Deprecate helm install (#5270)

* Deprecate helm install * fix lint * address review comments * correction
2019-10-29 09:37:34 -04:00 · 2019-10-29 09:37:34 -04:00 · f220f655a7
parent 0045ba590b
commit f220f655a7
42 changed files with 143 additions and 200 deletions
--- a/content/en/blog/2018/egress-https/index.md
+++ b/content/en/blog/2018/egress-https/index.md
@ -21,7 +21,7 @@ HTTPS traffic and describe the pros and cons of each of the options.
 ## Initial setting
-To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then I deploy
+To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then I deploy
 [Istio Bookinfo Sample Application](/docs/examples/bookinfo/). This application uses the _details_ microservice to fetch
 book details, such as the number of pages and the publisher. The original _details_ microservice provides the book
 details without consulting any external service.
--- a/content/en/blog/2018/egress-mongo/index.md
+++ b/content/en/blog/2018/egress-mongo/index.md
@ -94,7 +94,7 @@ For this task you set up an instance of [MongoDB](https://www.mongodb.com). You
 ### Initial setting of Bookinfo application
-To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the
+To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the
 [Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and
 [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
--- a/content/en/blog/2018/egress-tcp/index.md
+++ b/content/en/blog/2018/egress-tcp/index.md
@ -150,7 +150,7 @@ Now you are ready to deploy a version of the Bookinfo application that will use
 ### Initial setting of Bookinfo application
-To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/#installation-steps). Then you deploy the
+To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with [Istio installed](/docs/setup/install/kubernetes/). Then you deploy the
 [Istio Bookinfo sample application](/docs/examples/bookinfo/), [apply the default destination rules](/docs/examples/bookinfo/#apply-default-destination-rules), and [change Istio to the blocking-egress-by-default policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy).
 This application uses the `ratings` microservice to fetch
--- a/content/en/docs/concepts/security/index.md
+++ b/content/en/docs/concepts/security/index.md
@ -220,7 +220,7 @@ From these three values, the decision process mirrors that of the [`Sidecar Inje
 - Otherwise, if a `ca.istio.io/env: "ns-foo"` label is defined in the service account's namespace, the Citadel instance in namespace `ns-foo` will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
- Otherwise, follow the `enableNamespacesByDefault` Helm flag. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
+- Otherwise, set `enableNamespacesByDefault` to `true` during installation. If it is `true`, the default Citadel instance will be used for generating key/cert secrets for workloads in the `ServiceAccount`'s namespace.
 - Otherwise, no secrets are created for the `ServiceAccount`'s namespace.
--- a/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md
+++ b/content/en/docs/examples/microservices-istio/setup-kubernetes-cluster/index.md
@ -38,8 +38,7 @@ proceed to [setting up your local computer](/docs/examples/microservices-istio/s
    simultaneously by multiple participants.
    {{< /tip >}}
-1.  Install Istio with strict mutual TLS enabled by selecting the `strict mutual
+1.  Install Istio with strict mutual TLS enabled. TODO: add command or point to instructions.
    TLS` tab when you follow [the Kubernetes installation steps](/docs/setup/install/kubernetes/#installation-steps).
 1.  [Enable Envoy's access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging).
--- a/content/en/docs/ops/common-problems/validation/index.md
+++ b/content/en/docs/ops/common-problems/validation/index.md
@ -177,11 +177,9 @@ webhooks:
      (... snip ...)
 {{< /text >}}
-If the webhook array in `istio-galley-configuration` is empty and
+If the webhook array in `istio-galley-configuration` is empty, verify
-you're using `helm template` or `helm install`, verify `--set
+the `galley.enabled` and `global.configValidation` installation options are
-galley.enabled` and `--set global.configValidation=true` options are
+set.
 set. If you're not using helm, you'll need to find a generate
 YAML that includes the populated webhook array.
 The `istio-galley` validation configuration is fail-close. If
 configuration exists and is scoped properly, the webhook will be
--- a/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md
+++ b/content/en/docs/ops/diagnostic-tools/istioctl-analyze/index.md
@ -169,13 +169,5 @@ status:
 You can enable this feature with:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
+$ istioctl manifest apply --set values.galley.enableAnalysis=true
    --set galley.enableAnalysis=true | kubectl apply -f -
 {{< /text >}}
 Or with:
 {{< text bash >}}
 $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system \
    --set galley.enableAnalysis=true
 {{< /text >}}
--- a/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md
+++ b/content/en/docs/ops/diagnostic-tools/proxy-cmd/index.md
@ -18,7 +18,7 @@ to inspect Envoy configuration and diagnose the issue.
 If you want to try the commands described below, you can either:
 * Have a Kubernetes cluster with Istio and Bookinfo installed (e.g use `istio.yaml` as described in
-[installation steps](/docs/setup/install/kubernetes/#installation-steps) and
+[installation steps](/docs/setup/install/kubernetes/) and
 [Bookinfo installation steps](/docs/examples/bookinfo/#deploying-the-application)).
 OR
--- a/content/en/docs/ops/security/harden-docker-images/index.md
+++ b/content/en/docs/ops/security/harden-docker-images/index.md
@ -21,19 +21,8 @@ For ease of the installation, they are available with a `-distroless` suffix.
 ## Install distroless images
-You should follow the [Installation Steps](/docs/setup/install/helm/) to setup Istio. You can pass the following parameter to `helm` to use the *distroless images*
+Follow the [Installation Steps](/docs/setup/install/operator/) to setup Istio.
-
+Add the option `--set tag={{< istio_full_version >}}-distroless` to use the *distroless images*.
 For [Option 1](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) use
 {{< text bash >}}
 $ helm template [...] --set global.tag={{< istio_full_version >}}-distroless
 {{< /text >}}
 For [Option 2](/docs/setup/install/helm/#option-2-install-with-helm-and-tiller-via-helm-install)
 {{< text bash >}} use
 $ helm install [...] --set global.tag={{< istio_full_version >}}-distroless
 {{< /text >}}
 ## Benefits
--- a/content/en/docs/ops/setup/app-health-check/index.md
+++ b/content/en/docs/ops/setup/app-health-check/index.md
@ -28,7 +28,7 @@ mutual TLS enabled.
 * Understand [Kubernetes liveness and readiness probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/), Istio
 [authentication policy](/docs/concepts/security/#authentication-policies) and [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
-* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (meaning use `istio.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)).
+* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled.
 ## Liveness and readiness probes with command option
@ -99,10 +99,9 @@ request to application, and strips the response body only returning the response
 You have two ways to enable Istio to rewrite the liveness HTTP probes.
-#### Enable via Helm Option Globally
+#### Enable globally via install option
-[Install Istio](/docs/setup/install/helm/) with the `sidecarInjectorWebhook.rewriteAppHTTPProbe=true`
+[Install Istio](/docs/setup/install/operator/) with `--set values.sidecarInjectorWebhook.rewriteAppHTTPProbe=true`.
 [Helm installation option](/docs/reference/config/installation-options/#sidecarinjectorwebhook-options).
 **Alternatively**, update the configuration map of Istio sidecar injection:
@ -115,14 +114,14 @@ rewrite the Kubernetes pod's spec, so health checks are able to work under mutua
 spec by yourself.
 {{< warning >}}
-The configuration changes above (by Helm or by the configuration map) effect all Istio app deployments.
+The configuration changes above (by install or by the configuration map) effect all Istio app deployments.
 {{< /warning >}}
-#### Use Annotations on Pod
+#### Use annotations on pod
 <!-- Add samples YAML or kubectl patch? -->
-Rather than install Istio with different Helm options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource).
+Rather than install Istio with different options, you can [annotate the pod](/docs/reference/config/annotations/) with `sidecar.istio.io/rewriteAppHTTPProbers: "true"`. Make sure you add the annotation to the [pod resource](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/) because it will be ignored anywhere else (for example, on an enclosing deployment resource).
 {{< text yaml >}}
 apiVersion: apps/v1
@ -155,7 +154,7 @@ This approach allows you to enable the health check prober rewrite gradually on
 #### Re-deploy the liveness health check app
-Instructions below assume you turn on the feature via Helm flag globally.
+Instructions below assume you turn on the feature globally via install option.
 Annotations works the same.
 {{< text bash >}}
--- a/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md
+++ b/content/en/docs/ops/telemetry/in-proxy-service-telemetry/index.md
@ -24,7 +24,7 @@ To generate service-level metrics directly in the Envoy proxies, follow these st
 1.  To prevent duplicate telemetry generation, disable calls to `istio-telemetry` in the mesh:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set mixer.telemetry.enabled=false --set mixer.policy.enabled=false
+    $ istioctl manifest apply --set values.mixer.telemetry.enabled=false,values.mixer.policy.enabled=false
    {{< /text >}}
    {{< tip >}}
--- a/content/en/docs/ops/traffic-management/locality-load-balancing/index.md
+++ b/content/en/docs/ops/traffic-management/locality-load-balancing/index.md
@ -72,7 +72,7 @@ Sometimes, you need to constrain the traffic fail-over to avoid sending traffic
 endpoints across the globe when there are not enough healthy endpoints in the
 same region. This behavior is useful when sending fail-over traffic across regions
 would not improve service health or many other reasons including regulatory controls.
-To constrain traffic to a region, configure the `localityLbSetting` option using Helm. See the
+To constrain traffic to a region, configure the `values.localityLbSetting` option during install. See the
 [Locality load balancing reference guide](/docs/reference/config/istio.mesh.v1alpha1/#LocalityLoadBalancerSetting)
 for options.
--- a/content/en/docs/ops/traffic-management/protocol-selection/index.md
+++ b/content/en/docs/ops/traffic-management/protocol-selection/index.md
@ -50,5 +50,5 @@ spec:
 Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic.
-This feature is experimental and off by default. It can be turned on by providing the Helm value `--set pilot.enableProtocolSniffingForOutbound=true --set pilot.enableProtocolSniffingForInbound=true`.
+This feature is experimental and off by default. It can be turned on by providing the install options `--set values.pilot.enableProtocolSniffingForOutbound=true --set values.pilot.enableProtocolSniffingForInbound=true`.
--- a/content/en/docs/setup/additional-setup/config-profiles/index.md
+++ b/content/en/docs/setup/additional-setup/config-profiles/index.md
@ -8,7 +8,7 @@ keywords: [profiles,install,helm]
 ---
 This page describes the built-in configuration profiles that can be used when
-[installing Istio using helm](/docs/setup/install/helm/).
+[installing Istio](/docs/setup/install/operator/).
 The profiles provide customization of the Istio control plane and of the sidecars for the Istio data plane.
 You can start with one of Istio’s built-in configuration profiles and then further customize the configuration for
 your specific needs. The following built-in configuration profiles are currently available:
@ -27,14 +27,13 @@ your specific needs. The following built-in configuration profiles are currently
 1. **minimal**: the minimal set of components necessary to use Istio's [traffic management](/docs/tasks/traffic-management/) features.
-1. **sds-auth**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds).
+1. **sds**: similar to the **default** profile, but also enables Istio's [SDS (secret discovery service)](/docs/tasks/security/auth-sds).
    This profile comes with additional authentication features enabled by default (Strict Mutual TLS).
 The components marked as **X** are installed within each profile:
 |     | default | demo | minimal | sds |
 | --- | --- | --- | --- | --- |
 | Profile filename | `values.yaml` | `values-istio-demo.yaml` | `values-istio-minimal.yaml` | `values-istio-sds-auth.yaml` |
 | Core components | | | | | |
 | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-citadel` | X | X | | X |
 | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`istio-egressgateway` | | X | | |
@ -51,7 +50,10 @@ The components marked as **X** are installed within each profile:
 | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`kiali` | | X | | |
 | &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`prometheus` | X | X | | X |
-To further customize Istio and install addons, you can add one or more `--set <key>=<value>` options in the `helm template` or `helm install` command that you use when installing Istio. The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported installation key and value pairs.
+To further customize Istio and install addons, you can add one or more `--set <key>=<value>` options in the
 `istioctl manifest` command that you use when installing Istio.
 The [Installation Options](/docs/reference/config/installation-options/) lists the complete set of supported
 installation key and value pairs.
 ## Multicluster profiles
@ -64,15 +66,14 @@ Istio provides two additional built-in configuration profiles that are used excl
 1. **multicluster-gateways**: used for configuring clusters of a
    multicluster mesh with replicated [control planes]/docs/setup/deployment-models/#control-plane-models).
-The **remote** profile is configured using the values file `values-istio-remote.yaml`. This profile installs only two
+The **remote** profile installs only two Istio core components:
 Istio core components:
 1. `istio-citadel`
 1. `istio-sidecar-injector`
-The **multicluster-gateways** profile is configured using the values file `values-istio-multicluster-gateways.yaml`.
+The **multicluster-gateways** profile installs the same components as the Istio **default** configuration
-This profile installs the same components as the Istio **default** configuration profile plus two additional components:
+profile plus two additional components:
 1. The `istio-egressgateway` core component.
--- a/content/en/docs/setup/install/helm/index.md
+++ b/content/en/docs/setup/install/helm/index.md
@ -19,6 +19,11 @@ window.onload = function(){
 }
 </script>
 {{< warning >}}
 The Helm installation approach has been deprecated.
 Please use [Installing with {{< istioctl >}}](/docs/setup/install/operator/), instead.
 {{< /warning >}}
 Follow this guide to install and configure an Istio mesh for in-depth evaluation or production use.
 This installation guide uses [Helm](https://github.com/helm/helm) charts that provide rich
--- a/content/en/docs/setup/install/kubernetes/index.md
+++ b/content/en/docs/setup/install/kubernetes/index.md
@ -1,17 +1,15 @@
 ---
 title: Quick Start Evaluation Install
 description: Instructions to install Istio in a Kubernetes cluster for evaluation.
-weight: 10
+weight: 5
 keywords: [kubernetes]
 aliases:
    - /docs/setup/kubernetes/quick-start/
    - /docs/setup/kubernetes/install/kubernetes/
 ---
-This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/)
+This guide installs Istio's built-in **demo** [configuration profile](/docs/setup/additional-setup/config-profiles/).
-using basic Kubernetes commands without needing to download or install
+This installation lets you quickly evaluate Istio in a Kubernetes cluster on any platform.
 [Helm](https://github.com/helm/helm). This installation lets you quickly
 evaluate Istio in a Kubernetes cluster on any platform.
 {{< warning >}}
 The demo configuration profile is not suitable for performance evaluation. It
@ -20,7 +18,7 @@ access logging.
 {{< /warning >}}
 To install Istio for production use, we recommend using the
-[Helm Installation guide](/docs/setup/install/helm/)
+[Installing with {{< istioctl >}} guide](/docs/setup/install/operator/)
 instead, which provides many more options for selecting and managing the Istio
 configuration. This permits customization of Istio to operator specific
 requirements.
@ -33,21 +31,11 @@ requirements.
 1. Check the [Requirements for Pods and Services](/docs/setup/additional-setup/requirements/).
-## Installation steps
+## Install the demo profile
-1. Install all the Istio
+{{< text bash >}}
-    [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions)
+$ istioctl manifest apply --set profile=demo
-    (CRDs) using `kubectl apply`, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
+{{< /text >}}
    {{< text bash >}}
    $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
    {{< /text >}}
 1. Install the **demo** profile:
    {{< text bash >}}
    $ kubectl apply -f install/kubernetes/istio-demo.yaml
    {{< /text >}}
 ## Verifying the installation
@ -139,14 +127,6 @@ The uninstall deletes the RBAC permissions, the `istio-system` namespace, and
 all resources hierarchically under it. It is safe to ignore errors for
 non-existent resources because they may have been deleted hierarchically.
-* Uninstall the **demo** profile:
+{{< text bash >}}
-
+$ istioctl manifest generate --set profile=demo | kubectl delete -f -
-    {{< text bash >}}
+{{< /text >}}
    $ kubectl delete -f install/kubernetes/istio-demo.yaml
    {{< /text >}}
 * If desired, delete the Istio CRDs:
    {{< text bash >}}
    $ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl delete -f $i; done
    {{< /text >}}
--- a/content/en/docs/setup/install/multicluster/shared-vpn/index.md
+++ b/content/en/docs/setup/install/multicluster/shared-vpn/index.md
@ -46,7 +46,7 @@ manifests and Helm charts provided within the Istio repository.
 ## Deploy the local control plane
-Install the [Istio control plane](/docs/setup/install/kubernetes/#installation-steps)
+Install the [Istio control plane](/docs/setup/install/kubernetes/)
 on **one** Kubernetes cluster.
 ## Install the Istio remote
--- a/content/en/docs/setup/install/operator/index.md
+++ b/content/en/docs/setup/install/operator/index.md
@ -1,7 +1,7 @@
 ---
-title: Operator CLI-based Installation
+title: Installing with Istioctl
 description: Install and configure Istio using the Istio Operator CLI.
-weight: 25
+weight: 10
 keywords: [operator,kubernetes,helm]
 ---
--- a/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md
+++ b/content/en/docs/tasks/observability/distributed-tracing/jaeger/index.md
@ -16,23 +16,23 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
 ## Before you begin
-1.  To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm)
+1.  To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator)
    and then configure:
-    a) a demo/test environment by setting the `--set tracing.enabled=true`  Helm install option to enable tracing "out of the box"
+    a) a demo/test environment by setting the `--set values.tracing.enabled=true` install option to enable tracing "out of the box"
-    b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set global.tracer.zipkin.address=<jaeger-collector-service>.<jaeger-collector-namespace>:9411` Helm install option.
+    b) a production environment by referencing an existing Jaeger instance, e.g. created with the [operator](https://github.com/jaegertracing/jaeger-operator), and then setting the `--set values.global.tracer.zipkin.address=<jaeger-collector-service>.<jaeger-collector-namespace>:9411` install option.
    {{< warning >}}
    When you enable tracing, you can set the sampling rate that Istio uses for tracing.
-    Use the `pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%.
+    Use the `values.pilot.traceSampling` option to set the sampling rate. The default sampling rate is 1%.
    {{< /warning >}}
 1.  Deploy the [Bookinfo](/docs/examples/bookinfo/#deploying-the-application) sample application.
 ## Accessing the dashboard
-[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio       addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install.
+[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install.
 For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Jaeger to the `istio-system` namespace:
--- a/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md
+++ b/content/en/docs/tasks/observability/distributed-tracing/lightstep/index.md
@ -39,21 +39,17 @@ This task uses the [Bookinfo](/docs/examples/bookinfo/) sample application as an
    - `global.tracer.lightstep.secure=true`
    - `global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem"`
-    If you are installing via `helm template` you can set these parameters using the `--set key=value` syntax
+    You can set these parameters using the `--set key=value` syntax
-    when you run the `helm` command. For example:
+    when you run the install command. For example:
    {{< text bash >}}
-    $ helm template \
+    $ istioctl manifest apply \
-        --set pilot.traceSampling=100 \
+        --set values.pilot.traceSampling=100 \
-        --set global.proxy.tracer="lightstep" \
+        --set values.global.proxy.tracer="lightstep" \
-        --set global.tracer.lightstep.address="<satellite-address>" \
+        --set values.global.tracer.lightstep.address="<satellite-address>" \
-        --set global.tracer.lightstep.accessToken="<access-token>" \
+        --set values.global.tracer.lightstep.accessToken="<access-token>" \
-        --set global.tracer.lightstep.secure=true \
+        --set values.global.tracer.lightstep.secure=true \
-        --set global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem" \
+        --set values.global.tracer.lightstep.cacertPath="/etc/lightstep/cacert.pem"
        install/kubernetes/helm/istio \
        --name istio --namespace istio-system > $HOME/istio.yaml
    $ kubectl create namespace istio-system
    $ kubectl apply -f $HOME/istio.yaml
    {{< /text >}}
 1.  Store your satellite pool's certificate authority certificate as a secret in the default namespace.
--- a/content/en/docs/tasks/observability/distributed-tracing/overview/index.md
+++ b/content/en/docs/tasks/observability/distributed-tracing/overview/index.md
@ -93,9 +93,9 @@ dashboard. This sampling rate is suitable for a test or low traffic
 mesh. For a high traffic mesh you can lower the trace sampling
 percentage in one of two ways:
-* During the mesh setup, use the Helm option `pilot.traceSampling` to
+* During the mesh setup, use the option `values.pilot.traceSampling` to
  set the percentage of trace sampling. See the
-  [Helm Install](/docs/setup/install/helm/) documentation for
+  [Installing with {{< istioctl >}}](/docs/setup/install/operator/) documentation for
  details on setting options.
 * In a running mesh, edit the `istio-pilot` deployment and
  change the environment variable with the following steps:
--- a/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md
+++ b/content/en/docs/tasks/observability/distributed-tracing/zipkin/index.md
@ -16,12 +16,12 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
 ## Before you begin
-1.  To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/helm)
+1.  To set up Istio, follow the instructions in the [Installation guide](/docs/setup/install/operator)
    and then configure:
-    a) a demo/test environment by setting the `--set tracing.enabled=true` and `--set tracing.provider=zipkin` Helm install options to enable tracing "out of the box"
+    a) a demo/test environment by setting the `--set values.tracing.enabled=true` and `--set values.tracing.provider=zipkin` install options to enable tracing "out of the box"
-    b) a production environment by referencing an existing Zipkin instance and then setting the `--set global.tracer.zipkin.address=<zipkin-collector-service>.<zipkin-collector-namespace>:9411` Helm install option.
+    b) a production environment by referencing an existing Zipkin instance and then setting the `--set values.global.tracer.zipkin.address=<zipkin-collector-service>.<zipkin-collector-namespace>:9411` install option.
    {{< warning >}}
    When you enable tracing, you can set the sampling rate that Istio uses for tracing.
@ -32,7 +32,7 @@ To learn how Istio handles tracing, visit this task's [overview](../overview/).
 ## Accessing the dashboard
-[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio       addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the Helm chart option `--set tracing.ingress.enabled=true` during install.
+[Remotely Accessing Telemetry Addons](/docs/tasks/observability/gateways) details how to configure access to the Istio addons through a gateway. Alternatively, to use a Kubernetes ingress, specify the option `--set values.tracing.ingress.enabled=true` during install.
 For testing (and temporary access), you may also use port-forwarding. Use the following, assuming you've deployed Zipkin to the `istio-system` namespace:
--- a/content/en/docs/tasks/observability/gateways/index.md
+++ b/content/en/docs/tasks/observability/gateways/index.md
@ -33,21 +33,21 @@ addons to require authentication when exposing them externally.
 1. [Install cert-manager](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html) to manage certificates automatically.
-1. [Install Istio](/docs/setup) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use
+1. [Install Istio](/docs/setup/install/operator) in your cluster and enable the `cert-manager` flag and configure `istio-ingressgateway` to use
 the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#sds-configuration).
-    To install Istio accordingly, use the following Helm installation options:
+    To install Istio accordingly, use the following installation options:
-    * `--set gateways.enabled=true`
+    * `--set values.gateways.enabled=true`
-    * `--set gateways.istio-ingressgateway.enabled=true`
+    * `--set values.gateways.istio-ingressgateway.enabled=true`
-    * `--set gateways.istio-ingressgateway.sds.enabled=true`
+    * `--set values.gateways.istio-ingressgateway.sds.enabled=true`
-    To additionally install the telemetry addons, use the following Helm installation options:
+    To additionally install the telemetry addons, use the following installation options:
-    * Grafana: `--set grafana.enabled=true`
+    * Grafana: `--set values.grafana.enabled=true`
-    * Kiali: `--set kiali.enabled=true`
+    * Kiali: `--set values.kiali.enabled=true`
-    * Prometheus: `--set prometheus.enabled=true`
+    * Prometheus: `--set values.prometheus.enabled=true`
-    * Tracing: `--set tracing.enabled=true`
+    * Tracing: `--set values.tracing.enabled=true`
 1. Configure the DNS records for your domain.
@ -370,14 +370,14 @@ the [Secret Discovery Service](https://www.envoyproxy.io/docs/envoy/latest/confi
 ### Option 2: Insecure access (HTTP)
-1. [Install Istio](/docs/setup/) in your cluster with your desired telemetry addons.
+1. [Install Istio](/docs/setup/install/operator) in your cluster with your desired telemetry addons.
-    To additionally install the telemetry addons, use the following Helm installation options:
+    To additionally install the telemetry addons, use the following installation options:
-    * Grafana: `--set grafana.enabled=true`
+    * Grafana: `--set values.grafana.enabled=true`
-    * Kiali: `--set kiali.enabled=true`
+    * Kiali: `--set values.kiali.enabled=true`
-    * Prometheus: `--set prometheus.enabled=true`
+    * Prometheus: `--set values.prometheus.enabled=true`
-    * Tracing: `--set tracing.enabled=true`
+    * Tracing: `--set values.tracing.enabled=true`
 1. Apply networking configuration for the telemetry addons.
--- a/content/en/docs/tasks/observability/kiali/index.md
+++ b/content/en/docs/tasks/observability/kiali/index.md
@ -26,7 +26,7 @@ To install Kiali without using Helm, follow the [Kiali installation instructions
 ### Create a secret
 {{< idea >}}
-If you plan on installing Kiali using the `istio-demo.yaml` file as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/#installation-steps) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section.
+If you plan on installing Kiali using the Istio demo profile as described in the [Istio Quick Start Installation Steps](/docs/setup/install/kubernetes/) then a default secret will be created for you with a username of `admin` and passphrase of `admin`. You can therefore skip this section.
 {{< /idea >}}
 Create a secret in your Istio namespace with the credentials that you use to
--- a/content/en/docs/tasks/observability/logs/access-log/index.md
+++ b/content/en/docs/tasks/observability/logs/access-log/index.md
@ -22,7 +22,7 @@ The standard output of Envoy's containers can then be printed by the `kubectl lo
 Edit the `istio` configuration map:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.proxy.accessLogFile="/dev/stdout" | kubectl replace -f -
+$ istioctl manifest apply --set values.global.proxy.accessLogFile="/dev/stdout"
 configmap "istio" replaced
 {{< /text >}}
@ -32,7 +32,7 @@ You may also want to customize the
 [format](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log#format-rules) of the access log by editing `accessLogFormat`.
 {{< tip >}}
-All three of these parameters may also be configured via [helm values](/docs/reference/config/installation-options/):
+All three of these parameters may also be configured via [install options](/docs/reference/config/installation-options/):
 {{< /tip >}}
 * `global.proxy.accessLogFile`
@ -97,6 +97,6 @@ $ kubectl delete -f @samples/httpbin/httpbin.yaml@
 Edit the `istio` configuration map and set `accessLogFile` to `""`.
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml | kubectl replace -f -
+$ istioctl manifest apply
 configmap "istio" replaced
 {{< /text >}}
--- a/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md
+++ b/content/en/docs/tasks/observability/metrics/using-istio-dashboard/index.md
@ -17,7 +17,7 @@ the example application throughout this task.
 ## Before you begin
-* [Install Istio](/docs/setup) in your cluster. If you are installing using Helm, enable the Grafana add-on `--set grafana.enabled=true` [option](/docs/reference/config/installation-options/).
+* [Install Istio](/docs/setup) in your cluster. If not enabled in your chosen configuration profile, enable the Grafana add-on `--set values.grafana.enabled=true` [option](/docs/reference/config/installation-options/).
 * Deploy [Bookinfo](/docs/examples/bookinfo/) application.
 ## Viewing the Istio Dashboard
--- a/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md
+++ b/content/en/docs/tasks/policy-enforcement/enabling-policy/index.md
@ -10,7 +10,7 @@ This task shows you how to enable Istio policy enforcement.
 ## At install time
 In the default Istio installation profile, policy enforcement is disabled. To install Istio
-with policy enforcement on, use the `--set global.disablePolicyChecks=false` Helm install option.
+with policy enforcement on, use the `--set values.global.disablePolicyChecks=false` install option.
 Alternatively, you may [install Istio using the demo profile](/docs/setup/install/kubernetes/),
 which enables policy checks by default.
@ -31,7 +31,7 @@ which enables policy checks by default.
    Execute the following command from the root Istio directory:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.disablePolicyChecks=false | kubectl -n istio-system replace -f -
+    $ istioctl manifest apply --set values.global.disablePolicyChecks=false
    configmap "istio" replaced
    {{< /text >}}
--- a/content/en/docs/tasks/security/auth-sds/index.md
+++ b/content/en/docs/tasks/security/auth-sds/index.md
@ -47,9 +47,8 @@ This approach has the following benefits:
 ## Before you begin
-* Set up Istio by following the instructions using
+* Follow the [install instructions](/docs/setup/install/operator/)
-  [Helm](/docs/setup/install/helm/) with SDS setup and global mutual
+  to set up Istio with SDS and global mutual TLS enabled.
  TLS enabled.
 ## Service-to-service mutual TLS using key/certificate provisioned through SDS
--- a/content/en/docs/tasks/security/authn-policy/index.md
+++ b/content/en/docs/tasks/security/authn-policy/index.md
@ -15,9 +15,8 @@ the underlying concepts in the [authentication overview](/docs/concepts/security
 * Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related
 [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
-* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in
+* Install Istio on a Kubernetes cluster with global mutual TLS disabled (e.g, use the demo configuration profile, as described in
-[installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using
+[installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false).
 [Helm](/docs/setup/install/helm/)).
 ### Setup
--- a/content/en/docs/tasks/security/ca-namespace-targeting/index.md
+++ b/content/en/docs/tasks/security/ca-namespace-targeting/index.md
@ -60,7 +60,7 @@ You can observe that no new `istio.io/key-and-cert` secret was generated for the
 ### Opt-in Service Account secret generation
-To make `ServiceAcount` secret generation opt-in (i.e. to disable generating secrets unless otherwise specified)., set the `enableNamespacesByDefault` Helm value to `false`:
+Set the `enableNamespacesByDefault` installation option to `false` to make `ServiceAcount` secret generation opt-in (i.e., to disable generating secrets unless otherwise specified):
 {{< text yaml >}}
 ...
--- a/content/en/docs/tasks/security/health-check/index.md
+++ b/content/en/docs/tasks/security/health-check/index.md
@ -24,7 +24,7 @@ this feature is not needed if the production setup is not using the
 ## Before you begin
-To complete this task, you can install Istio using [Helm](/docs/setup/install/helm/) to setup Istio by setting the `global.mtls.enabled` flag to `true`.
+To complete this task, you can [install Istio](/docs/setup/install/operator/) with the `global.mtls.enabled` option set to `true`.
 {{< tip >}}
 Use an [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for
@ -34,12 +34,10 @@ See the [authentication policy task](/docs/tasks/security/authn-policy/) for det
 ## Deploying Citadel with health checking
-To enable health checking, redeploy Citadel with helm:
+To enable health checking, redeploy Citadel:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
+$ istioctl manifest generate --set values.global.mtls.enabled=true,values.security.citadelHealthCheck=true > citadel-health-check.yaml
 -x charts/security/templates/deployment.yaml \
 --set global.mtls.enabled=true --set security.citadelHealthCheck=true > citadel-health-check.yaml
 $ kubectl apply -f citadel-health-check.yaml
 {{< /text >}}
@ -104,8 +102,6 @@ continuously failed health checks.
 *   To disable health checking on Citadel:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
+    $ istioctl manifest apply --set values.global.mtls.enabled=true
    -x charts/security/templates/deployment.yaml \
    --set global.mtls.enabled=true | kubectl apply -f -
    {{< /text >}}
--- a/content/en/docs/tasks/security/https-overlay/index.md
+++ b/content/en/docs/tasks/security/https-overlay/index.md
@ -22,7 +22,7 @@ original HTTPS traffic. And this is the reason Istio can work on HTTPS services.
 Set up Istio by following the instructions in the
 [quick start](/docs/setup/install/kubernetes/).
 Note that default mutual TLS authentication should be **disabled** when installing Istio; e.g. option 1 in the
-[quick start](/docs/setup/install/kubernetes/#installation-steps).
+[quick start](/docs/setup/install/kubernetes/).
 The demo is also assumed to be running in a namespace where automatic sidecar injection is
 disabled, and Istio sidecars are instead manually injected with [`istioctl`](/docs/reference/commands/istioctl).
@ -161,12 +161,10 @@ $ kubectl get pod -n istio-system
 No resources found.
 {{< /text >}}
 Follow the [installation instructions](/docs/setup/install/kubernetes/#installation-steps) install CRDs.
 Install Istio with the **strict mutual TLS mode** enabled:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values install/kubernetes/helm/istio/values-istio-demo.yaml --set global.controlPlaneSecurityEnabled=true --set global.mtls.enabled=true | kubectl delete -f -
+$ istioctl manifest apply --set profile=demo,values.global.controlPlaneSecurityEnabled=true,values.global.mtls.enabled=true
 {{< /text >}}
 Make sure everything is up and running:
--- a/content/en/docs/tasks/security/mtls-migration/index.md
+++ b/content/en/docs/tasks/security/mtls-migration/index.md
@ -28,7 +28,8 @@ down once the migration is done.
 * Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
-* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use `install/kubernetes/istio-demo.yaml` as described in [installation steps](/docs/setup/install/kubernetes/#installation-steps), or set `global.mtls.enabled` to false using [Helm](/docs/setup/install/helm/)).
+* Have a Kubernetes cluster with Istio installed, without global mutual TLS enabled (e.g use the demo configuration profile as described in
 [installation steps](/docs/setup/install/kubernetes), or set the `global.mtls.enabled` installation option to false).
 * For demo
    * Create the following namespaces and deploy [httpbin]({{< github_tree >}}/samples/httpbin) and [sleep]({{< github_tree >}}/samples/sleep) with sidecar on both of them.
--- a/content/en/docs/tasks/security/plugin-ca-cert/index.md
+++ b/content/en/docs/tasks/security/plugin-ca-cert/index.md
@ -50,13 +50,11 @@ The following steps enable plugging in the certificates and key into Citadel:
        --from-file=samples/certs/cert-chain.pem
    {{< /text >}}
-1.  Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
+1.  Redeploy Citadel with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
    Citadel will read certificates and key from the secret-mount files.
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \
+    $ istioctl manifest apply --set values.global.mtls.enabled=true,values.security.selfSigned=false
    --set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml
    $ kubectl apply -f $HOME/citadel-plugin-cert.yaml
    {{< /text >}}
 1.  To make sure the workloads obtain the new certificates promptly,
--- a/content/en/docs/tasks/security/rbac-groups/index.md
+++ b/content/en/docs/tasks/security/rbac-groups/index.md
@ -22,7 +22,7 @@ concepts.
 * Create a Kubernetes cluster with Istio installed and mutual TLS enabled.
 To fulfill this prerequisite you can follow the Kubernetes
-[installation instructions](/docs/setup/install/kubernetes/#installation-steps).
+[installation instructions](/docs/setup/install/kubernetes/).
 ## Setup the required namespace and services
--- a/content/en/docs/tasks/traffic-management/egress/egress-control/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-control/index.md
@ -404,12 +404,11 @@ Update your `istio-sidecar-injector` configuration map using the IP ranges speci
 For example, if the range is 10.0.0.1&#47;24, use the following command:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio <the flags you used to install Istio> --set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml | kubectl apply -f -
+$ istioctl manifest apply <the flags you used to install Istio> --set values.global.proxy.includeIPRanges="10.0.0.1/24"
 {{< /text >}}
-Use the same Helm command that you used to [install Istio](/docs/setup/install/helm),
+Use the same command that you used to [install Istio](/docs/setup/install/operator) and
-specifically, ensure you use the same value for the `--namespace` flag and
+add `--set values.global.proxy.includeIPRanges="10.0.0.1/24"`.
 add these flags: `--set global.proxy.includeIPRanges="10.0.0.1/24" -x templates/sidecar-injector-configmap.yaml`.
 ### Access the external services
@ -444,7 +443,7 @@ Update the `istio-sidecar-injector.configmap.yaml` configuration map to redirect
 proxies:
 {{< text bash >}}
-$ helm template install/kubernetes/helm/istio <the flags you used to install Istio> -x templates/sidecar-injector-configmap.yaml | kubectl apply -f -
+$ istioctl manifest apply <the flags you used to install Istio>
 {{< /text >}}
 ## Understanding what happened
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
@ -635,20 +635,20 @@ to hold the configuration of the NGINX server:
    you used for generating your `istio.yaml`:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio/ --name istio --namespace istio-system -x charts/gateways/templates/deployment.yaml --set gateways.istio-ingressgateway.enabled=false \
+    $ istioctl manifest generate --set values.gateways.istio-ingressgateway.enabled=false \
-    --set gateways.istio-egressgateway.enabled=true \
+    --set values.gateways.istio-egressgateway.enabled=true \
-    --set 'gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[0].name'=egressgateway-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[0].secretName'=istio-egressgateway-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[0].mountPath'=/etc/istio/egressgateway-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[1].name'=egressgateway-ca-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[1].secretName'=istio-egressgateway-ca-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[1].mountPath'=/etc/istio/egressgateway-ca-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[2].name'=nginx-client-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[2].secretName'=nginx-client-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[2].mountPath'=/etc/nginx-client-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[3].name'=nginx-ca-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[3].secretName'=nginx-ca-certs \
-    --set 'gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \
+    --set 'values.gateways.istio-egressgateway.secretVolumes[3].mountPath'=/etc/nginx-ca-certs > \
    ./istio-egressgateway.yaml
    {{< /text >}}
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway/index.md
@ -49,15 +49,12 @@ controlled way.
    If no pods are returned, deploy the Istio egress gateway by performing the next step.
-1.  Use `helm template` (or `helm install` with the corresponding flags):
+1.  Run the following command:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio --name istio-egressgateway --namespace istio-system \
+    $ istioctl manifest apply --set values.global.istioNamespace=istio-system \
-        -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml \
+        --set values.gateways.istio-ingressgateway.enabled=false \
-        -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml \
+        --set values.gateways.istio-egressgateway.enabled=true
        -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml \
        --set global.istioNamespace=istio-system --set gateways.istio-ingressgateway.enabled=false \
        --set gateways.istio-egressgateway.enabled=true | kubectl apply -f -
    {{< /text >}}
 {{< warning >}}
--- a/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
@ -299,7 +299,7 @@ The SNI proxy will forward the traffic to port `443`.
 1.  The following command will generate `istio-egressgateway-with-sni-proxy.yaml` which you can optionally edit and then deploy.
    {{< text bash >}}
-    $ cat <<EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.istioNamespace=istio-system -f - > ./istio-egressgateway-with-sni-proxy.yaml
+    $ cat <<EOF | istioctl manifest generate --set values.global.istioNamespace=istio-system -f - > ./istio-egressgateway-with-sni-proxy.yaml
    gateways:
      enabled: true
      istio-ingressgateway:
--- a/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/ingress-certmgr/index.md
@ -13,16 +13,14 @@ You will start with a clean Istio installation, create an example service, expos
 ## Before you begin
-1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do this for the [helm template](/docs/setup/install/helm/#option-1-install-with-helm-via-helm-template) installation path:
+1. [Install Istio](/docs/setup/) making sure to enable ingress [gateway](/docs/reference/config/networking/gateway) with Kubernetes Ingress support, [SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret). Here's an example of how to do it:
    {{< text bash >}}
-    $ helm template $HOME/istio-fetch/istio \
+    $ istioctl manifest apply \
-      --namespace=istio-system \
+      --set values.gateways.istio-ingressgateway.sds.enabled=true \
-      --set gateways.istio-ingressgateway.sds.enabled=true \
+      --set values.global.k8sIngress.enabled=true \
-      --set global.k8sIngress.enabled=true \
+      --set values.global.k8sIngress.enableHttps=true \
-      --set global.k8sIngress.enableHttps=true \
+      --set values.global.k8sIngress.gatewayName=ingressgateway
      --set global.k8sIngress.gatewayName=ingressgateway \
      > $HOME/istio-fetch/istio.yaml
    {{< /text >}}
    {{< tip >}}
--- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress-sds/index.md
@ -103,14 +103,12 @@ need to create secrets for multiple hosts and update the gateway definitions.
 1.  Enable SDS at ingress gateway and deploy the ingress gateway agent.
    Since this feature is disabled by default, you need to enable the
-    [`istio-ingressgateway.sds.enabled` flag]({{<github_blob>}}/install/kubernetes/helm/istio/charts/gateways/values.yaml) in helm,
+    `istio-ingressgateway.sds.enabled` installation option and generate the `istio-ingressgateway.yaml` file:
    and then generate the `istio-ingressgateway.yaml` file:
    {{< text bash >}}
-    $ helm template install/kubernetes/helm/istio/ --name istio \
+    $ istioctl manifest generate \
-    --namespace istio-system -x charts/gateways/templates/deployment.yaml \
+    --set values.gateways.istio-egressgateway.enabled=false \
-    --set gateways.istio-egressgateway.enabled=false \
+    --set values.gateways.istio-ingressgateway.sds.enabled=true > \
    --set gateways.istio-ingressgateway.sds.enabled=true > \
    $HOME/istio-ingressgateway.yaml
    $ kubectl apply -f $HOME/istio-ingressgateway.yaml
    {{< /text >}}
--- a/layouts/shortcodes/istioctl.html
+++ b/layouts/shortcodes/istioctl.html
@ -0,0 +1 @@
 istioctl
`@ -50,5 +50,5 @@ spec:`

	`Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic.`	`Istio can automatically detect HTTP and HTTP/2 traffic. If the protocol cannot automatically be determined, traffic will be treated as plain TCP traffic.`

	This feature is experimental and off by default. It can be turned on by providing the Helm value `--set pilot.enableProtocolSniffingForOutbound=true --set pilot.enableProtocolSniffingForInbound=true`.	This feature is experimental and off by default. It can be turned on by providing the install options `--set values.pilot.enableProtocolSniffingForOutbound=true --set values.pilot.enableProtocolSniffingForInbound=true`.