Unable to upgrade to TAS v2.11 with Service Mesh enabled
Article ID: 298289
Updated On:
Products
VMware Tanzu Application Service for VMs
Issue/Introduction
When attempting to upgrade to TAS 2.11, the following error message is shown:
{"errors":["Could not apply migrations. '202008271411_enforce_service_mesh_disabled.js' has javascript errors 'attempt to upgrade to PAS 2.11+ with Service Mesh enabled, please disable Service Mesh prior to upgrade by setting \".properties.istio\" to \"disable\"'. Please contact your VMware representative."]}Environment
Product Version: 2.11
Resolution
The Service Mesh feature was removed in TAS v2.11. To disable this for the upgrade, the following steps must be performed with the om cli:
1. Retrieve the staged configuration of the TAS tile with om staged-config --product-name=cf > /tmp/cf-config.yml
2. Open the cf-config.yml file. It will contain a section as follows:
Change this to:
3. The next section is .istio_router.static_ips, which will look like the following:
4. You will also need to remove the current VMs deployed by Service Mesh. These are istio_control, istio_router, and route_syncer. Under the resource-config section of the file, change the instances: value for these three VMs to 0.
5. After saving the file, configure these changes with om configure-product -c /tmp/cf-config.yml
6. Perform an apply changes against the TAS deployment. This will disable Service Mesh.
Note:
If a certificate for istio gorouter was configured when enabling Service Mesh it may still be there as well. That will cause no harm but when the certificate is about to expire, Ops Man will show a "certificate expiring" warning. To know if there is a certificate associated to Service Mesh, credhub can be used as follows.
1. Retrieve the staged configuration of the TAS tile with om staged-config --product-name=cf > /tmp/cf-config.yml
2. Open the cf-config.yml file. It will contain a section as follows:
.properties.istio:
selected_option: enable
value: enable
Change this to:
.properties.istio:
selected_option: disable
value: disable
3. The next section is .istio_router.static_ips, which will look like the following:
.istio_router.static_ips:
value: <IPS>
You can delete both of these lines from the file.
4. You will also need to remove the current VMs deployed by Service Mesh. These are istio_control, istio_router, and route_syncer. Under the resource-config section of the file, change the instances: value for these three VMs to 0.
5. After saving the file, configure these changes with om configure-product -c /tmp/cf-config.yml
6. Perform an apply changes against the TAS deployment. This will disable Service Mesh.
Note:
If a certificate for istio gorouter was configured when enabling Service Mesh it may still be there as well. That will cause no harm but when the certificate is about to expire, Ops Man will show a "certificate expiring" warning. To know if there is a certificate associated to Service Mesh, credhub can be used as follows.
credhub find -n "istio"If it returns entries that contain something like following
- name: /opsmgr/cf-fb013cc733a0cc2ddb2b/istio_frontend_tls_keypairs/0/certificate version_created_at: "2021-05-11T11:33:25Z"it means that a certificate was configured with Service Mesh. In order to delete it, follow instructions in this KB article
Feedback
Yes
No
Powered by
