The 3 most common ways to install Istio
Since organizations often have their own ways of installing systems into their infrastructure, Istio offers multiple installation methods. This post covers the most common methods, giving analysis and guidance on why to pick one over another.
It is a good idea to understand all of the installation options. For example, just because you installed Istio with Helm doesn’t mean you don’t have any use for Istioctl. Quite the opposite in fact! Istioctl has more capabilities past the rapid installation of Istio. The same is true for any Istioctl installation.
You should also be aware of how to migrate to Helm charts if needed, as Helm charts mesh phenomenally well with GitOps and CI/CD pipelines.
Lay of the Land
The three most common ways of installing Istio right now are:
Helm Installation
This assumes you have Helm installed already.
#Add the istio Helm repo to your Helm installation and update Helm helm repo add istio https://istio-release.storage.googleapis.com/charts helm repo update #manually create the namespace kubectl create namespace istio-system #install the base (CRDs) helm install istio-base istio/base -n istio-system #install IstioD (the control plane) helm install istiod istio/istiod -n istio-system --wait |
Optional ingress gateway installation after installing Base and Istiod.
#manually create the namespace kubectl create namespace istio-ingress #Apply sidecar injection via namespace labeling kubectl label namespace istio-ingress istio-injection=enabled #install ingress helm install istio-ingress istio/gateway -n istio-ingress --wait |
Best Practices when using Helm Istio installation:
- Familiarize yourself with the values.yaml file for istiod and gateway. These variables are quite extensive and useful. You will be using this frequently for things like adding annotations for metrics collection, or scaling parameters
- Keep all of your changes within values.yaml files as much as possible. Realistically you should have very few reasons to try and change or override charts and doing so will make future upgrades difficult
- Familiarize yourself with revisions and how to upgrade with Helm. Understanding this before going to production can save you a lot of trouble later
- Understand the interactions between your CI/CD pipeline and these Helm charts. Each system has its nuances around how it handles things like Helm values and secrets
- Even though you have installed via Helm, Istioctl is still a great tool for analysis, problem detection, proxy-config, etc. See more about Istioctl commands here. Of special note are the analyze, proxy-config, and manifest generate command arguments.
Pros of Helm Installation
- Installing via Helm is very common and a well-worn path that has a lot of the Istio community behind it.
- Helm is a mature CNCF graduated project.
- Helm’s integration with GitOps practices makes it very easy to use in production
- Helm charts can be compared between versions. This is made even easier and more powerful by using Git.
- Helm has the ability to produce templates and dry runs to analyze what will be applied without applying it to production.
Cons of Helm Installation
- The time spent getting Helm set up means it’s not great for rapid prototyping.
- Helm installations can produce large and confusing values.yaml files if not well cultivated.
- Values.yaml file can be overwhelming at the start.
Istioctl installation
#Download latest release: curl -L https://istio.io/downloadIstio | sh - #Copy the binary from the downloaded version # to your bin/ directory from the directory made cd istio-X.XX.X mv istioctl bin/ #add Istioctl client to your path export PATH=$PWD/bin:$PATH |
Install Istio with Istioctl and label the default namespace for injection
istioctl install --set profile=demo -y kubectl label namespace default istio-injection=enabled |
Best Practices when using Istioctl installation:
- Familiarize yourself with all the commands that Istioctl can do, especially analyze, proxy-config, and manifest. See the istioctl documentation.
- Understand how profiles work for different installations of Istio. See the Installation Configuration Profiles documentation.
- Use Istioctl’s manifest generate command to create a yaml file for your Istio installation for analysis and review. More information on generating a manifest before installation can be found here.
- Istioctl’s version is tightly coupled with the version of Istio you are installing. You will want to keep your versions of both in lockstep when upgrading or downgrading.
Pros of Istioctl installation
- Very simple and easy way to stand up Istio quickly.
- Great for POC work and quick analysis.
- Istioctl is more than just an installation tool. It will be very helpful in debugging or even just getting a full breakdown of your Istio installation.
Cons of Istioctl installation
- Not easily integrated into CI/CD pipelines.
- Using Istioctl is not particularly GitOps friendly. While it is possible to use Istioctl-generated manifests and then patch in your desired changes, your code will become divergent over time and difficult to maintain and that route is not recommended.
- Can be dangerous in the hands of overprivileged users.
Istio Operator Installation
As of writing this in October 2022 the popular Open-Source Istio Operator is no longer being actively supported. If you want to continue using an operator, a pattern that is very common, Gloo Mesh has a supported Istio Operator developed by Solo.io. More information on Gloo Mesh Lifecycle management and using the Gloo Mesh operator can be found here.
Best Practices when using an Istio Operator installation:
- Familiarize yourself with the logs being produced by the Istio-operator container. It is a good place to start debugging any component issues
- Adding alerting around installStatus can be useful for the early detection of component issues
Pros of Istio Operator Installation:
- Operators can manage the state of the application in a way that Helm charts cannot.
- The complexity of installation is reduced by having a single management application to install.
- Still works within GitOPs and CI/CD pipelines very well via changing values in a yaml file.
Cons of Istio Operator installation:
- Debugging can be more complex as you will have to analyze not just Istio, but what the operator is applying.
- Using an operator can abstract away fine-grained control.
- Operators are more complex to maintain by contributors.
- The OSS Istio Operator does not upgrade minor versions.
Gloo Mesh
Gloo Mesh Enterprise supports the above three methods of installation and greatly extends their ability to manage multiple clusters, their lifecycle, and even divergent Istio versions across clusters. The rough equivalents are as follows:
- Istioctl: Meshctl is used to install Gloo Mesh similar to Istioctl installing Istio, but adds in multi-cluster management, more in-depth debugging, etc. More on the Meshctl can be found here.
- Helm: Gloo Mesh has full production-ready Helm support.
- Istio Operator: Gloo Mesh also has Operator support for Lifecycle Management.
Further Reading
Hopefully, this has clarified the most common ways of installing Istio and helped you focus on the best fit for your organization. If you want to learn more about deploying Istio for production, Solo Academy has both an on-demand course Deploy Istio for Production as well as frequent instructor-led workshops where you can ask us questions.
