diff --git a/content/boilerplates/helm-security-warning.md b/content/boilerplates/helm-security-warning.md index 417377d4c6..0dc61da613 100644 --- a/content/boilerplates/helm-security-warning.md +++ b/content/boilerplates/helm-security-warning.md @@ -1,7 +1,7 @@ --- --- {{< warning >}} -The instructions for using Helm with Tiller do not use secure defaults. See -the [Helm Security Guidelines](https://helm.sh/docs/using_helm/#securing-your-helm-installation) +The instructions for using Helm with Tiller do not use secure defaults. +See the [Helm Security Guidelines](https://helm.sh/docs/using_helm/#securing-your-helm-installation) for further steps to secure a Tiller-based installation. {{< /warning >}} diff --git a/content/docs/setup/kubernetes/install/helm/index.md b/content/docs/setup/kubernetes/install/helm/index.md index a7607e2694..78834eef0f 100644 --- a/content/docs/setup/kubernetes/install/helm/index.md +++ b/content/docs/setup/kubernetes/install/helm/index.md 
@@ -25,61 +25,37 @@ and then further customize the configuration for your specific needs. ## Prerequisites +1. [Download the Istio release](/docs/setup/kubernetes/download/). + 1. Perform any necessary [platform-specific setup](/docs/setup/kubernetes/prepare/platform-setup/). -1. Check the [Requirements for Pods and Services](/docs/setup/kubernetes/prepare/requirements/) on Pods and Services. +1. Check the [Requirements for Pods and Services](/docs/setup/kubernetes/prepare/requirements/). -1. [Install a Helm client with a version higher than 2.10](https://github.com/helm/helm/blob/master/docs/install.md). - -1. Istio by default uses `LoadBalancer` service object types. Some platforms do not support `LoadBalancer` - service objects. For platforms lacking `LoadBalancer` support, install Istio with `NodePort` support - instead with the flags `--set gateways.istio-ingressgateway.type=NodePort` - appended to the end of the Helm instructions in the installation steps below. +1. [Install a Helm client](https://github.com/helm/helm/blob/master/docs/install.md) with a version higher than 2.10. {{< tip >}} These instructions assume the `istio-init` container will be used to setup `iptables` to redirect network traffic to/from Envoy sidecars. If you plan to customize the configuration to use `--set istio_cni.enabled=true`, you also -need to ensure that a CNI plugin is enabled. Refer to [CNI Setup](/docs/setup/kubernetes/additional-setup/cni/) +need to ensure that a CNI plugin is deployed. Refer to [CNI Setup](/docs/setup/kubernetes/additional-setup/cni/) for details. {{< /tip >}} ## Installation steps -The following commands may be run from any directory. We use Helm to obtain the charts via a secure -HTTPS endpoint hosted in Istio's infrastructure throughout this document. +The following commands use the Helm charts that are included in the Istio release image. 
+Change directory to the root of the release and then +choose one of the following two **mutually exclusive** options: + +1. To deploy Istio without using Tiller, follow the instructions for [option 1](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template). +1. To use [Helm's Tiller pod](https://helm.sh/) to manage your Istio release, follow the instructions for [option 2](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install). {{< tip >}} -The techniques in this document use Istio's daily build of Istio 1.1 Helm packages. These -Helm charts may be slightly ahead of any particular snapshot as the project finishes the release -candidates prior to 1.1 release. To use a snapshot-specific release, change the repo add URL to -the appropriate snapshot. For example, if you want to run with snapshot 6, use the -[URL](https://gcsweb.istio.io/gcs/istio-prerelease/prerelease/1.1.0-snapshot.6/charts) in installation step 1 below. +Istio, by default, uses `LoadBalancer` service object types. Some platforms do not support `LoadBalancer` +service objects. For platforms lacking `LoadBalancer` support, install Istio with `NodePort` support +instead with the flags `--set gateways.istio-ingressgateway.type=NodePort` +appended to the end of the Helm instructions in the installation steps below. {{< /tip >}} -1. Update Helm's local package cache with the location of the Helm daily release: - - {{< text bash >}} - $ helm repo add istio.io "https://gcsweb.istio.io/gcs/istio-prerelease/daily-build/release-1.1-latest-daily/charts/" - {{< /text >}} - -1. Make an Istio working directory for fetching the charts: - - {{< text bash >}} - $ mkdir -p $HOME/istio-fetch - {{< /text >}} - -1. Fetch the helm templates needed for installation: - - {{< text bash >}} - $ helm fetch istio.io/istio-init --untar --untardir $HOME/istio-fetch - $ helm fetch istio.io/istio --untar --untardir $HOME/istio-fetch - {{< /text >}} - -1. 
Choose one of the following two **mutually exclusive** options described below. - - - To deploy Istio without using Tiller, follow the instructions for [option 1](/docs/setup/kubernetes/install/helm/#option-1-install-with-helm-via-helm-template). - - To use [Helm's Tiller pod](https://helm.sh/) to manage your Istio release, follow the instructions for [option 2](/docs/setup/kubernetes/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install). - ### Option 1: Install with Helm via `helm template` Choose this option if your cluster doesn't have [Tiller](https://github.com/kubernetes/helm/blob/master/docs/architecture.md#components) @@ -96,31 +72,10 @@ deployed and you don't want to install it. (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server: {{< text bash >}} - $ helm template $HOME/istio-fetch/istio-init --name istio-init --namespace istio-system | kubectl apply -f - + $ helm template install/kubernetes/helm/istio-init --name istio-init --namespace istio-system | kubectl apply -f - {{< /text >}} - {{< warning >}} - Do not manually delete Custom Resource Definitions from the generated yaml. Doing so will cause precondition - checks on various components to fail and will stop Istio from starting up correctly. -

If you *absolutely have to* delete CRDs, then update Galley deployment settings to explicitly indicate the kinds of deleted CRDs: - -{{< text bash >}} -$ kubectl -n istio-system edit deployment istio-galley -{{< /text >}} - -{{< text yaml >}} - containers: - - command: - - /usr/local/bin/galley - - server - # ... - - --excludedResourceKinds - - noop # exclude CRD w/ kind: noop -{{< /text >}} - - {{< /warning >}} - -1. Verify all `58` Istio CRDs were committed to the Kubernetes API-server using the following command: +1. Verify that all `58` Istio CRDs were committed to the Kubernetes api-server using the following command: {{< text bash >}} $ kubectl get crds | grep 'istio.io\|certmanager.k8s.io' | wc -l @@ -141,7 +96,7 @@ $ kubectl -n istio-system edit deployment istio-galley {{% tab name="default" cookie-value="default" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl apply -f - {{< /text >}} {{% /tab %}} @@ -149,8 +104,8 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system | {{% tab name="demo" cookie-value="demo" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo.yaml | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl apply -f - {{< /text >}} {{% /tab %}} 
@@ -158,8 +113,8 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ {{% tab name="demo-auth" cookie-value="demo-auth" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml | kubectl apply -f - {{< /text >}} {{% /tab %}} @@ -167,8 +122,8 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ {{% tab name="minimal" cookie-value="minimal" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-minimal.yaml | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl apply -f - {{< /text >}} {{% /tab %}} @@ -176,8 +131,8 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ {{% tab name="remote" cookie-value="remote" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-remote.yaml | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-remote.yaml | kubectl apply -f - {{< /text >}} {{% /tab %}} 
@@ -185,8 +140,8 @@ $ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ {{% tab name="sds" cookie-value="sds" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml | kubectl apply -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl apply -f - {{< /text >}} {{% /tab %}} @@ -205,26 +160,7 @@ to manage the lifecycle of Istio. If not already defined, create one using following command: {{< text bash >}} - $ kubectl apply -f - <}} 1. Install Tiller on your cluster with the service account: @@ -236,7 +172,7 @@ to manage the lifecycle of Istio. 1. Install the `istio-init` chart to bootstrap all the Istio's CRDs: {{< text bash >}} - $ helm install istio.io/istio-init --name istio-init --namespace istio-system + $ helm install install/kubernetes/helm/istio-init --name istio-init --namespace istio-system {{< /text >}} 1. Verify that all `58` Istio CRDs were committed to the Kubernetes api-server using the following command: @@ -260,7 +196,7 @@ to manage the lifecycle of Istio. {{% tab name="default" cookie-value="default" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system {{< /text >}} {{% /tab %}} @@ -268,8 +204,8 @@ $ helm install istio.io/istio --name istio --namespace istio-system {{% tab name="demo" cookie-value="demo" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo.yaml +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo.yaml {{< /text >}} {{% /tab %}} 
@@ -277,8 +213,8 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ {{% tab name="demo-auth" cookie-value="demo-auth" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml {{< /text >}} {{% /tab %}} @@ -286,8 +222,8 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ {{% tab name="minimal" cookie-value="minimal" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-minimal.yaml +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-minimal.yaml {{< /text >}} {{% /tab %}} @@ -295,8 +231,8 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ {{% tab name="remote" cookie-value="remote" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-remote.yaml +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-remote.yaml {{< /text >}} {{% /tab %}} @@ -304,8 +240,8 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ {{% tab name="sds" cookie-value="sds" %}} {{< text bash >}} -$ helm install istio.io/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml +$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml {{< /text >}} {{% /tab %}} 
@@ -314,8 +250,9 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ ## Verifying the installation -1. Run the following command to verify that all the Kubernetes services corresponding to your selected -[configuration profile](/docs/setup/kubernetes/additional-setup/config-profiles/) have been deployed: +1. Referring to components table in + [configuration profiles](/docs/setup/kubernetes/additional-setup/config-profiles/), + verify that the Kubernetes services corresponding to your selected profile have been deployed. {{< text bash >}} $ kubectl get svc -n istio-system @@ -329,14 +266,14 @@ $ helm install istio.io/istio --name istio --namespace istio-system \ ## Uninstall -1. If you installed Istio with the `helm template`, uninstall with these commands: +* If you installed Istio using the `helm template` command, uninstall with these commands: {{< tabset cookie-name="helm_profile" >}} {{% tab name="default" cookie-value="default" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} @@ -345,8 +282,8 @@ $ kubectl delete namespace istio-system {{% tab name="demo" cookie-value="demo" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo.yaml | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo.yaml | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} 
@@ -355,8 +292,8 @@ $ kubectl delete namespace istio-system {{% tab name="demo-auth" cookie-value="demo-auth" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-demo-auth.yaml | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-demo-auth.yaml | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} @@ -365,8 +302,8 @@ $ kubectl delete namespace istio-system {{% tab name="minimal" cookie-value="minimal" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-minimal.yaml | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-minimal.yaml | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} @@ -375,8 +312,8 @@ $ kubectl delete namespace istio-system {{% tab name="remote" cookie-value="remote" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-remote.yaml | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-remote.yaml | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} 
@@ -385,8 +322,8 @@ $ kubectl delete namespace istio-system {{% tab name="sds" cookie-value="sds" %}} {{< text bash >}} -$ helm template $HOME/istio-fetch/istio --name istio --namespace istio-system \ - --values $HOME/istio-fetch/istio/values-istio-sds-auth.yaml | kubectl delete -f - +$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ + --values install/kubernetes/helm/istio/values-istio-sds-auth.yaml | kubectl delete -f - $ kubectl delete namespace istio-system {{< /text >}} @@ -394,7 +331,7 @@ $ kubectl delete namespace istio-system {{< /tabset >}} -1. If you installed Istio using `Tiller`, uninstall with these commands: +* If you installed Istio using Helm and Tiller, uninstall with these commands: {{< text bash >}} $ helm delete --purge istio @@ -412,15 +349,10 @@ configuration data rather than unexpectedly lose it. Deleting CRDs permanently deletes any configuration changes that you have made to Istio. {{< /warning >}} -The `istio-init` chart contains all raw CRDs in the `istio-init/files` directory. After fetching this -chart, you can simply delete the CRDs using `kubectl`. - -1. To permanently delete Istio's CRDs and the entire Istio configuration, run: +The `istio-init` chart contains all raw CRDs in the `istio-init/files` directory. +You can simply delete the CRDs using `kubectl`. +To permanently delete Istio's CRDs and the entire Istio configuration, run: {{< text bash >}} - - $ mkdir -p $HOME/istio-fetch - $ helm fetch istio.io/istio-init --untar --untardir $HOME/istio-fetch - $ kubectl delete -f $HOME/istio-fetch/istio-init/files - + $ kubectl delete -f install/kubernetes/helm/istio-init/files {{< /text >}} diff --git a/content/docs/setup/kubernetes/install/kubernetes/index.md b/content/docs/setup/kubernetes/install/kubernetes/index.md index 3d8f14952f..84fc5ff01e 100644 --- a/content/docs/setup/kubernetes/install/kubernetes/index.md +++ b/content/docs/setup/kubernetes/install/kubernetes/index.md 
@@ -23,20 +23,7 @@ This permits customization of Istio to operator specific requirements. 1. [Download the Istio release](/docs/setup/kubernetes/download/). -1. [Kubernetes platform setup](/docs/setup/kubernetes/prepare/platform-setup/): - - * [Alibaba Cloud](/docs/setup/kubernetes/prepare/platform-setup/alicloud/) - * [Azure](/docs/setup/kubernetes/prepare/platform-setup/azure/) - * [Docker For Desktop](/docs/setup/kubernetes/prepare/platform-setup/docker/) - * [Google Container Engine (GKE)](/docs/setup/kubernetes/prepare/platform-setup/gke/) - * [IBM Cloud](/docs/setup/kubernetes/prepare/platform-setup/ibm/) - * [Minikube](/docs/setup/kubernetes/prepare/platform-setup/minikube/) - * [OpenShift Origin](/docs/setup/kubernetes/prepare/platform-setup/openshift/) - * [Oracle Cloud Infrastructure (OKE)](/docs/setup/kubernetes/prepare/platform-setup/oci/) - - {{< tip >}} - Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}. - {{< /tip >}} +1. Perform any necessary [platform-specific setup](/docs/setup/kubernetes/prepare/platform-setup/). 1. Check the [Requirements for Pods and Services](/docs/setup/kubernetes/prepare/requirements/). diff --git a/content/docs/setup/kubernetes/prepare/requirements/index.md b/content/docs/setup/kubernetes/prepare/requirements/index.md index f1dbb7f6e4..d9c838b1a8 100644 --- a/content/docs/setup/kubernetes/prepare/requirements/index.md +++ b/content/docs/setup/kubernetes/prepare/requirements/index.md 
@@ -23,11 +23,11 @@ cluster must satisfy the following requirements: - `tls` - `udp` - For example, `name: http2-foo` or `name: http` are valid port names, but - `name: http2foo` is not. If the port name does not begin with a recognized - prefix or if the port is unnamed, traffic on the port is treated as - plain TCP traffic unless the port [explicitly](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) - uses `Protocol: UDP` to signify a UDP port. + For example, `name: http2-foo` or `name: http` are valid port names, but + `name: http2foo` is not. If the port name does not begin with a recognized + prefix or if the port is unnamed, traffic on the port is treated as + plain TCP traffic unless the port [explicitly](https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service) + uses `Protocol: UDP` to signify a UDP port. - **Pod ports**: Pods must include an explicit list of the ports each container listens on. Use a `containerPort` configuration in the container
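Review bot: In content/docs/setup/kubernetes/install/helm/index.md, hunk -25,61 +25,37, every later command now uses a relative chart path such as `install/kubernetes/helm/istio-init`, yet the requirement to run from the release root appears only as the prose sentence "Change directory to the root of the release and then". Make that an explicit first step so a reader who skips the paragraph does not render charts from the wrong location or get a path error. Two smaller points in the same hunk: "included in the Istio release image" should match the prerequisite wording ("the Istio release"), and the two **mutually exclusive** options are written as a `1.` / `1.` numbered list, which reads as a sequence; bullets, as the removed text used, fit better.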
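Review bot: In helm/index.md, hunk -96,31 +72,10, the warning against manually deleting CRDs from the generated YAML is removed together with the Galley `--excludedResourceKinds` workaround, and nothing replaces it. Option 1 still pipes `helm template` output to `kubectl apply`, so readers can still edit that output; either keep a one-sentence warning about the precondition checks failing or link to where the guidance now lives. Also, the rewritten step says "Kubernetes api-server" while the unchanged context line just above it says "Kubernetes API-server"; pick one spelling.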
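Review bot: In helm/index.md, hunk -314,8 +250,9, the new step 1 reads "Referring to components table in", which is missing an article; suggest "Referring to the components table in [configuration profiles](...), verify that ...". The old wording told the reader to run the command that follows; the new sentence no longer says so, so consider ending it with "using the following command:" to tie it to the `kubectl get svc -n istio-system` block.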
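Review bot: In helm/index.md, hunk -412,15 +349,10, `kubectl delete -f install/kubernetes/helm/istio-init/files` depends on the current directory being the release root, but the Uninstall section never restates that, and a reader arriving here directly will not have seen the instruction in "Installation steps". Add a short reminder before the command. The sentence "You can simply delete the CRDs using `kubectl`." sits directly under a warning that deleting CRDs permanently removes configuration; dropping "simply" would keep the tone consistent with that warning.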
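Review bot: In content/docs/setup/kubernetes/install/kubernetes/index.md, hunk -23,20 +23,7, the tip "Istio {{< istio_version >}} has been tested with these Kubernetes releases: {{< supported_kubernetes_versions >}}." is deleted along with the platform list, and the replacement line only links to platform-specific setup. Confirm the supported-versions statement is still shown on a page the reader reaches before installing, or keep the tip here, since running on an untested Kubernetes release is a prerequisite question rather than a platform one.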
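Review bot: In content/docs/setup/kubernetes/prepare/requirements/index.md, hunk -23,11 +23,11, the re-indented paragraph still says the port "uses `Protocol: UDP`", but the Kubernetes Service port field is `protocol`, lowercase. Since these lines are being touched anyway, change it to `protocol: UDP` so the text matches what a reader has to write in the manifest, in the same style as the `name: http2-foo` examples in the same paragraph.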