Install with Helm

This guide shows you how to install Istio in ambient mode with Helm. Aside from following the demo in Getting Started with Ambient Mode, we encourage the use of Helm to install Istio for use in ambient mode. Helm helps you manage components separately, and you can easily upgrade the components to the latest version.

Prerequisites

  1. Check the Platform-Specific Prerequisites.

  2. Check the Requirements for Pods and Services.

  3. Install the Helm client, version 3.6 or above.

  4. Configure the Helm repository:

    1. $ helm repo add istio https://istio-release.storage.googleapis.com/charts
    2. $ helm repo update

See helm repo for command documentation.

Installing the components

Installing the base component

The base chart contains the basic CRDs and cluster roles required to set up Istio. This should be installed prior to any other Istio component.

  1. $ helm install istio-base istio/base -n istio-system --create-namespace

Installing the CNI Component

The cni chart installs the Istio CNI plugin. It is responsible for detecting the pods that belong to the ambient mesh, and configuring the traffic redirection between pods and the ztunnel node proxy (which will be installed later).

  1. $ helm install istio-cni istio/cni -n istio-system --set profile=ambient

Installing the discovery component

The istiod chart installs a revision of Istiod. Istiod is the control plane component that manages and configures the proxies to route traffic within the mesh.

  1. $ helm install istiod istio/istiod --namespace istio-system --set profile=ambient

Installing the ztunnel component

The ztunnel chart installs the ztunnel DaemonSet, which is the node proxy component of Istio’s ambient mode.

  1. $ helm install ztunnel istio/ztunnel -n istio-system

Install an ingress gateway (optional)

The namespace the gateway is deployed in must not have a istio-injection=disabled label. See Controlling the injection policy for more info.

  1. $ helm install istio-ingress istio/gateway -n istio-ingress --wait --create-namespace

See Installing Gateways for in-depth documentation on gateway installation.

Configuration

To view supported configuration options and documentation, run:

  1. $ helm show values istio/istiod

Verifying the installation

Verifying the workload status

After installing all the components, you can check the Helm deployment status with:

  1. $ helm ls -n istio-system
  2. NAME            NAMESPACE       REVISION    UPDATED         STATUS      CHART           APP VERSION
  3. istio-base      istio-system    1           ... ... ... ... deployed    base-1.0.0      1.0.0
  4. istio-cni       istio-system    1           ... ... ... ... deployed    cni-1.0.0       1.0.0
  5. istiod          istio-system    1           ... ... ... ... deployed    istiod-1.0.0    1.0.0
  6. ztunnel         istio-system    1           ... ... ... ... deployed    ztunnel-1.0.0   1.0.0

You can check the status of the deployed pods with:

  1. $ kubectl get pods -n istio-system
  2. NAME                             READY   STATUS    RESTARTS   AGE
  3. istio-cni-node-g97z5             1/1     Running   0          10m
  4. istiod-5f4c75464f-gskxf          1/1     Running   0          10m
  5. ztunnel-c2z4s                    1/1     Running   0          10m

Verifying with the sample application

After installing ambient mode with Helm, you can follow the Deploy the sample application guide to deploy the sample application and ingress gateways, and then you can add your application to the ambient mesh.

Uninstall

You can uninstall Istio and its components by uninstalling the charts installed above.

  1. List all the Istio charts installed in istio-system namespace:

    1. $ helm ls -n istio-system
    2. NAME            NAMESPACE       REVISION    UPDATED         STATUS      CHART           APP VERSION
    3. istio-base      istio-system    1           ... ... ... ... deployed    base-1.0.0      1.0.0
    4. istio-cni       istio-system    1           ... ... ... ... deployed    cni-1.0.0       1.0.0
    5. istiod          istio-system    1           ... ... ... ... deployed    istiod-1.0.0    1.0.0
    6. ztunnel         istio-system    1           ... ... ... ... deployed    ztunnel-1.0.0   1.0.0

  2. (Optional) Delete any Istio gateway chart installations:

    1. $ helm delete istio-ingress -n istio-ingress
    2. $ kubectl delete namespace istio-ingress

  3. Delete the Istio CNI chart:

    1. $ helm delete istio-cni -n istio-system

  4. Delete the Istio ztunnel chart:

    1. $ helm delete ztunnel -n istio-system

  5. Delete the Istio discovery chart:

    1. $ helm delete istiod -n istio-system

  6. Delete the Istio base chart:

    By design, deleting a chart via Helm doesn’t delete the installed Custom Resource Definitions (CRDs) installed via the chart.

    1. $ helm delete istio-base -n istio-system

  7. Delete CRDs installed by Istio (optional)

    This will delete all created Istio resources.

    1. $ kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete

  8. Delete the istio-system namespace:

    1. $ kubectl delete namespace istio-system