{"id":16887058,"url":"https://github.com/ddymko/istio-helm","last_synced_at":"2025-10-13T13:36:21.546Z","repository":{"id":79921352,"uuid":"360003317","full_name":"ddymko/istio-helm","owner":"ddymko","description":null,"archived":false,"fork":false,"pushed_at":"2021-04-21T02:39:05.000Z","size":180,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-10-10T23:46:52.451Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Smarty","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ddymko.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-04-21T01:58:49.000Z","updated_at":"2021-04-21T02:11:20.000Z","dependencies_parsed_at":"2023-04-22T01:01:16.373Z","dependency_job_id":null,"html_url":"https://github.com/ddymko/istio-helm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ddymko/istio-helm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddymko%2Fistio-helm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddymko%2Fistio-helm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddymko%2Fistio-helm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddymko%2Fistio-helm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ddymko","download_url":"https://codeload.github.com/ddymko/istio-helm/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddymko%2Fistio-helm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279015352,"owners_count":26085684,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T16:42:36.542Z","updated_at":"2025-10-13T13:36:21.534Z","avatar_url":"https://github.com/ddymko.png","language":"Smarty","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Istio Installer\n\nNote: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)\n\nIstio installer is a modular, 'a-la-carte' installer for Istio. It is based on a\nfork of the Istio helm templates, refactored to increase modularity and isolation.\n\nGoals:\n- Improve upgrade experience: users should be able to gradually roll upgrades, with proper\ncanary deployments for Istio components. It should be possible to deploy a new version while keeping the\nstable version in place and gradually migrate apps to the new version.\n\n- More flexibility: the new installer allows multiple 'environments', allowing applications to select\na set of control plane settings and components. While the entire mesh respects the same APIs and config,\napps may target different 'environments' which contain different instances and variants of Istio.\n\n- Better security: separate Istio components reside in different namespaces, allowing different teams or\nroles to manage different parts of Istio. For example, a security team would maintain the\nroot CA and policy, a telemetry team may only have access to Prometheus,\nand a different team may maintain the control plane components (which are highly security sensitive).\n\nThe install is organized in 'environments' - each environment consists of a set of components\nin different namespaces that are configured to work together. Regardless of 'environment',\nworkloads can talk with each other and obey the Istio configuration resources, but each environment\ncan use different Istio versions and different configuration defaults.\n\n`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.\nIn the case of the sidecar injector, the namespace label `istio-env: \u003cNAME_OF_ENV\u003e` is used instead\nof the conventional `istio-injected: true`. The name of the environment is defined as the namespace\nwhere the corresponding control plane components (config, discovery, auto-injection) are running.\nIn the examples below, by default this is the `istio-control` namespace. Pod annotations can also\nbe used to select a different 'environment'.\n\n## Installing\n\nThe new installer is intended to be modular and very explicit about what is installed. It has\nfar more steps than the Istio installer - but each step is smaller and focused on a specific\nfeature, and can be performed by different people/teams at different times.\n\nIt is strongly recommended that different namespaces are used, with different service accounts.\nIn particular access to the security-critical production components (root CA, policy, control)\nshould be locked down and restricted.  The new installer allows multiple instances of\npolicy/control/telemetry - so testing/staging of new settings and versions can be performed\nby a different role than the prod version.\n\nThe intended users of this repo are users running Istio in production who want to select, tune\nand understand each binary that gets deployed, and select which combination to use.\n\nNote: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in\n`istio-system`. The new components will not interfere with existing apps, but can interoperate\nand it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and\nacross environments ( for example canary -\u003e prod )\n\nNote: there are still some cluster roles that may need to be fixed, most likely cluster permissions\nwill need to move to the security component.\n\n## Everything is Optional\n\nEach component in the new installer is optional. Users can install the component defined in the new installer,\nuse the equivalent component in `istio-system`, configured with the official installer, or use a different\nversion or implementation.\n\nFor example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom\ncertificate provisioning tool, or use components that are centrally managed and running in a different cluster.\n\nThis is a work in progress - building on top of the multi-cluster installer.\n\nAs an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component\nin that cluster. Currently the minimum we require is the security provider (node agent or citadel).\n\n### Install Istio CRDs\n\nThis is the first step of the install. Please do not remove or edit any CRD - config currently requires\nall CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure\nyou get all CRDs.  CRDs are separated by release and by component type in the CRD directory.\n\nIstio has strong integration with certmanager.  Some operators may want to keep their current certmanager\nCRDs in place and not have Istio modify them.  In this case, it is necessary to apply CRD files individually.\n\n```bash\nkubectl apply -k github.com/istio/installer/base\n```\n\nor\n\n```bash\nkubectl apply -f base/files\n```\n\n### Install Istio-CNI\n\nThis is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely\nsecurity sensitive. Access to the CNI namespace must be highly restricted.\n\n**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster\nis a GKE cluster.\n\n```bash\nISTIO_CNI_ARGS=\n# TODO: What k8s data can we use for this check for whether GKE?\nif [[ \"${ISTIO_CLUSTER_ISGKE}\" == \"true\" ]]; then\n    ISTIO_CNI_ARGS=\"--set cni.cniBinDir=/home/kubernetes/bin\"\nfi\niop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}\n```\n\nTODO. It is possible to add Istio-CNI later, and gradually migrate.\n\n### Install Control plane\n\nThis can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,\nand it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.\n\n```bash\niop istio-control istio-discovery $IBASE/istio-control/istio-discovery \\\n            --set global.istioNamespace=istio-system\n\n# Second istio-discovery, using master version of istio\nTAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \\\n            --set policy.enable=false \\\n            --set global.istioNamespace=istio-master\n```\n\n### Gateways\n\nA cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.\n\nSince the domain certificates are stored in the gateway namespace, it is recommended to keep each\ngateway in a dedicated namespace and restrict access.\n\nFor large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.\n\n### Additional test templates\n\nA number of helm test setups are general-purpose and should be installable in any cluster, to confirm\nIstio works properly and allow testing the specific install.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fddymko%2Fistio-helm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fddymko%2Fistio-helm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fddymko%2Fistio-helm/lists"}