Customizable Install with Helm

The Helm installation approach will be deprecated in the future. We recommend installing with istioctl instead.

Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use.

This installation guide uses Helm charts that provide rich customization of the Istio control plane and of the sidecars for the Istio data plane. You can simply use helm template to generate the configuration and then install it using kubectl apply, or you can choose to use helm install and let Tiller completely manage the installation.

Using these instructions, you can select any one of Istio's built-in configuration profiles and then further customize the configuration for your specific needs.

Prerequisites

Use a 2.x version of Helm. Helm 3 is not supported.

Helm chart release repositories

The commands in this guide use the Helm charts that are included in the Istio release image. If you want to use the Istio release Helm chart repository instead, adjust the commands accordingly and add the Istio release repository as follows:

  $ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.4.2/charts/

Installation steps

Change directory to the root of the release and then choose one of the following two mutually exclusive options:

Istio, by default, uses LoadBalancer service object types. Some platforms do not support LoadBalancer service objects. For platforms lacking LoadBalancer support, install Istio with NodePort support instead by appending the flag --set gateways.istio-ingressgateway.type=NodePort to the end of the Helm instructions in the installation steps below.

Option 1: Install with Helm via helm template

Choose this option if your cluster doesn't have Tiller deployed and you don't want to install it.

  • Create a namespace for the istio-system components:
  $ kubectl create namespace istio-system
  • Render the istio-init chart and apply it to install the Istio CRDs:
  $ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
  • Wait for all Istio CRDs to be created:
  $ kubectl -n istio-system wait --for=condition=complete job --all
  • Select a configuration profile and then render and apply Istio's core components corresponding to your chosen profile. The default profile is recommended for production deployments:

You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.

  # default profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f -

  # demo profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f -

  # minimal profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl apply -f -

  # sds-auth profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f -

Enable mutual TLS in Istio by setting the options global.controlPlaneSecurityEnabled=true and global.mtls.enabled=true, in addition to specifying the Helm values file corresponding to your chosen profile.

For example, to configure the demo profile with mutual TLS enabled:

  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-demo.yaml \
      --set global.controlPlaneSecurityEnabled=true \
      --set global.mtls.enabled=true | kubectl apply -f -

Install the Istio CNI components:

  $ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl apply -f -

Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:

  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --set istio_cni.enabled=true | kubectl apply -f -

Option 2: Install with Helm and Tiller via helm install

This option allows Helm and Tiller to manage the lifecycle of Istio.

The instructions for using Helm with Tiller do not use secure defaults. See Securing your Helm Installation for further steps to secure a Tiller-based installation.

  • Make sure you have a service account with the cluster-admin role defined for Tiller. If not already defined, create one using the following command:
  $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
  • Install Tiller on your cluster with the service account:
  $ helm init --service-account tiller
  • Install the istio-init chart to bootstrap all of Istio's CRDs:
  $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
  • Wait for all Istio CRDs to be created:
  $ kubectl -n istio-system wait --for=condition=complete job --all
  • Select a configuration profile and then install the istio chart corresponding to your chosen profile. The default profile is recommended for production deployments:

You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.

  # default profile
  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system

  # demo profile
  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-demo.yaml

  # minimal profile
  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-minimal.yaml

  # sds-auth profile
  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml

Enable mutual TLS in Istio by setting the options global.controlPlaneSecurityEnabled=true and global.mtls.enabled=true, in addition to specifying the Helm values file corresponding to your chosen profile.

For example, to configure the demo profile with mutual TLS enabled:

  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-demo.yaml \
      --set global.controlPlaneSecurityEnabled=true \
      --set global.mtls.enabled=true

Install the Istio CNI chart:

  $ helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system

Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:

  $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set istio_cni.enabled=true
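
The Tiller steps above bind a service account to the cluster-admin role, and the page notes that these instructions do not use secure defaults. As an added example (not part of the Istio documentation), this filter lists every subject that a manifest binds to cluster-admin so the grant can be reviewed before kubectl apply. The function names and the sample manifest are constructed for illustration, and the awk parser assumes plain block-style YAML.

```shell
# Added example: print kind/namespace/name for each subject that a
# ClusterRoleBinding in a block-style YAML stream binds to cluster-admin.
cluster_admin_subjects() {
  awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); gsub(/"/, "", s); sub(/[ \t]+$/, "", s); return s }
    function emit(   i) {
      if (kind == "ClusterRoleBinding" && role == "cluster-admin")
        for (i = 1; i <= n; i++) print skind[i] "/" sns[i] "/" sname[i]
      kind = role = section = ""; n = 0
    }
    /^---/      { emit(); next }                      # document separator
    /^kind:/    { kind = val($0); section = ""; next }
    /^[A-Za-z]/ { section = $1; sub(/:.*/, "", section); next }
    section == "roleRef" && /^[ \t]+name:/ { role = val($0); next }
    section == "subjects" {
      if ($0 ~ /^[ \t]*-/) { n++; skind[n] = sname[n] = ""; sns[n] = "-" }
      line = $0; sub(/^[ \t]*-?[ \t]*/, "", line)
      if (line ~ /^kind:/)      skind[n] = val(line)
      if (line ~ /^name:/)      sname[n] = val(line)
      if (line ~ /^namespace:/) sns[n]   = val(line)
    }
    END { emit() }
  '
}
# Constructed sample: a Tiller-style cluster-admin binding and a read-only one.
sample_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
---
kind: ClusterRoleBinding
roleRef:
  kind: ClusterRole
  name: view
subjects:
- kind: Group
  name: example-readers
EOF
}
sample_manifest | cluster_admin_subjects
```

To review the file used in the first Tiller step before applying it, run cluster_admin_subjects < install/kubernetes/helm/helm-service-account.yaml.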

Verifying the installation

  • Referring to the components table in configuration profiles, verify that the Kubernetes services corresponding to your selected profile have been deployed.
  $ kubectl get svc -n istio-system
  • Ensure the corresponding Kubernetes pods are deployed and have a STATUS of Running:
  $ kubectl get pods -n istio-system
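
The pod check above can be scripted. This added example (not part of the Istio documentation) filters kubectl get pods output down to the pods that need attention, including pods that report Running while some of their containers are not ready. The function names and sample output are constructed, and treating Completed as acceptable for finished Job pods is an assumption.

```shell
# Added example: list pods from `kubectl get pods` output that need attention.
# A pod passes when STATUS is Running and every container is ready (READY n/n),
# or when STATUS is Completed (assumed here to be a finished Job pod).
unhealthy_pods() {
  awk '
    NF < 3 || $1 == "NAME" { next }       # blank lines and the header row
    $3 == "Completed"      { next }
    {
      split($2, ready, "/")
      if ($3 != "Running" || ready[1] != ready[2]) print $1, $2, $3
    }
  '
}

# Constructed sample output; pod names are illustrative only.
sample_pods() {
  cat <<'EOF'
NAME                                 READY   STATUS             RESTARTS   AGE
istio-citadel-5c67db5cb-example1     1/1     Running            0          2m
istio-init-crd-10-example2           0/1     Completed          0          5m
istio-pilot-7f8c4b6d9-example3       1/2     Running            0          2m
istio-telemetry-6d5b8f7c4-example4   0/2     CrashLoopBackOff   4          2m
EOF
}

sample_pods | unhealthy_pods
```

Against a cluster, pipe the live output instead: kubectl get pods -n istio-system | unhealthy_pods. Empty output means every pod passed.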

Uninstall

  • If you installed Istio using the helm template command, uninstall with these commands:

  # default profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl delete -f -
  $ kubectl delete namespace istio-system

  # demo profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl delete -f -
  $ kubectl delete namespace istio-system

  # minimal profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl delete -f -
  $ kubectl delete namespace istio-system

  # sds-auth profile
  $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
      --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl delete -f -
  $ kubectl delete namespace istio-system

Follow the instructions corresponding to your selected configuration profile.

Follow the instructions corresponding to your selected configuration profile and then execute the following command to uninstall the CNI plug-in:

  $ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl delete -f -
  • If you installed Istio using Helm and Tiller, uninstall with these commands:
  $ helm delete --purge istio
  $ helm delete --purge istio-init
  $ helm delete --purge istio-cni
  $ kubectl delete namespace istio-system

Deleting CRDs and Istio Configuration

Istio, by design, expects Istio's Custom Resources contained within CRDs to leak into the Kubernetes environment. CRDs contain the runtime configuration set by the operator. Because of this, we consider it better for operators to explicitly delete the runtime configuration data rather than unexpectedly lose it.

Deleting CRDs permanently deletes any configuration changes that you have made to Istio.

The istio-init chart contains all raw CRDs in the istio-init/files directory. You can simply delete the CRDs using kubectl. To permanently delete Istio's CRDs and the entire Istio configuration, run:

  $ kubectl delete -f install/kubernetes/helm/istio-init/files
