# Istio

[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

## Introduction

This chart bootstraps the deployment of all Istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

## Chart Details

This chart can install multiple Istio components as subcharts:
- ingress
- ingressgateway
- egressgateway
- sidecarInjectorWebhook
- galley
- mixer
- pilot
- security(citadel)
- grafana
- prometheus
- servicegraph
- tracing(jaeger)
- kiali

To enable or disable each component, change the corresponding `enabled` flag.

## Prerequisites

- A Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required.
- Helm 2.7.2 or newer, or alternately the ability to modify RBAC rules, is also required.
- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with the `admissionregistration` API is required, and the `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order.

## Resources Required

The chart deploys pods that consume the minimum resources specified in the resources configuration parameter.

## Installing the Chart

1. If a service account has not already been installed for Tiller, install one:
    ```
    $ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml
    ```

2. Install Tiller on your cluster with the service account:
    ```
    $ helm init --service-account tiller
    ```

3. Set and create the namespace where Istio will be installed:
    ```
    $ NAMESPACE=istio-system
    $ kubectl create ns $NAMESPACE
    ```

4. Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver:
    ```
    $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
    ```
    **Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver:
    ```
    $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
    ```

5. If you are enabling `kiali`, you need to create the secret that contains the username and passphrase for the `kiali` dashboard:
    ```
    $ echo -n 'admin' | base64
    YWRtaW4=
    $ echo -n '1f2d1e2e67df' | base64
    MWYyZDFlMmU2N2Rm
    $ cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: kiali
      namespace: $NAMESPACE
      labels:
        app: kiali
    type: Opaque
    data:
      username: YWRtaW4=
      passphrase: MWYyZDFlMmU2N2Rm
    EOF
    ```

6. If you are using security mode for Grafana, create the secret first as follows:

    Encode the username (you can change it to any name you want):
    ```
    $ echo -n 'admin' | base64
    YWRtaW4=
    ```

    Encode the passphrase (you can change it to any passphrase you want):
    ```
    $ echo -n '1f2d1e2e67df' | base64
    MWYyZDFlMmU2N2Rm
    ```

    Create the secret for Grafana:
    ```
    $ cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: grafana
      namespace: $NAMESPACE
      labels:
        app: grafana
    type: Opaque
    data:
      username: YWRtaW4=
      passphrase: MWYyZDFlMmU2N2Rm
    EOF
    ```

7. Install the chart with the release name `istio` in the namespace `$NAMESPACE` you defined above:
    - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0):
    ```
    $ helm install install/kubernetes/helm/istio --name istio --namespace $NAMESPACE
    ```

    - Without the sidecar injection webhook:
    ```
    $ helm install install/kubernetes/helm/istio --name istio --namespace $NAMESPACE --set sidecarInjectorWebhook.enabled=false
    ```

## Configuration

The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides.
To override Helm values, use the `--set key=value` argument with the `helm install` command. Multiple `--set` operations may be used in the same Helm operation.

Helm charts expose configuration options which are currently in alpha. The currently exposed options are explained in the following table:

| Parameter | Description | Values | Default |
| --- | --- | --- | --- |
| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` |
| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` |
| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` |
| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` |
| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` |
| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` |
| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` |
| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` |
| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` |
| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` |
| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` |
| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` |
| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` |
| `sidecarInjectorWebhook.enabled` | Specifies whether automatic sidecar-injector should be installed | true/false | `true` |
| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` |
| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` |
| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` |
| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` |
| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` |
| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | `""` |
| `grafana.accessMode` | If `grafana.persist` is true, specifies the [`Access Mode`](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use for the `PersistentVolumeClaim` | RWO/ROX/RWX | `ReadWriteMany` |
| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` |
| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` |
| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` |
| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` |

## Uninstalling the Chart

To uninstall/delete the `istio` release:
```
$ helm delete istio
```
The command removes all the Kubernetes components associated with the chart and deletes the release.

To uninstall/delete the `istio` release completely and make its name free for later use:
```
$ helm delete istio --purge
```
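
Installation steps 5 and 6 show the same sample passphrase for both the `kiali` and `grafana` secrets. The following added example (not part of the Istio chart or of this README's original text) renders the same Secret manifest with a freshly generated passphrase per dashboard; the helper names `gen_passphrase` and `render_dashboard_secret` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: render the kiali / grafana Secret from steps 5 and 6 with a
# generated passphrase instead of the README's sample value.
# gen_passphrase and render_dashboard_secret are hypothetical helper names.

# 24 random bytes from the kernel CSPRNG, base64-encoded -> 32 printable chars.
gen_passphrase() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# render_dashboard_secret NAME NAMESPACE USERNAME PASSPHRASE
# Prints a Secret manifest in the same shape as the README's heredoc.
# printf '%s' avoids the trailing newline that plain `echo` would encode.
render_dashboard_secret() {
  local name="$1" namespace="$2" username="$3" passphrase="$4"
  local b64_user b64_pass
  b64_user=$(printf '%s' "$username" | base64 | tr -d '\n')
  b64_pass=$(printf '%s' "$passphrase" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
  labels:
    app: $name
type: Opaque
data:
  username: $b64_user
  passphrase: $b64_pass
EOF
}

# Typical use (needs cluster access, so it is left commented out):
#   NAMESPACE=istio-system
#   render_dashboard_secret kiali   "$NAMESPACE" admin "$(gen_passphrase)" | kubectl apply -f -
#   render_dashboard_secret grafana "$NAMESPACE" admin "$(gen_passphrase)" | kubectl apply -f -
```

Values under `data:` are base64-encoded, not encrypted, so anyone who can read Secrets in the namespace can recover the passphrase.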