Installing Istio With a Helmfile
Intro
Istio is an open-source service-mesh platform for Kubernetes. A service mesh is a tool for managing communication between services in a microservices architecture. It’s particularly useful because it provides security and configuration features, such as mutual TLS (mTLS) and TLS termination via Envoy sidecar proxies.
In this tutorial, we’ll use Helmfile to declaratively manage Istio installation on your Kubernetes cluster.
Istio helpfully provides some Helm charts, but a few additional settings need to be enabled for the Helmfile installation to go smoothly.
Overview
The Istio Helm charts consist of two parts: istio/base and istio/istiod. istio/base installs the Custom Resource Definitions (CRDs) that Istio needs, and istio/istiod is the Istio control plane.
We’ll break this tutorial into smaller sections that explain each step in more detail.
Step 1: Set up the Istio Helm repository
Before we can use Helm to install Istio, we need to add the Istio repository to our Helmfile. Add the following to your helmfile.yaml:
helmfile.yaml
repositories:
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
Step 2: Install istio/base
The first chart we need to install is istio/base, which installs the Istio CRDs. We’ll also set the createNamespace option to true to ensure the creation of the istio-system namespace:
helmfile.yaml
releases:
  - name: istio-base
    namespace: istio-system
    version: 1.17.1
    chart: istio/base
    createNamespace: true
Kubernetes Gateway API
Istio has beta support for the Kubernetes Gateway API for ingress. If you plan on using it, you can ensure that its CRDs are installed on your cluster by adding the following pre-apply hook to the istio-base release. Learn more about Helmfile hooks in the docs.
helmfile.yaml
    hooks:
      - events: ["preapply"]
        showlogs: true
        command: "/bin/bash"
        args:
          [
            "-c",
            'kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply -f -; }',
          ]
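The hook above applies whatever the remote v0.6.1 ref renders at apply time, and a Git tag can be repointed upstream. As an added example (not part of the original tutorial, Helmfile or Istio), the script below gates that install step on a SHA-256 digest you record after reviewing the rendered CRDs once. The function names and exit codes are assumptions of this example; render_crds and apply_manifest wrap the same two kubectl commands the hook uses.

```shell
#!/usr/bin/env bash
# Added example: digest-gated version of the preapply hook's install step.
# The source string is the one used in the tutorial's hook.
GATEWAY_CRD_SRC='github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1'

# Render the CRD manifests to stdout (same command the hook uses).
render_crds() {
  kubectl kustomize "$GATEWAY_CRD_SRC"
}

# Apply a manifest file that has already passed the digest check.
apply_manifest() {
  kubectl apply -f "$1"
}

# install_pinned_crds <expected-sha256>   (hypothetical helper name)
# Renders to a temp file first so the bytes that were hashed are exactly the
# bytes that get applied. Exit codes (assumed convention for this example):
#   0 = applied, 1 = render or apply failed, 2 = digest mismatch.
install_pinned_crds() {
  expected=$1
  tmp=$(mktemp) || return 1
  if ! render_crds > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  actual=$(sha256sum "$tmp" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "gateway-api CRDs: expected sha256 $expected, got $actual" >&2
    rm -f "$tmp"
    return 2
  fi
  if ! apply_manifest "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}
```

To use it, call install_pinned_crds with your recorded digest from the hook's -c string in place of the inline kubectl kustomize | kubectl apply pipeline, keeping the kubectl get crd check in front of it.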
Step 3: Install istio/istiod
The final chart we need to install is istio/istiod, which is the Istio control plane. This chart requires the Istio CRDs, so we’ll use the needs feature of Helmfile to ensure that istio/istiod is always installed after istio/base. We’ll also use the disableValidationOnInstall option to avoid errors due to missing CRDs on the first install:
helmfile.yaml
  - name: istiod
    namespace: istio-system
    version: 1.17.1
    chart: istio/istiod
    disableValidationOnInstall: true
    needs:
      - istio-system/istio-base
Step 4: Apply the Helmfile
That’s it! You can now run helmfile apply --include-needs to install Istio on your cluster.
Our final helmfile.yaml:
repositories:
  - name: istio
    url: https://istio-release.storage.googleapis.com/charts
# These defaults are just helpful, feel free to omit them
helmDefaults:
  atomic: true # Restores previous state in case of failed release
  cleanupOnFail: true # Cleans up any new resources created during a failed release
releases:
  - name: istio-base
    namespace: istio-system
    version: 1.17.1
    chart: istio/base
    createNamespace: true
    hooks: # This hook is only needed if you're going to use the new k8s gateway API. This ensures CRDs for the k8s gateway API are installed
      - events: ["preapply"]
        showlogs: true
        command: "/bin/bash"
        args:
          [
            "-c",
            'kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.1" | kubectl apply -f -; }',
          ]
  - name: istiod
    namespace: istio-system
    version: 1.17.1
    chart: istio/istiod
    disableValidationOnInstall: true
    needs:
      - istio-system/istio-base