Review the following information about the Istio control plane setup in this guide:

Set up tools

Set up the following tools and environment variables.

  1. Set environment variables for the Solo distribution of Istio that you want to install. You can find these values in the Istio images built by Solo.io support article. For more information, see the Solo distribution of Istio overview.

      # Solo distrubution of Istio patch version
    # in the format 1.x.x, with no tags
    export ISTIO_VERSION=1.24.2
    # Repo key for the minor version of the Solo distribution of Istio
    # This is the 12-character hash at the end of the repo URL: 'us-docker.pkg.dev/gloo-mesh/istio-<repo-key>'
    export REPO_KEY=<repo_key>
    
    # Solo distrubution of Istio patch version and Solo tag
    # Optionally append other Solo tags as needed
    export ISTIO_IMAGE=${ISTIO_VERSION}-solo
    # Solo distribution of Istio image repo
    export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
      

    Be sure to review the following known Istio version restrictions.

  2. Install istioctl, the Istio CLI tool.

      curl -L https://istio.io/downloadIstio | ISTIO_VERSION=${ISTIO_VERSION} sh -
    cd istio-${ISTIO_VERSION}
    export PATH=$PWD/bin:$PATH
      
  3. Add and update the Helm repository for Istio.

      helm repo add istio https://istio-release.storage.googleapis.com/charts
    helm repo update
      

Deploy an Istio service mesh with Helm

Deploy the Istio CRDs and a sidecar control plane to your cluster.

  1. Save the name and kubeconfig context of a workload cluster in the following environment variables. Each time you repeat the steps in this guide, you change these variables to the next workload cluster’s name and context.

      export CLUSTER_NAME=<cluster-name>
    export CLUSTER_CONTEXT=<cluster-context>
      
  2. Install the Istio CRDs.

      helm upgrade --install istio-base istio/base \
      -n istio-system \
      --create-namespace \
      --kube-context ${CLUSTER_CONTEXT} \
      --version ${ISTIO_VERSION} \
      --set defaultRevision=main
      
  3. Create the istio-config namespace. This namespace serves as the administrative root namespace for Istio configuration.

      kubectl create namespace istio-config --context ${CLUSTER_CONTEXT}
      
  4. OpenShift only: Install the CNI plug-in, which is required for using Istio in OpenShift.

      helm install istio-cni istio/cni \
    --namespace kube-system \
    --kube-context ${CLUSTER_CONTEXT} \
    --version ${ISTIO_VERSION} \
    --set cni.cniBinDir=/var/lib/cni/bin \
    --set cni.cniConfDir=/etc/cni/multus/net.d \
    --set cni.cniConfFileName="istio-cni.conf" \
    --set cni.chained=false \
    --set cni.privileged=true
      
  5. Prepare a Helm values file for the istiod control plane. You can further edit the file to provide your own details for production-level settings.

    1. Download an example file, istiod.yaml, and update the environment variables with the values that you previously set. The provided Helm values files are configured with production-level settings; however, depending on your environment, you might need to edit settings to achieve specific Istio functionality.

        curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh/istio-install/manual-helm/istiod-1.24+.yaml > istiod.yaml
      envsubst < istiod.yaml > istiod-values.yaml
      open istiod-values.yaml
        
    2. Optional: Trust domain validation is disabled by default in the profile that you downloaded in the previous step. If you have a multicluster mesh setup and you want to enable trust domain validation, add all the clusters that are part of your mesh in the meshConfig.trustDomainAliases field, excluding the cluster that you currently prepare for the istiod installation. For example, let’s say you have 3 clusters that belong to your mesh: cluster1, cluster2, and cluster3. When you install istiod in cluster1, you set the following values for your trust domain:

        ...
      meshConfig:
        trustDomain: cluster1
        trustDomainAliases: ["cluster2","cluster3"]
        

      Then, when you move on to install istiod in cluster2, you set trustDomain: cluster2 and trustDomainAliases: ["cluster1","cluster3"]. You repeat this step for all the clusters that belong to your service mesh. Note that as you add or delete clusters from your service mesh, you must make sure that you update the trustDomainAliases field for all of the clusters.

  6. Create the istiod control plane in your cluster.

  7. After the installation is complete, verify that the Istio control plane pods are running.

      kubectl get pods -n istio-system --context ${CLUSTER_CONTEXT}
      

    Example output:

      NAME                          READY   STATUS    RESTARTS   AGE
    istiod-main-bb86b959f-msrg7   1/1     Running   0          2m45s
    istiod-main-bb86b959f-w29cm   1/1     Running   0          3m
      
  8. Multicluster setups: Repeat steps 1 - 7 for each cluster where you want to install Istio. Be sure to change the values of the $CLUSTER_NAME and $CLUSTER_CONTEXT environment variables for each cluster.

Next

Add apps to the service mesh.