DocsEdge StackUpgrade Ambassador Edge Stack 3.4.X to Ambassador Edge Stack 3.11.1 (Helm)
Upgrade Ambassador Edge Stack 3.4.X to Ambassador Edge Stack 3.11.1 (Helm)
Since Ambassador Edge Stack's configuration is entirely stored in Kubernetes resources, upgrading between versions is straightforward.
Ambassador Edge Stack 3 is functionally compatible with Ambassador Edge Stack 2.x, but with any major upgrade there are some changes to consider. Such as, Envoy removing support for V2 Transport Protocol features. Below we will outline some of these changes and things to consider when upgrading.
Resources to check before migrating to 3.11.1.
Ambassador Edge Stack 3.X has been upgraded from Envoy 1.17.X to Envoy 1.22 which removed support for the Envoy V2 Transport Protocol. This means all AuthService
, RatelimitService
, LogServices
, and External Filters
must be updated to use the V3 Protocol. Additionally support for some of the runtime bootstrap flags has been removed.
You can refer to the Major changes in Ambassador Edge Stack 3.x guide for an overview of the changes.
Ambassador Edge Stack 3.2 fixed a bug with
Host.spec.selector\mappingSelector
andListener.spec.selector
not being properly enforced. In previous versions, if only a single label from the selector was present on the resource then they would be associated. Additionally, when associatingHosts
withMappings
, if theMapping
configured ahostname
that matched thehostname
of theHost
then they would be associated regardless of the configuration of theselector\mappingSelector
on theHost
.Before upgrading, review your Ambassador resources, and if you make use of the selectors, ensure that every other resource you want it to be associated with contains all the required labels.
The environment variable
DISABLE_STRICT_LABEL_SELECTORS
can be set to"true"
on the Ambassador Edge Stack deployment to revert to the old incorrect behavior to help prevent any configuration issues after upgrading in the event that not all manifests making use of the selectors have been corrected yet.For more information on
DISABLE_STRICT_LABEL_SELECTORS
see the Environment Variables page.
Check Transport Protocol usage on all resources before migrating.
The
AuthService
,RatelimitService
,LogServices
, and ExternalFilters
that use thegrpc
protocol will now need to explicilty setprotocol_version: "v3"
. If not set or set tov2
then an error will be posted and a static response will be returned.protocol_version
should be updated tov3
for all of the above resources while still running Ambassador Edge Stack 2.5.1. As of version2.3.z
+, support forprotocol_version
v2
andv3
is supported in order to allow migration fromprotocol_version
v2
tov3
before upgrading to Ambassador Edge Stack 3.11.1 where support forv2
is removed.Upgrading any application code for your own implementations of these services is very straightforward.
The following imports simply need to be updated to switch from Envoy's Transport Protocol
v2
tov3
, and then the configuration for these resources can be updated to add theprotocl_version: "v3"
when the updated service is deployed.v2
Imports:v3
Imports:Check removed runtime changes
Support for LightStep tracing driver removed
Ambassador Edge Stack 3.4 is based on Envoy 1.24.1 which removed support for the LightStep
tracing driver. The team at LightStep and the maintainers of Envoy-Proxy recommend that users instead leverage the OpenTelemetry Collector to send tracing information to LightStep. We have written a guide which can be found here Distributed Tracing with OpenTelemetry and Lightstep that outlines how to set this up. It is important that you follow this upgrade path prior to upgrading or you will drop tracing data.
Migration Steps
Install new CRDs.
After reviewing the changes in 3.x and confirming that you are ready to upgrade, the process is the same as upgrading minor versions in previous version of Ambassador Edge Stack and does not require the complex migration steps that the migration from 1.x to 2.x required.
Before installing Ambassador Edge Stack 3.11.1 itself, you need to update the CRDs in your cluster; Helm will not do this for you. This is mandatory during any upgrade of Ambassador Edge Stack.
Create an Ambassador Cloud Connect Token
Ambassador Edge Stack requires a license to operate. Licenses are obtained and refreshed automatically using an API Token. If your installation of Ambassador Edge Stack is already connected to the cloud then you can skip this step. Otherwise, you can create a Cloud Connect Token in Ambassador Cloud and apply it using the
Helm upgrade
command below. For more information on licensing please refer to the license page.Install Ambassador Edge Stack 3.11.1.
After installing the new CRDs, use Helm to install Ambassador Edge Stack 3.11.1. Start by making sure that your
datawire
Helm repo is set correctly:Then, update your Ambassador Edge Stack installation in the
ambassador
namespace. If necessary for your installation (e.g. if you were running withAMBASSADOR_SINGLE_NAMESPACE
set), you can choose a different namespace.