Perform an uninstallation

Introduction

The following instructions describe how to perform an uninstallation of Citadel.

Warning

Completely uninstalling Citadel must be performed very carefully to avoid outages and is not recommended for production clusters.

To fully uninstall Citadel, perform the following tasks in order:

  • If you’ve configured any off-mesh workloads to use a service account’s Citadel workload certificate, configure those workloads to no longer use a Citadel workload certificate, and disable Citadel workload certificates for each namespace:

    • Off-mesh, on-cluster non-gateway workloads: Reconfigure off-mesh, on-cluster non-gateway workloads so they no longer use a Citadel workload certificate. If these workloads are clients that communicate with on-mesh non-gateway server workloads, set the mTLS mode to PERMISSIVE in the peer-authentication policies for those server workloads. If these workloads are servers that communicate with off-mesh, on-cluster non-gateway client workloads or with on-mesh non-gateway client workloads, rewrite the applications in the client workloads to use an unencrypted connection.

    • Istio gateways: Reconfigure the off-mesh interfaces of the pods in Istio gateway workloads to use certificates that you manage manually instead of certificates managed by Citadel.

  • Delete all Citadel workload certificates (in the form of secrets named istio.<serviceAccountName>) from all namespaces.

  • Uninstall Citadel.
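The second task above, deleting every Citadel workload certificate secret (named istio.<serviceAccountName>) from all namespaces, is the step most likely to cause an outage if it removes a secret something still depends on. The script below is an added example, not part of the original instructions: it lists the matching secrets cluster-wide, defaults to a dry run so you can review the list first, and only deletes when explicitly asked. It assumes kubectl is configured against the target cluster; the filtering relies only on the naming scheme the page describes (service account names are DNS-1123 labels, so only lowercase letters, digits and hyphens follow the dot).

```shell
#!/usr/bin/env bash
# Find and remove Citadel workload-certificate secrets (istio.<serviceAccountName>)
# across all namespaces. Added example; assumes kubectl access to the cluster.
set -euo pipefail

# Read "<namespace> <secret-name>" lines on stdin and keep only those whose
# name is exactly istio.<serviceAccountName>. Secrets such as istio-ca-secret
# (hyphen, not dot) or istio.default.token (second dot) are not Citadel
# workload certificates and are left alone. Output is normalised to
# "namespace name" with a single space.
filter_citadel_secrets() {
  awk '$2 ~ /^istio\.[a-z0-9-]+$/ { print $1, $2 }'
}

# Query the cluster for all secrets and apply the filter.
list_citadel_secrets() {
  kubectl get secrets --all-namespaces --no-headers \
    -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name' |
    filter_citadel_secrets
}

# Dry run by default: prints what would be deleted. Pass --delete to act.
# Review the dry-run list against the off-mesh workloads and gateways you
# reconfigured in step 1 before running with --delete.
delete_citadel_secrets() {
  mode="${1:---dry-run}"
  list_citadel_secrets | while read -r ns name; do
    if [ "$mode" = "--delete" ]; then
      kubectl delete secret "$name" --namespace "$ns"
    else
      echo "would delete secret/$name in namespace $ns"
    fi
  done
}

# Usage (uncomment to run):
#   delete_citadel_secrets            # dry run, prints the candidate list
#   delete_citadel_secrets --delete   # removes the listed secrets
```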

Uninstall Citadel

Warning

If you uninstall Citadel, Citadel will no longer rotate its workload certificates (in the form of secrets named istio.<serviceAccountName>), and they’ll eventually expire. After a Citadel workload certificate expires, any workload that depends on that certificate to perform certificate or identity validation will no longer be able to connect.

  • Uninstall Citadel:

    $ helm uninstall citadel --namespace istio-system