Perform an uninstallation
Introduction
The following instructions describe how to perform an uninstallation of Aspen Mesh. Perform the tasks in order.
When to perform an uninstallation
Perform an uninstallation when either of the following is true:
You no longer want to use Aspen Mesh on your cluster.
You want to temporarily uninstall Aspen Mesh so you can perform a clean installation.
You don’t need to perform an uninstallation if you want to perform an upgrade.
Uninstall the control plane and gateway components
1. Did you previously install the Istio egress gateway?
   Yes:
     Uninstall the Istio egress gateway:
     $ helm uninstall istio-egress --namespace <egressNamespaceName>
     Go to step 2.
   No:
     Go to step 2.
2. Uninstall the Istio ingress gateway:
   $ helm uninstall istio-ingress --namespace <ingressNamespaceName>
3. Uninstall the Istio control plane:
   $ helm uninstall istiod --namespace istio-system
(OpenShift only) Uninstall the Istio CNI plugin
Important
Perform this task only if Aspen Mesh is installed in an OpenShift cluster.
1. In each namespace that has an istio-cni network-attachment definition, delete the istio-cni network-attachment definition:
   $ kubectl delete network-attachment-definition istio-cni --namespace <namespaceName>
2. In each namespace in which both the anyuid and privileged security context constraints (SCCs) were added to all service accounts to allow sidecar injection (this excludes the istio-system namespace), remove those SCCs:
   $ oc adm policy remove-scc-from-group anyuid "system:serviceaccounts:<namespaceName>"
   $ oc adm policy remove-scc-from-group privileged "system:serviceaccounts:<namespaceName>"
3. In the istio-system namespace, remove the anyuid SCC:
   $ oc adm policy remove-scc-from-group anyuid "system:serviceaccounts:istio-system"
4. Uninstall the Istio CNI plugin:
   $ helm uninstall istio-cni --namespace kube-system
Uninstall the control-plane dependencies
1. Uninstall the cluster-wide objects used by the Istio control plane in the istio-system namespace:
   $ helm uninstall istio-base --namespace istio-system
2. Delete the istio-system namespace:
   $ kubectl delete namespace istio-system
Note
If you previously plugged in CA certificates, deleting the istio-system namespace will delete the cacerts certificate secret in the istio-system namespace.
Delete the Istio CRDs
1. List all remaining custom Istio objects:
   $ kubectl get istio-io --all-namespaces
Note
At this point, all custom Istio objects (objects based on the Istio CRDs) that were created during a clean installation or an upgrade of Aspen Mesh have already been deleted. Therefore, this command lists only any custom Istio objects that were not created during a clean installation or an upgrade of Aspen Mesh.
2. Are there any remaining custom Istio objects?
   Yes:
     If there’s a possibility you’ll need to re-create these remaining custom Istio objects later (for example, after performing a clean installation of Aspen Mesh), make sure you have a manifest for each one.
     Go to step 3.
   No:
     Go to step 3.
3. Delete the Istio CRDs:
   $ kubectl get crds --output name | grep 'istio.io' | xargs kubectl delete
Note
Helm does not delete or upgrade CRDs. If you don’t delete the Istio CRDs and then later perform a clean installation of Aspen Mesh, the clean installation will not upgrade (or downgrade) the versions of the Istio CRDs.
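A stricter variant of the CRD deletion step, as an added example that is not part of the Aspen Mesh documentation: the pattern 'istio.io' matches that string anywhere in a CRD name and treats the dot as a wildcard, so this version anchors the match on the .istio.io group suffix and only previews deletions unless APPLY=1 is set. The function names, the APPLY variable and the sample CRD list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Aspen Mesh's own tooling. Function names, APPLY and the
# sample data below are assumptions made for this illustration.

# Keep only CRD names whose API group is istio.io or a subdomain of it.
# Reads lines in the format printed by `kubectl get crds --output name`.
filter_istio_crds() {
    grep -E '^customresourcedefinition\.apiextensions\.k8s\.io/[^/]+\.istio\.io$' || true
}

# Delete each CRD named on stdin. Unless APPLY=1, only print what would be
# deleted. Empty input deletes nothing (no bare `kubectl delete` call).
delete_crds() {
    while IFS= read -r crd; do
        [ -n "$crd" ] || continue
        if [ "${APPLY:-0}" = "1" ]; then
            kubectl delete "$crd"
        else
            printf 'would delete: %s\n' "$crd"
        fi
    done
}

# Constructed sample of `kubectl get crds --output name` output. The last three
# entries are not Istio CRDs, but two of them match the loose pattern 'istio.io'.
SAMPLE_CRDS='customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io
customresourcedefinition.apiextensions.k8s.io/peerauthentications.security.istio.io
customresourcedefinition.apiextensions.k8s.io/widgets.istioXio.example.com
customresourcedefinition.apiextensions.k8s.io/policies.notistio.io
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io'

# Offline preview on the sample. On a cluster, the equivalent pipeline is:
#   kubectl get crds --output name | filter_istio_crds | delete_crds
printf '%s\n' "$SAMPLE_CRDS" | filter_istio_crds | delete_crds
```

Review the preview output before rerunning with APPLY=1, because deleting a CRD also deletes every custom object of that kind in the cluster.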