How to Use the Same IP on istio-ingressgateway After Disabling and Re-Enabling the Istio Add-On

3 min read

Step-by-step instructions for a workaround you can perform to prevent the istio-ingressgateway IP from being changed.

Imagine this scenario: You have a Kubernetes cluster with the Istio add-on installed, and you need to update the Istio version. However, the version of the add-on that you installed is no longer supported and you cannot simply update it. You have to remove the current version and install a new version, but you may have a problem here — when you remove and install it again, you have no guarantee that the IP of istio-ingressgateway will be the same.

So, in this case, if you have that IP set for any NAT (Network Address Translation), firewall rules, or any other situation, you may have problems.

There is a workaround that you can perform and prevent the IP from being changed, and this article will provide step-by-step instructions.

Workaround

To resolve this problem, follow these steps:

  1. Identify your istio-ingressgateway external IP
  2. Verify external IPs available for your cluster 
  3. Create dummy load balancer services for all available external IPs (except for the istio-ingressgateway IP)
  4. Disable the Istio add-on (unsupported version)
  5. Wait for the istio-system namespace to be deleted 
  6. Enable the Istio add-on (supported version)
  7. Check the istio-ingressgateway external IP (it should be the desired external IP)
  8. Delete all the dummy services you created 

Step-by-step instructions

Step 1: Identify your istio-ingressgateway external IP

kubectl get service istio-ingressgateway -n istio-system

Take a look at the EXTERNAL-IP column, — it is your IP.

Step 2: Verify all external IPs available for your cluster

kubectl get cm -n kube-system ibm-cloud-provider-vlan-ip-config -o json

Take a look at "vlanipmap.json" — in this field, you have all IPs available for your cluster. You need to count the number of IPs available to find out how many services you will need to create. 

For example, if you have 29 IPs available, you will need to create 28 services, because 1 IP is already being used by istio-ingressgateway.

Step 3: Create dummy load balancer services

You will need to create a yaml file with the desired number of services. We are providing an example that contains 28 services, and you can adapt it to your needs.

Example: dummy_svc.yml

---
apiVersion: v1
kind: Service
metadata:
  name: example-service-1
spec:
  selector:
    app: example
  ports:
    - port: 8765
      targetPort: 9365
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-2
spec:
  selector:
    app: example
  ports:
    - port: 8766
      targetPort: 9366
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-3
spec:
  selector:
    app: example
  ports:
    - port: 8767
      targetPort: 9367
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-4
spec:
  selector:
    app: example
  ports:
    - port: 8768
      targetPort: 9368
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-5
spec:
  selector:
    app: example
  ports:
    - port: 8769
      targetPort: 9369
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-6
spec:
  selector:
    app: example
  ports:
    - port: 8770
      targetPort: 9370
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-7
spec:
  selector:
    app: example
  ports:
    - port: 8771
      targetPort: 9371
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-8
spec:
  selector:
    app: example
  ports:
    - port: 8772
      targetPort: 9372
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-9
spec:
  selector:
    app: example
  ports:
    - port: 8773
      targetPort: 9373
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-10
spec:
  selector:
    app: example
  ports:
    - port: 8774
      targetPort: 9374
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-11
spec:
  selector:
    app: example
  ports:
    - port: 8775
      targetPort: 9375
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-12
spec:
  selector:
    app: example
  ports:
    - port: 8776
      targetPort: 9376
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-13
spec:
  selector:
    app: example
  ports:
    - port: 8777
      targetPort: 9377
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-14
spec:
  selector:
    app: example
  ports:
    - port: 8778
      targetPort: 9378
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-15
spec:
  selector:
    app: example
  ports:
    - port: 8779
      targetPort: 9379
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-16
spec:
  selector:
    app: example
  ports:
    - port: 8780
      targetPort: 9380
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-17
spec:
  selector:
    app: example
  ports:
    - port: 8781
      targetPort: 9381
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-18
spec:
  selector:
    app: example
  ports:
    - port: 8782
      targetPort: 9382
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-19
spec:
  selector:
    app: example
  ports:
    - port: 8783
      targetPort: 9383
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-20
spec:
  selector:
    app: example
  ports:
    - port: 8784
      targetPort: 9384
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-21
spec:
  selector:
    app: example
  ports:
    - port: 8785
      targetPort: 9385
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-22
spec:
  selector:
    app: example
  ports:
    - port: 8786
      targetPort: 9386
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-23
spec:
  selector:
    app: example
  ports:
    - port: 8787
      targetPort: 9387
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-24
spec:
  selector:
    app: example
  ports:
    - port: 8788
      targetPort: 9388
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-25
spec:
  selector:
    app: example
  ports:
    - port: 8789
      targetPort: 9389
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-26
spec:
  selector:
    app: example
  ports:
    - port: 8790
      targetPort: 9390
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-27
spec:
  selector:
    app: example
  ports:
    - port: 8791
      targetPort: 9391
  externalTrafficPolicy: Local
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-28
spec:
  selector:
    app: example
  ports:
    - port: 8792
      targetPort: 9392
  externalTrafficPolicy: Local
  type: LoadBalancer

After the file is created, simply create the services:

kubectl apply -f dummy_svc.yml

Confirm that the services were created:

kubectl get services -A -o wide |grep LoadBalancer

Step 4: Disable the Istio add-on 

In the IBM Cloud Portal, access your cluster, select the Add-ons option, click Managed Istio, and click on the Uninstall option.

Uninstall Istio
bz2

Step 5: Wait for the istio-system namespace to be deleted 

kubectl get pods -o wide -n istio-system

Wait until there is no Istio component running.

Step 6: Enable the Istio add-on

ibmcloud ks cluster addon enable istio --version <version> -c <ClusterID>

You must follow the process until the installation is completed. You can follow the status through the IBM Cloud console, in the Add-ons tab on your cluster, or if you prefer, you can follow the creation of the pods through the command line.

You can execute the commands below to follow the creation of pods and services:

kubectl get pods -o wide -n istio-system
kubectl get services -n istio-system

Step 7: Check the istio-ingressgateway external IP (it should be the desired external IP)  

kubectl get service istio-ingressgateway -n istio-system

Take a look at the EXTERNAL-IP column — it is your IP.

Step 8: Delete all the dummy services you created 

kubectl delete -f dummy_svc.yml

Conclusion

The idea behind this workaround is to allocate all IPs with dummy services so that when removing and installing the Istio add-on, you only have one IP available for use. So we guarantee that when removing and installing, we will keep the same IP.

In this article, we are reporting the procedure for the istio-ingressgateway, as it was a situation that we experienced with one of our customers, but this procedure is not restricted to Istio. If you have any service that you need to recreate and want to ensure that it will go up with the same IP, you can use the same idea exposed in this article.

Learn more

Be the first to hear about news, product updates, and innovation from IBM Cloud