoutes`. `TLSRoutes` and `UDPRoutes` are not supported in v0.1.0.
2022-04-27 18:03:14 +00:00
If you have any active `HTTPRoutes` or `TCPRoutes`, you will receive output similar to the following response. The output has been truncated to show only relevant fields:
2022-04-27 18:03:14 +00:00
```yaml
apiVersion: v1
items:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
name: example-http-route,
namespace: example-namespace,
2022-04-26 22:56:50 +00:00
...
2022-04-27 18:03:14 +00:00
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway
namespace: gw-ns
rules:
- backendRefs:
- group: ""
kind: Service
name: web-backend
namespace: gateway-namespace
...
...
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: example-tcp-route,
namespace: a-different-namespace,
2022-04-26 22:56:50 +00:00
...
2022-04-27 18:03:14 +00:00
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway
2022-04-26 22:56:50 +00:00
namespace: gateway-namespace
2022-04-27 18:03:14 +00:00
rules:
- backendRefs:
- group: ""
kind: Service
name: web-backend
namespace: gateway-namespace
...
...
```
2022-04-29 16:52:00 +00:00
1. Inspect the `backendRefs` entries for each of the routes.
If a `namespace` field is not defined in the `backendRef` or if the namespace matches the namespace of the route, then no additional action is required for the `backendRef`. Otherwise, note the `group`, `kind`, `name`, and `namespace` field values for `backendRef` configurations that have a `namespace` defined that do not match the namespace of the parent route. You must also note the `kind` and `namespace` of the parent route. You will need these to create a `ReferencePolicy` that explicitly allows each cross-namespace route-to-service pair to prevent the route from breaking (see [step 5](#create-reference-policy)).
2022-04-27 18:03:14 +00:00
After completing this step, you will have a list of all routes similar to the following:
<CodeBlockConfig hideClipboard>
2022-04-27 18:03:14 +00:00
```yaml hideClipboard
2022-04-27 18:03:14 +00:00
example-http-route:
- namespace: example-namespace
kind: HTTPRoute
backendReferences:
- group : ""
kind: Service
name: web-backend
namespace: gateway-namespace
example-tcp-route:
- namespace: a-different-namespace
kind: HTTPRoute
backendReferences:
- group : ""
kind: Service
name: web-backend
namespace: gateway-namespace
```
2022-04-29 16:52:00 +00:00
</CodeBlockConfig>
2022-04-27 18:03:14 +00:00
Proceed with [standard-upgrade](#standard-upgrade) if your list is empty.
2022-04-27 18:03:14 +00:00
<a name="jq-command"/>
2022-06-20 19:25:15 +00:00
1. If you have installed [`jq`](https://stedolan.github.io/jq/), issue the following command to get all `HTTPRoutes` and `TCPRoutes` and filter for routes that require a `ReferencePolicy`.
2022-04-27 18:03:14 +00:00
```shell-session
$ kubectl get HTTPRoute,TCPRoute -o json -A | jq -r '.items[] | {name: .metadata.name, namespace: .metadata.namespace, kind: .kind, crossNamespaceBackendReferences: ( .metadata.namespace as $parentnamespace | .spec.rules[] .backendRefs[] | select(.namespace != null and .namespace != $parentnamespace ) )} '
```
2022-04-27 18:03:14 +00:00
Note that the command retrieves all `HTTPRoutes` and `TCPRoutes`. `TLSRoutes` and `UDPRoutes` are not supported in v0.1.0.
2022-06-20 19:25:15 +00:00
The output will resemble the following response if routes that require a new `ReferencePolicy` are returned:
2022-04-27 18:03:14 +00:00
<CodeBlockConfig hideClipboard>
```log hideClipboard
2022-04-27 18:03:14 +00:00
{
"name": "example-http-route",
"namespace": "example-namespace",
"kind": "HTTPRoute",
"crossNamespaceBackendReferences": {
"group": "",
"kind": "Service",
"name": "web-backend",
"namespace": "gateway-namespace",
"port": 8080,
"weight": 1
}
2022-04-22 18:06:32 +00:00
}
2022-04-27 18:03:14 +00:00
{
"name": "example-tcp-route",
"namespace": "a-different-namespace",
"kind": "TCPRoute",
"crossNamespaceBackendReferences": {
"group": "",
"kind": "Service",
"name": "web-backend",
"namespace": "gateway-namespace",
"port": 8080,
"weight": 1
}
2022-04-22 18:06:32 +00:00
}
2022-04-27 18:03:14 +00:00
```
2022-04-29 16:52:00 +00:00
</CodeBlockConfig>
If your output is empty, proceed with the [standard-upgrade](#standard-upgrade).
<a name="create-reference-policy"/>
2022-04-22 18:06:32 +00:00
2022-06-20 19:25:15 +00:00
1. Using the list of routes you created earlier as a guide, create a [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) to allow cross namespace traffic for each route service pair.
The `ReferencePolicy` explicitly allows each cross-namespace route to service pair to prevent the route from breaking. The `ReferencePolicy` must be created in the same `namespace` as the backend `Service`.
2022-04-22 18:06:32 +00:00
2022-06-20 19:25:15 +00:00
Skip to the next step if you've already created a `ReferencePolicy`.
2022-04-27 18:03:14 +00:00
<!---
TODO: add link to our docs on Cross Namespace Reference Policies, once we have written then, and tell the user to see them for more details on how to create these policies.
--->
2022-06-20 19:25:15 +00:00
The following example `ReferencePolicy` enables `HTTPRoute` traffic from the `example-namespace` to Kubernetes Services in the `web-backend` namespace:
2022-04-22 18:06:32 +00:00
2022-06-20 19:25:15 +00:00
<CodeBlockConfig filename="referencepolicy.yaml">
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
2022-06-20 19:25:15 +00:00
kind: ReferencePolicy
2022-04-27 18:03:14 +00:00
metadata:
name: reference-policy
2022-04-27 18:03:14 +00:00
namespace: gateway-namespace
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: example-namespace
to:
- group: ""
kind: Service
name: web-backend
```
2022-04-29 16:52:00 +00:00
2022-04-27 18:03:14 +00:00
</CodeBlockConfig>
2022-04-22 18:06:32 +00:00
2022-06-20 19:25:15 +00:00
1. If you have already created a `ReferencePolicy`, modify it to allow your route and save it as `referencepolicy.yaml`. Note that each `ReferencePolicy` only supports one `to` field and one `from` field (refer the [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/referencepolicy/#api-design-decisions) documentation). As a result, you may need to create multiple `ReferencePolicy`s.
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
1. Issue the following command to apply it to your cluster:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
2022-06-20 19:25:15 +00:00
$ kubectl apply --filename referencepolicy.yaml
2022-04-27 18:03:14 +00:00
```
2022-04-22 18:06:32 +00:00
2022-06-20 19:25:15 +00:00
Repeat this step as needed until each of your cross-namespace routes have a corresponding `ReferencePolicy`.
2022-06-21 20:56:57 +00:00
Proceed with the [standard-upgrade](#standard-upgrade).
## Standard Upgrade
~> **Note:** When you see `VERSION` in examples of commands or configuration settings, replace `VERSION` with the version number of the release you are installing, like `0.2.0`. If there is a lower case "v" in front of `VERSION` the version number needs to follow the "v" as is `v0.2.0`
### Requirements
Ensure that the following requirements are met prior to upgrading:
- You should have the ability to run `kubectl` CLI commands.
- `kubectl` should be configured to point to the cluster containing the installation you are upgrading.
### Procedure
This is the upgrade path to use when there are no version specific steps to take.
<a name="standard-upgrade"/>
2022-04-22 18:06:32 +00:00
2022-04-29 16:52:00 +00:00
1. Issue the following command to install the new version of CRDs into your cluster:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
``` shell-session
2022-04-29 16:52:00 +00:00
$ kubectl apply --kustomize="github.com/hashicorp/consul-api-gateway/config/crd?ref=vVERSION"
2022-04-27 18:03:14 +00:00
```
2022-04-22 18:06:32 +00:00
1. Update `apiGateway.image` in `values.yaml`:
<CodeBlockConfig hideClipboard filename="values.yaml">
```yaml
...
apiGateway:
2022-04-29 16:52:00 +00:00
image: hashicorp/consul-api-gateway:VERSION
...
```
2022-04-29 16:52:00 +00:00
</CodeBlockConfig>
2022-04-27 18:03:14 +00:00
1. Issue the following command to upgrade your Consul installation:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
2022-06-16 20:36:27 +00:00
$ helm upgrade --values values.yaml --namespace consul --version <NEW_VERSION> <DEPLOYMENT_NAME> hashicorp/consul
2022-04-27 18:03:14 +00:00
```
2022-04-27 18:03:14 +00:00
Note that the upgrade will cause the Consul API Gateway controller shut down and restart with the new version.
2022-04-22 18:06:32 +00:00
1. According to the Kubernetes Gateway API specification, [Gateway Class](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io%2fv1alpha2.GatewayClass) configurations should only be applied to a gateway upon creation. To see the effects on preexisting gateways after upgrading your CRD installation, delete and recreate any gateways by issuing the following commands:
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
$ kubectl delete --filename <path_to_gateway_config.yaml>
$ kubectl create --filename <path_to_gateway_config.yaml>
2022-04-27 18:03:14 +00:00
```
<!---
2022-04-22 18:06:32 +00:00
remove this warning once updating a gateway triggers reconciliation on child routes
2022-04-27 18:03:14 +00:00
--->
2022-04-22 18:06:32 +00:00
2022-04-27 18:03:14 +00:00
1. (Optional) Delete and recreate your routes. Note that it may take several minutes for attached routes to reconcile and start reporting bind errors.
2022-04-29 16:52:00 +00:00
2022-04-27 18:03:14 +00:00
```shell-session
$ kubectl delete --filename <path_to_route_config.yaml>
$ kubectl create --filename <path_to_route_config.yaml>
2022-04-27 18:03:14 +00:00
```
2022-04-22 18:06:32 +00:00
### Post-Upgrade Configuration Changes
2022-04-22 18:06:32 +00:00
2022-04-29 16:52:00 +00:00
No additional configuration changes are required for this upgrade.