Note: Be aware of the platform setup required for OpenShift when installing Istio.
To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is dubbo-system and can be created as follows:
kubectl create namespace dubbo-system
The installation process using the Helm charts is as follows:
base chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from dubbo-system but it is not recommended.
helm install istio-base -n dubbo-system manifests/charts/base
istio-cni chart installs the CNI plugin. This should be installed after the base chart and prior to the istiod chart. Add --set istio_cni.enabled=true to the istiod install to enable its usage.
helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="dubbo-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info
istio-control/istio-discovery chart installs a revision of istiod.
helm install -n dubbo-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni"
gateways charts install a load balancer with ingress and egress.
Ingress secrets and access should be separated from the control plane.
helm install -n dubbo-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt
Egress secrets and access should be separated from the control plane.
helm install -n dubbo-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt
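An added example (not part of the chart repository) that audits `helm list -A` output against the layout described above: base and istiod in the control-plane namespace, the CNI chart in kube-system, and gateways kept out of the control-plane namespace. Release names and namespaces are taken from the commands on this page; the tab-separated table layout is assumed to be Helm 3's, and `istio-gateways` in the test is a hypothetical namespace.

```shell
#!/bin/sh
# Added example: audit `helm list -A` output (read on stdin) against this page's layout.
# Assumes Helm 3's tab-separated table: NAME, NAMESPACE, REVISION, UPDATED, STATUS, ...
CONTROL_NS="${CONTROL_NS:-dubbo-system}"

# Prints one line per finding and returns 1 if there is any, 0 otherwise.
audit_releases() {
  awk -F'\t' -v ctl="$CONTROL_NS" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function finding(msg) { print "FINDING: " msg; bad = 1 }
    NR == 1 { next }                       # skip the header row
    {
      name = trim($1); ns[name] = trim($2); st = trim($5)
      if (st != "deployed") finding(name " has status " st)
    }
    END {
      # base and the istiod revision belong in the control-plane namespace.
      if (ns["istio-base"] != ctl) finding("istio-base is not installed in " ctl)
      if (ns["istio-17"] != ctl) finding("istio-17 is not installed in " ctl)
      # The CNI chart is installed into kube-system on this page.
      if (ns["istio-cni"] != "kube-system") finding("istio-cni is not installed in kube-system")
      # Gateways carry their own secrets: flag any that share the control-plane namespace.
      n = split("istio-ingress istio-egress", gw, " ")
      for (i = 1; i <= n; i++)
        if (ns[gw[i]] == ctl) finding(gw[i] " shares namespace " ctl " with the control plane")
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample table; $1 is the namespace the two gateway releases live in.
# UPDATED, CHART and APP VERSION are placeholders ("-"), not real values.
sample_releases() {
  printf 'NAME\tNAMESPACE\tREVISION\tUPDATED\tSTATUS\tCHART\tAPP VERSION\n'
  printf 'istio-base\tdubbo-system\t1\t-\tdeployed\t-\t-\n'
  printf 'istio-cni\tkube-system\t1\t-\tdeployed\t-\t-\n'
  printf 'istio-17\tdubbo-system\t1\t-\tdeployed\t-\t-\n'
  printf 'istio-ingress\t%s\t1\t-\tdeployed\t-\t-\n' "$1"
  printf 'istio-egress\t%s\t1\t-\tdeployed\t-\t-\n' "$1"
}
```

Against a live cluster, run `helm list -A | audit_releases`; `sample_releases dubbo-system` mirrors the gateway commands exactly as written above, which place both gateways in dubbo-system.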