Update Helm Documentation (#1168)

* Modify minimum pin of Istio version with Helm and improve prereqs

* Add section describing briefly how to use helm without tiller

* Change heading description for Helm method and add upgrade warning

* Make common customization options table match current master

* Subsection the two methods for installing with Helm

* Remove Helm keys from .spelling.  Add FQDNs as an acronym.

* Backtick the keys and defaults, values.yaml, and fix 1 spelling error

* Add uninstall instructions for both kubectl and helm with tiller

* Place backticks around architecture platforms and correctly list them

* Show both uninstall methods (kubectl & Helm)

* Remove two extra CRs

* Fix yaml linting errors

* Link to requirements for automatic sidecar injection.

* Change istio-auth to istio for rendering

* Address reviewer comments.

* Fix linting error.

* Notify operator they need capability to install service accounts.

* Fix lint error

.spelling

@@ -53,6 +53,7 @@ ExecAction
 Exfiltrating
 ExternalName
 Fluentd
+FQDNs
 GATEWAY_URL
 GCP-IAM
 GCP_OPTS
@@ -259,24 +260,6 @@ gcloud
 gdb
 getPetsById
 git
-global.hyperkube.hub
-global.hyperkube.tag
-global.ingress.nodeport_port
-global.ingress.use_nodeport
-global.initializer.enabled
-global.mixer.enabled
-global.mixer.hub
-global.mixer.tag
-global.namespace
-global.pilot.enabled
-global.pilot.hub
-global.pilot.tag
-global.proxy.debug
-global.proxy.hub
-global.proxy.tag
-global.security.enabled
-global.security.hub
-global.security.tag
 golang
 googleapis.com
 googlegroups.com

_docs/setup/kubernetes/helm-install.md

@@ -14,15 +14,47 @@ type: markdown
 
 Quick start instructions for the setup and configuration of Istio using the Helm package manager.
 
-* Installation with Helm prior to Istio 0.7 is unstable and not recommended.*
+<img src="{{home}}/img/exclamation-mark.svg" alt="Warning" title="Warning" style="width: 32px; display:inline" />
+Installation of Istio prior to version 0.8.0 with Helm is unstable and not recommended.
 
 ## Prerequisites
 
-The following instructions require you have access to Helm **2.7.2 or newer** in your Kubernetes environment or
-alternately the ability to modify RBAC rules required to install Helm.  Additionally Kubernetes **1.7.3 or newer**
-is also required.
+* Kubernetes **1.7.3 or newer** is required.
+* Helm **2.7.2 or newer** is required.
+* If you want to manage Istio releases with [Tiller](https://github.com/kubernetes/helm#helm-in-a-handbasket),
+the capability to install service accounts is required.
+* Using [automatic sidecar injection]({{home}}/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection) describes Kubernetes environmental requirements.
 
-## Deploy with Helm
+## Deploy Istio using Helm
+
+There are two techniques for using Helm to deploy Istio.  The first
+technique is to use `helm template` to render a manifest and use `kubectl`
+to create it.
+
+The second technique uses Helm's Tiller service to manage the lifecycle
+of Istio.
+
+### Render Kubernetes manifest with Helm and deploy with kubectl
+
+This is the most heavily tested method of deploying Istio.  During the
+continuous integration automated testing and release process, the
+`helm` binary in `template` mode is used to render the various manifests
+produced for Istio.
+
+1. Create an `istio.yaml` Kubernetes manifest:
+   ```bash
+   helm template install/kubernetes/helm/istio --name istio --set prometheus.enabled=true > $HOME/istio.yaml
+   ```
+
+1. Create the Istio control plane from `istio.yaml` manifest:
+   ```bash
+   kubectl create -f $HOME/istio.yaml
+   ```
+
+### Alternatively, use Helm and Tiller to manage the Istio deployment
+
+<img src="{{home}}/img/exclamation-mark.svg" alt="Warning" title="Warning" style="width: 32px; display:inline" />
+Upgrading Istio using Helm is not validated.
 
 1. If a service account has not already been installed for Helm, please install one:
    ```bash
@@ -48,31 +80,35 @@ may be used in the same Helm operation.
 Helm charts expose configuration options which are currently in alpha.  The currently exposed options are explained in the
 following table:
 
-| Helm Variable                | Possible Values    | Default Value              | Purpose of Key                                 |
-|------------------------------|--------------------|----------------------------|------------------------------------------------|
-| global.namespace             | any Kubernetes ns  | istio-system               | Specifies the namespace for Istio              |
-| global.initializer.enabled   | true/false         | true                       | Specifies whether to use the Initializer       |
-| global.proxy.hub             | registry+namespace | release registry/namespace | Specifies the HUB for the proxy image          |
-| global.proxy.tag             | image tag          | release unique hash        | Specifies the TAG for the proxy image          |
-| global.proxy.debug           | true/false         | false                      | Specifies whether proxy is run in debug mode   |
-| global.pilot.hub             | registry+namespace | release registry/namespace | Specifies the HUB for the pilot image          |
-| global.pilot.tag             | image tag          | release unique hash        | Specifies the TAG for the pilot image          |
-| global.pilot.enabled         | true/false         | true                       | Specifies whether pilot is enabled/disabled    |
-| global.security.hub          | registry+namespace | release registry/namespace | Specifies the HUB for the ca image             |
-| global.security.tag          | image tag          | release unique hash        | Specifies the TAG for the ca image             |
-| global.security.enabled      | true/false         | false                      | Specifies whether security is enabled/disabled |
-| global.mixer.hub             | registry+namespace | release registry/namespace | Specifies the HUB for the mixer image          |
-| global.mixer.tag             | image tag          | release unique hash        | Specifies the TAG for the mixer image          |
-| global.mixer.enabled         | true/false         | true                       | Specifies whether mixer is enabled/disabled    |
-| global.hyperkube.hub         | registry+namespace | quay.io/coreos/hyperkube   | Specifies the HUB for the hyperkube image      |
-| global.hyperkube.tag         | image tag          | v1.7.6_coreos.0            | Specifies the TAG for the hyperkube image      |
-| global.ingress.use_nodeport  | true/false         | false                      | Specifies whether to use nodeport or LB        |
-| global.ingress.nodeport_port | 32000-32767        | 32000                      | If nodeport is used, specifies its port        |
+| Parameter | Description | Values | Default |
+| --- | --- | --- | --- |
+| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istionightly` |
+| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `circleci-nightly` |
+| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxy` |
+| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
+| `global.securityEnabled` | Specifies whether Istio CA should be installed | true/false | `true` |
+| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
+| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
+| `global.mtls.mtlsExcludedServices` | List of FQDNs to exclude from mTLS | a list of FQDNs | `- kubernetes.default.svc.cluster.local` |
+| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
+| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` |
+| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
+| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
+| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
 
-## Uninstalling
+> The Helm chart also offers significant customization options per individual
+service.  Customize these per-service options at your own risk.
+The per-service options are exposed via the
+[`values.yaml` file](https://raw.githubusercontent.com/istio/istio/master/install/kubernetes/helm/istio/values.yaml).
 
-* Uninstall Istio:
+## Uninstall Istio
 
-  ```bash
-  helm delete --purge istio
-  ```
+* Uninstall using kubectl:
+```bash
+kubectl delete -f $HOME/istio.yaml
+```
+
+* Uninstall using Helm:
+```bash
+helm delete --purge istio
+```