Customizable Install with Helm

6 minute read

Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use.

This installation guide uses Helm charts that provide rich customization of the Istio control plane and of the sidecars for the Istio data plane. You can simply use helm template to generate the configuration and then install it using kubectl apply, or you can choose to use helm install and let Tiller completely manage the installation.

Using these instructions, you can select any one of Istio’s built-in configuration profiles and then further customize the configuration for your specific needs.

Prerequisites

Download the Istio release.
Perform any necessary platform-specific setup.
Check the Requirements for Pods and Services.
Install a Helm client with a version higher than 2.10.

Helm chart release repositories

The commands in this guide use the Helm charts that are included in the Istio release image. If you want to use the Istio release Helm chart repository instead, adjust the commands accordingly and add the Istio release repository as follows:

$ helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.3.5/charts/

Installation steps

Change directory to the root of the release and then choose one of the following two mutually exclusive options:

To deploy Istio without using Tiller, follow the instructions for option 1.
To use Helm’s Tiller pod to manage your Istio release, follow the instructions for option 2.

Option 1: Install with Helm via `helm template`

Choose this option if your cluster doesn’t have Tiller deployed and you don’t want to install it.

Create a namespace for the istio-system components:
```
$ kubectl create namespace istio-system
```
Install all the Istio Custom Resource Definitions (CRDs) using kubectl apply, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
```
$ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
```
Verify that all 23 Istio CRDs were committed to the Kubernetes api-server using the following command:
```
$ kubectl get crds | grep 'istio.io' | wc -l
23
```
Select a configuration profile and then render and apply Istio’s core components corresponding to your chosen profile. The default profile is recommended for production deployments:
You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f -

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f -

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml | kubectl apply -f -

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl apply -f -

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f -

Install the Istio CNI components:

$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl apply -f -

Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set istio_cni.enabled=true | kubectl apply -f -

Option 2: Install with Helm and Tiller via `helm install`

This option allows Helm and Tiller to manage the lifecycle of Istio.

Make sure you have a service account with the cluster-admin role defined for Tiller. If not already defined, create one using following command:
Zip
```
$ kubectl apply -f @install/kubernetes/helm/helm-service-account.yaml@
```
Install Tiller on your cluster with the service account:
```
$ helm init --service-account tiller
```

Install the istio-init chart to bootstrap all the Istio’s CRDs:

$ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system

Verify that all 23 Istio CRDs were committed to the Kubernetes api-server using the following command:
```
$ kubectl get crds | grep 'istio.io' | wc -l
23
```
Select a configuration profile and then install the istio chart corresponding to your chosen profile. The default profile is recommended for production deployments:
You can further customize the configuration by adding one or more --set <key>=<value> Installation Options to the helm command.

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo.yaml

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-minimal.yaml

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml

Install the Istio CNI chart:

$ helm install install/kubernetes/helm/istio-cni --name istio-cni --namespace kube-system

Enable CNI in Istio by setting --set istio_cni.enabled=true in addition to the settings for your chosen profile. For example, to configure the default profile:

$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set istio_cni.enabled=true

Verifying the installation

Referring to components table in configuration profiles, verify that the Kubernetes services corresponding to your selected profile have been deployed.
```
$ kubectl get svc -n istio-system
```
Ensure the corresponding Kubernetes pods are deployed and have a STATUS of Running:
```
$ kubectl get pods -n istio-system
```

Uninstall

If you installed Istio using the helm template command, uninstall with these commands:

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl delete -f -
$ kubectl delete namespace istio-system

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system

$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set istio_cni.enabled=true | kubectl delete -f -

$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system | kubectl delete -f -

If you installed Istio using Helm and Tiller, uninstall with these commands:

$ helm delete --purge istio
$ helm delete --purge istio-init
$ helm delete --purge istio-cni
$ kubectl delete namespace istio-system

Deleting CRDs and Istio Configuration

Istio, by design, expects Istio’s Custom Resources contained within CRDs to leak into the Kubernetes environment. CRDs contain the runtime configuration set by the operator. Because of this, we consider it better for operators to explicitly delete the runtime configuration data rather than unexpectedly lose it.

The istio-init chart contains all raw CRDs in the istio-init/files directory. You can simply delete the CRDs using kubectl. To permanently delete Istio’s CRDs and the entire Istio configuration, run:

$ kubectl delete -f install/kubernetes/helm/istio-init/files