Introduction
This article offers an overview of the Helm install process and the IngressController implementations for Istio. Upon completing this tutorial, you should be able to deploy a complete, working Istio IngressController via Helm as per the Istio getting started documentation. Note: This article assumes Istio 1.20.1. See also Istio issue 46791 ›
Tetrate offers an enterprise-ready, 100% upstream distribution of Istio, Tetrate Istio Subscription (TIS). TIS is the easiest way to get started with Istio for production use cases. TIS+, a hosted Day 2 operations solution for Istio, adds a global service registry, unified Istio metrics dashboard, and self-service troubleshooting.
Get access now ›
Install Istio
The following changes the default installation documentation here. The documented process installs the Istio Gateway into a different location than is expected by the configuration.
Add the Istio helm repository:
helm repo add istio https://istio-release.storage.googleapis.com/charts
Create the namespace and install the base chart:
kubectl create ns istio-system
helm install istio-base istio/base -n istio-system
Install and configure istiod:
helm upgrade --install istiod istio/istiod -n istio-system \
--set meshConfig.ingressSelector=istio-ingress \
--set meshConfig.ingressService=istio-ingress \
--set pilot.env.K8S_INGRESS_NS=istio-ingress
Note: The public documentation installs the gateway into a location that is not expected. Here we change those defaults to accommodate this. See the following:
Install the gateway as per the documentation:
kubectl create ns istio-ingress
helm install istio-ingress istio/gateway -n istio-ingress
Note:If the istiod installation has not been customized, the gateway should be installed as per below:
helm install istio-ingressgateway istio/gateway -n istio-system
IngressClass
The following defines the Istio IngressClass:
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: istio
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
spec:
controller: istio.io/ingress-controller
EOF
httpbin
The following installs the httpbin
application:
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
And create the Ingress resource:
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: httpbin
spec:
ingressClassName: istio
rules:
- host: httpbin.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: httpbin
port:
number: 8000
EOF
Validation
Check to see that the Helm values are correct:
$ helm get values istiod -n istio-system
USER-SUPPLIED VALUES:
meshConfig:
ingressSelector: istio-ingress
ingressService: istio-ingress
pilot:
env:
K8S_INGRESS_NS: istio-ingress
The Ingress resource should have an external IP address associated with it:
$ kubectl get ingress -A
NAMESPACE NAME CLASS HOSTS ADDRESS PORTS AGE
default httpbin istio httpbin.example.com 192.168.0.21 80 7s
Note: If there is no external IP, the field is blank, then the Ingress resource has not been implemented upon a gateway.
Conclusion
As you can see from the above, the default Istio installation relies upon several distinct, default configuration values which are correct when deploying with the supplied istioctl profiles. When Helm is used to deploy, specific configuration away from those defaults is much easier. You should now have enough information to be able to find and alter those default values.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.
Get a Demo