1.14 to latest 2.x
We’re pleased to introduce Emissary $versionTwoX$! The 2.X family introduces a number of changes to allow Emissary to more gracefully handle larger installations (including multitenant or multiorganizational installations), reduce memory footprint, and improve performance. In keeping with SemVer, Emissary 2.X introduces some changes that aren’t backward-compatible with 1.X. These changes are detailed in Major Changes in Emissary 2.X.
Migration Overview
The recommended strategy for migration is to run Emissary 1.14 and Emissary $versionTwoX$ side-by-side in the same cluster. This gives Emissary $versionTwoX$ and Emissary 1.14 access to all the same configuration resources, with some important caveats:
-
Emissary 1.14 will not see any
getambassador.io/v3alpha1
resources.This is intentional; it provides a way to apply configuration only to Emissary $versionTwoX$, while not interfering with the operation of your Emissary 1.14 installation.
-
If needed, you can use labels to further isolate configurations.
If you need to prevent your Emissary $versionTwoX$ installation from seeing a particular bit of Emissary 1.14 configuration, you can apply a Kubernetes label to the configuration resources that should be seen by your Emissary $versionTwoX$ installation, then set its
AMBASSADOR_LABEL_SELECTOR
environment variable to restrict its configuration to only the labelled resources.For example, you could apply a
version-two: true
label to all resources that should be visible to Emissary $versionTwoX$, then setAMBASSADOR_LABEL_SELECTOR=version-two=true
in its Deployment. -
Be careful about label selectors on Kubernetes Services!
If you have services in Emissary 1.14 that use selectors that will match Pods from Emissary $versionTwoX$, traffic will be erroneously split between Emissary 1.14 and Emissary $versionTwoX$. The labels used by Emissary $versionTwoX$ include:
app.kubernetes.io/name: emissary-ingress app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/part-of: emissary-ingress app.kubernetes.io/managed-by: getambassador.io product: aes profile: main
-
Be careful to only have one Emissary Agent running at a time.
The Emissary Agent is responsible for communications between Emissary and Ambassador Cloud. If multiple versions of the Agent are running simultaneously, Ambassador Cloud could see conflicting information about your cluster.
The migration YAML used below to install Emissary $versionTwoX$ will not install a duplicate agent. If you are building your own YAML, make sure not to include a duplicate agent.
You can also migrate by installing Emissary $versionTwoX$ in a separate cluster. This permits absolute certainty that your Emissary 1.14 configuration will not be affected by changes meant for Emissary $versionTwoX$, and it eliminates concerns about ACME, but it is more effort.
Side-by-Side Migration Steps
Migration is a seven-step process:
-
Make sure that older configuration resources are not present.
Emissary 2.X does not support
getambassador.io/v0
orgetambassador.io/v1
resources, and Kubernetes will not permit removing support for CRD versions that are still in use for stored resources. To verify that no resources older thangetambassador.io/v2
are active, runkubectl get crds -o 'go-template={{range .items}}{{.metadata.name}}={{.status.storedVersions}}{{"\n"}}{{end}}' | fgrep getambassador.io
If
v1
is present in the output, do not begin migration. The old resources must be converted togetambassador.io/v2
and thestoredVersion
information in the cluster must be updated. If necessary, contact Ambassador Labs on Slack for more information. -
Install new CRDs.
Before installing Emissary $versionTwoX$ itself, you must configure your Kubernetes cluster to support its new
getambassador.io/v3alpha1
configuration resources. Note thatgetambassador.io/v2
resources are still supported, but you must install support forgetambassador.io/v3alpha1
to run Emissary $versionTwoX$, even if you intend to continue using onlygetambassador.io/v2
resources for some time.kubectl apply -f https://app.getambassador.io/yaml/emissary/$versionTwoX$/emissary-crds.yaml kubectl wait --timeout=90s --for=condition=available deployment emissary-apiext -n emissary-system
Emissary $versionTwoX$ includes a Deployment in the `emissary-system` namespace called emissary-apiext
. This is the APIserver extension that supports converting Emissary CRDs betweengetambassador.io/v2
andgetambassador.io/v3alpha1
. This Deployment needs to be running at all times.If the emissary-apiext
Deployment's Pods all stop running, you will not be able to usegetambassador.io/v3alpha1
CRDs until restarting theemissary-apiext
Deployment.There is a known issue with the emissary-apiext
service that impacts all Emissary 2.x and 3.x users. Specifically, the TLS certificate used by apiext expires one year after creation and does not auto-renew. All users who are running Emissary/Ambassador Edge Stack 2.x or 3.x with the apiext service should proactively renew their certificate as soon as practical by runningkubectl delete --all secrets --namespace=emissary-system
to delete the existing certificate, and then restart theemissary-apiext
deployment withkubectl rollout restart deploy/emissary-apiext -n emissary-system
. This will create a new certificate with a one year expiration. We will issue a software patch to address this issue well before the one year expiration. Note that certificate renewal will not cause any downtime. -
Install Emissary $versionTwoX$.
After installing the new CRDs, you need to install Emissary $versionTwoX$ itself in the same namespace as your existing Emissary 1.14 installation. It’s important to use the same namespace so that the two installations can see the same secrets, etc.
We publish two manifests for different namespaces. Use only the one that matches the namespace into which you installed Emissary 1.14:
emissary-emissaryns.yaml
for theemissary
namespace; oremissary-defaultns.yaml
for thedefault
namespace.
If you installed Emissary 1.14 into some other namespace, you’ll need to download one of the files and edit it to match your namespace.
If you need to set
AMBASSADOR_LABEL_SELECTOR
, you’ll need to download your chosen file and and edit it to do so.Assuming that you’re using the
default
namespace:kubectl apply -f https://app.getambassador.io/yaml/emissary/$versionTwoX$/emissary-defaultns.yaml && \ kubectl rollout status -n default deployment/edge-stack -w
Emissary $versionTwoX$ includes a Deployment in the $productNamespace$ namespace called emissary-apiext
. This is the APIserver extension that supports converting Emissary CRDs betweengetambassador.io/v2
andgetambassador.io/v3alpha1
. This Deployment needs to be running at all times.If the emissary-apiext
Deployment's Pods all stop running, you will not be able to usegetambassador.io/v3alpha1
CRDs until restarting theemissary-apiext
Deployment. -
Install
Listener
s andHost
s as needed.An important difference between Emissary 1.14 and Emissary $versionTwoX$ is the new mandatory
Listener
CRD. Also, when running both installations side by side, you will need to make sure that aHost
is present for the new Emissary $versionTwoX$ Service. For example:kubectl apply -f - <<EOF --- apiVersion: getambassador.io/v3alpha1 kind: Listener metadata: name: ambassador-http-listener spec: port: 8080 protocol: HTTPS securityModel: XFP hostBinding: namespace: from: ALL --- apiVersion: getambassador.io/v3alpha1 kind: Listener metadata: name: ambassador-https-listener spec: port: 8443 protocol: HTTPS securityModel: XFP hostBinding: namespace: from: ALL --- apiVersion: getambassador.io/v3alpha1 kind: Host metadata: name: emissary-host spec: hostname: $EMISSARY_HOSTNAME tlsSecret: name: $EMISSARY_TLS_SECRET EOF
This example requires that you know the hostname for the Emissary Service (
$EMISSARY_HOSTNAME
) and that you have created a TLS Secret for it in$EMISSARY_TLS_SECRET
. -
Test!
Your Emissary $versionTwoX$ installation can support the
getambassador.io/v2
configuration resources used by Emissary 1.14, but you may need to make some changes to the configuration, as detailed in the documentation on configuring Emissary Communications and updating CRDs togetambassador.io/v3alpha1
.Kubernetes will not allow you to have a getambassador.io/v3alpha1
resource with the same name as agetambassador.io/v2
resource or vice versa: only one version can be stored at a time.
If you find that your Emissary $versionTwoX$ installation and your Emissary 1.14 installation absolutely must have resources that are only seen by one version or the other way, see overview section 2, "If needed, you can use labels to further isolate configurations".If you find that you need to roll back, just reinstall your 1.14 CRDs and delete your installation of Emissary $versionTwoX$.
-
When ready, switch over to Emissary $versionTwoX$.
You can run Emissary 1.14 and Emissary $versionTwoX$ side-by-side as long as you care to. However, taking full advantage of Emissary 2.X’s capabilities requires updating your configuration to use
getambassador.io/v3alpha1
configuration resources, since some useful features in Emissary $versionTwoX$ are only available usinggetambassador.io/v3alpha1
resources.When you’re ready to have Emissary $versionTwoX$ handle traffic on its own, switch your original Emissary 1.14 Service to point to Emissary $versionTwoX$. Use
kubectl edit service ambassador
and change theselectors
to:app.kubernetes.io/instance: emissary-ingress app.kubernetes.io/name: emissary-ingress profile: main
Repeat using
kubectl edit service ambassador-admin
for theambassador-admin
Service.
Congratulations! At this point, Emissary $versionTwoX$ is fully running and it’s safe to remove the ambassador
and ambassador-agent
Deployments:
kubectl delete deployment/ambassador deployment/ambassador-agent
Once Emissary 1.14 is no longer running, you may convert
any remaining getambassador.io/v2
resources to getambassador.io/v3alpha1
.
You may also want to redirect DNS to the edge-stack
Service and remove the
ambassador
Service.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.