Install with Helm

Follow this guide to install and configure an Istio mesh using Helm.

The Helm charts used in this guide are the same underlying charts used when installing Istio via Istioctl or the Operator.

Prerequisites

  1. Perform any necessary platform-specific setup.

  2. Check the Requirements for Pods and Services.

  3. Install the Helm client, version 3.6 or above.

  4. Configure the Helm repository:

$ helm repo add istio https://istio-release.storage.googleapis.com/charts
$ helm repo update

Installation steps

This section describes the procedure to install Istio using Helm. The general syntax for helm installation is:

$ helm install <release> <chart> --namespace <namespace> --create-namespace [--set <other_parameters>]

The variables specified in the command are as follows:

  • <chart> A path to a packaged chart, a path to an unpacked chart directory or a URL.
  • <release> A name to identify and manage the Helm chart once installed.
  • <namespace> The namespace in which the chart is to be installed.

Default configuration values can be changed using one or more --set <parameter>=<value> arguments. Alternatively, you can specify several parameters in a custom values file using the --values <file> argument.

  1. Create the namespace, istio-system, for the Istio components:

    $ kubectl create namespace istio-system
    
  2. Install the Istio base chart which contains cluster-wide Custom Resource Definitions (CRDs) which must be installed prior to the deployment of the Istio control plane:

    $ helm install istio-base istio/base -n istio-system
    
  3. Validate the CRD installation with the helm ls command:

    $ helm ls -n istio-system
    NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART        APP VERSION
    istio-base istio-system 1        ... ... ... ... deployed base-1.16.1  1.16.1
    

    In the output locate the entry for istio-base and make sure the status is set to deployed.

  4. Install the Istio discovery chart which deploys the istiod service:

    $ helm install istiod istio/istiod -n istio-system --wait
    
  5. Verify the Istio discovery chart installation:

    $ helm ls -n istio-system
    NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART         APP VERSION
    istio-base istio-system 1        ... ... ... ... deployed base-1.16.1   1.16.1
    istiod     istio-system 1        ... ... ... ... deployed istiod-1.16.1 1.16.1
    
  6. Get the status of the installed helm chart to ensure it is deployed:

    $ helm status istiod -n istio-system
    NAME: istiod
    LAST DEPLOYED: Fri Jan 20 22:00:44 2023
    NAMESPACE: istio-system
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    "istiod" successfully installed!
    
    To learn more about the release, try:
      $ helm status istiod
      $ helm get all istiod
    
    Next steps:
      * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
      * Try out our tasks to get started on common configurations:
        * https://istio.io/latest/docs/tasks/traffic-management
        * https://istio.io/latest/docs/tasks/security/
        * https://istio.io/latest/docs/tasks/policy-enforcement/
        * https://istio.io/latest/docs/tasks/policy-enforcement/
      * Review the list of actively supported releases, CVE publications and our hardening guide:
        * https://istio.io/latest/docs/releases/supported-releases/
        * https://istio.io/latest/news/security/
        * https://istio.io/latest/docs/ops/best-practices/security/
    
    For further documentation see https://istio.io website
    
    Tell us how your install/upgrade experience went at https://forms.gle/99uiMML96AmsXY5d6
    
  7. Check istiod service is successfully installed and its pods are running:

    $ kubectl get deployments -n istio-system --output wide
    NAME     READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                         SELECTOR
    istiod   1/1     1            1           10m   discovery    docker.io/istio/pilot:1.16.1   istio=pilot
    
  8. (Optional) Install an ingress gateway:

    $ kubectl create namespace istio-ingress
    $ helm install istio-ingress istio/gateway -n istio-ingress --wait
    

    See Installing Gateways for in-depth documentation on gateway installation.

Updating your Istio configuration

You can provide override settings specific to any Istio Helm chart used above and follow the Helm upgrade workflow to customize your Istio mesh installation. The available configurable options can be found by using helm show values istio/<chart>; for example helm show values istio/gateway.

Migrating from non-Helm installations

If you’re migrating from a version of Istio installed using istioctl or Operator to Helm (Istio 1.5 or earlier), you need to delete your current Istio control plane resources and re-install Istio using Helm as described above. When deleting your current Istio installation, you must not remove the Istio Custom Resource Definitions (CRDs) as that can lead to loss of your custom Istio resources.

You can follow steps mentioned in the Istioctl uninstall guide or Operator uninstall guide depending upon your installation method.

Uninstall

You can uninstall Istio and its components by uninstalling the charts installed above.

  1. List all the Istio charts installed in istio-system namespace:

    $ helm ls -n istio-system
    NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART        APP VERSION
    istio-base istio-system 1        ... ... ... ... deployed base-1.0.0   1.0.0
    istiod     istio-system 1        ... ... ... ... deployed istiod-1.0.0 1.0.0
    
  2. (Optional) Delete any Istio gateway chart installations:

    $ helm delete istio-ingress -n istio-ingress
    $ kubectl delete namespace istio-ingress
    
  3. Delete Istio discovery chart:

    $ helm delete istiod -n istio-system
    
  4. Delete Istio base chart:

    $ helm delete istio-base -n istio-system
    
  5. Delete the istio-system namespace:

    $ kubectl delete namespace istio-system
    

Uninstall stable revision label resources

If you decide to continue using the old control plane, instead of completing the update, you can uninstall the newer revision and its tag by first issuing helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={prod-canary} --set revision=canary -n istio-system | kubectl delete -f -. You must them uninstall the revision of Istio that it pointed to by following the uninstall procedure above.

If you installed the gateway(s) for this revision using in-place upgrades, you must also reinstall the gateway(s) for the previous revision manually, Removing the previous revision and its tags will not automatically revert the previously in-place upgraded gateway(s).

(Optional) Deleting CRDs installed by Istio

Deleting CRDs permanently removes any Istio resources you have created in your cluster. To permanently delete Istio CRDs installed in your cluster:

$ kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!