Deprecate helm install (#5270)

* Deprecate helm install

* fix lint

* address review comments

* correction
This commit is contained in:
Frank Budinsky 2019-10-29 09:37:34 -04:00 committed by Istio Automation
parent 0045ba590b
commit f220f655a7
42 changed files with 143 additions and 200 deletions

@ -21,7 +21,7 @@ HTTPS traffic and describe the pros and cons of each of the options.
## Initial setting
To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then I deploy
To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then I deploy
[Istio Bookinfo Sample Application](/docs/examples/bookinfo/). This application uses the _details_ microservice to fetch
book details, such as the number of pages and the publisher. The original _details_ microservice provides the book
details without consulting any external service.

@ -94,7 +94,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
### Initial setting of Bookinfo application
To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the
To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the
[Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and
[change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).

@ -150,7 +150,7 @@ Now you are ready to deploy a version of the Bookinfo application that will use
### Initial setting of Bookinfo application
To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the
To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the
[Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
This application uses the `ratings` microservice to fetch

@ -220,7 +220,7 @@ From these three values, the decision process mirrors that of the [`Sidecar Inje
- Otherwise, if a `ca.istio.io/env: "ns-foo"` label is defined in the service account's namespace, the Citadel instance in namespace `ns-foo` will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
- Otherwise, follow the `enableNamespacesByDefault` Helm flag. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
- Otherwise, set `enableNamespacesByDefault` to `true` during installation. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
- Otherwise, no secrets are created for the `ServiceAccount`'s namespace.
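Review bot: The rewritten third bullet turns a branch of the decision process into an instruction. "Otherwise, set `enableNamespacesByDefault` to `true` during installation. If it is `true`, ..." no longer reads as a rule that is evaluated, and the last bullet ("Otherwise, no secrets are created") is left without a condition to be the alternative to. Suggest keeping the conditional form and only dropping the word Helm, for example "Otherwise, follow the `enableNamespacesByDefault` installation option. If it is `true`, ...".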

@ -38,8 +38,7 @@ proceed to [setting up your local computer](/docs/examples/microservices-istio/s
simultaneously by multiple participants.
{{< /tip >}}
1. Install Istio with strict mutual TLS enabled by selecting the `strict mutual
TLS` tab when you follow [the Kubernetes installation steps](/docs/setup/install/kubernetes/#installation-steps).
1. Install Istio with strict mutual TLS enabled. TODO: add command or point to instructions.
1. [Enable Envoy's access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging).
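Review bot: Step 1 now ships a literal "TODO: add command or point to instructions." in reader-facing text, and it is the step that turns on strict mutual TLS. A participant following the page has no way to tell which install option to use and can end up running the module without strict mTLS. Give the exact install command here, or link to /docs/setup/install/operator/ and name the option, before this merges.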

@ -177,11 +177,9 @@ webhooks:
(... snip ...)
{{< /text >}}
If the webhook array in `istio-galley-configuration` is empty and
you're using `helm template` or `helm install`, verify `--set
galley.enabled` and `--set global.configValidation=true` options are
set. If you're not using helm, you'll need to find a generate
YAML that includes the populated webhook array.
If the webhook array in `istio-galley-configuration` is empty, verify
the `galley.enabled` and `global.configValidation` installation options are
set.
The `istio-galley` validation configuration is fail-close. If
configuration exists and is scoped properly, the webhook will be
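Review bot: The replacement sentence names `galley.enabled` and `global.configValidation` without the `values.` prefix that the rest of this change adds to option keys (for example `values.galley.enableAnalysis`), and it drops the `=true` the old text gave for `global.configValidation`. The next paragraph describes the validation webhook as fail-close, so the text should state the value each option must have and write the keys the way they are typed on the command line.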

@ -169,13 +169,5 @@ status:
You can enable this feature with:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
--set galley.enableAnalysis=true | kubectl apply -f -
{{< /text >}}
Or with:
{{< text bash >}}
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
--set galley.enableAnalysis=true
$ istioctl manifest apply --set values.galley.enableAnalysis=true
{{< /text >}}

@ -18,7 +18,7 @@ to inspect Envoy configuration and diagnose the issue.
If you want to try the commands described below, you can either:
* Have a Kubernetes cluster with Istio and Bookinfo installed (e.g use `istio.yaml` as described in
[installation steps](/docs/setup/install/kubernetes/#installation-steps) and
[installation steps](/docs/setup/install/kubernetes/) and
[Bookinfo installation steps](/docs/examples/bookinfo/#deploying-the-application)).
OR

@ -21,19 +21,8 @@ For ease of the installation, they are available with a `-distroless` suffix.
## Install distroless images
You should follow the [Installation Steps](/docs/setup/install/helm/) to setup Istio. You can pass the following parameter to `helm` to use the *distroless images*
For [Option 1](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) use
{{< text bash >}}
$ helm template [...] --set global.tag={{< istio_full_version >}}-distroless
{{< /text >}}
For [Option 2](/docs/setup/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install)
{{< text bash >}} use
$ helm install [...] --set global.tag={{< istio_full_version >}}-distroless
{{< /text >}}
Follow the [Installation Steps](/docs/setup/install/operator/) to setup Istio.
Add the option `--set tag={{< istio_full_version >}}-distroless` to use the *distroless images*.
## Benefits
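Review bot: The new option is written as `--set tag={{< istio_full_version >}}-distroless`, while the removed lines used `global.tag` and every other key in this change is moved under `values.`. Please confirm that `tag` is really a top-level option here rather than `values.global.tag`, and show the full command the option is added to, since the sentence no longer says which command that is.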

@ -28,7 +28,7 @@ mutual TLS enabled.
* Understand [Kubernetes liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/), Istio
[authentication policy](/docs/concepts/security/#authentication-policies) and [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (meaning use `istio.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)).
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled.
## Liveness and readiness probes with command option
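Review bot: The prerequisite bullet now says only "without global mutual TLS enabled" and drops both ways of getting there that the old line named (`istio.yaml`, or `global.mtls.enabled` set to false). The rest of the task depends on that state, so name the profile or install option that produces it, as the removed line did.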
@ -99,10 +99,9 @@ request to application, and strips the response body only returning the response
You have two ways to enable Istio to rewrite the liveness HTTP probes.
#### Enable via Helm Option Globally
#### Enable globally via install option
[Install Istio](/docs/setup/install/helm/) with the `sidecarInjectorWebhook.rewriteAppHTTPProbe=true`
[Helm installation option](/docs/reference/config/installation-options/#sidecarinjectorwebhook-options).
[Install Istio](/docs/setup/install/operator/) with `--set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=true`.
**Alternatively**, update the configuration map of Istio sidecar injection:
@ -115,14 +114,14 @@ rewrite the Kubernetes pod's spec, so health checks are able to work under mutua
spec by yourself.
{{< warning >}}
The configuration changes above (by Helm or by the configuration map) effect all Istio app deployments.
The configuration changes above (by install or by the configuration map) effect all Istio app deployments.
{{< /warning >}}
#### Use Annotations on Pod
#### Use annotations on pod
<!-- Add samples YAML or kubectl patch? -->
Rather than install Istio with different Helm options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource).
Rather than install Istio with different options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource).
{{< text yaml >}}
apiVersion: apps/v1
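Review bot: The reworded warning keeps "effect all Istio app deployments"; since the line is being touched, change it to "affect". "by install" also reads oddly next to "by the configuration map"; "by install option" would match the heading introduced in the previous hunk.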
@ -155,7 +154,7 @@ This approach allows you to enable the health check prober rewrite gradually on
#### Re-deploy the liveness health check app
Instructions below assume you turn on the feature via Helm flag globally.
Instructions below assume you turn on the feature globally via install option.
Annotations works the same.
{{< text bash >}}

@ -24,7 +24,7 @@ To generate service-level metrics directly in the Envoy proxies, follow these st
1. To prevent duplicate telemetry generation, disable calls to `istio-telemetry` in the mesh:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set mixer.telemetry.enabled=false --set mixer.policy.enabled=false
$ istioctl manifest apply --set values.mixer.telemetry.enabled=false,values.mixer.policy.enabled=false
{{< /text >}}
{{< tip >}}

@ -72,7 +72,7 @@ Sometimes, you need to constrain the traffic fail-over to avoid sending traffic
endpoints across the globe when there are not enough healthy endpoints in the
same region. This behavior is useful when sending fail-over traffic across regions
would not improve service health or many other reasons including regulatory controls.
To constrain traffic to a region, configure the `localityLbSetting` option using Helm. See the
To constrain traffic to a region, configure the `values.localityLbSetting` option during install. See the
[Locality load balancing reference guide](/docs/reference/config/istio.mesh.v1alpha1/#LocalityLoadBalancerSetting)
for options.

@ -50,5 +50,5 @@ spec:
Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic.
This feature is experimental and off by default. It can be turned on by providing the Helm value `--set pilot.enableProtocolSniffingForOutbound=true --set pilot.enableProtocolSniffingForInbound=true`.
This feature is experimental and off by default. It can be turned on by providing the install options `--set values.pilot.enableProtocolSniffingForOutbound=true --set values.pilot.enableProtocolSniffingForInbound=true`.

@ -8,7 +8,7 @@ keywords: [profiles,install,helm]
---
This page describes the built-in configuration profiles that can be used when
[installing Istio using helm](/docs/setup/install/helm/).
[installing Istio](/docs/setup/install/operator/).
The profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane.
You can start with one of Istios built-in configuration profiles and then further customize the configuration for
your specific needs. The following built-in configuration profiles are currently available:
@ -27,14 +27,13 @@ your specific needs. The following built-in configuration profiles are currently
1. **minimal**: the minimal set of components necessary to use Istio's [traffic management](/docs/tasks/traffic-management/) features.
1. **sds-auth**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds).
1. **sds**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds).
This profile comes with additional authentication features enabled by default (Strict Mutual TLS).
The components marked as **X** are installed within each profile:
| | default | demo | minimal | sds |
| --- | --- | --- | --- | --- |
| Profile filename | `values.yaml` | `values-istio-demo.yaml` | `values-istio-minimal.yaml` | `values-istio-sds-auth.yaml` |
| Core components | | | | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-citadel` | X | X | | X |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-egressgateway` | | X | | |
@ -51,7 +50,10 @@ The components marked as **X** are installed within each profile:
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`kiali` | | X | | |
| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`prometheus` | X | X | | X |
To further customize Istio and install addons, you can add one or more `--set <key>=<value>` options in the `helm template` or `helm install` command that you use when installing Istio. The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported installation key and value pairs.
To further customize Istio and install addons, you can add one or more `--set <key>=<value>` options in the
`istioctl manifest` command that you use when installing Istio.
The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported
installation key and value pairs.
## Multicluster profiles
@ -64,15 +66,14 @@ Istio provides two additional built-in configuration profiles that are used excl
1. **multicluster-gateways**: used for configuring clusters of a
multicluster mesh with replicated [control planes]/docs/setup/deployment-models/#control-plane-models).
The **remote** profile is configured using the values file `values-istio-remote.yaml`. This profile installs only two
Istio core components:
The **remote** profile installs only two Istio core components:
1. `istio-citadel`
1. `istio-sidecar-injector`
The **multicluster-gateways** profile is configured using the values file `values-istio-multicluster-gateways.yaml`.
This profile installs the same components as the Istio **default** configuration profile plus two additional components:
The **multicluster-gateways** profile installs the same components as the Istio **default** configuration
profile plus two additional components:
1. The `istio-egressgateway` core component.

@ -19,6 +19,11 @@ window.onload = function(){
}
</script>
{{< warning >}}
The Helm installation approach has been deprecated.
Please use [Installing with {{< istioctl >}}](/docs/setup/install/operator/), instead.
{{< /warning >}}
Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use.
This installation guide uses [Helm](https://github.com/helm/helm) charts that provide rich
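Review bot: The new warning says the Helm approach is deprecated, but the unchanged paragraph directly after it still presents this guide as the way to install "for in-depth evaluation or production use". Readers get two contradictory signals within a few lines; reword the intro, or have the warning say for how long Helm installs remain supported. Minor: drop the comma before "instead".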

@ -1,17 +1,15 @@
---
title: Quick Start Evaluation Install
description: Instructions to install Istio in a Kubernetes cluster for evaluation.
weight: 10
weight: 5
keywords: [kubernetes]
aliases:
- /docs/setup/kubernetes/quick-start/
- /docs/setup/kubernetes/install/kubernetes/
---
This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/)
using basic Kubernetes commands without needing to download or install
[Helm](https://github.com/helm/helm). This installation lets you quickly
evaluate Istio in a Kubernetes cluster on any platform.
This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/).
This installation lets you quickly evaluate Istio in a Kubernetes cluster on any platform.
{{< warning >}}
The demo configuration profile is not suitable for performance evaluation. It
@ -20,7 +18,7 @@ access logging.
{{< /warning >}}
To install Istio for production use, we recommend using the
[Helm Installation guide](/docs/setup/install/helm/)
[Installing with {{< istioctl >}} guide](/docs/setup/install/operator/)
instead, which provides many more options for selecting and managing the Istio
configuration. This permits customization of Istio to operator specific
requirements.
@ -33,21 +31,11 @@ requirements.
1. Check the [Requirements for Pods and Services](/docs/setup/additional-setup/requirements/).
## Installation steps
## Install the demo profile
1. Install all the Istio
[Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
(CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
{{< text bash >}}
$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
{{< /text >}}
1. Install the **demo** profile:
{{< text bash >}}
$ kubectl apply -f install/kubernetes/istio-demo.yaml
{{< /text >}}
{{< text bash >}}
$ istioctl manifest apply --set profile=demo
{{< /text >}}
## Verifying the installation
@ -139,14 +127,6 @@ The uninstall deletes the RBAC permissions, the `istio-system` namespace, and
all resources hierarchically under it. It is safe to ignore errors for
non-existent resources because they may have been deleted hierarchically.
* Uninstall the **demo** profile:
{{< text bash >}}
$ kubectl delete -f install/kubernetes/istio-demo.yaml
{{< /text >}}
* If desired, delete the Istio CRDs:
{{< text bash >}}
$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl delete -f $i; done
{{< /text >}}
{{< text bash >}}
$ istioctl manifest generate --set profile=demo | kubectl delete -f -
{{< /text >}}
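Review bot: The optional "delete the Istio CRDs" step is removed and nothing replaces it. The paragraph above lists what the uninstall deletes (RBAC permissions, the `istio-system` namespace and the resources under it) and does not mention CRDs, so state explicitly whether `istioctl manifest generate --set profile=demo | kubectl delete -f -` removes them or whether they are left behind in the cluster.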

@ -46,7 +46,7 @@ manifests and Helm charts provided within the Istio repository.
## Deploy the local control plane
Install the [Istio control plane](/docs/setup/install/kubernetes/#installation-steps)
Install the [Istio control plane](/docs/setup/install/kubernetes/)
on **one** Kubernetes cluster.
## Install the Istio remote

@ -1,7 +1,7 @@
---
title: Operator CLI-based Installation
title: Installing with Istioctl
description: Install and configure Istio using the Istio Operator CLI.
weight: 25
weight: 10
keywords: [operator,kubernetes,helm]
---
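Review bot: The title becomes "Installing with Istioctl", but the description still says "using the Istio Operator CLI" and `keywords` still lists `helm` and not `istioctl`. Other pages in this change link here as "Installing with {{< istioctl >}}", so align the description and keywords with the new title.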

@ -16,23 +16,23 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
## Before you begin
1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm)
1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator)
and then configure:
a) a demo/test environment by setting the `--set tracing.enabled=true` Helm install option to enable tracing "out of the box"
a) a demo/test environment by setting the `--set values.tracing.enabled=true` install option to enable tracing "out of the box"
b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set global.tracer.zipkin.address=<jaeger-collector-service>.<jaeger-collector-namespace>:9411` Helm install option.
b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set values.global.tracer.zipkin.address=<jaeger-collector-service>.<jaeger-collector-namespace>:9411` install option.
{{< warning >}}
When you enable tracing, you can set the sampling rate that Istio uses for tracing.
Use the `pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%.
Use the `values.pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%.
{{< /warning >}}
1. Deploy the [Bookinfo](/docs/examples/bookinfo/#deploying-the-application) sample application.
## Accessing the dashboard
[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install.
[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install.
For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Jaeger to the `istio-system` namespace:

@ -39,21 +39,17 @@ This task uses the [Bookinfo](/docs/examples/bookinfo/) sample application as an
- `global.tracer.lightstep.secure=true`
- `global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem"`
If you are installing via `helm template` you can set these parameters using the `--set key=value` syntax
when you run the `helm` command. For example:
You can set these parameters using the `--set key=value` syntax
when you run the install command. For example:
{{< text bash >}}
$ helm template \
--set pilot.traceSampling=100 \
--set global.proxy.tracer="lightstep" \
--set global.tracer.lightstep.address="<satellite-address>" \
--set global.tracer.lightstep.accessToken="<access-token>" \
--set global.tracer.lightstep.secure=true \
--set global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem" \
install/kubernetes/helm/istio \
--name istio --namespace istio-system > $HOME/istio.yaml
$ kubectl create namespace istio-system
$ kubectl apply -f $HOME/istio.yaml
$ istioctl manifest apply \
--set values.pilot.traceSampling=100 \
--set values.global.proxy.tracer="lightstep" \
--set values.global.tracer.lightstep.address="<satellite-address>" \
--set values.global.tracer.lightstep.accessToken="<access-token>" \
--set values.global.tracer.lightstep.secure=true \
--set values.global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem"
{{< /text >}}
1. Store your satellite pool's certificate authority certificate as a secret in the default namespace.
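Review bot: The parameter list just above the command still gives the keys as `global.tracer.lightstep.secure=true` and `global.tracer.lightstep.cacertPath=...`, while the command now passes them as `values.global.tracer.lightstep.*`. A reader who copies a key from the list into `--set` gets the old form, so update the list in the same change. Separately, `accessToken` is still passed on the command line, where it lands in shell history; worth a sentence now that the command applies straight to the cluster and no longer writes `$HOME/istio.yaml` first.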

@ -93,9 +93,9 @@ dashboard. This sampling rate is suitable for a test or low traffic
mesh. For a high traffic mesh you can lower the trace sampling
percentage in one of two ways:
* During the mesh setup, use the Helm option `pilot.traceSampling` to
* During the mesh setup, use the option `values.pilot.traceSampling` to
set the percentage of trace sampling. See the
[Helm Install](/docs/setup/install/helm/) documentation for
[Installing with {{< istioctl >}}](/docs/setup/install/operator/) documentation for
details on setting options.
* In a running mesh, edit the `istio-pilot` deployment and
change the environment variable with the following steps:

@ -16,12 +16,12 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
## Before you begin
1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm)
1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator)
and then configure:
a) a demo/test environment by setting the `--set tracing.enabled=true` and `--set tracing.provider=zipkin` Helm install options to enable tracing "out of the box"
a) a demo/test environment by setting the `--set values.tracing.enabled=true` and `--set values.tracing.provider=zipkin` install options to enable tracing "out of the box"
b) a production environment by referencing an existing Zipkin instance and then setting the `--set global.tracer.zipkin.address=<zipkin-collector-service>.<zipkin-collector-namespace>:9411` Helm install option.
b) a production environment by referencing an existing Zipkin instance and then setting the `--set values.global.tracer.zipkin.address=<zipkin-collector-service>.<zipkin-collector-namespace>:9411` install option.
{{< warning >}}
When you enable tracing, you can set the sampling rate that Istio uses for tracing.
@ -32,7 +32,7 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
## Accessing the dashboard
[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install.
[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install.
For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Zipkin to the `istio-system` namespace:

@ -33,21 +33,21 @@ addons to require authentication when exposing them externally.
1. [Install cert-manager](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) to manage certificates automatically.
1. [Install Istio](/docs/setup) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use
1. [Install Istio](/docs/setup/install/operator) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use
the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#sds-configuration).
To install Istio accordingly, use the following Helm installation options:
To install Istio accordingly, use the following installation options:
* `--set gateways.enabled=true`
* `--set gateways.istio-ingressgateway.enabled=true`
* `--set gateways.istio-ingressgateway.sds.enabled=true`
* `--set values.gateways.enabled=true`
* `--set values.gateways.istio-ingressgateway.enabled=true`
* `--set values.gateways.istio-ingressgateway.sds.enabled=true`
To additionally install the telemetry addons, use the following Helm installation options:
To additionally install the telemetry addons, use the following installation options:
* Grafana: `--set grafana.enabled=true`
* Kiali: `--set kiali.enabled=true`
* Prometheus: `--set prometheus.enabled=true`
* Tracing: `--set tracing.enabled=true`
* Grafana: `--set values.grafana.enabled=true`
* Kiali: `--set values.kiali.enabled=true`
* Prometheus: `--set values.prometheus.enabled=true`
* Tracing: `--set values.tracing.enabled=true`
1. Configure the DNS records for your domain.
@ -370,14 +370,14 @@ the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/confi
### Option 2: Insecure access (HTTP)
1. [Install Istio](/docs/setup/) in your cluster with your desired telemetry addons.
1. [Install Istio](/docs/setup/install/operator) in your cluster with your desired telemetry addons.
To additionally install the telemetry addons, use the following Helm installation options:
To additionally install the telemetry addons, use the following installation options:
* Grafana: `--set grafana.enabled=true`
* Kiali: `--set kiali.enabled=true`
* Prometheus: `--set prometheus.enabled=true`
* Tracing: `--set tracing.enabled=true`
* Grafana: `--set values.grafana.enabled=true`
* Kiali: `--set values.kiali.enabled=true`
* Prometheus: `--set values.prometheus.enabled=true`
* Tracing: `--set values.tracing.enabled=true`
1. Apply networking configuration for the telemetry addons.

@ -26,7 +26,7 @@ To install Kiali without using Helm, follow the [Kiali installation instructions
### Create a secret
{{< idea >}}
If you plan on installing Kiali using the `istio-demo.yaml` file as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/#installation-steps) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section.
If you plan on installing Kiali using the Istio demo profile as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section.
{{< /idea >}}
Create a secret in your Istio namespace with the credentials that you use to
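Review bot: The rewritten sentence points readers at the demo profile and tells them to skip creating a secret because a default one with username `admin` and passphrase `admin` exists. Since the line is being edited anyway, add that these defaults are acceptable only for a local evaluation and that the secret should be replaced before the dashboard is reachable by anyone else. The link text "Istio Quick Start Installation Steps" also no longer matches a heading now that the `#installation-steps` anchor is dropped.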

@ -22,7 +22,7 @@ The standard output of Envoy's containers can then be printed by the `kubectl lo
Edit the `istio` configuration map:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.proxy.accessLogFile="/dev/stdout" | kubectl replace -f -
$ istioctl manifest apply --set values.global.proxy.accessLogFile="/dev/stdout"
configmap "istio" replaced
{{< /text >}}
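Review bot: The expected output `configmap "istio" replaced` is kept, but it was the output of `kubectl replace` on the single template selected with `-x templates/configmap.yaml`. The new `istioctl manifest apply` command has no such restriction, so neither the sample output nor the lead-in "Edit the `istio` configuration map" describes what now happens. Update the output, and state whether options passed at install time have to be repeated on this command to be kept.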
@ -32,7 +32,7 @@ You may also want to customize the
[format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log#format-rules) of the access log by editing `accessLogFormat`.
{{< tip >}}
All three of these parameters may also be configured via [helm values](/docs/reference/config/installation-options/):
All three of these parameters may also be configured via [install options](/docs/reference/config/installation-options/):
{{< /tip >}}
* `global.proxy.accessLogFile`
@ -97,6 +97,6 @@ $ kubectl delete -f @samples/httpbin/httpbin.yaml@
Edit the `istio` configuration map and set `accessLogFile` to `""`.
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml | kubectl replace -f -
$ istioctl manifest apply
configmap "istio" replaced
{{< /text >}}
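Review bot: The text says to set `accessLogFile` to `""`, but the new command is a bare `istioctl manifest apply` with no `--set`, so it only has that effect if the empty value is the default of whatever is applied. Either pass `--set values.global.proxy.accessLogFile=""` explicitly or say that the command restores the defaults. The `configmap "istio" replaced` output line is stale here as well.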

@ -17,7 +17,7 @@ the example application throughout this task.
## Before you begin
* [Install Istio](/docs/setup) in your cluster. If you are installing using Helm, enable the Grafana add-on `--set grafana.enabled=true` [option](/docs/reference/config/installation-options/).
* [Install Istio](/docs/setup) in your cluster. If not enabled in your chosen configuration profile, enable the Grafana add-on `--set values.grafana.enabled=true` [option](/docs/reference/config/installation-options/).
* Deploy [Bookinfo](/docs/examples/bookinfo/) application.
## Viewing the Istio Dashboard

@ -10,7 +10,7 @@ This task shows you how to enable Istio policy enforcement.
## At install time
In the default Istio installation profile, policy enforcement is disabled. To install Istio
with policy enforcement on, use the `--set global.disablePolicyChecks=false` Helm install option.
with policy enforcement on, use the `--set values.global.disablePolicyChecks=false` install option.
Alternatively, you may [install Istio using the demo profile](/docs/setup/install/kubernetes/),
which enables policy checks by default.
@ -31,7 +31,7 @@ which enables policy checks by default.
Execute the following command from the root Istio directory:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.disablePolicyChecks=false | kubectl -n istio-system replace -f -
$ istioctl manifest apply --set values.global.disablePolicyChecks=false
configmap "istio" replaced
{{< /text >}}
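Review bot: "Execute the following command from the root Istio directory" was needed for the relative chart path `install/kubernetes/helm/istio`; the new `istioctl manifest apply` command takes no path, so that sentence can go. The old command was also limited to the config map and to `-n istio-system`, which the new one is not, and the `configmap "istio" replaced` output line no longer matches; since this toggles policy enforcement on a running mesh, say what else the command changes.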

@ -47,9 +47,8 @@ This approach has the following benefits:
## Before you begin
* Set up Istio by following the instructions using
[Helm](/docs/setup/install/helm/) with SDS setup and global mutual
TLS enabled.
* Follow the [install instructions](/docs/setup/install/operator/)
to set up Istio with SDS and global mutual TLS enabled.
## Service-to-service mutual TLS using key/certificate provisioned through SDS

@ -15,9 +15,8 @@ the underlying concepts in the [authentication overview](/docs/concepts/security
* Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in
[installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using
[Helm](/docs/setup/install/helm/)).
* Install Istio on a Kubernetes cluster with global mutual TLS disabled (e.g, use the demo configuration profile, as described in
[installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false).
### Setup
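Review bot: The added bullet names the option as `global.mtls.enabled`, while every command this patch adds spells it `values.global.mtls.enabled`; use the prefixed form so the name can be pasted into `--set`. In the same bullet, `e.g,` should read `e.g.,` and the link `/docs/setup/install/kubernetes` lacks the trailing slash that the other links to that page carry.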

View File

@ -60,7 +60,7 @@ You can observe that no new `istio.io/key-and-cert` secret was generated for the
### Opt-in Service Account secret generation
To make `ServiceAcount` secret generation opt-in (i.e. to disable generating secrets unless otherwise specified)., set the `enableNamespacesByDefault` Helm value to `false`:
Set the `enableNamespacesByDefault` installation option to `false` to make `ServiceAcount` secret generation opt-in (i.e., to disable generating secrets unless otherwise specified):
{{< text yaml >}}
...
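Review bot: The rewritten sentence still misspells the resource as `ServiceAcount`; since the line is being touched anyway, correct it to `ServiceAccount`. It would also help to give the full path of `enableNamespacesByDefault` in the installation options, as the other hunks do with their `values.` names.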

View File

@ -24,7 +24,7 @@ this feature is not needed if the production setup is not using the
## Before you begin
To complete this task, you can install Istio using [Helm](/docs/setup/install/helm/) to setup Istio by setting the `global.mtls.enabled` flag to `true`.
To complete this task, you can [install Istio](/docs/setup/install/operator/) with the `global.mtls.enabled` option set to `true`.
{{< tip >}}
Use an [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for
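Review bot: The rewritten prerequisite calls the option `global.mtls.enabled`, but the command in the next hunk of this same file sets `values.global.mtls.enabled`; use one spelling in both places. The link target also moves to `/docs/setup/install/operator/` here while other prerequisites in this patch point to `/docs/setup/install/kubernetes/`; pick one install page for "install Istio".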
@ -34,12 +34,10 @@ See the [authentication policy task](/docs/tasks/security/authn-policy/) for det
## Deploying Citadel with health checking
To enable health checking, redeploy Citadel with helm:
To enable health checking, redeploy Citadel:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
-x charts/security/templates/deployment.yaml \
--set global.mtls.enabled=true --set security.citadelHealthCheck=true > citadel-health-check.yaml
$ istioctl manifest generate --set values.global.mtls.enabled=true,values.security.citadelHealthCheck=true > citadel-health-check.yaml
$ kubectl apply -f citadel-health-check.yaml
{{< /text >}}
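Review bot: With `-x charts/security/templates/deployment.yaml` removed, `istioctl manifest generate` writes the full installation manifest into `citadel-health-check.yaml`, so the `kubectl apply` that follows touches every component rather than only Citadel. The lead-in "redeploy Citadel" should say this and tell readers to repeat the flags they installed with; otherwise security settings not listed here silently return to their profile defaults.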
@ -104,8 +102,6 @@ continuously failed health checks.
* To disable health checking on Citadel:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
-x charts/security/templates/deployment.yaml \
--set global.mtls.enabled=true | kubectl apply -f -
$ istioctl manifest apply --set values.global.mtls.enabled=true
{{< /text >}}
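Review bot: Disabling the health check here depends on `security.citadelHealthCheck` being left out of the command; pass `values.security.citadelHealthCheck=false` explicitly so the step states what it changes. The enable step in the previous hunk uses `manifest generate` followed by `kubectl apply`, while this one uses `manifest apply`; use the same form for both.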

View File

@ -22,7 +22,7 @@ original HTTPS traffic. And this is the reason Istio can work on HTTPS services.
Set up Istio by following the instructions in the
[quick start](/docs/setup/install/kubernetes/).
Note that default mutual TLS authentication should be **disabled** when installing Istio; e.g. option 1 in the
[quick start](/docs/setup/install/kubernetes/#installation-steps).
[quick start](/docs/setup/install/kubernetes/).
The demo is also assumed to be running in a namespace where automatic sidecar injection is
disabled, and Istio sidecars are instead manually injected with [`istioctl`](/docs/reference/commands/istioctl).
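Review bot: The context sentence still says "option 1 in the quick start", but the link loses its `#installation-steps` anchor, so "option 1" no longer identifies anything the reader can find on the target page. Replace the phrase with the concrete requirement, as the other prerequisites in this patch do when they say to set the `global.mtls.enabled` installation option to false.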
@ -161,12 +161,10 @@ $ kubectl get pod -n istio-system
No resources found.
{{< /text >}}
Follow the [installation instructions](/docs/setup/install/kubernetes/#installation-steps) install CRDs.
Install Istio with the **strict mutual TLS mode** enabled:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-demo.yaml --set global.controlPlaneSecurityEnabled=true --set global.mtls.enabled=true | kubectl delete -f -
$ istioctl manifest apply --set profile=demo,values.global.controlPlaneSecurityEnabled=true,values.global.mtls.enabled=true
{{< /text >}}
Make sure everything is up and running:
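Review bot: The removed command under "Install Istio with the strict mutual TLS mode enabled" piped the rendered manifest into `kubectl delete -f -`, while its replacement runs `istioctl manifest apply`; that changes what the step does, not only which tool runs it, and the commit message does not mention it. Confirm that apply is the intended behaviour, and that dropping the "install CRDs" sentence still leaves the step complete on a cluster where `kubectl get pod -n istio-system` has just returned "No resources found".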

View File

@ -28,7 +28,8 @@ down once the migration is done.
* Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)).
* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use the demo configuration profile as described in
[installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false).
* For demo
* Create the following namespaces and deploy [httpbin]({{< github_tree >}}/samples/httpbin) and [sleep]({{< github_tree >}}/samples/sleep) with sidecar on both of them.
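Review bot: This bullet is the same prerequisite that an earlier hunk rewrites to "Install Istio on a Kubernetes cluster with global mutual TLS disabled", yet here it stays "Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled"; use one wording for both pages. Also fix `e.g use` to `e.g., use`, and spell the option `values.global.mtls.enabled` to match the commands added elsewhere in the patch.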

View File

@ -50,13 +50,11 @@ The following steps enable plugging in the certificates and key into Citadel:
--from-file=samples/certs/cert-chain.pem
{{< /text >}}
1. Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
1. Redeploy Citadel with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
Citadel will read certificates and key from the secret-mount files.
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \
--set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml
$ kubectl apply -f $HOME/citadel-plugin-cert.yaml
$ istioctl manifest apply --set values.global.mtls.enabled=true,values.security.selfSigned=false
{{< /text >}}
1. To make sure the workloads obtain the new certificates promptly,
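Review bot: The step text says "Redeploy Citadel" and names `global.mtls.enabled` and `security.selfSigned`, but the new command applies the whole installation and uses the `values.`-prefixed names; make the sentence match the command. Because only these two options are passed, add a note that readers must include the flags they installed with, otherwise the rest of the mesh is reconfigured at the same moment the CA certificates are swapped.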

View File

@ -22,7 +22,7 @@ concepts.
* Create a Kubernetes cluster with Istio installed and mutual TLS enabled.
To fulfill this prerequisite you can follow the Kubernetes
[installation instructions](/docs/setup/install/kubernetes/#installation-steps).
[installation instructions](/docs/setup/install/kubernetes/).
## Setup the required namespace and services

View File

@ -404,12 +404,11 @@ Update your `istio-sidecar-injector` configuration map using the IP ranges speci
For example, if the range is 10.0.0.1&#47;24, use the following command:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio <the flags you used to install Istio> --set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml | kubectl apply -f -
$ istioctl manifest apply <the flags you used to install Istio> --set values.global.proxy.includeIPRanges="10.0.0.1/24"
{{< /text >}}
Use the same Helm command that you used to [install Istio](/docs/setup/install/helm),
specifically, ensure you use the same value for the `--namespace` flag and
add these flags: `--set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml`.
Use the same command that you used to [install Istio](/docs/setup/install/operator) and
add `--set values.global.proxy.includeIPRanges="10.0.0.1/24"`.
### Access the external services
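Review bot: The paragraph after the command ("Use the same command that you used to install Istio and add `--set values.global.proxy.includeIPRanges=...`") now repeats exactly what the command line above it shows; drop it or fold it into one sentence before the command. The `<the flags you used to install Istio>` placeholder also sits unquoted inside a `text bash` block, where a pasted `<` and `>` are shell redirections; consider a form that cannot be executed by accident.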
@ -444,7 +443,7 @@ Update the `istio-sidecar-injector.configmap.yaml` configuration map to redirect
proxies:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio <the flags you used to install Istio> -x templates/sidecar-injector-configmap.yaml | kubectl apply -f -
$ istioctl manifest apply <the flags you used to install Istio>
{{< /text >}}
## Understanding what happened
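Review bot: The lead-in still tells the reader to update `istio-sidecar-injector.configmap.yaml`, but the new command no longer selects that template and instead reapplies the installation with the original flags. Reword the lead-in to describe what the command now does, namely reinstalling without the `values.global.proxy.includeIPRanges` override.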

View File

@ -635,20 +635,20 @@ to hold the configuration of the NGINX server:
you used for generating your `istio.yaml`:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio/ --name istio --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-ingressgateway.enabled=false \
--set gateways.istio-egressgateway.enabled=true \
--set 'gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \
--set 'gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \
--set 'gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \
--set 'gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \
--set 'gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \
--set 'gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \
--set 'gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \
--set 'gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \
--set 'gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \
--set 'gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \
--set 'gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \
--set 'gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \
$ istioctl manifest generate --set values.gateways.istio-ingressgateway.enabled=false \
--set values.gateways.istio-egressgateway.enabled=true \
--set 'values.gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \
--set 'values.gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \
./istio-egressgateway.yaml
{{< /text >}}
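Review bot: `values.gateways.istio-ingressgateway.enabled=false` was harmless while `-x charts/gateways/templates/deployment.yaml` limited the output to the gateway deployment, but `istioctl manifest generate` has no such filter here, so `./istio-egressgateway.yaml` now holds a full manifest with the ingress gateway turned off. State whether that is intended, or drop the flag, and consider renaming the output file since it is no longer only the egress gateway.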

View File

@ -49,15 +49,12 @@ controlled way.
If no pods are returned, deploy the Istio egress gateway by performing the next step.
1. Use `helm template` (or `helm install` with the corresponding flags):
1. Run the following command:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio --name istio-egressgateway --namespace istio-system \
-x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml \
-x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml \
-x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml \
--set global.istioNamespace=istio-system --set gateways.istio-ingressgateway.enabled=false \
--set gateways.istio-egressgateway.enabled=true | kubectl apply -f -
$ istioctl manifest apply --set values.global.istioNamespace=istio-system \
--set values.gateways.istio-ingressgateway.enabled=false \
--set values.gateways.istio-egressgateway.enabled=true
{{< /text >}}
{{< warning >}}
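Review bot: This command is applied straight to the cluster and still carries `values.gateways.istio-ingressgateway.enabled=false`; in the removed version the six `-x charts/gateways/templates/...` selectors kept the change to the gateway resources, and nothing in the new line does. A reader who follows the step only to add an egress gateway should be told what happens to an existing ingress gateway and to any options they installed with, or the flag should be removed. The new step text "Run the following command:" also no longer says what the command deploys.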

View File

@ -299,7 +299,7 @@ The SNI proxy will forward the traffic to port `443`.
1. The following command will generate `istio-egressgateway-with-sni-proxy.yaml` which you can optionally edit and then deploy.
{{< text bash >}}
$ cat <<EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.istioNamespace=istio-system -f - > ./istio-egressgateway-with-sni-proxy.yaml
$ cat <<EOF | istioctl manifest generate --set values.global.istioNamespace=istio-system -f - > ./istio-egressgateway-with-sni-proxy.yaml
gateways:
enabled: true
istio-ingressgateway:
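Review bot: The heredoc fed through `-f -` still uses the Helm values layout, starting at a top-level `gateways:` key, while the `--set` on the same line and every other command in this patch put those keys under `values.`. Please confirm that `istioctl manifest generate` reads a file from stdin with `-f -` and accepts this layout; if not, the block needs to be nested under `values:`. The release name from the dropped `--name istio-egressgateway-with-sni-proxy` is also gone, so check that the generated resource names still match the rest of the task.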

View File

@ -13,16 +13,14 @@ You will start with a clean Istio installation, create an example service, expos
## Before you begin
1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do this for the [helm template](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) installation path:
1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do it:
{{< text bash >}}
$ helm template $HOME/istio-fetch/istio \
--namespace=istio-system \
--set gateways.istio-ingressgateway.sds.enabled=true \
--set global.k8sIngress.enabled=true \
--set global.k8sIngress.enableHttps=true \
--set global.k8sIngress.gatewayName=ingressgateway \
> $HOME/istio-fetch/istio.yaml
$ istioctl manifest apply \
--set values.gateways.istio-ingressgateway.sds.enabled=true \
--set values.global.k8sIngress.enabled=true \
--set values.global.k8sIngress.enableHttps=true \
--set values.global.k8sIngress.gatewayName=ingressgateway
{{< /text >}}
{{< tip >}}
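Review bot: The removed command wrote its output to `$HOME/istio-fetch/istio.yaml`, and the new one applies directly without producing that file; check that no later step or the tip that follows still refers to or applies `istio.yaml`. The lead-in also lists "Kubernetes Ingress support, SDS" as two items joined by a comma; "and" would read more clearly now that the sentence is being edited.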

View File

@ -103,14 +103,12 @@ need to create secrets for multiple hosts and update the gateway definitions.
1. Enable SDS at ingress gateway and deploy the ingress gateway agent.
Since this feature is disabled by default, you need to enable the
[`istio-ingressgateway.sds.enabled` flag]({{<github_blob>}}/install/kubernetes/helm/istio/charts/gateways/values.yaml) in helm,
and then generate the `istio-ingressgateway.yaml` file:
`istio-ingressgateway.sds.enabled` installation option and generate the `istio-ingressgateway.yaml` file:
{{< text bash >}}
$ helm template install/kubernetes/helm/istio/ --name istio \
--namespace istio-system -x charts/gateways/templates/deployment.yaml \
--set gateways.istio-egressgateway.enabled=false \
--set gateways.istio-ingressgateway.sds.enabled=true > \
$ istioctl manifest generate \
--set values.gateways.istio-egressgateway.enabled=false \
--set values.gateways.istio-ingressgateway.sds.enabled=true > \
$HOME/istio-ingressgateway.yaml
$ kubectl apply -f $HOME/istio-ingressgateway.yaml
{{< /text >}}
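Review bot: The prose names the option `istio-ingressgateway.sds.enabled`, but the command sets `values.gateways.istio-ingressgateway.sds.enabled`; give the full name, especially since the link to the chart's `values.yaml` that used to document it is removed. As in the egress hunks, `manifest generate` without the old `-x charts/gateways/templates/deployment.yaml` writes a full manifest to `$HOME/istio-ingressgateway.yaml`, so `values.gateways.istio-egressgateway.enabled=false` now takes effect on `kubectl apply`; say so or drop the flag.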

View File

@ -0,0 +1 @@
istioctl