Step-by-step instructions for a workaround you can perform to prevent the istio-ingressgateway IP from being changed.
Imagine this scenario: You have a Kubernetes cluster with the Istio add-on installed, and you need to update the Istio version. However, the version of the add-on that you installed is no longer supported and you cannot simply update it. You have to remove the current version and install a new version, but you may have a problem here — when you remove and install it again, you have no guarantee that the IP of istio-ingressgateway will be the same.
So, in this case, if you have that IP set for any NAT (Network Address Translation), firewall rules, or any other situation, you may have problems.
There is a workaround that you can perform and prevent the IP from being changed, and this article will provide step-by-step instructions.
To resolve this problem, follow these steps:
- Identify your istio-ingressgateway external IP
- Verify external IPs available for your cluster
- Create dummy load balancer services for all available external IPs (except for the istio-ingressgateway IP)
- Disable the Istio add-on (unsupported version)
- Wait for the istio-system namespace to be deleted
- Enable the Istio add-on (supported version)
- Check the istio-ingressgateway external IP (it should be the desired external IP)
- Delete all the dummy services you created
Step 1: Identify your istio-ingressgateway external IP
Take a look at the EXTERNAL-IP column, — it is your IP.
Step 2: Verify all external IPs available for your cluster
Take a look at “vlanipmap.json” — in this field, you have all IPs available for your cluster. You need to count the number of IPs available to find out how many services you will need to create.
For example, if you have 29 IPs available, you will need to create 28 services, because 1 IP is already being used by istio-ingressgateway.
Step 3: Create dummy load balancer services
You will need to create a yaml file with the desired number of services. We are providing an example that contains 28 services, and you can adapt it to your needs.
After the file is created, simply create the services:
Confirm that the services were created:
Step 4: Disable the Istio add-on
In the IBM Cloud Portal, access your cluster, select the Add-ons option, click Managed Istio, and click on the Uninstall option.
Step 5: Wait for the istio-system namespace to be deleted
Wait until there is no Istio component running.
Step 6: Enable the Istio add-on
You must follow the process until the installation is completed. You can follow the status through the IBM Cloud console, in the Add-ons tab on your cluster, or if you prefer, you can follow the creation of the pods through the command line.
You can execute the commands below to follow the creation of pods and services:
Step 7: Check the istio-ingressgateway external IP (it should be the desired external IP)
Take a look at the EXTERNAL-IP column — it is your IP.
Step 8: Delete all the dummy services you created
The idea behind this workaround is to allocate all IPs with dummy services so that when removing and installing the Istio add-on, you only have one IP available for use. So we guarantee that when removing and installing, we will keep the same IP.
In this article, we are reporting the procedure for the istio-ingressgateway, as it was a situation that we experienced with one of our customers, but this procedure is not restricted to Istio. If you have any service that you need to recreate and want to ensure that it will go up with the same IP, you can use the same idea exposed in this article.