Step-by-step instructions for a workaround you can perform to prevent the istio-ingressgateway IP from being changed.
Imagine this scenario: You have a Kubernetes cluster with the Istio add-on installed, and you need to update the Istio version. However, the version of the add-on that you installed is no longer supported and you cannot simply update it. You have to remove the current version and install a new version, but you may have a problem here — when you remove and install it again, you have no guarantee that the IP of istio-ingressgateway will be the same.
If that IP is referenced in NAT (Network Address Translation) entries, firewall rules, or any other configuration, a changed address may cause problems.
There is a workaround that prevents the IP from changing, and this article provides step-by-step instructions.
Workaround
To resolve this problem, follow these steps:
- Identify your istio-ingressgateway external IP
- Verify external IPs available for your cluster
- Create dummy load balancer services for all available external IPs (except for the istio-ingressgateway IP)
- Disable the Istio add-on (unsupported version)
- Wait for the istio-system namespace to be deleted
- Enable the Istio add-on (supported version)
- Check the istio-ingressgateway external IP (it should be the desired external IP)
- Delete all the dummy services you created
Step-by-step instructions
Step 1: Identify your istio-ingressgateway external IP
kubectl get service istio-ingressgateway -n istio-system
Take a look at the EXTERNAL-IP column — it is your IP.
Step 2: Verify all external IPs available for your cluster
kubectl get cm -n kube-system ibm-cloud-provider-vlan-ip-config -o json
Take a look at “vlanipmap.json” — in this field, you have all IPs available for your cluster. You need to count the number of IPs available to find out how many services you will need to create.
For example, if you have 29 IPs available, you will need to create 28 services, because 1 IP is already being used by istio-ingressgateway.
Step 3: Create dummy load balancer services
You will need to create a yaml file with the desired number of services. We are providing an example that contains 28 services, and you can adapt it to your needs.
Example: dummy_svc.yml
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-1
spec:
  selector:
    app: example
  ports:
    - port: 8765
      targetPort: 9365
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-2
spec:
  selector:
    app: example
  ports:
    - port: 8766
      targetPort: 9366
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-3
spec:
  selector:
    app: example
  ports:
    - port: 8767
      targetPort: 9367
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-4
spec:
  selector:
    app: example
  ports:
    - port: 8768
      targetPort: 9368
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-5
spec:
  selector:
    app: example
  ports:
    - port: 8769
      targetPort: 9369
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-6
spec:
  selector:
    app: example
  ports:
    - port: 8770
      targetPort: 9370
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-7
spec:
  selector:
    app: example
  ports:
    - port: 8771
      targetPort: 9371
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-8
spec:
  selector:
    app: example
  ports:
    - port: 8772
      targetPort: 9372
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-9
spec:
  selector:
    app: example
  ports:
    - port: 8773
      targetPort: 9373
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-10
spec:
  selector:
    app: example
  ports:
    - port: 8774
      targetPort: 9374
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-11
spec:
  selector:
    app: example
  ports:
    - port: 8775
      targetPort: 9375
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-12
spec:
  selector:
    app: example
  ports:
    - port: 8776
      targetPort: 9376
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-13
spec:
  selector:
    app: example
  ports:
    - port: 8777
      targetPort: 9377
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-14
spec:
  selector:
    app: example
  ports:
    - port: 8778
      targetPort: 9378
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-15
spec:
  selector:
    app: example
  ports:
    - port: 8779
      targetPort: 9379
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-16
spec:
  selector:
    app: example
  ports:
    - port: 8780
      targetPort: 9380
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-17
spec:
  selector:
    app: example
  ports:
    - port: 8781
      targetPort: 9381
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-18
spec:
  selector:
    app: example
  ports:
    - port: 8782
      targetPort: 9382
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-19
spec:
  selector:
    app: example
  ports:
    - port: 8783
      targetPort: 9383
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-20
spec:
  selector:
    app: example
  ports:
    - port: 8784
      targetPort: 9384
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-21
spec:
  selector:
    app: example
  ports:
    - port: 8785
      targetPort: 9385
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-22
spec:
  selector:
    app: example
  ports:
    - port: 8786
      targetPort: 9386
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-23
spec:
  selector:
    app: example
  ports:
    - port: 8787
      targetPort: 9387
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-24
spec:
  selector:
    app: example
  ports:
    - port: 8788
      targetPort: 9388
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-25
spec:
  selector:
    app: example
  ports:
    - port: 8789
      targetPort: 9389
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-26
spec:
  selector:
    app: example
  ports:
    - port: 8790
      targetPort: 9390
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-27
spec:
  selector:
    app: example
  ports:
    - port: 8791
      targetPort: 9391
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-28
spec:
  selector:
    app: example
  ports:
    - port: 8792
      targetPort: 9392
  externalTrafficPolicy: Local
  type: LoadBalancer
After the file is created, simply create the services:
kubectl apply -f dummy_svc.yml
Confirm that the services were created:
kubectl get services -A -o wide | grep LoadBalancer
Step 4: Disable the Istio add-on
In the IBM Cloud Portal, access your cluster, select the Add-ons option, click Managed Istio, and click on the Uninstall option.
Step 5: Wait for the istio-system namespace to be deleted
kubectl get pods -o wide -n istio-system
Wait until there is no Istio component running.
Step 6: Enable the Istio add-on
ibmcloud ks cluster addon enable istio --version <version> -c <ClusterID>
You must follow the process until the installation is completed. You can follow the status through the IBM Cloud console, in the Add-ons tab on your cluster, or if you prefer, you can follow the creation of the pods through the command line.
You can execute the commands below to follow the creation of pods and services:
kubectl get pods -o wide -n istio-system
kubectl get services -n istio-system
Step 7: Check the istio-ingressgateway external IP (it should be the desired external IP)
kubectl get service istio-ingressgateway -n istio-system
Take a look at the EXTERNAL-IP column — it is your IP.
Step 8: Delete all the dummy services you created
kubectl delete -f dummy_svc.yml
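Added example (not part of the original article or IBM's tooling): the counting in Step 2, the manifest in Step 3 and the comparison in Step 7 done in Python instead of by hand, so the number of dummy services always equals the pool size minus one. The sample ConfigMap is constructed, the nesting inside vlanipmap.json is an assumption, and the function names are hypothetical; the code only relies on addresses appearing as string values somewhere in that field.

```python
import ipaddress
import json

# Constructed sample of the Step 2 output. Addresses are documentation-range
# values; the nesting inside vlanipmap.json is an assumption, not a real dump.
SAMPLE_CM = json.dumps({"data": {"vlanipmap.json": json.dumps({"vlans": [
    {"id": "vlan-a", "subnets": [{"ips": ["203.0.113.10", "203.0.113.11"]}]},
    {"id": "vlan-b", "subnets": [{"ips": ["203.0.113.12", "203.0.113.13"]}]},
]})}})


def pool_ips(configmap_json):
    """Return every distinct IP found as a string value in vlanipmap.json."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            node = list(node.values())
        if isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str):
            try:
                found.add(ipaddress.ip_address(node))
            except ValueError:
                pass  # ids, zone names, CIDRs and other non-address strings
    walk(json.loads(json.loads(configmap_json)["data"]["vlanipmap.json"]))
    return sorted(found, key=lambda a: (a.version, int(a)))


def dummy_manifest(configmap_json, ingress_ip, first_port=8765):
    """Step 3: one placeholder Service per pool IP except the ingress IP."""
    ips = pool_ips(configmap_json)
    if ipaddress.ip_address(ingress_ip) not in ips:
        raise ValueError(f"{ingress_ip} is not in the pool; recheck Step 1")
    return "".join(
        "---\napiVersion: v1\nkind: Service\nmetadata:\n"
        f"  name: example-service-{n}\nspec:\n  selector:\n    app: example\n"
        f"  ports:\n    - port: {first_port + n - 1}\n"
        f"      targetPort: {first_port + n + 599}\n"
        "  externalTrafficPolicy: Local\n  type: LoadBalancer\n"
        for n in range(1, len(ips)))  # len(ips) - 1 services


def ip_preserved(before, after):
    """Step 7: True only if both EXTERNAL-IP values parse and are equal."""
    try:
        return ipaddress.ip_address(before.strip()) == ipaddress.ip_address(after.strip())
    except ValueError:
        return False  # e.g. "<pending>": keep the dummy services in place
```

The generated services keep the article's app: example selector, so confirm that no pod in the namespace where you apply them carries that label; otherwise the placeholder load balancers would route external traffic to it while they exist.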
Conclusion
The idea behind this workaround is to allocate all IPs with dummy services so that when removing and installing the Istio add-on, you only have one IP available for use. This guarantees that the add-on keeps the same IP after it is removed and installed again.
In this article, we describe the procedure for the istio-ingressgateway, as it was a situation that we experienced with one of our customers, but this procedure is not restricted to Istio. If you have any service that you need to recreate and want to ensure that it comes up with the same IP, you can use the same idea presented in this article.