diff --git a/content/en/blog/2018/egress-https/index.md b/content/en/blog/2018/egress-https/index.md index 7e8ed6848d..4c5c680b6f 100644 --- a/content/en/blog/2018/egress-https/index.md +++ b/content/en/blog/2018/egress-https/index.md @@ -21,7 +21,7 @@ HTTPS traffic and describe the pros and cons of each of the options. ## Initial setting -To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then I deploy +To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then I deploy [Istio Bookinfo Sample Application](/docs/examples/bookinfo/). This application uses the _details_ microservice to fetch book details, such as the number of pages and the publisher. The original _details_ microservice provides the book details without consulting any external service. diff --git a/content/en/blog/2018/egress-mongo/index.md b/content/en/blog/2018/egress-mongo/index.md index 26b0475460..6f9c979019 100644 --- a/content/en/blog/2018/egress-mongo/index.md +++ b/content/en/blog/2018/egress-mongo/index.md 
@@ -94,7 +94,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You ### Initial setting of Bookinfo application -To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the +To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the [Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy). diff --git a/content/en/blog/2018/egress-tcp/index.md b/content/en/blog/2018/egress-tcp/index.md index 022417cde1..91a1ea8857 100644 --- a/content/en/blog/2018/egress-tcp/index.md +++ b/content/en/blog/2018/egress-tcp/index.md @@ -150,7 +150,7 @@ Now you are ready to deploy a version of the Bookinfo application that will use ### Initial setting of Bookinfo application -To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the +To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the [Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy). This application uses the `ratings` microservice to fetch 
diff --git a/content/en/docs/concepts/security/index.md b/content/en/docs/concepts/security/index.md index 5d61c93b24..0cc258416c 100644 --- a/content/en/docs/concepts/security/index.md +++ b/content/en/docs/concepts/security/index.md @@ -220,7 +220,7 @@ From these three values, the decision process mirrors that of the [`Sidecar Inje - Otherwise, if a `ca.istio.io/env: "ns-foo"` label is defined in the service account's namespace, the Citadel instance in namespace `ns-foo` will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace. -- Otherwise, follow the `enableNamespacesByDefault` Helm flag. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace. +- Otherwise, set `enableNamespacesByDefault` to `true` during installation. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace. - Otherwise, no secrets are created for the `ServiceAccount`'s namespace. diff --git a/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md b/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md index 49d8327071..e2eca88a1d 100644 --- a/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md +++ b/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md 
@@ -38,8 +38,7 @@ proceed to [setting up your local computer](/docs/examples/microservices-istio/s simultaneously by multiple participants. {{< /tip >}} -1. Install Istio with strict mutual TLS enabled by selecting the `strict mutual - TLS` tab when you follow [the Kubernetes installation steps](/docs/setup/install/kubernetes/#installation-steps). +1. Install Istio with strict mutual TLS enabled. TODO: add command or point to instructions. 1. [Enable Envoy's access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging). diff --git a/content/en/docs/ops/common-problems/validation/index.md b/content/en/docs/ops/common-problems/validation/index.md index 3ebf8f8946..64d79d69b3 100644 --- a/content/en/docs/ops/common-problems/validation/index.md +++ b/content/en/docs/ops/common-problems/validation/index.md @@ -177,11 +177,9 @@ webhooks: (... snip ...) {{< /text >}} -If the webhook array in `istio-galley-configuration` is empty and -you're using `helm template` or `helm install`, verify `--set -galley.enabled` and `--set global.configValidation=true` options are -set. If you're not using helm, you'll need to find a generate -YAML that includes the populated webhook array. +If the webhook array in `istio-galley-configuration` is empty, verify +the `galley.enabled` and `global.configValidation` installation options are +set. The `istio-galley` validation configuration is fail-close. If configuration exists and is scoped properly, the webhook will be diff --git a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md index 6e9ff3d0f7..bae8498588 100644 --- a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md +++ b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md 
@@ -169,13 +169,5 @@ status: You can enable this feature with: {{< text bash >}} -$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ - --set galley.enableAnalysis=true | kubectl apply -f - -{{< /text >}} - -Or with: - -{{< text bash >}} -$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \ - --set galley.enableAnalysis=true +$ istioctl manifest apply --set values.galley.enableAnalysis=true {{< /text >}} diff --git a/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md b/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md index a68cfacfcd..97e95099b6 100644 --- a/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md +++ b/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md @@ -18,7 +18,7 @@ to inspect Envoy configuration and diagnose the issue. If you want to try the commands described below, you can either: * Have a Kubernetes cluster with Istio and Bookinfo installed (e.g use `istio.yaml` as described in -[installation steps](/docs/setup/install/kubernetes/#installation-steps) and +[installation steps](/docs/setup/install/kubernetes/) and [Bookinfo installation steps](/docs/examples/bookinfo/#deploying-the-application)). OR diff --git a/content/en/docs/ops/security/harden-docker-images/index.md b/content/en/docs/ops/security/harden-docker-images/index.md index 05b45f885e..63cfc1978f 100644 --- a/content/en/docs/ops/security/harden-docker-images/index.md +++ b/content/en/docs/ops/security/harden-docker-images/index.md 
@@ -21,19 +21,8 @@ For ease of the installation, they are available with a `-distroless` suffix. ## Install distroless images -You should follow the [Installation Steps](/docs/setup/install/helm/) to setup Istio. You can pass the following parameter to `helm` to use the *distroless images* - -For [Option 1](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) use - -{{< text bash >}} -$ helm template [...] --set global.tag={{< istio_full_version >}}-distroless -{{< /text >}} - -For [Option 2](/docs/setup/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install) - -{{< text bash >}} use -$ helm install [...] --set global.tag={{< istio_full_version >}}-distroless -{{< /text >}} +Follow the [Installation Steps](/docs/setup/install/operator/) to setup Istio. +Add the option `--set tag={{< istio_full_version >}}-distroless` to use the *distroless images*. ## Benefits diff --git a/content/en/docs/ops/setup/app-health-check/index.md b/content/en/docs/ops/setup/app-health-check/index.md index 35532a0490..070435b56f 100644 --- a/content/en/docs/ops/setup/app-health-check/index.md +++ b/content/en/docs/ops/setup/app-health-check/index.md @@ -28,7 +28,7 @@ mutual TLS enabled. * Understand [Kubernetes liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/), Istio [authentication policy](/docs/concepts/security/#authentication-policies) and [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts. -* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (meaning use `istio.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)). +* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled. ## Liveness and readiness probes with command option 
@@ -99,10 +99,9 @@ request to application, and strips the response body only returning the response You have two ways to enable Istio to rewrite the liveness HTTP probes. -#### Enable via Helm Option Globally +#### Enable globally via install option -[Install Istio](/docs/setup/install/helm/) with the `sidecarInjectorWebhook.rewriteAppHTTPProbe=true` -[Helm installation option](/docs/reference/config/installation-options/#sidecarinjectorwebhook-options). +[Install Istio](/docs/setup/install/operator/) with `--set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=true`. **Alternatively**, update the configuration map of Istio sidecar injection: @@ -115,14 +114,14 @@ rewrite the Kubernetes pod's spec, so health checks are able to work under mutua spec by yourself. {{< warning >}} -The configuration changes above (by Helm or by the configuration map) effect all Istio app deployments. +The configuration changes above (by install or by the configuration map) effect all Istio app deployments. {{< /warning >}} -#### Use Annotations on Pod +#### Use annotations on pod -Rather than install Istio with different Helm options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource). +Rather than install Istio with different options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource). {{< text yaml >}} apiVersion: apps/v1 
@@ -155,7 +154,7 @@ This approach allows you to enable the health check prober rewrite gradually on #### Re-deploy the liveness health check app -Instructions below assume you turn on the feature via Helm flag globally. +Instructions below assume you turn on the feature globally via install option. Annotations works the same. {{< text bash >}} diff --git a/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md b/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md index a1b1a3d159..02fb3a2ff5 100644 --- a/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md +++ b/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md @@ -24,7 +24,7 @@ To generate service-level metrics directly in the Envoy proxies, follow these st 1. To prevent duplicate telemetry generation, disable calls to `istio-telemetry` in the mesh: {{< text bash >}} - $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set mixer.telemetry.enabled=false --set mixer.policy.enabled=false + $ istioctl manifest apply --set values.mixer.telemetry.enabled=false,values.mixer.policy.enabled=false {{< /text >}} {{< tip >}} diff --git a/content/en/docs/ops/traffic-management/locality-load-balancing/index.md b/content/en/docs/ops/traffic-management/locality-load-balancing/index.md index d209279667..3ff2863144 100644 --- a/content/en/docs/ops/traffic-management/locality-load-balancing/index.md +++ b/content/en/docs/ops/traffic-management/locality-load-balancing/index.md 
@@ -72,7 +72,7 @@ Sometimes, you need to constrain the traffic fail-over to avoid sending traffic endpoints across the globe when there are not enough healthy endpoints in the same region. This behavior is useful when sending fail-over traffic across regions would not improve service health or many other reasons including regulatory controls. -To constrain traffic to a region, configure the `localityLbSetting` option using Helm. See the +To constrain traffic to a region, configure the `values.localityLbSetting` option during install. See the [Locality load balancing reference guide](/docs/reference/config/istio.mesh.v1alpha1/#LocalityLoadBalancerSetting) for options. diff --git a/content/en/docs/ops/traffic-management/protocol-selection/index.md b/content/en/docs/ops/traffic-management/protocol-selection/index.md index f0fd8dca39..33713afd05 100644 --- a/content/en/docs/ops/traffic-management/protocol-selection/index.md +++ b/content/en/docs/ops/traffic-management/protocol-selection/index.md @@ -50,5 +50,5 @@ spec: Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic. -This feature is experimental and off by default. It can be turned on by providing the Helm value `--set pilot.enableProtocolSniffingForOutbound=true --set pilot.enableProtocolSniffingForInbound=true`. +This feature is experimental and off by default. It can be turned on by providing the install options `--set values.pilot.enableProtocolSniffingForOutbound=true --set values.pilot.enableProtocolSniffingForInbound=true`. diff --git a/content/en/docs/setup/additional-setup/config-profiles/index.md b/content/en/docs/setup/additional-setup/config-profiles/index.md index 41551025b4..bf4a4c3e45 100644 --- a/content/en/docs/setup/additional-setup/config-profiles/index.md +++ b/content/en/docs/setup/additional-setup/config-profiles/index.md 
@@ -8,7 +8,7 @@ keywords: [profiles,install,helm] --- This page describes the built-in configuration profiles that can be used when -[installing Istio using helm](/docs/setup/install/helm/). +[installing Istio](/docs/setup/install/operator/). The profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane. You can start with one of Istio’s built-in configuration profiles and then further customize the configuration for your specific needs. The following built-in configuration profiles are currently available: @@ -27,14 +27,13 @@ your specific needs. The following built-in configuration profiles are currently 1. **minimal**: the minimal set of components necessary to use Istio's [traffic management](/docs/tasks/traffic-management/) features. -1. **sds-auth**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds). +1. **sds**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds). This profile comes with additional authentication features enabled by default (Strict Mutual TLS). The components marked as **X** are installed within each profile: | | default | demo | minimal | sds | | --- | --- | --- | --- | --- | -| Profile filename | `values.yaml` | `values-istio-demo.yaml` | `values-istio-minimal.yaml` | `values-istio-sds-auth.yaml` | | Core components | | | | | | |       `istio-citadel` | X | X | | X | |       `istio-egressgateway` | | X | | | 
@@ -51,7 +50,10 @@ The components marked as **X** are installed within each profile: |       `kiali` | | X | | | |       `prometheus` | X | X | | X | -To further customize Istio and install addons, you can add one or more `--set =` options in the `helm template` or `helm install` command that you use when installing Istio. The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported installation key and value pairs. +To further customize Istio and install addons, you can add one or more `--set =` options in the +`istioctl manifest` command that you use when installing Istio. +The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported +installation key and value pairs. ## Multicluster profiles @@ -64,15 +66,14 @@ Istio provides two additional built-in configuration profiles that are used excl 1. **multicluster-gateways**: used for configuring clusters of a multicluster mesh with replicated [control planes]/docs/setup/deployment-models/#control-plane-models). -The **remote** profile is configured using the values file `values-istio-remote.yaml`. This profile installs only two -Istio core components: +The **remote** profile installs only two Istio core components: 1. `istio-citadel` 1. `istio-sidecar-injector` -The **multicluster-gateways** profile is configured using the values file `values-istio-multicluster-gateways.yaml`. -This profile installs the same components as the Istio **default** configuration profile plus two additional components: +The **multicluster-gateways** profile installs the same components as the Istio **default** configuration +profile plus two additional components: 1. The `istio-egressgateway` core component. diff --git a/content/en/docs/setup/install/helm/index.md b/content/en/docs/setup/install/helm/index.md index 9e0726ae23..4e7aa0db99 100644 --- a/content/en/docs/setup/install/helm/index.md +++ b/content/en/docs/setup/install/helm/index.md 
@@ -19,6 +19,11 @@ window.onload = function(){ } +{{< warning >}} +The Helm installation approach has been deprecated. +Please use [Installing with {{< istioctl >}}](/docs/setup/install/operator/), instead. +{{< /warning >}} + Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use. This installation guide uses [Helm](https://github.com/helm/helm) charts that provide rich diff --git a/content/en/docs/setup/install/kubernetes/index.md b/content/en/docs/setup/install/kubernetes/index.md index 495bf56b40..2eb3e967a0 100644 --- a/content/en/docs/setup/install/kubernetes/index.md +++ b/content/en/docs/setup/install/kubernetes/index.md @@ -1,17 +1,15 @@ --- title: Quick Start Evaluation Install description: Instructions to install Istio in a Kubernetes cluster for evaluation. -weight: 10 +weight: 5 keywords: [kubernetes] aliases: - /docs/setup/kubernetes/quick-start/ - /docs/setup/kubernetes/install/kubernetes/ --- -This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/) -using basic Kubernetes commands without needing to download or install -[Helm](https://github.com/helm/helm). This installation lets you quickly -evaluate Istio in a Kubernetes cluster on any platform. +This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/). +This installation lets you quickly evaluate Istio in a Kubernetes cluster on any platform. {{< warning >}} The demo configuration profile is not suitable for performance evaluation. It @@ -20,7 +18,7 @@ access logging. {{< /warning >}} To install Istio for production use, we recommend using the -[Helm Installation guide](/docs/setup/install/helm/) +[Installing with {{< istioctl >}} guide](/docs/setup/install/operator/) instead, which provides many more options for selecting and managing the Istio configuration. This permits customization of Istio to operator specific requirements. 
@@ -33,21 +31,11 @@ requirements. 1. Check the [Requirements for Pods and Services](/docs/setup/additional-setup/requirements/). -## Installation steps +## Install the demo profile -1. Install all the Istio - [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) - (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server: - - {{< text bash >}} - $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done - {{< /text >}} - -1. Install the **demo** profile: - - {{< text bash >}} - $ kubectl apply -f install/kubernetes/istio-demo.yaml - {{< /text >}} +{{< text bash >}} +$ istioctl manifest apply --set profile=demo +{{< /text >}} ## Verifying the installation @@ -139,14 +127,6 @@ The uninstall deletes the RBAC permissions, the `istio-system` namespace, and all resources hierarchically under it. It is safe to ignore errors for non-existent resources because they may have been deleted hierarchically. -* Uninstall the **demo** profile: - - {{< text bash >}} - $ kubectl delete -f install/kubernetes/istio-demo.yaml - {{< /text >}} - -* If desired, delete the Istio CRDs: - - {{< text bash >}} - $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl delete -f $i; done - {{< /text >}} +{{< text bash >}} +$ istioctl manifest generate --set profile=demo | kubectl delete -f - +{{< /text >}} diff --git a/content/en/docs/setup/install/multicluster/shared-vpn/index.md b/content/en/docs/setup/install/multicluster/shared-vpn/index.md index 951e1a5357..e909adfbb5 100644 --- a/content/en/docs/setup/install/multicluster/shared-vpn/index.md +++ b/content/en/docs/setup/install/multicluster/shared-vpn/index.md 
@@ -46,7 +46,7 @@ manifests and Helm charts provided within the Istio repository. ## Deploy the local control plane -Install the [Istio control plane](/docs/setup/install/kubernetes/#installation-steps) +Install the [Istio control plane](/docs/setup/install/kubernetes/) on **one** Kubernetes cluster. ## Install the Istio remote diff --git a/content/en/docs/setup/install/operator/index.md b/content/en/docs/setup/install/operator/index.md index 101c875596..a528ecb0cf 100644 --- a/content/en/docs/setup/install/operator/index.md +++ b/content/en/docs/setup/install/operator/index.md @@ -1,7 +1,7 @@ --- -title: Operator CLI-based Installation +title: Installing with Istioctl description: Install and configure Istio using the Istio Operator CLI. -weight: 25 +weight: 10 keywords: [operator,kubernetes,helm] --- diff --git a/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md b/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md index ebd7c1137f..8321c7c390 100644 --- a/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md +++ b/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md 
@@ -16,23 +16,23 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/). ## Before you begin -1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm) +1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator) and then configure: - a) a demo/test environment by setting the `--set tracing.enabled=true` Helm install option to enable tracing "out of the box" + a) a demo/test environment by setting the `--set values.tracing.enabled=true` install option to enable tracing "out of the box" - b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set global.tracer.zipkin.address=.:9411` Helm install option. + b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set values.global.tracer.zipkin.address=.:9411` install option. {{< warning >}} When you enable tracing, you can set the sampling rate that Istio uses for tracing. - Use the `pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%. + Use the `values.pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%. {{< /warning >}} 1. Deploy the [Bookinfo](/docs/examples/bookinfo/#deploying-the-application) sample application. ## Accessing the dashboard -[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install. +[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. 
Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install. For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Jaeger to the `istio-system` namespace: diff --git a/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md b/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md index c62fc2359e..30e846cc13 100644 --- a/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md +++ b/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md 
@@ -39,21 +39,17 @@ This task uses the [Bookinfo](/docs/examples/bookinfo/) sample application as an - `global.tracer.lightstep.secure=true` - `global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem"` - If you are installing via `helm template` you can set these parameters using the `--set key=value` syntax - when you run the `helm` command. For example: + You can set these parameters using the `--set key=value` syntax + when you run the install command. For example: {{< text bash >}} - $ helm template \ - --set pilot.traceSampling=100 \ - --set global.proxy.tracer="lightstep" \ - --set global.tracer.lightstep.address="" \ - --set global.tracer.lightstep.accessToken="" \ - --set global.tracer.lightstep.secure=true \ - --set global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem" \ - install/kubernetes/helm/istio \ - --name istio --namespace istio-system > $HOME/istio.yaml - $ kubectl create namespace istio-system - $ kubectl apply -f $HOME/istio.yaml + $ istioctl manifest apply \ + --set values.pilot.traceSampling=100 \ + --set values.global.proxy.tracer="lightstep" \ + --set values.global.tracer.lightstep.address="" \ + --set values.global.tracer.lightstep.accessToken="" \ + --set values.global.tracer.lightstep.secure=true \ + --set values.global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem" {{< /text >}} 1. Store your satellite pool's certificate authority certificate as a secret in the default namespace. diff --git a/content/en/docs/tasks/observability/distributed-tracing/overview/index.md b/content/en/docs/tasks/observability/distributed-tracing/overview/index.md index 9c1eda4534..08271c2ae6 100644 --- a/content/en/docs/tasks/observability/distributed-tracing/overview/index.md +++ b/content/en/docs/tasks/observability/distributed-tracing/overview/index.md 
@@ -93,9 +93,9 @@ dashboard. This sampling rate is suitable for a test or low traffic mesh. For a high traffic mesh you can lower the trace sampling percentage in one of two ways: -* During the mesh setup, use the Helm option `pilot.traceSampling` to +* During the mesh setup, use the option `values.pilot.traceSampling` to set the percentage of trace sampling. See the - [Helm Install](/docs/setup/install/helm/) documentation for + [Installing with {{< istioctl >}}](/docs/setup/install/operator/) documentation for details on setting options. * In a running mesh, edit the `istio-pilot` deployment and change the environment variable with the following steps: diff --git a/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md b/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md index 62c159549f..97e33826a5 100644 --- a/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md +++ b/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md 
@@ -16,12 +16,12 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/). ## Before you begin -1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm) +1. To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator) and then configure: - a) a demo/test environment by setting the `--set tracing.enabled=true` and `--set tracing.provider=zipkin` Helm install options to enable tracing "out of the box" + a) a demo/test environment by setting the `--set values.tracing.enabled=true` and `--set values.tracing.provider=zipkin` install options to enable tracing "out of the box" - b) a production environment by referencing an existing Zipkin instance and then setting the `--set global.tracer.zipkin.address=.:9411` Helm install option. + b) a production environment by referencing an existing Zipkin instance and then setting the `--set values.global.tracer.zipkin.address=.:9411` install option. {{< warning >}} When you enable tracing, you can set the sampling rate that Istio uses for tracing. @@ -32,7 +32,7 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/). ## Accessing the dashboard -[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install. +[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install. For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Zipkin to the `istio-system` namespace: 
diff --git a/content/en/docs/tasks/observability/gateways/index.md b/content/en/docs/tasks/observability/gateways/index.md index 3e706cf2c8..2a2f206064 100644 --- a/content/en/docs/tasks/observability/gateways/index.md +++ b/content/en/docs/tasks/observability/gateways/index.md @@ -33,21 +33,21 @@ addons to require authentication when exposing them externally. 1. [Install cert-manager](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) to manage certificates automatically. -1. [Install Istio](/docs/setup) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use +1. [Install Istio](/docs/setup/install/operator) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#sds-configuration). - To install Istio accordingly, use the following Helm installation options: + To install Istio accordingly, use the following installation options: - * `--set gateways.enabled=true` - * `--set gateways.istio-ingressgateway.enabled=true` - * `--set gateways.istio-ingressgateway.sds.enabled=true` + * `--set values.gateways.enabled=true` + * `--set values.gateways.istio-ingressgateway.enabled=true` + * `--set values.gateways.istio-ingressgateway.sds.enabled=true` - To additionally install the telemetry addons, use the following Helm installation options: + To additionally install the telemetry addons, use the following installation options: - * Grafana: `--set grafana.enabled=true` - * Kiali: `--set kiali.enabled=true` - * Prometheus: `--set prometheus.enabled=true` - * Tracing: `--set tracing.enabled=true` + * Grafana: `--set values.grafana.enabled=true` + * Kiali: `--set values.kiali.enabled=true` + * Prometheus: `--set values.prometheus.enabled=true` + * Tracing: `--set values.tracing.enabled=true` 1. Configure the DNS records for your domain. 
@@ -370,14 +370,14 @@ the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/confi ### Option 2: Insecure access (HTTP) -1. [Install Istio](/docs/setup/) in your cluster with your desired telemetry addons. +1. [Install Istio](/docs/setup/install/operator) in your cluster with your desired telemetry addons. - To additionally install the telemetry addons, use the following Helm installation options: + To additionally install the telemetry addons, use the following installation options: - * Grafana: `--set grafana.enabled=true` - * Kiali: `--set kiali.enabled=true` - * Prometheus: `--set prometheus.enabled=true` - * Tracing: `--set tracing.enabled=true` + * Grafana: `--set values.grafana.enabled=true` + * Kiali: `--set values.kiali.enabled=true` + * Prometheus: `--set values.prometheus.enabled=true` + * Tracing: `--set values.tracing.enabled=true` 1. Apply networking configuration for the telemetry addons. diff --git a/content/en/docs/tasks/observability/kiali/index.md b/content/en/docs/tasks/observability/kiali/index.md index 2520682486..738277db4e 100644 --- a/content/en/docs/tasks/observability/kiali/index.md +++ b/content/en/docs/tasks/observability/kiali/index.md 
@@ -26,7 +26,7 @@ To install Kiali without using Helm, follow the [Kiali installation instructions ### Create a secret {{< idea >}} -If you plan on installing Kiali using the `istio-demo.yaml` file as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/#installation-steps) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section. +If you plan on installing Kiali using the Istio demo profile as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section. {{< /idea >}} Create a secret in your Istio namespace with the credentials that you use to diff --git a/content/en/docs/tasks/observability/logs/access-log/index.md b/content/en/docs/tasks/observability/logs/access-log/index.md index 5c55ab63c6..b0ba613213 100644 --- a/content/en/docs/tasks/observability/logs/access-log/index.md +++ b/content/en/docs/tasks/observability/logs/access-log/index.md @@ -22,7 +22,7 @@ The standard output of Envoy's containers can then be printed by the `kubectl lo Edit the `istio` configuration map: {{< text bash >}} -$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.proxy.accessLogFile="/dev/stdout" | kubectl replace -f - +$ istioctl manifest apply --set values.global.proxy.accessLogFile="/dev/stdout" configmap "istio" replaced {{< /text >}} 
@@ -32,7 +32,7 @@ You may also want to customize the [format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log#format-rules) of the access log by editing `accessLogFormat`. {{< tip >}} -All three of these parameters may also be configured via [helm values](/docs/reference/config/installation-options/): +All three of these parameters may also be configured via [install options](/docs/reference/config/installation-options/): {{< /tip >}} * `global.proxy.accessLogFile` @@ -97,6 +97,6 @@ $ kubectl delete -f @samples/httpbin/httpbin.yaml@ Edit the `istio` configuration map and set `accessLogFile` to `""`. {{< text bash >}} -$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml | kubectl replace -f - +$ istioctl manifest apply configmap "istio" replaced {{< /text >}} diff --git a/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md b/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md index d1f9201fad..6813e22b5d 100644 --- a/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md +++ b/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md @@ -17,7 +17,7 @@ the example application throughout this task. ## Before you begin -* [Install Istio](/docs/setup) in your cluster. If you are installing using Helm, enable the Grafana add-on `--set grafana.enabled=true` [option](/docs/reference/config/installation-options/). +* [Install Istio](/docs/setup) in your cluster. If not enabled in your chosen configuration profile, enable the Grafana add-on `--set values.grafana.enabled=true` [option](/docs/reference/config/installation-options/). * Deploy [Bookinfo](/docs/examples/bookinfo/) application. ## Viewing the Istio Dashboard diff --git a/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md b/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md index 1ff12ba389..86c526ebfe 100644 
--- a/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md +++ b/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md @@ -10,7 +10,7 @@ This task shows you how to enable Istio policy enforcement. ## At install time In the default Istio installation profile, policy enforcement is disabled. To install Istio -with policy enforcement on, use the `--set global.disablePolicyChecks=false` Helm install option. +with policy enforcement on, use the `--set values.global.disablePolicyChecks=false` install option. Alternatively, you may [install Istio using the demo profile](/docs/setup/install/kubernetes/), which enables policy checks by default. @@ -31,7 +31,7 @@ which enables policy checks by default. Execute the following command from the root Istio directory: {{< text bash >}} - $ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.disablePolicyChecks=false | kubectl -n istio-system replace -f - + $ istioctl manifest apply --set values.global.disablePolicyChecks=false configmap "istio" replaced {{< /text >}} diff --git a/content/en/docs/tasks/security/auth-sds/index.md b/content/en/docs/tasks/security/auth-sds/index.md index 60d2253692..29d7433f10 100644 --- a/content/en/docs/tasks/security/auth-sds/index.md +++ b/content/en/docs/tasks/security/auth-sds/index.md @@ -47,9 +47,8 @@ This approach has the following benefits: ## Before you begin -* Set up Istio by following the instructions using - [Helm](/docs/setup/install/helm/) with SDS setup and global mutual - TLS enabled. +* Follow the [install instructions](/docs/setup/install/operator/) + to set up Istio with SDS and global mutual TLS enabled. ## Service-to-service mutual TLS using key/certificate provisioned through SDS diff --git a/content/en/docs/tasks/security/authn-policy/index.md b/content/en/docs/tasks/security/authn-policy/index.md index 2d668f2c54..c27b28d6f2 100644 --- a/content/en/docs/tasks/security/authn-policy/index.md 
+++ b/content/en/docs/tasks/security/authn-policy/index.md @@ -15,9 +15,8 @@ the underlying concepts in the [authentication overview](/docs/concepts/security * Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts. -* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in -[installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using -[Helm](/docs/setup/install/helm/)). +* Install Istio on a Kubernetes cluster with global mutual TLS disabled (e.g, use the demo configuration profile, as described in +[installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false). ### Setup diff --git a/content/en/docs/tasks/security/ca-namespace-targeting/index.md b/content/en/docs/tasks/security/ca-namespace-targeting/index.md index 428c147af9..7a265bd293 100644 --- a/content/en/docs/tasks/security/ca-namespace-targeting/index.md +++ b/content/en/docs/tasks/security/ca-namespace-targeting/index.md @@ -60,7 +60,7 @@ You can observe that no new `istio.io/key-and-cert` secret was generated for the ### Opt-in Service Account secret generation -To make `ServiceAcount` secret generation opt-in (i.e. to disable generating secrets unless otherwise specified)., set the `enableNamespacesByDefault` Helm value to `false`: +Set the `enableNamespacesByDefault` installation option to `false` to make `ServiceAcount` secret generation opt-in (i.e., to disable generating secrets unless otherwise specified): {{< text yaml >}} ... diff --git a/content/en/docs/tasks/security/health-check/index.md b/content/en/docs/tasks/security/health-check/index.md index e587d5f5a2..8f6d41f055 100644 --- a/content/en/docs/tasks/security/health-check/index.md 
+++ b/content/en/docs/tasks/security/health-check/index.md @@ -24,7 +24,7 @@ this feature is not needed if the production setup is not using the ## Before you begin -To complete this task, you can install Istio using [Helm](/docs/setup/install/helm/) to setup Istio by setting the `global.mtls.enabled` flag to `true`. +To complete this task, you can [install Istio](/docs/setup/install/operator/) with the `global.mtls.enabled` option set to `true`. {{< tip >}} Use an [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for @@ -34,12 +34,10 @@ See the [authentication policy task](/docs/tasks/security/authn-policy/) for det ## Deploying Citadel with health checking -To enable health checking, redeploy Citadel with helm: +To enable health checking, redeploy Citadel: {{< text bash >}} -$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ --x charts/security/templates/deployment.yaml \ ---set global.mtls.enabled=true --set security.citadelHealthCheck=true > citadel-health-check.yaml +$ istioctl manifest generate --set values.global.mtls.enabled=true,values.security.citadelHealthCheck=true > citadel-health-check.yaml $ kubectl apply -f citadel-health-check.yaml {{< /text >}} @@ -104,8 +102,6 @@ continuously failed health checks. * To disable health checking on Citadel: {{< text bash >}} - $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \ - -x charts/security/templates/deployment.yaml \ - --set global.mtls.enabled=true | kubectl apply -f - + $ istioctl manifest apply --set values.global.mtls.enabled=true {{< /text >}} diff --git a/content/en/docs/tasks/security/https-overlay/index.md b/content/en/docs/tasks/security/https-overlay/index.md index fd193bd8f0..39cfb772c7 100644 --- a/content/en/docs/tasks/security/https-overlay/index.md +++ b/content/en/docs/tasks/security/https-overlay/index.md 
@@ -22,7 +22,7 @@ original HTTPS traffic. And this is the reason Istio can work on HTTPS services. Set up Istio by following the instructions in the [quick start](/docs/setup/install/kubernetes/). Note that default mutual TLS authentication should be **disabled** when installing Istio; e.g. option 1 in the -[quick start](/docs/setup/install/kubernetes/#installation-steps). +[quick start](/docs/setup/install/kubernetes/). The demo is also assumed to be running in a namespace where automatic sidecar injection is disabled, and Istio sidecars are instead manually injected with [`istioctl`](/docs/reference/commands/istioctl). @@ -161,12 +161,10 @@ $ kubectl get pod -n istio-system No resources found. {{< /text >}} -Follow the [installation instructions](/docs/setup/install/kubernetes/#installation-steps) install CRDs. - Install Istio with the **strict mutual TLS mode** enabled: {{< text bash >}} -$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-demo.yaml --set global.controlPlaneSecurityEnabled=true --set global.mtls.enabled=true | kubectl delete -f - +$ istioctl manifest apply --set profile=demo,values.global.controlPlaneSecurityEnabled=true,values.global.mtls.enabled=true {{< /text >}} Make sure everything is up and running: diff --git a/content/en/docs/tasks/security/mtls-migration/index.md b/content/en/docs/tasks/security/mtls-migration/index.md index ac123d21ea..78f6c77263 100644 --- a/content/en/docs/tasks/security/mtls-migration/index.md +++ b/content/en/docs/tasks/security/mtls-migration/index.md 
@@ -28,7 +28,8 @@ down once the migration is done. * Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts. -* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)). +* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use the demo configuration profile as described in +[installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false). * For demo * Create the following namespaces and deploy [httpbin]({{< github_tree >}}/samples/httpbin) and [sleep]({{< github_tree >}}/samples/sleep) with sidecar on both of them. diff --git a/content/en/docs/tasks/security/plugin-ca-cert/index.md b/content/en/docs/tasks/security/plugin-ca-cert/index.md index c26e4418be..9bdd5daf3c 100644 --- a/content/en/docs/tasks/security/plugin-ca-cert/index.md +++ b/content/en/docs/tasks/security/plugin-ca-cert/index.md 
@@ -50,13 +50,11 @@ The following steps enable plugging in the certificates and key into Citadel: --from-file=samples/certs/cert-chain.pem {{< /text >}} -1. Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`. +1. Redeploy Citadel with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`. Citadel will read certificates and key from the secret-mount files. {{< text bash >}} - $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \ - --set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml - $ kubectl apply -f $HOME/citadel-plugin-cert.yaml + $ istioctl manifest apply --set values.global.mtls.enabled=true,values.security.selfSigned=false {{< /text >}} 1. To make sure the workloads obtain the new certificates promptly, diff --git a/content/en/docs/tasks/security/rbac-groups/index.md b/content/en/docs/tasks/security/rbac-groups/index.md index 8102a4d2fe..a2db9d1d4c 100644 --- a/content/en/docs/tasks/security/rbac-groups/index.md +++ b/content/en/docs/tasks/security/rbac-groups/index.md @@ -22,7 +22,7 @@ concepts. * Create a Kubernetes cluster with Istio installed and mutual TLS enabled. To fulfill this prerequisite you can follow the Kubernetes -[installation instructions](/docs/setup/install/kubernetes/#installation-steps). +[installation instructions](/docs/setup/install/kubernetes/). ## Setup the required namespace and services diff --git a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md index 6464e83a32..f7ec52e1ac 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md 
@@ -404,12 +404,11 @@ Update your `istio-sidecar-injector` configuration map using the IP ranges speci For example, if the range is 10.0.0.1/24, use the following command: {{< text bash >}} -$ helm template install/kubernetes/helm/istio --set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml | kubectl apply -f - +$ istioctl manifest apply --set values.global.proxy.includeIPRanges="10.0.0.1/24" {{< /text >}} -Use the same Helm command that you used to [install Istio](/docs/setup/install/helm), -specifically, ensure you use the same value for the `--namespace` flag and -add these flags: `--set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml`. +Use the same command that you used to [install Istio](/docs/setup/install/operator) and +add `--set values.global.proxy.includeIPRanges="10.0.0.1/24"`. ### Access the external services @@ -444,7 +443,7 @@ Update the `istio-sidecar-injector.configmap.yaml` configuration map to redirect proxies: {{< text bash >}} -$ helm template install/kubernetes/helm/istio -x templates/sidecar-injector-configmap.yaml | kubectl apply -f - +$ istioctl manifest apply {{< /text >}} ## Understanding what happened diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md index d2a0c2e089..0613b2a4bf 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md 
@@ -635,20 +635,20 @@ to hold the configuration of the NGINX server: you used for generating your `istio.yaml`: {{< text bash >}} - $ helm template install/kubernetes/helm/istio/ --name istio --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-ingressgateway.enabled=false \ - --set gateways.istio-egressgateway.enabled=true \ - --set 'gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \ - --set 'gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \ + $ istioctl manifest generate --set values.gateways.istio-ingressgateway.enabled=false \ + --set values.gateways.istio-egressgateway.enabled=true \ + --set 'values.gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \ + --set 
'values.gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \ + --set 'values.gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \ ./istio-egressgateway.yaml {{< /text >}} diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md index 5b24fce0fd..6b7b6e855d 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md 
@@ -49,15 +49,12 @@ controlled way. If no pods are returned, deploy the Istio egress gateway by performing the next step. -1. Use `helm template` (or `helm install` with the corresponding flags): +1. Run the following command: {{< text bash >}} - $ helm template install/kubernetes/helm/istio --name istio-egressgateway --namespace istio-system \ - -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml \ - -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml \ - -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml \ - --set global.istioNamespace=istio-system --set gateways.istio-ingressgateway.enabled=false \ - --set gateways.istio-egressgateway.enabled=true | kubectl apply -f - + $ istioctl manifest apply --set values.global.istioNamespace=istio-system \ + --set values.gateways.istio-ingressgateway.enabled=false \ + --set values.gateways.istio-egressgateway.enabled=true {{< /text >}} {{< warning >}} diff --git a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md index ed9111f55b..2a67a589de 100644 --- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md +++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md @@ -299,7 +299,7 @@ The SNI proxy will forward the traffic to port `443`. 1. The following command will generate `istio-egressgateway-with-sni-proxy.yaml` which you can optionally edit and then deploy. {{< text bash >}} - $ cat < ./istio-egressgateway-with-sni-proxy.yaml + $ cat < ./istio-egressgateway-with-sni-proxy.yaml gateways: enabled: true istio-ingressgateway: diff --git a/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md b/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md index b4fe9d5a7d..388f3f52f7 100644 
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md +++ b/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md @@ -13,16 +13,14 @@ You will start with a clean Istio installation, create an example service, expos ## Before you begin -1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do this for the [helm template](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) installation path: +1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do it: {{< text bash >}} - $ helm template $HOME/istio-fetch/istio \ - --namespace=istio-system \ - --set gateways.istio-ingressgateway.sds.enabled=true \ - --set global.k8sIngress.enabled=true \ - --set global.k8sIngress.enableHttps=true \ - --set global.k8sIngress.gatewayName=ingressgateway \ - > $HOME/istio-fetch/istio.yaml + $ istioctl manifest apply \ + --set values.gateways.istio-ingressgateway.sds.enabled=true \ + --set values.global.k8sIngress.enabled=true \ + --set values.global.k8sIngress.enableHttps=true \ + --set values.global.k8sIngress.gatewayName=ingressgateway {{< /text >}} {{< tip >}} diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md b/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md index f7c411f65f..1baf53f2ed 100644 --- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md +++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md 
@@ -103,14 +103,12 @@ need to create secrets for multiple hosts and update the gateway definitions. 1. Enable SDS at ingress gateway and deploy the ingress gateway agent. Since this feature is disabled by default, you need to enable the - [`istio-ingressgateway.sds.enabled` flag]({{}}/install/kubernetes/helm/istio/charts/gateways/values.yaml) in helm, - and then generate the `istio-ingressgateway.yaml` file: + `istio-ingressgateway.sds.enabled` installation option and generate the `istio-ingressgateway.yaml` file: {{< text bash >}} - $ helm template install/kubernetes/helm/istio/ --name istio \ - --namespace istio-system -x charts/gateways/templates/deployment.yaml \ - --set gateways.istio-egressgateway.enabled=false \ - --set gateways.istio-ingressgateway.sds.enabled=true > \ + $ istioctl manifest generate \ + --set values.gateways.istio-egressgateway.enabled=false \ + --set values.gateways.istio-ingressgateway.sds.enabled=true > \ $HOME/istio-ingressgateway.yaml $ kubectl apply -f $HOME/istio-ingressgateway.yaml {{< /text >}} diff --git a/layouts/shortcodes/istioctl.html b/layouts/shortcodes/istioctl.html new file mode 100644 index 0000000000..4dc4f3699f --- /dev/null +++ b/layouts/shortcodes/istioctl.html @@ -0,0 +1 @@ +istioctl \ No newline at end of file
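Review bot: In content/en/docs/tasks/observability/kiali/index.md (hunk @@ -26,7), the reworded idea box still tells readers they can skip creating a secret because the demo profile ships one with username `admin` and passphrase `admin`. Since the line is being edited anyway, say that this default is for local demo use only and that the secret should be replaced before Kiali is reachable from outside the cluster; the gateways task touched in this same patch explains how to expose Kiali externally.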
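Review bot: In content/en/docs/tasks/observability/logs/access-log/index.md (hunk @@ -22,7), the sample output `configmap "istio" replaced` and the lead-in "Edit the `istio` configuration map:" are left over from the old `... | kubectl replace -f -` pipeline and no longer match `istioctl manifest apply`. Replace the output line with what the new command actually prints, or drop it, and reword the lead-in. The same stale output line remains in the @@ -97,6 hunk of this file and in the @@ -31,7 hunk of enabling-policy/index.md, where "Execute the following command from the root Istio directory" also no longer applies, because the new command takes no chart path.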
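Review bot: In content/en/docs/tasks/security/health-check/index.md (hunk @@ -34,12), dropping `-x charts/security/templates/deployment.yaml` changes the scope of the step: `citadel-health-check.yaml` now holds the whole generated installation rather than the Citadel deployment, yet the text still says "redeploy Citadel" and the next line applies that file. Any option the reader set at install time and does not repeat here is rendered back to its profile default, which matters for a step that sets `values.global.mtls.enabled`. Add the reminder used in the egress-control hunk ("Use the same command that you used to install Istio and add ..."), and rename the file or reword the sentence. The @@ -104,8 hunk disables the check with `istioctl manifest apply` while this one uses `manifest generate` plus `kubectl apply`; pick one form for both. The same scope change applies to the `./istio-egressgateway.yaml` and `$HOME/istio-ingressgateway.yaml` redirects in the egress-gateway-tls-origination and secure-ingress-sds hunks.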
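Review bot: In content/en/docs/tasks/security/plugin-ca-cert/index.md (hunk @@ -50,13), the step text names the options as `global.mtls.enabled` and `security.selfSigned`, but the command directly below sets `values.global.mtls.enabled` and `values.security.selfSigned`. A reader who copies the names from the prose into `--set` gets a different path from the one the command uses. Use the `values.`-prefixed names in the prose, or state once that install options are passed under `values.`. The same mismatch is in the authn-policy, mtls-migration and health-check "Before you begin" lines (`global.mtls.enabled`) and in the unchanged list under the access-log tip (`global.proxy.accessLogFile`).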
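Review bot: In content/en/docs/tasks/security/ca-namespace-targeting/index.md (hunk @@ -60,7), the rewritten sentence carries over the misspelling `ServiceAcount`; it should read `ServiceAccount`. While fixing wording in this patch, also correct "(e.g, use" in the new authn-policy line and "(e.g use" in the new mtls-migration line to "e.g.,", and make the link target consistent between them (`/docs/setup/install/kubernetes` here versus `/docs/setup/install/kubernetes/` elsewhere in the patch).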
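Review bot: In content/en/docs/tasks/security/https-overlay/index.md (hunk @@ -22,7), the sentence still says "e.g. option 1 in the [quick start]" after the `#installation-steps` anchor was removed, so "option 1" no longer points at anything the reader can find, and the paragraph now links the same quick start URL twice. Name the setting directly (for example the demo profile, as the authn-policy hunk does) and keep a single link.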
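Review bot: In content/en/docs/tasks/traffic-management/egress/egress-control/index.md (hunk @@ -443,7), the cleanup command is now a bare `istioctl manifest apply`, while the sentence above it still describes updating the `istio-sidecar-injector.configmap.yaml` configuration map. Unlike the @@ -404,12 hunk, there is no reminder to reuse the original install options, so a reader who installed with custom settings would re-apply the installation without them. Repeat the "Use the same command that you used to install Istio" guidance here, minus the `includeIPRanges` option, and update the sentence to describe what the command does. The bare `istioctl manifest apply` in the access-log @@ -97,6 hunk has the same gap.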
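Review bot: In content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md (hunk @@ -49,15), `--set values.gateways.istio-ingressgateway.enabled=false` is carried over from a command that rendered only the six `charts/gateways/templates/*` files listed with `-x`. With those selectors gone, the flag is passed to `istioctl manifest apply` for the whole installation. Please confirm this does not turn off an ingress gateway the reader already runs; if the flag is only there to limit the old render, drop it and keep just `values.gateways.istio-egressgateway.enabled=true`.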
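Review bot: The new file layouts/shortcodes/istioctl.html contains only the literal text `istioctl` and has no trailing newline, and none of the hunks shown here call the shortcode; every changed command spells `istioctl` out directly. Either use the shortcode in the converted commands or leave it out of this change, and add a short comment in the file saying what it is for if it stays.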