Advanced Helm Chart Customization
Prerequisites
Before you begin, check the following prerequisites:
- Download the Istio release.
- Perform any necessary platform-specific setup.
- Check the Requirements for Pods and Services.
- Familiarity with using Helm to install Istio.
- A Helm version that supports post-rendering (>= 3.1).
- kubectl or kustomize.
Advanced Helm Chart Customization
Istio’s Helm chart tries to incorporate most of the attributes users need for their specific requirements. However, it does not expose every Kubernetes value you may want to tweak, and it is not practical for it to do so. This document demonstrates a method for advanced Helm chart customization that does not require directly modifying Istio’s Helm chart.
Using Helm with kustomize to post-render Istio charts
Using the Helm post-renderer capability, you can tweak the installation manifests to meet your requirements easily. Post-rendering gives the flexibility to manipulate, configure, and/or validate rendered manifests before they are installed by Helm. This enables users with advanced configuration needs to use tools like Kustomize to apply configuration changes without the need for any additional support from the original chart maintainers.
Adding a value to an already existing chart
In this example, we will add a sysctl value to Istio’s ingress-gateway deployment. We are going to:
- Create a sysctl deployment customization patch template.
- Apply the patch using Helm post-rendering.
- Verify that the sysctl patch was correctly applied to the pods.
Create the Kustomization
First, we create a sysctl patch file, adding a securityContext to the ingress-gateway pod with the additional attribute:
$ cat > sysctl-ingress-gw-customization.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingress
  namespace: istio-ingress
spec:
  template:
    spec:
      securityContext:
        sysctls:
        - name: net.netfilter.nf_conntrack_tcp_timeout_close_wait
          value: "10"
EOF
The shell script below bridges the gap between the Helm post-renderer and Kustomize, as the former works with stdin/stdout and the latter works with files.
$ cat > kustomize.sh <<EOF
#!/bin/sh
cat > base.yaml
exec kubectl kustomize # you can also use "kustomize build ." if you have it installed.
EOF
$ chmod +x ./kustomize.sh
Finally, let us create the kustomization yaml file, which is the input for kustomize with the set of resources and associated customization details.
$ cat > kustomization.yaml <<EOF
resources:
- base.yaml
patchesStrategicMerge:
- sysctl-ingress-gw-customization.yaml
EOF
Apply the Kustomization
Now that the Kustomization file is ready, let us use Helm to make sure this gets applied properly.
Add the Helm repository for Istio
$ helm repo add istio https://istio-release.storage.googleapis.com/charts
$ helm repo update
Render and Verify using Helm Template
We can use the Helm post-renderer to validate rendered manifests before they are installed by Helm:
$ helm template istio-ingress istio/gateway --namespace istio-ingress --post-renderer ./kustomize.sh | grep -B 2 -A 1 netfilter.nf_conntrack_tcp_timeout_close_wait
In the output, check for the newly added sysctl attribute for the ingress-gateway pod:
      securityContext:
        sysctls:
        - name: net.netfilter.nf_conntrack_tcp_timeout_close_wait
          value: "10"
Apply the patch using Helm Post-Renderer
Use the command below to install an Istio ingress-gateway, applying our customization using the Helm post-renderer:
$ kubectl create ns istio-ingress
$ helm upgrade -i istio-ingress istio/gateway --namespace istio-ingress --wait --post-renderer ./kustomize.sh
Verify the Kustomization
Examine the ingress-gateway deployment. You will see the newly added sysctl value:
$ kubectl -n istio-ingress get deployment istio-ingress -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  …
  name: istio-ingress
  namespace: istio-ingress
spec:
  template:
    metadata:
      …
    spec:
      securityContext:
        sysctls:
        - name: net.netfilter.nf_conntrack_tcp_timeout_close_wait
          value: "10"
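The kustomize.sh wrapper above hands whatever Kustomize produces straight back to Helm. As an added example (not part of the Istio documentation), the variant below also validates the result, relying on the fact that Helm aborts when the post-renderer exits non-zero. The allowlist `ALLOWED_SYSCTLS`, the `RENDER_CMD` override and the file name `validate-kustomize.sh` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Istio's own script. ALLOWED_SYSCTLS, RENDER_CMD and the
# file name validate-kustomize.sh are assumptions made for this illustration.
ALLOWED_SYSCTLS="${ALLOWED_SYSCTLS:-net.netfilter.nf_conntrack_tcp_timeout_close_wait}"

# Print each sysctl name listed under a "sysctls:" key in the YAML on stdin.
list_sysctls() {
  awk '
    /^[ \t]*sysctls:[ \t]*$/ { in_list = 1; base = match($0, /[^ ]/); next }
    in_list {
      ind = match($0, /[^ ]/)
      # The list ends at a shallower line, or a same-depth line that is not "- ...".
      if (ind < base || (ind == base && $0 !~ /^ *-/)) in_list = 0
      else if ($0 ~ /^ *(- +)?name:/) { sub(/^.*name:[ \t]*/, ""); gsub(/"/, ""); print }
    }'
}

# Return 0 only if every sysctl in the manifest on stdin is on the allowlist.
check_sysctls() {
  rc=0
  for s in $(list_sysctls); do
    case " $ALLOWED_SYSCTLS " in
      *" $s "*) ;;
      *) echo "post-render check: sysctl not allowed: $s" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Post-renderer contract: manifests arrive on stdin, the result goes to stdout,
# and a non-zero exit makes Helm abort. RENDER_CMD defaults to the page's command.
post_render() {
  tmp=$(mktemp) || return 1
  cat > base.yaml
  ${RENDER_CMD:-kubectl kustomize} > "$tmp" || { rm -f "$tmp"; return 1; }
  check_sysctls < "$tmp" && cat "$tmp"; ret=$?
  rm -f "$tmp"
  return "$ret"
}

# Act as the post-renderer only when executed under the assumed file name.
case "$0" in
  *validate-kustomize.sh) post_render ;;
esac
```

Saved as `validate-kustomize.sh` next to `kustomization.yaml`, it can be passed to `--post-renderer` in place of `./kustomize.sh`.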
Additional Information
For further detailed information about the concepts and techniques described in this document, please refer to: