Installation with Helm

Quick start instructions for setting up and configuring Istio using Helm. This is the recommended method for installing Istio in your production environment, as it offers rich customization of the Istio control plane and of the sidecars for the Istio data plane.

Warning: Installation of Istio prior to version 0.8.0 with Helm is unstable and not recommended.

Prerequisites

  1. Download the latest Istio release.

  2. Install the Helm client.

Option 1: Install with Helm via helm template

  1. Render Istio’s core components to a Kubernetes manifest called istio.yaml:

    • With automatic sidecar injection (requires Kubernetes >=1.9.0):

      $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
      
    • Without the sidecar injection webhook:

      $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false > $HOME/istio.yaml
      
  2. Install the components via the manifest:

    $ kubectl create namespace istio-system
    $ kubectl create -f $HOME/istio.yaml
    

Option 2: Install with Helm and Tiller via helm install

This option allows Helm and Tiller to manage the lifecycle of Istio.

Warning: Upgrading Istio using Helm has not been fully tested.

  1. If a service account has not already been installed for Tiller, install one:

    $ kubectl create -f install/kubernetes/helm/helm-service-account.yaml
    
  2. Install Tiller on your cluster with the service account:

    $ helm init --service-account tiller
    
  3. Install Istio:

    • With automatic sidecar injection (requires Kubernetes >=1.9.0):

      $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
      
    • Without the sidecar injection webhook:

      $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false
      

Customization with Helm

The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. To override Helm values, use the --set key=value argument with the helm install command. Multiple --set arguments may be used in the same Helm operation.

Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:

| Parameter | Description | Values | Default |
|---|---|---|---|
| global.hub | Specifies the HUB for most images used by Istio | registry/namespace | docker.io/istionightly |
| global.tag | Specifies the TAG for most images used by Istio | valid image tag | circleci-nightly |
| global.proxy.image | Specifies the proxy image name | valid proxy name | proxyv2 |
| global.proxy.includeIPRanges | Specifies the IP ranges for which outbound traffic is redirected to Envoy | List of IP ranges in CIDR notation separated by the escaped comma \, . Use * to redirect all outbound traffic to Envoy | * |
| global.imagePullPolicy | Specifies the image pull policy | valid image pull policy | IfNotPresent |
| global.controlPlaneSecurityEnabled | Specifies whether control plane mTLS is enabled | true/false | false |
| global.mtls.enabled | Specifies whether mTLS is enabled by default between services | true/false | false |
| global.mtls.mtlsExcludedServices | List of FQDNs to exclude from mTLS | a list of FQDNs | - kubernetes.default.svc.cluster.local |
| global.rbacEnabled | Specifies whether to create Istio RBAC rules or not | true/false | true |
| global.refreshInterval | Specifies the mesh discovery refresh interval | integer followed by s | 10s |
| global.arch.amd64 | Specifies the scheduling policy for amd64 architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | 2 |
| global.arch.s390x | Specifies the scheduling policy for s390x architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | 2 |
| global.arch.ppc64le | Specifies the scheduling policy for ppc64le architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | 2 |
| galley.enabled | Specifies whether Galley should be installed for server-side config validation. Requires k8s >= 1.9 | true/false | false |

The Helm chart also offers significant customization options per individual service. Customize these per-service options at your own risk. The per-service options are exposed via the values.yaml file.
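
The following is an added example, not part of the original page or the Istio project. It combines several --set overrides for the Option 1 render, joins IP ranges with the escaped comma that global.proxy.includeIPRanges requires, and reports which of the mTLS and RBAC switches from the table are still off. The function names and the CIDR ranges are assumptions made for illustration; the defaults are the ones listed in the table.

```bash
# Added example (not from the Istio project). Defaults come from the table
# above; function names and the CIDR ranges are constructed for illustration.
DEFAULTS="global.controlPlaneSecurityEnabled=false
global.mtls.enabled=false
global.rbacEnabled=true
global.proxy.includeIPRanges=*"

# Join CIDR ranges with the escaped comma: Helm's --set treats a bare comma
# as the separator between key=value pairs.
join_cidrs() {
  local out="" sep='\,' r
  for r in "$@"; do out="${out:+$out$sep}$r"; done
  printf '%s\n' "$out"
}

# Effective value of a key: the last matching override wins, else the default.
effective() {
  local key="$1" val o
  shift
  val=$(printf '%s\n' "$DEFAULTS" | sed -n "s/^${key}=//p")
  for o in "$@"; do
    if [ "${o%%=*}" = "$key" ]; then val="${o#*=}"; fi
  done
  printf '%s\n' "$val"
}

# Authentication/authorization switches that are still off after overrides.
unhardened() {
  local key
  for key in global.controlPlaneSecurityEnabled global.mtls.enabled global.rbacEnabled; do
    if [ "$(effective "$key" "$@")" != "true" ]; then printf '%s\n' "$key"; fi
  done
}

# Print (do not run) the Option 1 render command with each override quoted,
# so the shell passes the backslash and * through to Helm unchanged.
render_cmd() {
  local cmd="helm template install/kubernetes/helm/istio --name istio --namespace istio-system" o
  for o in "$@"; do cmd="$cmd --set '$o'"; done
  printf '%s\n' "$cmd > \$HOME/istio.yaml"
}

# Constructed overrides: enable both mTLS switches, limit redirected ranges.
set -- global.mtls.enabled=true global.controlPlaneSecurityEnabled=true \
  "global.proxy.includeIPRanges=$(join_cidrs 10.0.0.0/16 10.96.0.0/12)"
render_cmd "$@"
echo "still disabled: $(unhardened "$@" | tr '\n' ' ')"
```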

What’s next

See the sample Bookinfo application.

Uninstall

  • For option 1, uninstall using kubectl:

    $ kubectl delete -f $HOME/istio.yaml
    
  • For option 2, uninstall using Helm:

    $ helm delete --purge istio
    

    If your Helm version is less than 2.9.0, you need to manually clean up the extra job resources before redeploying a new version of the Istio chart:

    $ kubectl -n istio-system delete job --all