18 KiB
| title | description | weight | keywords | aliases | ||||
|---|---|---|---|---|---|---|---|---|
| Installation with Helm | Install Istio with the included Helm chart. | 30 |
|
|
Quick start instructions for the setup and configuration of Istio using Helm. This is the recommended install method for installing Istio to your production environment as it offers rich customization to the Istio control plane and the sidecars for the Istio data plane.
{{< warning_icon >}} Installation of Istio prior to version 0.8.0 with Helm is unstable and not recommended.
Prerequisites
-
Download the latest Istio release.
-
Istio by default uses LoadBalancer service object types. Some platforms do not support LoadBalancer service objects. For platforms lacking LoadBalancer support, install Istio with NodePort support instead with the flags
--set ingress.service.type=NodePort --set ingressgateway.service.type=NodePort --set egressgateway.service.type=NodePortappended to the end of the helm operation.
Option 1: Install with Helm via helm template
-
Render Istio's core components to a Kubernetes manifest called
istio.yaml:-
With automatic sidecar injection (requires Kubernetes >=1.9.0):
{{< text bash >}} $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml {{< /text >}}
-
Without the sidecar injection webhook:
{{< text bash >}} $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false > $HOME/istio.yaml {{< /text >}}
-
-
Install the components via the manifest:
{{< text bash >}} $ kubectl create namespace istio-system $ kubectl create -f $HOME/istio.yaml {{< /text >}}
Option 2: Install with Helm and Tiller via helm install
This option allows Helm and Tiller to manage the lifecycle of Istio.
{{< warning_icon >}} Upgrading Istio using Helm has not been fully tested.
-
If a service account has not already been installed for Tiller, install one:
{{< text bash >}} $ kubectl create -f @install/kubernetes/helm/helm-service-account.yaml@ {{< /text >}}
-
Install Tiller on your cluster with the service account:
{{< text bash >}} $ helm init --service-account tiller {{< /text >}}
-
Install Istio:
-
With automatic sidecar injection (requires Kubernetes >=1.9.0):
{{< text bash >}} $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system {{< /text >}}
-
Without the sidecar injection webhook:
{{< text bash >}} $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false {{< /text >}}
-
Customization with Helm
The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use --set key=value argument during the helm install command. Multiple --set operations
may be used in the same Helm operation.
Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:
| Parameter | Default | Description | Values |
|---|---|---|---|
global |
`` | `` | |
global.hub |
docker.io/istio |
Repository for Istio images | any valid container hub |
global.tag |
0.8.latest |
tag for Istio images | any valid container tag |
global.proxy |
`` | `` | |
global.proxy.image |
proxyv2 |
image used for the proxy sidecar | proxy or proxyv2 |
global.proxy.resources |
`` | `` | |
global.proxy.resources.requests |
`` | `` | |
global.proxy.resources.requests.cpu |
100m |
CPU required for sidecar | A valid cpu allocation |
global.proxy.resources.requests.memory |
128Mi |
Memory required for sidecar | A valid memory allocation |
global.proxy.enableCoreDump |
false |
Whether core dump generation is enabled | true or false |
global.proxy.serviceAccountName |
default |
Service account to use if RBAC is disabled | a valid service account |
global.proxy.replicaCount |
1 |
Replica Count | 1 or more |
global.proxy.includeIPRanges |
"*" |
`` | |
global.proxy.excludeIPRanges |
"" |
`` | |
global.proxy.includeInboundPorts |
"*" |
`` | |
global.proxy.excludeInboundPorts |
"" |
`` | |
global.proxy.policy |
enabled |
`` | |
global.proxy.envoyStatsd |
`` | `` | |
global.proxy.envoyStatsd.enabled |
true |
`` | |
global.proxy.envoyStatsd.host |
istio-statsd-prom-bridge |
`` | |
global.proxy.envoyStatsd.port |
9125 |
`` | |
global.proxy_init |
`` | `` | |
global.proxy_init.image |
proxy_init |
`` | |
global.imagePullPolicy |
IfNotPresent |
`` | |
global.hyperkube |
`` | `` | |
global.hyperkube.repository |
quay.io/coreos/hyperkube |
`` | |
global.hyperkube.tag |
v1.7.6_coreos.0 |
`` | |
global.controlPlaneSecurityEnabled |
false |
`` | |
global.mtls |
`` | `` | |
global.mtls.enabled |
false |
`` | |
global.rbacEnabled |
true |
`` | |
global.imagePullSecrets |
`` | `` | |
global.refreshInterval |
10s |
`` | |
global.arch |
`` | `` | |
global.arch.amd64 |
2 |
`` | |
global.arch.s390x |
2 |
`` | |
global.arch.ppc64le |
2 |
`` | |
global.oneNamespace |
false |
`` | |
istiotesting |
`` | `` | |
istiotesting.oneNameSpace |
false |
`` | |
ingress |
`` | `` | |
ingress.enabled |
true |
`` | |
ingress.serviceAccountName |
default |
`` | |
ingress.replicaCount |
1 |
`` | |
ingress.autoscaleMin |
1 |
`` | |
ingress.autoscaleMax |
1 |
`` | |
ingress.resources |
{} |
`` | |
ingress.service |
`` | `` | |
ingress.service.loadBalancerIP |
"" |
`` | |
ingress.service.type |
LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be |
`` | |
ingress.service.annotations |
{} |
`` | |
ingress.service.ports |
`` | `` | |
ingress.service.ports.name |
http |
`` | |
ingress.service.ports.nodePort |
32000 |
`` | |
ingress.service.ports.name |
https |
`` | |
ingress.service.selector |
`` | `` | |
ingress.service.selector.istio |
ingress |
`` | |
ingressgateway |
`` | `` | |
ingressgateway.enabled |
true |
`` | |
ingressgateway.serviceAccountName |
istio-ingressgateway-service-account |
`` | |
ingressgateway.replicaCount |
1 |
`` | |
ingressgateway.autoscaleMin |
1 |
`` | |
ingressgateway.autoscaleMax |
1 |
`` | |
ingressgateway.resources |
{} |
`` | |
ingressgateway.service |
`` | `` | |
ingressgateway.service.name |
istio-ingressgateway #DNS addressible |
`` | |
ingressgateway.service.labels |
`` | `` | |
ingressgateway.service.labels.istio |
ingressgateway |
`` | |
ingressgateway.service.annotations |
{} |
`` | |
ingressgateway.service.loadBalancerIP |
"" |
`` | |
ingressgateway.service.type |
LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be |
`` | |
ingressgateway.service.ports |
`` | `` | |
ingressgateway.service.ports.name |
http |
`` | |
ingressgateway.service.ports.nodePort |
31380 |
`` | |
ingressgateway.service.ports.name |
https |
`` | |
ingressgateway.service.ports.nodePort |
31390 |
`` | |
ingressgateway.service.ports.name |
tcp |
`` | |
ingressgateway.service.ports.nodePort |
31400 |
`` | |
ingressgateway.deployment |
`` | `` | |
ingressgateway.deployment.labels |
`` | `` | |
ingressgateway.deployment.labels.istio |
ingressgateway #will be added to pods and service |
`` | |
ingressgateway.deployment.ports |
`` | `` | |
ingressgateway.deployment.secretVolumes |
`` | `` | |
ingressgateway.deployment.secretVolumes.secretName |
istio-ingressgateway-certs |
`` | |
ingressgateway.deployment.secretVolumes.mountPath |
/etc/istio/ingressgateway-certs |
`` | |
ingressgateway.deployment.secretVolumes.secretName |
istio-ingressgateway-ca-certs |
`` | |
ingressgateway.deployment.secretVolumes.mountPath |
/etc/istio/ingressgateway-ca-certs |
`` | |
egressgateway |
`` | `` | |
egressgateway.enabled |
true |
`` | |
egressgateway.serviceAccountName |
istio-egressgateway-service-account |
`` | |
egressgateway.replicaCount |
1 |
`` | |
egressgateway.autoscaleMin |
1 |
`` | |
egressgateway.autoscaleMax |
1 |
`` | |
egressgateway.resources |
{} |
`` | |
egressgateway.service |
`` | `` | |
egressgateway.service.name |
istio-egressgateway #DNS addressible |
`` | |
egressgateway.service.labels |
`` | `` | |
egressgateway.service.labels.istio |
egressgateway |
`` | |
egressgateway.service.type |
ClusterIP #change to NodePort or LoadBalancer if need be |
`` | |
egressgateway.service.ports |
`` | `` | |
egressgateway.service.ports.name |
http |
`` | |
egressgateway.service.ports.name |
https |
`` | |
egressgateway.deployment |
`` | `` | |
egressgateway.deployment.labels |
`` | `` | |
egressgateway.deployment.labels.istio |
egressgateway #will be added to pods and service |
`` | |
egressgateway.deployment.ports |
`` | `` | |
egressgateway.deployment.secretVolumes |
`` | `` | |
egressgateway.deployment.secretVolumes.secretName |
istio-egressgateway-certs |
`` | |
egressgateway.deployment.secretVolumes.mountPath |
/etc/istio/egressgateway-certs |
`` | |
egressgateway.deployment.secretVolumes.secretName |
istio-egressgateway-ca-certs |
`` | |
egressgateway.deployment.secretVolumes.mountPath |
/etc/istio/egressgateway-ca-certs |
`` | |
sidecarInjectorWebhook |
`` | `` | |
sidecarInjectorWebhook.enabled |
true |
`` | |
sidecarInjectorWebhook.replicaCount |
1 |
`` | |
sidecarInjectorWebhook.image |
sidecar_injector |
`` | |
sidecarInjectorWebhook.resources |
{} |
`` | |
galley |
`` | `` | |
galley.enabled |
true |
`` | |
galley.serviceAccountName |
default |
`` | |
galley.replicaCount |
1 |
`` | |
galley.image |
galley |
`` | |
galley.resources |
{} |
`` | |
mixer |
`` | `` | |
mixer.enabled |
true |
`` | |
mixer.serviceAccountName |
default # used only if RBAC is not enabled |
`` | |
mixer.replicaCount |
1 |
`` | |
mixer.image |
mixer |
`` | |
mixer.resources |
{} |
`` | |
mixer.prometheusStatsdExporter |
`` | `` | |
mixer.prometheusStatsdExporter.repository |
prom/statsd-exporter |
`` | |
mixer.prometheusStatsdExporter.tag |
latest |
`` | |
mixer.prometheusStatsdExporter.resources |
{} |
`` | |
pilot |
`` | `` | |
pilot.enabled |
true |
`` | |
pilot.serviceAccountName |
default # used only if RBAC is not enabled |
`` | |
pilot.replicaCount |
1 |
`` | |
pilot.image |
pilot |
`` | |
pilot.resources |
{} |
`` | |
security |
`` | `` | |
security.serviceAccountName |
default # used only if RBAC is not enabled |
`` | |
security.replicaCount |
1 |
`` | |
security.image |
citadel |
`` | |
security.resources |
{} |
`` | |
security.selfSigned |
true # indicate if self-signed CA is used. |
`` | |
security.cleanUpOldCA |
true |
`` | |
grafana |
grafana.local |
`` | |
grafana.enabled |
false |
`` | |
grafana.replicaCount |
1 |
`` | |
grafana.image |
grafana |
`` | |
grafana.service |
`` | `` | |
grafana.service.name |
http |
`` | |
grafana.service.type |
ClusterIP |
`` | |
grafana.service.externalPort |
3000 |
`` | |
grafana.service.internalPort |
3000 |
`` | |
grafana.ingress |
grafana.local |
`` | |
grafana.ingress.enabled |
false |
`` | |
grafana.ingress.hosts |
grafana.local |
`` | |
grafana.ingress.annotations |
`` | `` | |
grafana.ingress.tls |
`` | `` | |
grafana.resources |
{} |
`` | |
prometheus |
`` | `` | |
prometheus.enabled |
true |
`` | |
prometheus.replicaCount |
1 |
`` | |
prometheus.image |
`` | `` | |
prometheus.image.repository |
docker.io/prom/prometheus |
`` | |
prometheus.image.tag |
latest |
`` | |
prometheus.ingress |
`` | `` | |
prometheus.ingress.enabled |
false |
`` | |
prometheus.ingress.annotations |
`` | `` | |
prometheus.ingress.tls |
`` | `` | |
prometheus.resources |
{} |
`` | |
prometheus.service |
`` | `` | |
prometheus.service.nodePort |
`` | `` | |
prometheus.service.nodePort.enabled |
false |
`` | |
prometheus.service.nodePort.port |
32090 |
`` | |
servicegraph |
servicegraph.local |
`` | |
servicegraph.enabled |
false |
`` | |
servicegraph.replicaCount |
1 |
`` | |
servicegraph.image |
servicegraph |
`` | |
servicegraph.service |
`` | `` | |
servicegraph.service.name |
http |
`` | |
servicegraph.service.type |
ClusterIP |
`` | |
servicegraph.service.externalPort |
8088 |
`` | |
servicegraph.service.internalPort |
8088 |
`` | |
servicegraph.ingress |
servicegraph.local |
`` | |
servicegraph.ingress.enabled |
false |
`` | |
servicegraph.ingress.hosts |
servicegraph.local |
`` | |
servicegraph.ingress.annotations |
`` | `` | |
servicegraph.ingress.tls |
`` | `` | |
servicegraph.resources |
{} |
`` | |
servicegraph.prometheusAddr |
http://prometheus:9090 |
`` | |
tracing |
zipkin.local |
`` | |
tracing.enabled |
false |
`` | |
tracing.jaeger |
`` | `` | |
tracing.jaeger.enabled |
false |
`` | |
tracing.jaeger.memory |
`` | `` | |
tracing.jaeger.memory.max_traces |
50000 |
`` | |
tracing.replicaCount |
1 |
`` | |
tracing.image |
`` | `` | |
tracing.image.repository |
jaegertracing/all-in-one |
`` | |
tracing.image.tag |
1.5 |
`` | |
tracing.service |
`` | `` | |
tracing.service.name |
http |
`` | |
tracing.service.type |
ClusterIP |
`` | |
tracing.service.externalPort |
9411 |
`` | |
tracing.service.internalPort |
9411 |
`` | |
tracing.service.uiPort |
16686 |
`` | |
tracing.ingress |
zipkin.local |
`` | |
tracing.ingress.enabled |
false |
`` | |
tracing.ingress.hosts |
zipkin.local |
`` | |
tracing.ingress.annotations |
`` | `` | |
tracing.ingress.tls |
`` | `` | |
tracing.resources |
{} |
`` | |
kiali |
`` | `` | |
kiali.enabled |
false |
`` | |
kiali.replicaCount |
1 |
`` | |
kiali.image |
`` | `` | |
kiali.image.repository |
kiali/kiali |
`` | |
kiali.image.tag |
0.3.1.Alpha |
`` | |
kiali.ingress |
`` | `` | |
kiali.ingress.enabled |
false |
`` | |
kiali.ingress.annotations |
`` | `` | |
kiali.ingress.tls |
`` | `` | |
kiali.resources |
{} |
`` | |
kiali.dashboard |
`` | `` | |
kiali.dashboard.username |
admin |
`` | |
kiali.dashboard.password |
admin |
`` |
The Helm chart also offers significant customization options per individual
service. Customize these per-service options at your own risk. The per-service options are exposed via
the [values.yaml]({{< github_file >}}/install/kubernetes/helm/istio/values.yaml) file.
Customization example: traffic management minimal set
Istio is equipped with a rich and powerful set of features and some users may need only subset of those. For instance, users might be interested only in installing the minimal set required to Istio's traffic management. Helm customization provides the option to install a subset by enabling those features of interest and disabling the ones that aren't required.
In this example we will install Istio with only a minimal set of components necessary to conduct traffic management.
Execute the following command to install the Pilot, Citadel, IngressGateway and Sidecar-Injector:
{{< text bash >}}
$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
--set ingress.enabled=false,gateways.istio-egressgateway.enabled=false,galley.enabled=false
--set mixer.enabled=false,prometheus.enabled=false,global.proxy.envoyStatsd.enabled=false
{{< /text >}}
Ensure the following Kubernetes pods are deployed and their containers are up and running: istio-pilot-*, istio-ingressgateway-*,
istio-citadel-* and istio-sidecar-injector-*.
{{< text bash >}} $ kubectl get pods -n istio-system NAME READY STATUS RESTARTS AGE istio-citadel-b48446f79-wd4tk 1/1 Running 0 1m istio-ingressgateway-7b77d995f7-t6ssx 1/1 Running 0 1m istio-pilot-58c65f74bc-2f5xn 2/2 Running 0 1m istio-sidecar-injector-86cc99578-4t58m 1/1 Running 0 1m {{< /text >}}
With this minimal set you can proceed to installing the sample Bookinfo application or install your own application and configure request routing for instance.
Of course that if no ingress is expected and sidecar is to be injected manually then you can reduce this minimal set even further and only have Pilot and Citadel. However, Pilot depends on Citadel therefore you can't install it without the other.
Uninstall
-
For option 1, uninstall using kubectl:
{{< text bash >}} $ kubectl delete -f $HOME/istio.yaml {{< /text >}}
-
For option 2, uninstall using Helm:
{{< text bash >}} $ helm delete --purge istio {{< /text >}}
If your helm version is less than 2.9.0, then you need to manually cleanup extra job resource before redeploy new version of Istio chart:
{{< text bash >}} $ kubectl -n istio-system delete job --all {{< /text >}}