Lykon Engineering

How to upgrade to istio 1.2.4 using Helmfile

italolelis profile image Italo Vietro ・3 min read

We’ve faced an interesting challenge with our istio installation. We were running the istio version 1.1.7 for a while and wanted to upgrade to the most recent stable version. This is an easy task if you follow the upgrade instructions in the istio website.

We use helmfile to manage the multiple standard applications in our cluster. In this helmfile is our istio installation. Unfortunately, I wasn’t able to find a straightforward way of running helmfile sync and having the istio installation upgraded.

I’d like to share with you our step-by-step on how we upgraded our istio version.


Prior to the migration, we had a helmfile that declared our istio installation like this:

  kubeContext: my_cluster
  atomic: true

- name: incubator
  url: https://kubernetes-charts-incubator.storage.googleapis.com/
- name: istio
  url: https://storage.googleapis.com/istio-release/releases/1.1.7/charts/

  - name: istio-init
    namespace: istio-system
    chart: istio/istio-init

  - name: istio
    namespace: istio-system
    chart: istio/istio
    version: ~1.1.7
    values: [./istio/values.yaml]

Before jumping into the migration itself I recommend reading the istio upgrade notes.

Step 1 - Check your Custom Resource Definition (CRD)

If you have set up in your file the istio-init chart, like we did, then you might bump into the famous error of not being able to install the new charts because of existing CRD.

For us the simplest way was to drop some of them and let the istio chart recreate them.

Note that it’s recommended that you backup your current custom resource data, before proceeding with the upgrade.

$ kubectl get crds | grep ‘istio.io\|certmanager.k8s.io’ | cut -f1-1 -d “.” | \
    xargs -n1 -I{} sh -c “kubectl get —all-namespaces -oyaml {}; echo —“ > $HOME/ISTIO_1_0_RESTORE_CRD_DATA.yaml

Now let’s change our helmfile to pull the new istio version:

- name: incubator
  url: https://kubernetes-charts-incubator.storage.googleapis.com/
- name: istio
  url: https://storage.googleapis.com/istio-release/releases/1.2.4/charts/

  - name: istio-init
    namespace: istio-system
    chart: istio/istio-init

  - name: istio
    namespace: istio-system
    chart: istio/istio
    version: ~1.2.4
    values: [./istio/values.yaml]

We’ve written a simple script that will try to cleanup a few things like ClusterRole, ClusterRoleBinding, Attributes, Metrics definitions and PodDisruptionBudget. Be careful here, please take some time to read the script and only delete what you can.


# Download the most recent version of the charts
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.2.4 sh -

cd istio-1.2.4

# install the new version’s CRDs
helm upgrade --install --force istio-init install/kubernetes/helm/istio-init --namespace istio-system

## Check if all jobs are done
kubectl get job --namespace istio-system | grep istio-init-crd

# Here is where the cleanup will start
# First we have to remove the current istio’s cluster roles
kubectl delete clusterrole istio-egressgateway-istio-system istio-ingressgateway-istio-system

# Now the cluster role bindings
kubectl delete clusterrolebinding istio-egressgateway-istio-system istio-ingressgateway-istio-system istio-kiali-admin-role-binding-istio-system

# Moving on, to remove the Kubernetes attributes
kubectl delete kubernetes attributes

# Next, we delete all metric CDRs that istio had installed
kubectl delete metric requestcount requestduration requestsize responsesize tcpbytereceived tcpbytesent tcpconnectionsopened tcpconnectionsclosed

# Finally we remove the PodDisruptionBudget
kubectl delete poddisruptionbudget istio-egressgateway istio-egressgateway istio-ingressgateway istio-pilot istio-policy istio-telemetry

Note that the commands in this script can return something like:

Error from server (NotFound): metrics.config.istio.io "requestcount" not found

This means you don’t have the CRD installed, and when you run the istio upgrade, it will install it for you.

Updating istio

Finally, run the helmfile sync command to upgrade your istio installation.

$ helmfile -f helmfile.yaml sync

To confirm if everything worked run:

$ istioctl version

client version: 1.2.4
citadel version: 1.2.4
egressgateway version: 94746ccd404a8e056483dd02e4e478097b950da6-dirty
galley version: 1.2.4
ingressgateway version: 94746ccd404a8e056483dd02e4e478097b950da6-dirty
pilot version: 1.2.4
policy version: 1.2.4
sidecar-injector version: 1.2.4
telemetry version: 1.2.4

Check your Kiali installation and new dashboard

kubectl -n istio-system port-forward (kubectl -n istio-system get pod -l app=kiali -o jsonpath='{.items[0].metadata.name}') 20001:20001

Go to Kiali Console and see your new version.


That is it, a simple istio upgrade. I’m sure there are better ways of doing this, but this one was the easiest and quickest that worked well for us.

If you know better ways of doing this, please share it as it will be very helpful.

Thanks 👋

Posted on by:

italolelis profile

Italo Vietro


SRE Enthusiast, Distributed Systems Engineer, and Coffee Lover

Lykon Engineering

Lykon is defining the Healthcare Industry by developing digital applications to become your personalised healthy lifestyle companion. Our vision is to empower people to live a healthy life.


Editor guide