The 3 most common ways to install Istio

James Ilse | November 04, 2022

Since organizations often have their own ways of installing systems into their infrastructure, Istio offers multiple installation methods. This post covers the most common methods, giving analysis and guidance on why to pick one over another. 

It is a good idea to understand all of the installation options. For example, just because you installed Istio with Helm doesn’t mean you don’t have any use for Istioctl. Quite the opposite in fact! Istioctl has more capabilities past the rapid installation of Istio. The same is true for any Istioctl installation. 

You should also be aware of how to migrate to Helm charts if needed, as Helm charts mesh phenomenally well with GitOps and CI/CD pipelines.

Lay of the Land

The three most common ways of installing Istio right now are:

  1. Helm charts
  2. Istioctl binary
  3. IstioOperator

Helm Installation

This assumes you have Helm installed already.

#Add the istio Helm repo to your Helm installation and update Helm
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
#manually create the namespace
kubectl create namespace istio-system
#install the base (CRDs)
helm install istio-base istio/base -n istio-system
#install Istiod (the control plane)
helm install istiod istio/istiod -n istio-system --wait

Optional ingress gateway installation after installing Base and Istiod.

#manually create the namespace
kubectl create namespace istio-ingress
#Apply sidecar injection via namespace labeling
kubectl label namespace istio-ingress istio-injection=enabled
#install ingress
helm install istio-ingress istio/gateway -n istio-ingress --wait

Best Practices when using Helm Istio installation:

  • Familiarize yourself with the values.yaml file for istiod and gateway. These variables are quite extensive and useful. You will use them frequently for things like adding annotations for metrics collection or setting scaling parameters.
  • Keep all of your changes within values.yaml files as much as possible. Realistically, you should have very few reasons to change or override the charts themselves, and doing so will make future upgrades difficult.
  • Familiarize yourself with revisions and how to upgrade with Helm. Understanding this before going to production can save you a lot of trouble later.
  • Understand the interactions between your CI/CD pipeline and these Helm charts. Each system has its nuances around how it handles things like Helm values and secrets.
  • Even though you have installed via Helm, Istioctl is still a great tool for analysis, problem detection, proxy-config, etc. See more about Istioctl commands here. Of special note are the analyze, proxy-config, and manifest generate command arguments.

Pros of Helm Installation

  • Installing via Helm is very common and a well-worn path that has a lot of the Istio community behind it.
  • Helm is a mature CNCF graduated project.
  • Helm’s integration with GitOps practices makes it very easy to use in production.
  • Helm charts can be compared between versions. This is made even easier and more powerful by using Git.
  • Helm has the ability to produce templates and dry runs to analyze what will be applied without applying it to production.

Cons of Helm Installation

  • The time spent getting Helm set up means it’s not great for rapid prototyping.
  • Helm installations can produce large and confusing values.yaml files if not well cultivated.
  • The values.yaml file can be overwhelming at the start.

Istioctl installation 

#Download the latest release:
curl -L https://istio.io/downloadIstio | sh -
#Move into the directory the download created; the istioctl binary is already in its bin/ directory
cd istio-X.XX.X
#add Istioctl client to your path
export PATH=$PWD/bin:$PATH

Install Istio with Istioctl and label the default namespace for injection

istioctl install --set profile=demo -y
kubectl label namespace default istio-injection=enabled
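
Both the Helm and Istioctl walkthroughs end by labeling a namespace for sidecar injection, so a useful follow-up check is which namespaces actually ended up in the mesh. The script below is an added example, not part of the original post: it classifies namespaces by the `istio-injection` label and the `istio.io/rev` revision label. The function names, the allow-list and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit namespace injection labels.
# Input on stdin, one namespace per line: NAME INJECTION REVISION, with a
# missing label shown as <none> (the way kubectl custom-columns prints it).

# Hypothetical helper: produce that listing from a live cluster.
list_namespaces() {
  kubectl get namespaces --no-headers -o \
    'custom-columns=NAME:.metadata.name,INJ:.metadata.labels.istio-injection,REV:.metadata.labels.istio\.io/rev'
}

# Hypothetical helper: print "namespace status" for each input line.
classify_injection() {
  awk '
    NF < 3 { next }   # skip blank or malformed lines
    {
      ns = $1; inj = $2; rev = $3
      # istio-injection takes precedence over istio.io/rev, so a namespace
      # carrying both labels is flagged instead of guessed at.
      if (inj != "<none>" && rev != "<none>") status = "conflict"
      else if (inj == "enabled")              status = "injected"
      else if (rev != "<none>")               status = "injected-rev:" rev
      else if (inj == "disabled")             status = "opted-out"
      else                                    status = "not-in-mesh"  # also catches typos such as "true"
      print ns, status
    }'
}

# Hypothetical helper: list namespaces outside the mesh, minus an allow-list
# of space-separated names passed as $1.
unmeshed() {
  allow=" $1 "
  classify_injection | while read -r ns status; do
    case "$status" in injected*) continue ;; esac
    case "$allow" in *" $ns "*) continue ;; esac
    echo "$ns $status"
  done
}

# Constructed sample listing (not real cluster output).
SAMPLE_LISTING='default        enabled   <none>
istio-ingress  enabled   <none>
istio-system   <none>    <none>
payments       <none>    1-15-3
legacy         disabled  <none>
staging        enabled   1-15-3
batch          true      <none>'

printf '%s\n' "$SAMPLE_LISTING" | unmeshed "istio-system kube-system"
```

Against a cluster, pipe `list_namespaces` into `unmeshed` with your own allow-list; any line it prints is a namespace whose workloads run without a sidecar or carry ambiguous labels.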

Best Practices when using Istioctl installation:

Pros of Istioctl installation

  • Very simple and easy way to stand up Istio quickly.
  • Great for POC work and quick analysis.
  • Istioctl is more than just an installation tool. It will be very helpful in debugging or even just getting a full breakdown of your Istio installation.

Cons of Istioctl installation

  • Not easily integrated into CI/CD pipelines.
  • Using Istioctl is not particularly GitOps friendly. While it is possible to use Istioctl-generated manifests and then patch in your desired changes, your code will diverge over time and become difficult to maintain, so that route is not recommended.
  • Can be dangerous in the hands of overprivileged users.

Istio Operator Installation

As of writing this in October 2022 the popular Open-Source Istio Operator is no longer being actively supported. If you want to continue using an operator, a pattern that is very common, Gloo Mesh has a supported Istio Operator developed by Solo.io. More information on Gloo Mesh Lifecycle management and using the Gloo Mesh operator can be found here.

Best Practices when using an Istio Operator installation:

  • Familiarize yourself with the logs being produced by the Istio-operator container. It is a good place to start debugging any component issues.
  • Adding alerting around installStatus can be useful for the early detection of component issues.

Pros of Istio Operator Installation:

  • Operators can manage the state of the application in a way that Helm charts cannot.
  • The complexity of installation is reduced by having a single management application to install.
  • Still works very well within GitOps and CI/CD pipelines, since changes are made by editing values in a YAML file.

Cons of Istio Operator installation:

  • Debugging can be more complex as you will have to analyze not just Istio, but what the operator is applying.
  • Using an operator can abstract away fine-grained control.
  • Operators are more complex for contributors to maintain.
  • The OSS Istio Operator does not upgrade minor versions.

Gloo Mesh

Gloo Mesh Enterprise supports the above three methods of installation and greatly extends their ability to manage multiple clusters, their lifecycle, and even divergent Istio versions across clusters. The rough equivalents are as follows:

Further Reading

Hopefully, this has clarified the most common ways of installing Istio and helped you focus on the best fit for your organization. If you want to learn more about deploying Istio for production, Solo Academy has both an on-demand course Deploy Istio for Production as well as frequent instructor-led workshops where you can ask us questions.
