Customizable Install with Helm
The Helm installation approach will be deprecated in the future. We recommend Installing with istioctl instead.
Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use.
This installation guide uses Helm charts that provide rich customization of the Istio control plane and of the sidecars for the Istio data plane. You can simply use helm template to generate the configuration and then install it using kubectl apply, or you can choose to use helm install and let Tiller completely manage the installation.
Using these instructions, you can select any one of Istio’s built-in configuration profiles and then further customize the configuration for your specific needs.
Prerequisites
Perform any necessary platform-specific setup.
Check the Requirements for Pods and Services.
Install a Helm client with a version higher than 2.10.
Use a 2.x version of Helm. Helm 3 is not supported.
Helm chart release repositories
The commands in this guide use the Helm charts that are included in the Istio release image. If you want to use the Istio release Helm chart repository instead, adjust the commands accordingly and add the Istio release repository as follows:
$ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.4.2/charts/
Installation steps
Change directory to the root of the release and then choose one of the following two mutually exclusive options:
- To deploy Istio without using Tiller, follow the instructions for option 1.
- To use Helm’s Tiller pod to manage your Istio release, follow the instructions for option 2.
Istio, by default, uses LoadBalancer service object types. Some platforms do not support LoadBalancer service objects. For platforms lacking LoadBalancer support, install Istio with NodePort support instead with the flags --set gateways.istio-ingressgateway.type=NodePort appended to the end of the Helm instructions in the installation steps below.
Option 1: Install with Helm via helm template
Choose this option if your cluster doesn’t have Tiller deployed and you don’t want to install it.
- Create a namespace for the istio-system components:
$ kubectl create namespace istio-system
- Install all the Istio Custom Resource Definitions (CRDs) using kubectl apply:
$ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
- Wait for all Istio CRDs to be created:
$ kubectl -n istio-system wait --for=condition=complete job --all
- Select a configuration profile and then render and apply Istio’s core components corresponding to your chosen profile. The default profile is recommended for production deployments:
You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f -
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f -
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl apply -f -
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f -
Enable mutual TLS in Istio by setting the options global.controlPlaneSecurityEnabled=true and global.mtls.enabled=true, in addition to specifying the Helm values file corresponding to your chosen profile.
For example, to configure the demo profile with mutual TLS enabled:
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml \
--set global.controlPlaneSecurityEnabled=true \
--set global.mtls.enabled=true | kubectl apply -f -
Install the Istio CNI components:
$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl apply -f -
Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--set istio_cni.enabled=true | kubectl apply -f -
Option 2: Install with Helm and Tiller via helm install
This option allows Helm and Tiller to manage the lifecycle of Istio.
The instructions for using Helm with Tiller do not use secure defaults. See Securing your Helm Installation for further steps to secure a Tiller-based installation.
- Make sure you have a service account with the cluster-admin role defined for Tiller. If not already defined, create one using the following command:
$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
- Install Tiller on your cluster with the service account:
$ helm init --service-account tiller
- Install the istio-init chart to bootstrap all of Istio’s CRDs:
$ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system
- Wait for all Istio CRDs to be created:
$ kubectl -n istio-system wait --for=condition=complete job --all
- Select a configuration profile and then install the istio chart corresponding to your chosen profile. The default profile is recommended for production deployments:
You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-minimal.yaml
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-sds-auth.yaml
Enable mutual TLS in Istio by setting the options global.controlPlaneSecurityEnabled=true and global.mtls.enabled=true, in addition to specifying the Helm values file corresponding to your chosen profile.
For example, to configure the demo profile with mutual TLS enabled:
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml \
--set global.controlPlaneSecurityEnabled=true \
--set global.mtls.enabled=true
Install the Istio CNI chart:
$ helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system
Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set istio_cni.enabled=true
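Option 2 begins by giving Tiller a service account bound to cluster-admin. As an added example (not part of the Istio documentation or charts), the shell functions below scan a manifest for ClusterRoleBindings that grant cluster-admin so the grant can be reviewed or blocked before kubectl apply; the function names and the sample manifest are constructed for illustration.

```shell
# Added example; function names and SAMPLE_MANIFEST are constructed, not Istio's.
# Reads block-style YAML on stdin; prints "<binding> <kind> <namespace>/<name>".
find_cluster_admin_bindings() {
  awk '
    function emit(   i) {
      if (kind == "ClusterRoleBinding" && role == "cluster-admin")
        for (i = 1; i <= n; i++)
          print name, skind[i], (sns[i] == "" ? "-" : sns[i]) "/" sname[i]
      kind = name = role = section = ""; n = 0
    }
    /^---/        { emit(); next }          # document boundary
    /^kind:/      { kind = $2; next }
    /^[A-Za-z]+:/ { section = $1; sub(/:$/, "", section); next }
    section == "metadata" && /^  name:/      { name = $2 }
    section == "roleRef"  && /^  name:/      { role = $2 }
    section == "subjects" && /^ *- /         { n++; sns[n] = ""; sub(/- /, "  ") }
    section == "subjects" && /^ +kind:/      { skind[n] = $2 }
    section == "subjects" && /^ +name:/      { sname[n] = $2 }
    section == "subjects" && /^ +namespace:/ { sns[n] = $2 }
    END { emit() }
  '
}

# Pipeline gate: non-zero exit when the manifest grants cluster-admin to anyone.
reject_cluster_admin() {
  hits=$(find_cluster_admin_bindings)
  [ -z "$hits" ] || { printf 'cluster-admin granted to:\n%s\n' "$hits" >&2; return 1; }
}

# Constructed sample, trimmed to the fields the scan reads.
SAMPLE_MANIFEST='kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
---
kind: ClusterRoleBinding
metadata:
  name: readers
roleRef:
  name: view
subjects:
  - kind: Group
    name: auditors'
printf '%s\n' "$SAMPLE_MANIFEST" | find_cluster_admin_bindings
```

Both functions read any manifest on stdin, so a file such as install/kubernetes/helm/helm-service-account.yaml can be redirected into them before it is applied.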
Verifying the installation
- Referring to the components table in configuration profiles, verify that the Kubernetes services corresponding to your selected profile have been deployed.
$ kubectl get svc -n istio-system
- Ensure the corresponding Kubernetes pods are deployed and have a STATUS of Running:
$ kubectl get pods -n istio-system
Uninstall
- If you installed Istio using the helm template command, uninstall with these commands:
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl delete -f -
$ kubectl delete namespace istio-system
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
Follow the instructions corresponding to your selected configuration profile.
Follow the instructions corresponding to your selected configuration profile and then execute the following command to uninstall the CNI plug-in:
$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl delete -f -
- If you installed Istio using Helm and Tiller, uninstall with these commands:
$ helm delete --purge istio
$ helm delete --purge istio-init
$ helm delete --purge istio-cni
$ kubectl delete namespace istio-system
Deleting CRDs and Istio Configuration
Istio, by design, expects Istio’s Custom Resources contained within CRDs to leak into the Kubernetes environment. CRDs contain the runtime configuration set by the operator. Because of this, we consider it better for operators to explicitly delete the runtime configuration data rather than unexpectedly lose it.
Deleting CRDs permanently deletes any configuration changes that you have made to Istio.
The istio-init chart contains all raw CRDs in the istio-init/files directory. You can simply delete the CRDs using kubectl. To permanently delete Istio’s CRDs and the entire Istio configuration, run:
$ kubectl delete -f install/kubernetes/helm/istio-init/files