Add ambient helm installation guide (#13871)

* Add helm installation guide to ambient

* fix lint

* fix lint

* fix lint again

* fix lint again

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* revise based on comments and ambient values

* make commands consistent

* try text import with lint

* revise to link to files

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com>

* add prerequisite

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* Update content/en/docs/ops/ambient/helm-installation/index.md

Co-authored-by: Daniel Hawton <daniel@hawton.org>

* add verifying with sample, and uninstall parts

* fix lint

* fix lint

* add snips

* add tests

* try to fix lint...

* change test order

* try deploy cni to istio-system to pass test

* revise based on dhawton's comments

* lint

* try verify after installation

* revise test again

* make gen

* lint

* revise revision section back

* move directory

* make gen

* revise test order

* fix tests

* fix lint

* update test

* Update content/en/docs/ops/ambient/usage/helm-installation/index.md

Co-authored-by: Faseela K <k.faseela@gmail.com>

* Update content/en/docs/ops/ambient/usage/helm-installation/index.md

Co-authored-by: Faseela K <k.faseela@gmail.com>

* revise based on comments

* make gen

* fix lint

* Update content/en/docs/ops/ambient/install/helm-installation/index.md

Co-authored-by: Faseela K <k.faseela@gmail.com>

* Update index.md

* make gen

---------

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com>
Co-authored-by: Daniel Hawton <daniel@hawton.org>
Co-authored-by: Faseela K <k.faseela@gmail.com>

content/en/docs/ops/ambient/install/_index.md

@@ -2,8 +2,6 @@
 title: Installation Guide
 description: Installation guide for Istio Ambient mesh.
 weight: 2
-owner: istio/wg-networking-maintainers
-test: no
+owner: istio/wg-environment-maintainers
+test: n/a
 ---
--
-- This page is under construction.

content/en/docs/ops/ambient/install/helm-installation/index.md

@@ -0,0 +1,165 @@
+---
+title: Install with Helm
+description: How to install Ambient Mesh with Helm.
+weight: 4
+owner: istio/wg-environments-maintainers
+test: yes
+---
+
+This guide shows you how to install ambient mesh with Helm.
+Besides the demo in [Getting Started with Ambient Mesh](/docs/ops/ambient/getting-started/),
+we **encourage** you to follow this guide to install ambient mesh.
+Helm helps you manage components separately, and you can easily upgrade the components to the latest version.
+
+## Prerequisites
+
+1. Perform any necessary [platform-specific setup](/docs/setup/platform-setup/).
+
+1. Check the [Requirements for Pods and Services](/docs/ops/deployment/requirements/).
+
+1. [Install the Helm client](https://helm.sh/docs/intro/install/), version 3.6 or above.
+
+1. Configure the Helm repository:
+
+    {{< text syntax=bash snip_id=configure_helm >}}
+    $ helm repo add istio https://istio-release.storage.googleapis.com/charts
+    $ helm repo update
+    {{< /text >}}
+
+*See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation.*
+
+## Installing the Components
+
+### Installing the base Component
+
+The `base` chart contains the basic CRDs and cluster roles required to set up Istio.
+This should be installed prior to any other Istio component.
+
+{{< text syntax=bash snip_id=install_base >}}
+$ helm install istio-base istio/base -n istio-system --create-namespace
+{{< /text >}}
+
+### Installing the CNI Component
+
+The **CNI** chart installs the Istio CNI Plugin. It is responsible for detecting the pods that belong to the ambient mesh,
+and configuring the traffic redirection between the ztunnel DaemonSet, which will be installed later.
+
+{{< text syntax=bash snip_id=install_cni >}}
+$ helm install istio-cni istio/cni -n istio-system \
+  -f @manifests/charts/istio-cni/ambient-values.yaml@
+{{< /text >}}
+
+### Installing the discovery Component
+
+The `istiod` chart installs a revision of Istiod. Istiod is the control plane component that manages and
+configures the proxies to route traffic within the mesh.
+
+{{< text syntax=bash snip_id=install_discovery >}}
+$ helm install istiod istio/istiod --namespace istio-system \
+  -f @manifests/charts/istio-control/istio-discovery/ambient-values.yaml@
+{{< /text >}}
+
+### Installing the ztunnel component
+
+The `ztunnel` chart installs the ztunnel DaemonSet, which is the node-proxy component of ambient.
+
+{{< text syntax=bash snip_id=install_ztunnel >}}
+$ helm install ztunnel istio/ztunnel -n istio-system
+{{< /text >}}
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+{{< text syntax=bash >}}
+$ helm show values istio/istiod
+{{< /text >}}
+
+## Verifying the Installation
+
+### Verifying the workload status
+
+After installing all the components, you can check the Helm deployment status with:
+
+{{< text syntax=bash snip_id=show_components >}}
+$ helm list -n istio-system
+{{< /text >}}
+
+You can check the status of the deployed pods with:
+
+{{< text syntax=bash snip_id=check_pods >}}
+$ kubectl get pods -n istio-system
+{{< /text >}}
+
+### Verifying with the Sample Application
+
+After installing ambient with Helm, you can follow
+[Deploy the sample application](/docs/ops/ambient/getting-started/#bookinfo)
+guide to deploy the sample application and ingress gateways, and then you can
+[add your application to ambient](/docs/ops/ambient/getting-started/#addtoambient).
+
+## Uninstall
+
+You can uninstall Istio and its components by uninstalling the charts
+installed above.
+
+1. List all the Istio charts installed in `istio-system` namespace:
+
+    {{< text syntax=bash >}}
+    $ helm ls -n istio-system
+    NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART        APP VERSION
+    istio-base istio-system 1        ... ... ... ... deployed base-1.0.0   1.0.0
+    istiod     istio-system 1        ... ... ... ... deployed istiod-1.0.0 1.0.0
+    {{< /text >}}
+
+1. (Optional) Delete any Istio gateway chart installations:
+
+    {{< text syntax=bash >}}
+    $ helm delete istio-ingress -n istio-ingress
+    $ kubectl delete namespace istio-ingress
+    {{< /text >}}
+
+1. Delete Istio CNI chart:
+
+    {{< text syntax=bash snip_id=delete_cni >}}
+    $ helm delete istio-cni -n istio-system
+    {{< /text >}}
+
+1. Delete Istio ztunnel chart:
+
+    {{< text syntax=bash snip_id=delete_ztunnel >}}
+    $ helm delete ztunnel -n istio-system
+    {{< /text >}}
+
+1. Delete Istio discovery chart:
+
+    {{< text syntax=bash snip_id=delete_discovery >}}
+    $ helm delete istiod -n istio-system
+    {{< /text >}}
+
+1. Delete Istio base chart:
+
+    {{< tip >}}
+    By design, deleting a chart via Helm doesn't delete the installed Custom
+    Resource Definitions (CRDs) installed via the chart.
+    {{< /tip >}}
+
+    {{< text syntax=bash snip_id=delete_base >}}
+    $ helm delete istio-base -n istio-system
+    {{< /text >}}
+
+1. Delete CRDs Installed by Istio (Optional)
+
+    {{< warning >}}
+    This will delete all created Istio resources.
+    {{< /warning >}}
+
+    {{< text syntax=bash >}}
+    $ kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete
+    {{< /text >}}
+
+1. Delete the `istio-system` namespace:
+
+    {{< text syntax=bash snip_id=delete_system_namespace >}}
+    $ kubectl delete namespace istio-system
+    {{< /text >}}

content/en/docs/ops/ambient/install/helm-installation/snips.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/ops/ambient/install/helm-installation/index.md
+####################################################################################################
+
+snip_configure_helm() {
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+}
+
+snip_install_base() {
+helm install istio-base istio/base -n istio-system --create-namespace
+}
+
+snip_install_cni() {
+helm install istio-cni istio/cni -n istio-system \
+  -f manifests/charts/istio-cni/ambient-values.yaml
+}
+
+snip_install_discovery() {
+helm install istiod istio/istiod --namespace istio-system \
+  -f manifests/charts/istio-control/istio-discovery/ambient-values.yaml
+}
+
+snip_install_ztunnel() {
+helm install ztunnel istio/ztunnel -n istio-system
+}
+
+snip_configuration_1() {
+helm show values istio/istiod
+}
+
+snip_show_components() {
+helm list -n istio-system
+}
+
+snip_check_pods() {
+kubectl get pods -n istio-system
+}
+
+snip_uninstall_1() {
+helm ls -n istio-system
+}
+
+! read -r -d '' snip_uninstall_1_out <<\ENDSNIP
+NAME       NAMESPACE    REVISION UPDATED         STATUS   CHART        APP VERSION
+istio-base istio-system 1        ... ... ... ... deployed base-1.0.0   1.0.0
+istiod     istio-system 1        ... ... ... ... deployed istiod-1.0.0 1.0.0
+ENDSNIP
+
+snip_uninstall_2() {
+helm delete istio-ingress -n istio-ingress
+kubectl delete namespace istio-ingress
+}
+
+snip_delete_cni() {
+helm delete istio-cni -n istio-system
+}
+
+snip_delete_ztunnel() {
+helm delete ztunnel -n istio-system
+}
+
+snip_delete_discovery() {
+helm delete istiod -n istio-system
+}
+
+snip_delete_base() {
+helm delete istio-base -n istio-system
+}
+
+snip_uninstall_7() {
+kubectl get crd -oname | grep --color=never 'istio.io' | xargs kubectl delete
+}
+
+snip_delete_system_namespace() {
+kubectl delete namespace istio-system
+}

content/en/docs/ops/ambient/install/helm-installation/test.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -u
+
+set -o pipefail
+
+# @setup profile=none
+
+snip_configure_helm
+_rewrite_helm_repo snip_install_base
+
+_rewrite_helm_repo snip_install_discovery
+_wait_for_deployment istio-system istiod
+
+_rewrite_helm_repo snip_install_cni
+_wait_for_daemonset istio-system istio-cni-node
+
+_rewrite_helm_repo snip_install_ztunnel
+_wait_for_daemonset istio-system ztunnel
+
+# shellcheck disable=SC2154
+_verify_contains snip_check_pods "istiod"
+_verify_contains snip_check_pods "istio-cni-node"
+_verify_contains snip_check_pods "ztunnel"
+
+# @cleanup
+snip_delete_cni
+snip_delete_ztunnel
+snip_delete_discovery
+snip_delete_base
+snip_delete_system_namespace

content/en/docs/ops/ambient/usage/ztunnel/index.md

@@ -61,7 +61,7 @@ Ztunnel proxies are automatically installed when one of the supported installati
 
 The examples in this guide used a deployment of Istio version `1.19.0` on a `kind` cluster of version `0.20.0` running Kubernetes version `1.27.3`.
 
-The minimum Istio version needed for ambient functions is 1.18.0 and the minimum Kubernetes version needed is `1.24.0`. The examples below require a cluster with more than 1 worker node in order to explain how cross-node traffic operates. Refer to the [installation user guide](/docs/ops/ambient/usage/install/) or [getting started guide](/docs/ops/ambient/getting-started/) for information on installing Istio in ambient mode on a Kubernetes cluster.
+The minimum Istio version needed for ambient functions is 1.18.0 and the minimum Kubernetes version needed is `1.24.0`. The examples below require a cluster with more than 1 worker node in order to explain how cross-node traffic operates. Refer to the [installation user guide](/docs/ops/ambient/install/) or [getting started guide](/docs/ops/ambient/getting-started/) for information on installing Istio in ambient mode on a Kubernetes cluster.
 
 ## Functional Overview {#functionaloverview}