Install with Helm
Follow this guide to install and configure an Istio mesh using Helm.
The Helm charts used in this guide are the same underlying charts used when installing Istio via Istioctl or the Operator.Prerequisites
Perform any necessary platform-specific setup.
Check the Requirements for Pods and Services.
Install the Helm client, version 3.6 or above.
Configure the Helm repository:
$ helm repo add istio https://istio-release.storage.googleapis.com/charts
$ helm repo update
Installation steps
This section describes the procedure to install Istio using Helm. The general syntax for helm installation is:
$ helm install <release> <chart> --namespace <namespace> --create-namespace [--set <other_parameters>]
The variables specified in the command are as follows:
<chart>
A path to a packaged chart, a path to an unpacked chart directory or a URL.<release>
A name to identify and manage the Helm chart once installed.<namespace>
The namespace in which the chart is to be installed.
Default configuration values can be changed using one or more --set <parameter>=<value>
arguments. Alternatively, you can specify several parameters in a custom values file using the --values <file>
argument.
Create the namespace,
istio-system
, for the Istio components:$ kubectl create namespace istio-system
Install the Istio base chart which contains cluster-wide Custom Resource Definitions (CRDs) which must be installed prior to the deployment of the Istio control plane:
$ helm install istio-base istio/base -n istio-system
Validate the CRD installation with the
helm ls
command:$ helm ls -n istio-system NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION istio-base istio-system 1 ... ... ... ... deployed base-1.16.1 1.16.1
In the output locate the entry for
istio-base
and make sure the status is set todeployed
.Install the Istio discovery chart which deploys the
istiod
service:$ helm install istiod istio/istiod -n istio-system --wait
Verify the Istio discovery chart installation:
$ helm ls -n istio-system NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION istio-base istio-system 1 ... ... ... ... deployed base-1.16.1 1.16.1 istiod istio-system 1 ... ... ... ... deployed istiod-1.16.1 1.16.1
Get the status of the installed helm chart to ensure it is deployed:
$ helm status istiod -n istio-system NAME: istiod LAST DEPLOYED: Fri Jan 20 22:00:44 2023 NAMESPACE: istio-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: "istiod" successfully installed! To learn more about the release, try: $ helm status istiod $ helm get all istiod Next steps: * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ * Try out our tasks to get started on common configurations: * https://istio.io/latest/docs/tasks/traffic-management * https://istio.io/latest/docs/tasks/security/ * https://istio.io/latest/docs/tasks/policy-enforcement/ * https://istio.io/latest/docs/tasks/policy-enforcement/ * Review the list of actively supported releases, CVE publications and our hardening guide: * https://istio.io/latest/docs/releases/supported-releases/ * https://istio.io/latest/news/security/ * https://istio.io/latest/docs/ops/best-practices/security/ For further documentation see https://istio.io website Tell us how your install/upgrade experience went at https://forms.gle/99uiMML96AmsXY5d6
Check
istiod
service is successfully installed and its pods are running:$ kubectl get deployments -n istio-system --output wide NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.16.1 istio=pilot
(Optional) Install an ingress gateway:
$ kubectl create namespace istio-ingress $ helm install istio-ingress istio/gateway -n istio-ingress --wait
See Installing Gateways for in-depth documentation on gateway installation.
Updating your Istio configuration
You can provide override settings specific to any Istio Helm chart used above
and follow the Helm upgrade workflow to customize your Istio mesh installation.
The available configurable options can be found by using helm show values istio/<chart>
;
for example helm show values istio/gateway
.
Migrating from non-Helm installations
If you’re migrating from a version of Istio installed using istioctl
or
Operator to Helm (Istio 1.5 or earlier), you need to delete your current Istio
control plane resources and re-install Istio using Helm as described above. When
deleting your current Istio installation, you must not remove the Istio Custom Resource
Definitions (CRDs) as that can lead to loss of your custom Istio resources.
You can follow steps mentioned in the Istioctl uninstall guide or Operator uninstall guide depending upon your installation method.
Uninstall
You can uninstall Istio and its components by uninstalling the charts installed above.
List all the Istio charts installed in
istio-system
namespace:$ helm ls -n istio-system NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION istio-base istio-system 1 ... ... ... ... deployed base-1.0.0 1.0.0 istiod istio-system 1 ... ... ... ... deployed istiod-1.0.0 1.0.0
(Optional) Delete any Istio gateway chart installations:
$ helm delete istio-ingress -n istio-ingress $ kubectl delete namespace istio-ingress
Delete Istio discovery chart:
$ helm delete istiod -n istio-system
Delete Istio base chart:
$ helm delete istio-base -n istio-system
Delete the
istio-system
namespace:$ kubectl delete namespace istio-system
Uninstall stable revision label resources
If you decide to continue using the old control plane, instead of completing the update,
you can uninstall the newer revision and its tag by first issuing
helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags={prod-canary} --set revision=canary -n istio-system | kubectl delete -f -
.
You must them uninstall the revision of Istio that it pointed to by following the uninstall procedure above.
If you installed the gateway(s) for this revision using in-place upgrades, you must also reinstall the gateway(s) for the previous revision manually, Removing the previous revision and its tags will not automatically revert the previously in-place upgraded gateway(s).
(Optional) Deleting CRDs installed by Istio
Deleting CRDs permanently removes any Istio resources you have created in your cluster. To permanently delete Istio CRDs installed in your cluster:
$ kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete