Change multicluster and CNI instructions to use istioctl (#5273)

* Change multicluster and CNI instructions to use istioctl * Lint * Lint * Update content/en/docs/setup/additional-setup/cni/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/additional-setup/cni/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/additional-setup/cni/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/shared-gateways/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/gateways/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/shared-vpn/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/shared-vpn/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/gateways/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com> * Update content/en/docs/setup/install/multicluster/shared-vpn/index.md Co-Authored-By: Frank Budinsky <frankb@ca.ibm.com>
2019-10-28 20:07:34 -07:00 · 2019-10-28 20:07:34 -07:00 · c6bba52018
parent c1aa9858ab
commit c6bba52018
4 changed files with 95 additions and 216 deletions
--- a/content/en/docs/setup/additional-setup/cni/index.md
+++ b/content/en/docs/setup/additional-setup/cni/index.md
@ -47,15 +47,15 @@ replaces the functionality provided by the `istio-init` container.
 1.  Determine the Kubernetes environment's CNI plugin `--cni-bin-dir` and `--cni-conf-dir` settings.
    Refer to [Hosted Kubernetes settings](#hosted-kubernetes-settings) for any non-default settings required.

-1.  Install Istio CNI and Istio using Helm.
-    Refer to the [Customizable Install with Helm](/docs/setup/install/helm/#cni) instructions and the
-    **Istio CNI enabled** profile.
-    Pass `--set cniBinDir=...` and/or `--set cniConfDir=...` options when installing `istio-cni` if non-default,
+1.  Install Istio CNI and Istio using `istioctl`.
+    Refer to the [Istio install](/docs/setup/install/kubernetes/) instructions and pass `--set cni.enabled=true`
+    and `--set cni.components.cni.enabled=true` options.
+    Pass `--set values.cni.cniBinDir=...` and/or `--set values.cni.cniConfDir=...` options when installing `istio-cni` if non-default,
    as determined in the previous step.

 ### Helm chart parameters

-The following table shows all the options that the `istio-cni` Helm chart supports:
+The following table shows all the options that the `istio-cni` configuration supports:

 | Option | Values | Default | Description |
 |--------|--------|---------|-------------|
@ -69,6 +69,9 @@ The following table shows all the options that the `istio-cni` Helm chart suppor
 | `cniConfFileName` | | | Leave unset to auto-find the first file in the `cni-conf-dir` (as `kubelet` does).  Primarily used for testing `install-cni` plugin configuration.  If set, `install-cni` will inject the plugin configuration into this file in the `cni-conf-dir`. |
 | `psp_cluster_role` | | | This value refers to a `ClusterRole` and can be used to create a `RoleBinding` in the namespace of `istio-cni`. This is useful if you use [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy) and want to allow `istio-cni` to run as `priviliged` Pods. |

+These options are accessed through `values.cni.<option-name>` in `istioctl manifest` commands, either as a `--set` flag,
+or the corresponding path in a custom overlay file.
+
 ### Excluding specific Kubernetes namespaces

 This example uses Helm to perform the following tasks:
@ -83,12 +86,15 @@ This example uses Helm to perform the following tasks:
 Refer to the [Customizable Install with Helm](/docs/setup/install/helm/#cni) for complete instructions.

 Use the following command to render and apply Istio CNI components and override the default configuration of the
-`istio-cni` Helm chart's `logLevel` and `excludeNamespaces` parameters:
+`logLevel` and `excludeNamespaces` parameters for `istio-cni`:

 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio-cni --name=istio-cni --namespace=kube-system \
-    --set logLevel=info \
-    --set excludeNamespaces={"istio-system,kube-system,foo_ns,bar_ns"} | kubectl apply -f -
+$ istioctl manifest apply \
+    --set <flags you used to install Istio>
+    --set cni.enabled=true \
+    --set cni.components.cni.enabled=true \
+    --set values.cni.logLevel=info \
+    --set values.cni.excludeNamespaces={"istio-system,kube-system,foo_ns,bar_ns"}
 {{< /text >}}

 ### Hosted Kubernetes settings
--- a/content/en/docs/setup/install/multicluster/gateways/index.md
+++ b/content/en/docs/setup/install/multicluster/gateways/index.md
@ -31,7 +31,7 @@ Cross-cluster communication occurs over Istio gateways of the respective cluster

 * Two or more Kubernetes clusters with versions: {{< supported_kubernetes_versions >}}.

-* Authority to deploy the [Istio control plane using Helm](/docs/setup/install/helm/)
+* Authority to [deploy the Istio control plane](/docs/setup/install/operator/)
  on **each** Kubernetes cluster.

 * The IP address of the `istio-ingressgateway` service in each cluster must be accessible
@ -60,16 +60,6 @@ Cross-cluster communication occurs over Istio gateways of the respective cluster
    you would likely use a different CA certificate for each cluster, all signed
    by a common root CA.

-1. Generate a multicluster-gateways Istio configuration file using `helm`:
-
-    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
-        -f @install/kubernetes/helm/istio/example-values/values-istio-multicluster-gateways.yaml@ > $HOME/istio.yaml
-    {{< /text >}}
-
-    For further details and customization options, refer to the
-    [Installation with Helm](/docs/setup/install/helm/) instructions.
-
 1. Run the following commands in **every cluster** to deploy an identical Istio control plane
    configuration in all of them.

@ -100,22 +90,16 @@ Cross-cluster communication occurs over Istio gateways of the respective cluster
            --from-file=@samples/certs/cert-chain.pem@
        {{< /text >}}

-    * Install all the Istio
-    [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
-    (CRDs) using `kubectl apply`:
-
-    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
-    {{< /text >}}
-
-    * {{< boilerplate verify-crds >}}
-
-    * Use the Istio installation yaml file generated in a previous step to install Istio:
+    * Install Istio:

        {{< text bash >}}
-        $ kubectl apply -f $HOME/istio.yaml
+        $ istioctl manifest apply \
+            -f install/kubernetes/operator/examples/multicluster/istio-gateway.yaml
        {{< /text >}}

+    For further details and customization options, refer to the
+    [Installation with Istioctl](/docs/setup/install/kubernetes/) instructions.
+
 ## Setup DNS

 Providing DNS resolution for services in remote clusters will allow
--- a/content/en/docs/setup/install/multicluster/shared-gateways/index.md
+++ b/content/en/docs/setup/install/multicluster/shared-gateways/index.md
@ -29,7 +29,7 @@ No VPN connectivity nor direct network access between workloads in different clu

 * Two or more Kubernetes clusters with versions: {{< supported_kubernetes_versions >}}.

-* Authority to deploy the [Istio control plane using Helm](/docs/setup/install/helm/)
+* Authority to [deploy the Istio control plane](/docs/setup/install/operator/)

 * Two Kubernetes clusters (referred to as `cluster1` and `cluster2`).

@ -51,7 +51,7 @@ This will be used to access pilot on `cluster1` securely using the ingress gatew

 ### Setup cluster 1 (primary)

-1. Use Helm to create the Istio deployment YAML for `cluster1`:
+1. Deploy Istio to `cluster1`:

    {{< warning >}}
    When you enable the additional components necessary for multicluster operation, the resource footprint
@ -62,21 +62,22 @@ This will be used to access pilot on `cluster1` securely using the ingress gatew
    {{< /warning >}}

    {{< text bash >}}
-    $ helm template --name=istio --namespace=istio-system \
-      --set global.mtls.enabled=true \
+    $ kubectl create --context=$CTX_CLUSTER1 ns istio-system
+    $ kubectl create --context=$CTX_CLUSTER1 secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem --from-file=samples/certs/cert-chain.pem
+    $ istioctl manifest apply --context=$CTX_CLUSTER1 \
+      --set values.global.mtls.enabled=true \
      --set security.selfSigned=false \
-      --set global.controlPlaneSecurityEnabled=true \
-      --set global.proxy.accessLogFile="/dev/stdout" \
-      --set global.meshExpansion.enabled=true \
-      --set 'global.meshNetworks.network1.endpoints[0].fromRegistry'=Kubernetes \
-      --set 'global.meshNetworks.network1.gateways[0].address'=0.0.0.0 \
-      --set 'global.meshNetworks.network1.gateways[0].port'=443 \
-      --set gateways.istio-ingressgateway.env.ISTIO_META_NETWORK="network1" \
-      --set global.network="network1" \
-      --set 'global.meshNetworks.network2.endpoints[0].fromRegistry'=n2-k8s-config \
-      --set 'global.meshNetworks.network2.gateways[0].address'=0.0.0.0 \
-      --set 'global.meshNetworks.network2.gateways[0].port'=443 \
-      install/kubernetes/helm/istio > istio-auth.yaml
+      --set values.global.controlPlaneSecurityEnabled=true \
+      --set values.global.proxy.accessLogFile="/dev/stdout" \
+      --set values.global.meshExpansion.enabled=true \
+      --set 'values.global.meshNetworks.network1.endpoints[0].fromRegistry'=Kubernetes \
+      --set 'values.global.meshNetworks.network1.gateways[0].address'=0.0.0.0 \
+      --set 'values.global.meshNetworks.network1.gateways[0].port'=443 \
+      --set values.gateways.istio-ingressgateway.env.ISTIO_META_NETWORK="network1" \
+      --set values.global.network="network1" \
+      --set 'values.global.meshNetworks.network2.endpoints[0].fromRegistry'=n2-k8s-config \
+      --set 'values.global.meshNetworks.network2.gateways[0].address'=0.0.0.0 \
+      --set 'values.global.meshNetworks.network2.gateways[0].port'=443
    {{< /text >}}

    {{< warning >}}
@ -85,15 +86,6 @@ This will be used to access pilot on `cluster1` securely using the ingress gatew
    in the following section.
    {{< /warning >}}

-1. Deploy Istio to `cluster1`:
-
-    {{< text bash >}}
-    $ kubectl create --context=$CTX_CLUSTER1 ns istio-system
-    $ kubectl create --context=$CTX_CLUSTER1 secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem --from-file=samples/certs/cert-chain.pem
-    $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply --context=$CTX_CLUSTER1 -f $i; done
-    $ kubectl apply --context=$CTX_CLUSTER1 -f istio-auth.yaml
-    {{< /text >}}
-
    Wait for the Istio pods on `cluster1` to become ready:

    {{< text bash >}}
@ -194,31 +186,24 @@ This will be used to access pilot on `cluster1` securely using the ingress gatew
    The command fails if the load balancer configuration doesn't include an IP address. The implementation of DNS name support is pending.
    {{< /warning >}}

-1. Use Helm to create the Istio deployment YAML for `cluster2`:
-
-    {{< text bash >}}
-    $ helm template --name istio-remote --namespace=istio-system \
-      --values @install/kubernetes/helm/istio/values-istio-remote.yaml@ \
-      --set global.mtls.enabled=true \
-      --set gateways.enabled=true \
-      --set security.selfSigned=false \
-      --set global.controlPlaneSecurityEnabled=true \
-      --set global.createRemoteSvcEndpoints=true \
-      --set global.remotePilotCreateSvcEndpoint=true \
-      --set global.remotePilotAddress=${LOCAL_GW_ADDR} \
-      --set global.remotePolicyAddress=${LOCAL_GW_ADDR} \
-      --set global.remoteTelemetryAddress=${LOCAL_GW_ADDR} \
-      --set gateways.istio-ingressgateway.env.ISTIO_META_NETWORK="network2" \
-      --set global.network="network2" \
-      install/kubernetes/helm/istio > istio-remote-auth.yaml
-    {{< /text >}}
-
 1. Deploy Istio to `cluster2`:

    {{< text bash >}}
    $ kubectl create --context=$CTX_CLUSTER2 ns istio-system
    $ kubectl create --context=$CTX_CLUSTER2 secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem --from-file=samples/certs/cert-chain.pem
-    $ kubectl apply --context=$CTX_CLUSTER2 -f istio-remote-auth.yaml
+    $ istioctl manifest apply --context=$CTX_CLUSTER2 \
+      --set profile=remote \
+      --set values.global.mtls.enabled=true \
+      --set values.gateways.enabled=true \
+      --set values.security.selfSigned=false \
+      --set values.global.controlPlaneSecurityEnabled=true \
+      --set values.global.createRemoteSvcEndpoints=true \
+      --set values.global.remotePilotCreateSvcEndpoint=true \
+      --set values.global.remotePilotAddress=${LOCAL_GW_ADDR} \
+      --set values.global.remotePolicyAddress=${LOCAL_GW_ADDR} \
+      --set values.global.remoteTelemetryAddress=${LOCAL_GW_ADDR} \
+      --set values.gateways.istio-ingressgateway.env.ISTIO_META_NETWORK="network2" \
+      --set values.global.network="network2"
    {{< /text >}}

    Wait for the Istio pods on `cluster2`, except for `istio-ingressgateway`, to become ready:
--- a/content/en/docs/setup/install/multicluster/shared-vpn/index.md
+++ b/content/en/docs/setup/install/multicluster/shared-vpn/index.md
@ -58,23 +58,15 @@ cluster. You can install the component in one of two ways:

 {{< tab name="Helm+kubectl" cookie-value="Helm+kubectl" >}}

-1.  Use the following `helm template` command on the remote cluster to specify
+1.  Use the following command on the remote cluster to install
    the Istio control plane service endpoints:

    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --namespace istio-system \
-    --name istio-remote \
-    --values install/kubernetes/helm/istio/values-istio-remote.yaml \
-    --set global.remotePilotAddress=${PILOT_POD_IP} \
-    --set global.remotePolicyAddress=${POLICY_POD_IP} \
-    --set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} > $HOME/istio-remote.yaml
-    {{< /text >}}
-
-1.  Create an `istio-system` namespace for remote Istio with the following
-    command:
-
-    {{< text bash >}}
-    $ kubectl create ns istio-system
+    $ istioctl manifest apply \
+    --set profile=remote \
+    --set values.global.remotePilotAddress=${PILOT_POD_IP} \
+    --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
+    --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
    {{< /text >}}

    {{< tip >}}
@ -84,13 +76,6 @@ cluster. You can install the component in one of two ways:
    all clusters.
    {{< /tip >}}

-1.  Instantiate the remote cluster's connection to the Istio control plane with
-    the following command:
-
-    {{< text bash >}}
-    $ kubectl apply -f $HOME/istio-remote.yaml
-    {{< /text >}}
-
 1.  The following command example labels the `default` namespace. Use similar
    commands to label all the remote cluster's namespaces requiring automatic
    sidecar injection.
@ -104,38 +89,6 @@ cluster. You can install the component in one of two ways:

 {{< /tab >}}

-{{< tab name="Helm+Tiller" cookie-value="Helm+Tiller" >}}
-
-{{< boilerplate helm-security-warning >}}
-
-1. If you haven't installed a service account for Helm, install one with the
-   following command:
-
-    {{< text bash >}}
-    $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
-    {{< /text >}}
-
-1. Initialize Helm with the following command:
-
-    {{< text bash >}}
-    $ helm init --service-account tiller
-    {{< /text >}}
-
-1. Install the Helm chart for the `istio-remote` with the following command:
-
-    {{< text bash >}}
-    $ helm install install/kubernetes/helm/istio \
-    --name istio-remote --namespace istio-system \
-    --values install/kubernetes/helm/istio/values-istio-remote.yaml \
-    --set global.remotePilotAddress=${PILOT_POD_IP} \
-    --set global.remotePolicyAddress=${POLICY_POD_IP} \
-    --set global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
-    {{< /text >}}
-
-{{< /tab >}}
-
-{{< /tabset >}}
-
 ### Set environment variables {#environment-var}

 Wait for the Istio control plane to finish initializing before following the
@ -145,10 +98,6 @@ You must run these operations on the Istio control plane cluster to capture the
 Istio control plane service endpoints, for example, the Pilot and Policy Pod IP
 endpoints.

-If you use Helm with Tiller on each remote, you must copy the environment
-variables to each node before using Helm to connect the remote
-cluster to the Istio control plane.
-
 Set the environment variables with the following commands:

 {{< text bash >}}
@ -160,24 +109,23 @@ $ export TELEMETRY_POD_IP=$(kubectl -n istio-system get pod -l istio-mixer-type=
 Normally, automatic sidecar injection on the remote clusters is enabled. To
 perform a manual sidecar injection refer to the [manual sidecar example](#manual-sidecar)

-### Helm chart configuration parameters
+### Installation configuration parameters

 You must configure the remote cluster's sidecars interaction with the Istio
-control plane including the following endpoints in the `istio-remote` Helm
-chart: `pilot`, `policy`, `telemetry` and tracing service.  The chart
+control plane including the following endpoints in the `istio-remote` profile:
+`pilot`, `policy`, `telemetry` and tracing service.  The profile
 enables automatic sidecar injection in the remote cluster by default. You can
-disable the automatic sidecar injection via a chart variable.
+disable the automatic sidecar injection via a separate setting.

-The following table shows the accepted `istio-remote` Helm chart's
-configuration values:
+The following table shows the `istioctl` configuration values for remote clusters:

-| Helm Variable | Accepted Values | Default | Purpose of Value |
+| Install setting | Accepted Values | Default | Purpose of Value |
 | --- | --- | --- | --- |
-| `global.remotePilotAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's pilot Pod IP address or remote cluster DNS resolvable hostname |
-| `global.remotePolicyAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's policy Pod IP address or remote cluster DNS resolvable hostname |
-| `global.remoteTelemetryAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's telemetry Pod IP address or remote cluster DNS resolvable hostname |
-| `sidecarInjectorWebhook.enabled` | true, false | true | Specifies whether to enable automatic sidecar injection on the remote cluster |
-| `global.remotePilotCreateSvcEndpoint` | true, false | false | If set, a selector-less service and endpoint for `istio-pilot` are created with the `remotePilotAddress` IP, which ensures the `istio-pilot.<namespace>` is DNS resolvable in the remote cluster. |
+| `values.global.remotePilotAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's pilot Pod IP address or remote cluster DNS resolvable hostname |
+| `values.global.remotePolicyAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's policy Pod IP address or remote cluster DNS resolvable hostname |
+| `values.global.remoteTelemetryAddress` | A valid IP address or hostname | None | Specifies the Istio control plane's telemetry Pod IP address or remote cluster DNS resolvable hostname |
+| `values.sidecarInjectorWebhook.enabled` | true, false | true | Specifies whether to enable automatic sidecar injection on the remote cluster |
+| `values.global.remotePilotCreateSvcEndpoint` | true, false | false | If set, a selector-less service and endpoint for `istio-pilot` are created with the `remotePilotAddress` IP, which ensures the `istio-pilot.<namespace>` is DNS resolvable in the remote cluster. |

 ## Generate configuration files for remote clusters {#kubeconfig}

@ -185,11 +133,6 @@ The Istio control plane requires access to all clusters in the mesh to
 discover services, endpoints, and pod attributes. The following steps
 describe how to generate a `kubeconfig` configuration file for the Istio control plane to use a remote cluster.

-The `istio-remote` Helm chart creates a Kubernetes service account named
-`istio-multi` in the remote cluster with the minimal required RBAC access. This
-procedure generates the remote cluster's `kubeconfig` file using
-the credentials of said `istio-multi` service account.
-
 Perform this procedure on each remote cluster to add the cluster to the service
 mesh. This procedure requires the `cluster-admin` user access permission to
 the remote cluster.
@ -292,35 +235,16 @@ filename simply by changing the filename to conform with the format.

 ## Uninstalling the remote cluster

-You must uninstall remote clusters using the same method you used to install
-them. Use either `kubectl and Helm` or `Tiller and Helm` as appropriate.
-
-{{< tabset cookie-name="install-istio-remote" >}}
-
-{{< tab name="kubectl" cookie-value="Helm+kubectl" >}}
-
-To uninstall the cluster, you must remove the configuration made with the
-`istio-remote` .YAML file. To uninstall the cluster run the following command:
+To uninstall the cluster run the following command:

 {{< text bash >}}
-$ kubectl delete -f $HOME/istio-remote.yaml
+    $ istioctl manifest apply \
+    --set profile=remote \
+    --set values.global.remotePilotAddress=${PILOT_POD_IP} \
+    --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
+    --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} | kubectl delete -f -
 {{< /text >}}

-{{< /tab >}}
-
-{{< tab name="Tiller" cookie-value="Helm+Tiller" >}}
-
-To uninstall the cluster, you must remove the configuration made with the
-`istio-remote` .YAML file. To uninstall the cluster run the following command:
-
-{{< text bash >}}
-$ helm delete --purge istio-remote
-{{< /text >}}
-
-{{< /tab >}}
-
-{{< /tabset >}}
-
 ## Manual sidecar injection example {#manual-sidecar}

 The following example shows how to use the `helm template` command to generate
@ -334,29 +258,15 @@ Perform the following procedure against the remote cluster.
 Before you begin, set the endpoint IP environment variables as described in the
 [set the environment variables section](#environment-var)

-1. Use the `helm template` command on the remote cluster to specify the Istio
-   control plane service endpoints:
+1. Install the Istio remote profile:

    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio \
-    --namespace istio-system --name istio-remote \
-    --values install/kubernetes/helm/istio/values-istio-remote.yaml \
-    --set global.remotePilotAddress=${PILOT_POD_IP} \
-    --set global.remotePolicyAddress=${POLICY_POD_IP} \
-    --set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \
-    --set sidecarInjectorWebhook.enabled=false > $HOME/istio-remote_noautoinj.yaml
-    {{< /text >}}
-
-1. Create the `istio-system` namespace for remote Istio:
-
-    {{< text bash >}}
-    $ kubectl create ns istio-system
-    {{< /text >}}
-
-1. Instantiate the remote cluster's connection to the Istio control plane:
-
-    {{< text bash >}}
-    $ kubectl apply -f $HOME/istio-remote_noautoinj.yaml
+    $ istioctl manifest apply \
+    --set profile=remote \
+    --set values.global.remotePilotAddress=${PILOT_POD_IP} \
+    --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
+    --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP} \
+    --set values.sidecarInjectorWebhook.enabled=false
    {{< /text >}}

 1. [Generate](#kubeconfig) the `kubeconfig` configuration file for each remote
@ -540,13 +450,10 @@ and endpoint to allow the remote sidecars to resolve the
   and the application pod:

    {{< text bash >}}
-    $ helm template --namespace=istio-system \
-      --values install/kubernetes/helm/istio/values.yaml \
-      --set global.mtls.enabled=true \
-      --set security.selfSigned=false \
-      --set global.controlPlaneSecurityEnabled=true \
-      install/kubernetes/helm/istio > ${HOME}/istio-auth.yaml
-    $ kubectl apply -f ${HOME}/istio-auth.yaml
+    $ istioctl manifest apply
+      --set values.global.mtls.enabled=true \
+      --set values.security.selfSigned=false \
+      --set values.global.controlPlaneSecurityEnabled=true
    {{< /text >}}

 #### Remote Cluster: Deploy Istio components
@ -568,18 +475,15 @@ and endpoint to allow the remote sidecars to resolve the
   DNS entry in the remote cluster.

    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio \
-      --name istio-remote \
-      --namespace istio-system \
-      --values install/kubernetes/helm/istio/values-istio-remote.yaml \
-      --set global.mtls.enabled=true \
-      --set security.selfSigned=false \
-      --set global.controlPlaneSecurityEnabled=true \
-      --set global.remotePilotCreateSvcEndpoint=true \
-      --set global.remotePilotAddress=${PILOT_POD_IP} \
-      --set global.remotePolicyAddress=${POLICY_POD_IP} \
-      --set global.remoteTelemetryAddress=${TELEMETRY_POD_IP} > ${HOME}/istio-remote-auth.yaml
-    $ kubectl apply -f ${HOME}/istio-remote-auth.yaml
+    $ istioctl manifest apply \
+      --set profile=remote \
+      --set values.global.mtls.enabled=true \
+      --set values.security.selfSigned=false \
+      --set values.global.controlPlaneSecurityEnabled=true \
+      --set values.global.remotePilotCreateSvcEndpoint=true \
+      --set values.global.remotePilotAddress=${PILOT_POD_IP} \
+      --set values.global.remotePolicyAddress=${POLICY_POD_IP} \
+      --set values.global.remoteTelemetryAddress=${TELEMETRY_POD_IP}
    {{< /text >}}

 1. To generate the `kubeconfig` configuration file for the remote cluster,