istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improve helm installation instructions (#3655) 

* Improve installation instructions

* spelling

* make work without downloading

* tweak wording
This commit is contained in:
Frank Budinsky 2019-03-12 19:33:34 -04:00 committed by istio-bot
parent 217c56be67
commit c857a07d76
4 changed files with 177 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/docs/setup/_index.md
View File

@ -1,6 +1,6 @@
---
title: Setup and Upgrade
description: How to deploy and upgrade Istio in various environments, for example Kubernetes and Consul.
title: Setup
description: How to deploy and upgrade Istio in various environments such as Kubernetes and Consul.
weight: 15
icon: setup
---

32
content/docs/setup/kubernetes/additional-setup/config-profiles/index.md
View File

@ -14,21 +14,29 @@ your specific needs. The following built-in configuration profiles are currently
1. **default**: enables components according to the default [Installation Options](/docs/reference/config/installation-options/)
(recommend for production deployments).
1. **demo**: configuration suitable to run the [Bookinfo](/docs/examples/bookinfo/) application and associated tasks.
1. **demo**: configuration designed to showcase Istio functionality with modest resource requirements.
It is suitable to run the [Bookinfo](/docs/examples/bookinfo/) application and associated tasks.
This is the same configuration that is installed with the [Quick Start](/docs/setup/kubernetes/install/kubernetes/) instructions, only using helm has the advantage
that you can more easily enable additional features if you wish to explore more advanced tasks. This profile comes in two flavors, either with or without authentication enabled.
that you can more easily enable additional features if you later wish to explore more advanced tasks.
This profile comes in two variants, either with or without authentication enabled.
{{< warning >}}
This profile enables high levels of tracing and access logging so it is not suitable for performance tests.
{{< /warning >}}
1. **minimal**: the minimal set of components necessary to use Istio's [traffic management](/docs/tasks/traffic-management/) features.
1. **remote**: creates a service account with minimal access for use by Istio Pilot discovery used in [configuring a multicluster mesh](/docs/examples/multicluster/split-horizon-eds/).
1. **remote**: used for configuring remote clusters of a
multicluster mesh with a [single control plane topology](/docs/concepts/multicluster-deployments/#single-control-plane-topology).
1. **sds**: used to enable [SDS (secret discovery service) for Istio](/docs/tasks/security/auth-sds). This profile comes only with authentication enabled.
1. **sds**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds).
This profile comes only with authentication enabled.
The components marked as **X** are installed within each profile:
| | default | demo | minimal | remote | sds |
| --- | :---: | :---: | :---: | :---: | :---: |
|Profile filename | `values.yaml` | `values-istio-demo.yaml` | `values-istio-minimal.yaml` | `values-istio-remote.yaml` | `values-istio-sds-auth.yaml` |
| Profile filename | `values.yaml` | `values-istio-demo.yaml` | `values-istio-minimal.yaml` | `values-istio-remote.yaml` | `values-istio-sds-auth.yaml` |
| Core components | | | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-citadel` | X | X | | X | X |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-egressgateway` | | X | | | |
@ -44,10 +52,14 @@ The components marked as **X** are installed within each profile:
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-tracing` | | X | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`kiali` | | X | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`prometheus` | X | X | | | X |
| | | | | | |
| The authentication version, adding `-auth`, adds | | | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Control Plane Security | | X | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Strict Mutual TLS | | X | | | X |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SDS | | | | | X |
Some profiles have an authentication variant, with `-auth` appended to the name, which adds the following
security features to the profile:
| | default | demo | minimal | remote | sds |
| --- | :---: | :---: | :---: | :---: | :---: |
| Control Plane Security | | X | | | |
| Strict Mutual TLS | | X | | | X |
| SDS | | | | | X |
To further customize Istio and install addons, you can add one or more `--set <key>=<value>` options in the `helm template` or `helm install` command that you use when installing Istio. The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported installation key and value pairs.

174
content/docs/setup/kubernetes/install/helm/index.md
View File

@ -14,7 +14,13 @@ Follow this flow to install and configure an Istio mesh for in-depth evaluation
This installation flow uses [Helm](https://github.com/helm/helm) charts that provide rich
customization of the Istio control plane and of the sidecars for the Istio data plane.
You can start with one of Istio's built-in [configuration profiles](/docs/setup/kubernetes/additional-setup/config-profiles/)
You can simply use `helm template` to generate the configuration and then install it
using `kubectl apply`, or you can choose to use `helm install` and let
[Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components)
completely manage the installation.
Using these instructions, you can select any one of Istio's built-in
[configuration profiles](/docs/setup/kubernetes/additional-setup/config-profiles/)
and then further customize the configuration for your specific needs.
## Prerequisites
@ -50,21 +56,12 @@ the appropriate snapshot. For example, if you want to run with snapshot 6, use
[URL](https://gcsweb.istio.io/gcs/istio-prerelease/prerelease/1.1.0-snapshot.6/charts) in installation step 1 below.
{{< /tip >}}
1. Update Helm's local package cache with the location of the Helm daily release:
1. Update Helm's local package cache with the location of the Helm daily release:
{{< text bash >}}
$ helm repo add istio.io "https://gcsweb.istio.io/gcs/istio-prerelease/daily-build/release-1.1-latest-daily/charts/"
{{< /text >}}
1. Choose one of the following two **mutually exclusive** options described below.
- To deploy Istio without using Tiller, follow the instructions for [option 1](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template).
- To use [Helm's Tiller pod](https://helm.sh/) to manage your Istio release, follow the instructions for [option 2](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install).
### Option 1: Install with Helm via `helm template`
Choose this option if your cluster doesn't have [Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components) deployed and you don't want to install it.
1. Make an Istio working directory for fetching the charts:
{{< text bash >}}
@ -78,13 +75,25 @@ Choose this option if your cluster doesn't have [Tiller](https://github.com/kube
$ helm fetch istio.io/istio --untar --untardir $HOME/istio-fetch
{{< /text >}}
1. Choose one of the following two **mutually exclusive** options described below.
- To deploy Istio without using Tiller, follow the instructions for [option 1](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template).
- To use [Helm's Tiller pod](https://helm.sh/) to manage your Istio release, follow the instructions for [option 2](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install).
### Option 1: Install with Helm via `helm template`
Choose this option if your cluster doesn't have [Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components)
deployed and you don't want to install it.
1. Create a namespace for the `istio-system` components:
{{< text bash >}}
$ kubectl create namespace istio-system
{{< /text >}}
1. Install all the Istio's [Custom Resource Definitions or CRDs for short](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed to the Kubernetes API server:
1. Install all the Istio
[Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
(CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio-init --name istio-init --namespace istio-system | kubectl apply -f -
@ -96,13 +105,10 @@ Choose this option if your cluster doesn't have [Tiller](https://github.com/kube
<p> If you *absolutely have to* delete CRDs, then update Galley deployment settings to explicitly indicate the kinds of deleted CRDs:
{{< text bash >}}
$ kubectl -n istio-system edit deployment istio-galley
{{< /text >}}
{{< text yaml >}}
containers:
- command:
- /usr/local/bin/galley
@ -110,7 +116,6 @@ $ kubectl -n istio-system edit deployment istio-galley
# ...
- --excludedResourceKinds
- noop # exclude CRD w/ kind: noop
{{< /text >}}
{{< /warning >}}
@ -122,12 +127,13 @@ $ kubectl -n istio-system edit deployment istio-galley
58
{{< /text >}}
1. Render and apply Istio's core components corresponding to your chosen profile.
1. Select a [configuration profile](/docs/setup/kubernetes/additional-setup/config-profiles/)
and then render and apply Istio's core components corresponding to your chosen profile.
The **default** profile is recommended for production deployments:
{{< tip >}}
You can further customize the configuration by adding `--set <key>=<value>`
[Installation Options](/docs/reference/config/installation-options/) to the commands.
You can further customize the configuration by adding one or more `--set <key>=<value>`
[Installation Options](/docs/reference/config/installation-options/) to the helm command.
{{< /tip >}}
{{< tabset cookie-name="helm_profile" >}}
@ -149,6 +155,15 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
{{% /tab %}}
{{% tab name="demo-auth" cookie-value="demo-auth" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml | kubectl apply -f -
{{< /text >}}
{{% /tab %}}
{{% tab name="minimal" cookie-value="minimal" %}}
{{< text bash >}}
@ -158,6 +173,24 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
{{% /tab %}}
{{% tab name="remote" cookie-value="remote" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-remote.yaml | kubectl apply -f -
{{< /text >}}
{{% /tab %}}
{{% tab name="sds" cookie-value="sds" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml | kubectl apply -f -
{{< /text >}}
{{% /tab %}}
{{< /tabset >}}
### Option 2: Install with Helm and Tiller via `helm install`
@ -168,10 +201,30 @@ to manage the lifecycle of Istio.
{{< boilerplate helm-security-warning >}}
1. If a service account has not already been installed for Tiller, install one:
1. Make sure you have a service account with the `cluster-admin` role defined for Tiller.
If not already defined, create one using following command:
{{< text bash >}}
$ kubectl apply -f @install/kubernetes/helm/helm-service-account.yaml@
$ kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
EOF
{{< /text >}}
1. Install Tiller on your cluster with the service account:
@ -193,12 +246,13 @@ to manage the lifecycle of Istio.
58
{{< /text >}}
1. Install the `istio` chart corresponding to your chosen profile.
1. Select a [configuration profile](/docs/setup/kubernetes/additional-setup/config-profiles/)
and then install the `istio` chart corresponding to your chosen profile.
The **default** profile is recommended for production deployments:
{{< tip >}}
You can further customize the configuration by adding `--set <key>=<value>`
[Installation Options](/docs/reference/config/installation-options/) to the commands.
You can further customize the configuration by adding one or more `--set <key>=<value>`
[Installation Options](/docs/reference/config/installation-options/) to the helm command.
{{< /tip >}}
{{< tabset cookie-name="helm_profile" >}}
@ -220,6 +274,15 @@ $ helm install istio.io/istio --name istio --namespace istio-system \
{{% /tab %}}
{{% tab name="demo-auth" cookie-value="demo-auth" %}}
{{< text bash >}}
$ helm install istio.io/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml
{{< /text >}}
{{% /tab %}}
{{% tab name="minimal" cookie-value="minimal" %}}
{{< text bash >}}
@ -229,8 +292,41 @@ $ helm install istio.io/istio --name istio --namespace istio-system \
{{% /tab %}}
{{% tab name="remote" cookie-value="remote" %}}
{{< text bash >}}
$ helm install istio.io/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-remote.yaml
{{< /text >}}
{{% /tab %}}
{{% tab name="sds" cookie-value="sds" %}}
{{< text bash >}}
$ helm install istio.io/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml
{{< /text >}}
{{% /tab %}}
{{< /tabset >}}
## Verifying the installation
1. Run the following command to verify that all the Kubernetes services corresponding to your selected
[configuration profile](/docs/setup/kubernetes/additional-setup/config-profiles/) have been deployed:
{{< text bash >}}
$ kubectl get svc -n istio-system
{{< /text >}}
1. Ensure the corresponding Kubernetes pods are deployed and have a `STATUS` of `Running`:
{{< text bash >}}
$ kubectl get pods -n istio-system
{{< /text >}}
## Uninstall
1. If you installed Istio with the `helm template`, uninstall with these commands:
@ -256,6 +352,16 @@ $ kubectl delete namespace istio-system
{{% /tab %}}
{{% tab name="demo-auth" cookie-value="demo-auth" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
{{< /text >}}
{{% /tab %}}
{{% tab name="minimal" cookie-value="minimal" %}}
{{< text bash >}}
@ -266,6 +372,26 @@ $ kubectl delete namespace istio-system
{{% /tab %}}
{{% tab name="remote" cookie-value="remote" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-remote.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
{{< /text >}}
{{% /tab %}}
{{% tab name="sds" cookie-value="sds" %}}
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \
--values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml | kubectl delete -f -
$ kubectl delete namespace istio-system
{{< /text >}}
{{% /tab %}}
{{< /tabset >}}
1. If you installed Istio using `Tiller`, uninstall with these commands:

5
content/docs/setup/kubernetes/install/kubernetes/index.md
View File

@ -8,8 +8,9 @@ aliases:
---
Follow this flow to quickly evaluate Istio in a Kubernetes cluster on any platform.
This flow installs a preconfigured Istio **demo** profile using basic Kubernetes commands
without needing to download or install [Helm](https://github.com/helm/helm).
This flow installs Istio's built-in **demo**
[configuration profile](/docs/setup/kubernetes/additional-setup/config-profiles/)
using basic Kubernetes commands without needing to download or install [Helm](https://github.com/helm/helm).
{{< tip >}}
To install Istio for production use, we recommend using the