Istio installation failed with private docker registry - kubernetes

Bug description
Installation gets timeout errors, and kubectl get pods -n istio-system shows ImagePullBackOff.
kubectl describe pod istiod-xxx-xxx -n istio-system
Failed to pull image "our-registry:5000/pilot:1.10.3": rpc error: code = Unknown desc = Error response from daemon: Head https://our-registry:5000/v2/pilot/manifests/1.10.3: no basic auth credentials
Affected product area (please put an X in all that apply)
[x] Installation
Expected behavior
Successful installation with istioctl install --set profile=demo --set hub=our-registry:5000
Steps to reproduce the bug
Create istio-system namespace.
Set docker-registry user credentials for istio-system namespace.
istioctl manifest generate --set profile=demo --set hub=our-registry:5000 > new-generated-manifest.yaml
Verify it has proper images with our-registry:5000
Pull and push required images to our-registry:5000
istioctl install --set profile=demo --set hub=our-registry:5000
Version
Kubernetes : v1.21
Istio : 1.10.3 / 1.7.3
How was Istio installed?
istioctl install --set profile=demo --set hub=our-registry:5000
[References]
1. Tried to set up imagePullSecrets as described here, but it gives: Json object error
2. Here they describe using it in charts, but I don't know how they applied it.
Originally posted as an issue.

There are two ways to circumvent this issue.
If installing with istioctl install
When using istioctl install, provide a secret with docker-registry auth details with --set values.global.imagePullSecrets, like this:
istioctl install [other options] --set values.global.imagePullSecrets[0]=<auth-secret>
Where <auth-secret> is the secret created prior on the cluster.
You can read more about using secrets with docker repository here
If installing using Istio operator
When installing Istio with the operator from a private registry, you have to pass proper YAML:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
...
spec:
  profile: demo #as an example
  values:
    global:
      imagePullSecrets:
      - <auth-secret>
...
Again, <auth-secret> must be created prior.
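Added example, not part of the original answer or of Istio's tooling: two POSIX shell functions that read the output of istioctl manifest generate and report images that sit outside the private hub and workloads that would pull without credentials. The sample manifest and the secret name regcred are constructed; the checks match lines rather than parse YAML, and they accept a pull secret on either the pod spec or the workload's ServiceAccount, since Kubernetes honours both.

```shell
# Added example, line-based (not a YAML parser). Print images on stdin not under "<hub>/".
images_outside_hub() {
  sed -n 's/^ *\(- \)\{0,1\}image: *//p' | tr -d "\"'" | sort -u |
    awk -v hub="$1/" 'index($0, hub) != 1'
}

# Print kind/name of workloads lacking imagePullSecrets (pod spec or ServiceAccount).
workloads_without_pull_secret() {
  awk '
    function enddoc() {
      if (kind == "ServiceAccount" && secret) sa_ok[name] = 1
      if (image && !secret) { n++; w[n] = kind "/" name; w_sa[n] = sa }
    }
    /^---/                            { enddoc(); kind = name = sa = ""; image = secret = 0; next }
    /^kind:/                          { kind = $2 }
    /^  name:/ && name == ""          { name = $2 }
    /^ *serviceAccountName:/          { sa = $2 }
    /^ *imagePullSecrets:/ && !/\[\]/ { secret = 1 }
    /^ *(- )?image:/                  { image = 1 }
    END { enddoc(); for (i = 1; i <= n; i++) if (!(w_sa[i] in sa_ok)) print w[i] }'
}
# Constructed sample manifest; the secret name "regcred" is hypothetical.
sample_manifest() { cat <<'EOF'
kind: ServiceAccount
metadata:
  name: istiod
imagePullSecrets:
- name: regcred
---
kind: Deployment
metadata:
  name: istiod
spec:
  template:
    spec:
      serviceAccountName: istiod
      containers:
      - image: "our-registry:5000/pilot:1.10.3"
---
kind: Deployment
metadata:
  name: istio-ingressgateway
spec:
  template:
    spec:
      containers:
      - image: docker.io/istio/proxyv2:1.10.3
EOF
}
```

Against a real render, pipe new-generated-manifest.yaml into each function; any line printed is an image or workload that can still end in ImagePullBackOff on a registry that requires authentication.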

Related

AKS nginx-ingress controller ACR

I'm unable to install the nginx ingress controller on AKS. Since I'm using userDefinedRouting as outboundType for egress, when running
helm install nginx-ingress nginx-stable/nginx-ingress -n ingress --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal"='"true"' --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal-subnet"=x-x-x-aks-ingress-sub01 --set controller.service.loadBalancerIP="10.240.137.40"
I can see that it failed to download the image because the root CA is not on the worker node and hence is unable to verify the SSL certificate. This is actually good and I've uploaded the nginx image to my ACR:
docker pull nginx, docker tag nginx/nginx-ingress:2.2.2 nameofacr.azurecr.io/hub/nginx/nginx-ingress:2.2.2, and docker push nameofacr.azurecr.io/hub/nginx/nginx-ingress:2.2.2.
If I look in the values.yaml file I see this:
values.yaml
I've followed how to - helm install using private registry and think that I've added the tag as required, but I can't figure out how to run the command now so that it will pull the image from my ACR.
What I've tried:
helm install nginx-ingress nameofacr.azurecr.io/hub/nginx/nginx-ingress -n ingress --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal"='"true"' --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal-subnet"=x-x-x-x-aks-ingress-sub01 --set controller.service.loadBalancerIP="10.240.137.40"
failed with Error: INSTALLATION FAILED: failed to download "nameofacr.azurecr.io/hub/nginx/nginx-ingress"
or
helm install nginx-ingress --set Image=nameofacr.azurecr.io nginx/nginx-ingress -n ingress --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal"='"true"' --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-internal-subnet"=x-x-x-x-aks-ingress-sub01 --set controller.service.loadBalancerIP="10.240.137.40"
resulted in Error: INSTALLATION FAILED: failed to download "nginx/nginx-ingress"
I can't get this to work. Any help please?
Use this chart: ingress-nginx/ingress-nginx. There is official documentation that explains how to import images to a private ACR.
You can use these commands to import images:
az acr import --name nameofacr --source k8s.gcr.io/ingress-nginx/controller:v1.2.1 --force
az acr import --name nameofacr --source k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1 --force
Also try to fix the helm chart version (helm install nginx-ingress ingress-nginx/ingress-nginx --version 4.1.3) to be sure you use the images related to a specific values.yaml.

helm deployments over kustomize

Say for example I have rendered all the manifests of a tool called cert-manager and I have deployed them in a Kubernetes environment using kustomize. If I want to perform a version upgrade of cert-manager through helm, how do I do that?
You can just run the command
helm repo add jetstack https://charts.jetstack.io
Update the variable or value you would like to change:
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1 \
  # --set installCRDs=true
Make sure you use the same name of deployment or stateful sets, so the Pods or deployment will get rolled out accordingly.
I think cert-manager does not use a PVC or PV, so there is nothing to worry about regarding Read Write Many.
Ref doc : https://cert-manager.io/docs/installation/helm/

Not able to install istio with helm on my digitalocean kubernetes cluster

I have downloaded the latest stable release of istio, i.e. 1.11.4, and am executing the below command inside the root of the istio release folder:
helm install istio install/kubernetes/helm/istio --namespace istio-system --set grafana.enabled=True --set kiali.enabled=True
When I do, I get the error:
Error: INSTALLATION FAILED: failed to download "install/kubernetes/helm/istio"
My helm version: version.BuildInfo{Version:"v3.7.1"
How can I resolve this error?
You are using some old command to install Istio.
Check out the latest installation docs: https://istio.io/latest/docs/setup/install/helm/#installation-steps
Additionally, the addons (grafana, kiali, or prometheus) are not part of Istio anymore and need to be installed separately as shown here:
Prometheus: https://istio.io/latest/docs/ops/integrations/prometheus/
Grafana: https://istio.io/latest/docs/ops/integrations/grafana/
Kiali: https://istio.io/latest/docs/ops/integrations/kiali/

Use Gitlab-installed Helm from CLI. Could not find tiller

I've created a kubernetes cluster on AWS using Kops, and I've correctly configured the cluster on Gitlab.
I've installed Helm Tiller and Ingress from Gitlab's panel, but I now wish to uninstall the Ingress chart.
I'm not sure how to uninstall the ingress chart. What I'm trying now is configuring my Helm CLI to delete the ingress release, but I'm not getting the Helm CLI correctly configured. The Tiller stuff is being deployed at the gitlab-managed-apps, so I'm trying the following command:
$ helm init --tiller-namespace gitlab-managed-apps --service-account tiller --upgrade
HELM_HOME has been configured at C:\Users\danie\.helm.
Tiller (the Helm server-side component) has been upgraded to the current version.
Happy Helming!
But then when I'm trying to issue the helm ls command I'm getting the following error:
$ helm ls
Error: could not find tiller
But the service account exists on the namespace:
$ kubectl get serviceAccounts -n gitlab-managed-apps
NAME                    SECRETS   AGE
default                 1         23h
ingress-nginx-ingress   1         23h
tiller                  1         23h
Any ideas how to get the CLI correctly configured?
You have installed tiller to a namespace that is not the default namespace.
As per default the Helm CLI will assume tiller is installed in default and that this is the namespace you want to "get in touch with".
This can be fixed by using the tiller-namespace flag; for your example that'd be
helm list --tiller-namespace gitlab-managed-apps
Try using Helm version 3 onward. Helm versions 1 and 2 are actually composed of two pieces – the Helm CLI, and Tiller, the Helm server-side component. It is important to note that Helm 3 removes the Tiller component, and thus is more secure.

Helm repo to install istio

I am trying to install istio. I can easily package the helm chart if I clone the repo from github but I am just wondering if there is a helm chart repo that I can use?
If you're looking for a way to install an istio version higher than 1.8.0 then there is good news.
According to documentation helm support is back, currently in alpha.
We’ve added support for installing Istio with Helm 3. This includes both in-place upgrades and canary deployment of new control planes, after installing 1.8 or later. Helm 3 support is currently Alpha, so please try it out and give your feedback.
There is istio documentation about installing Istio with Helm 3, Helm 2 is not supported for installing Istio.
These are the prerequisites:
Download the Istio release
Perform any necessary platform-specific setup
Check the Requirements for Pods and Services
Install a Helm client with a version higher than 3.1.1
These are the installation steps for istio 1.8.1:
Note that the default chart configuration uses the secure third party tokens for the service account token projections used by Istio proxies to authenticate with the Istio control plane. Before proceeding to install any of the charts below, you should verify if third party tokens are enabled in your cluster by following the steps described here. If third party tokens are not enabled, you should add the option --set global.jwtPolicy=first-party-jwt to the Helm install commands. If the jwtPolicy is not set correctly, pods associated with istiod, gateways or workloads with injected Envoy proxies will not get deployed due to the missing istio-token volume.
1. Download the Istio release and change directory to the root of the release package and then follow the instructions below.
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.8.1 sh -
cd istio-1.8.1
2. Create a namespace istio-system for Istio components:
kubectl create namespace istio-system
3. Install the Istio base chart which contains cluster-wide resources used by the Istio control plane:
helm install -n istio-system istio-base manifests/charts/base
4. Install the Istio discovery chart which deploys the istiod service:
helm install --namespace istio-system istiod manifests/charts/istio-control/istio-discovery \
  --set global.hub="docker.io/istio" --set global.tag="1.8.1"
5. Install the Istio ingress gateway chart which contains the ingress gateway components:
helm install --namespace istio-system istio-ingress manifests/charts/gateways/istio-ingress \
  --set global.hub="docker.io/istio" --set global.tag="1.8.1"
6. (Optional) Install the Istio egress gateway chart which contains the egress gateway components:
helm install --namespace istio-system istio-egress manifests/charts/gateways/istio-egress \
  --set global.hub="docker.io/istio" --set global.tag="1.8.1"
7. Verify that all Kubernetes pods in istio-system namespace are deployed and have a STATUS of Running:
kubectl get pods -n istio-system
Yes there is. A quick google search turned this up: https://github.com/istio/istio/tree/master/install/kubernetes/helm/istio
It's a pain to find, and they don't really reference it properly in the documentation, but according to these two comments, the charts can be found in the following locations:
master: https://gcsweb.istio.io/gcs/istio-prerelease/daily-build/master-latest-daily/charts/
v1.1.x: https://gcsweb.istio.io/gcs/istio-prerelease/daily-build/release-1.1-latest-daily/charts/
For a more recent answer, you can now add helm repository for istio for a specific version with helm repo add istio.io https://storage.googleapis.com/istio-release/releases/{{< istio_full_version >}}/charts/ according to documentation here.
It seems that helm repo add istio.io https://storage.googleapis.com/istio-release/releases/charts works too, but for older versions (up to 1.1.2). It is not yet documented but follows a more idiomatic versioning. An issue is open on istio: https://github.com/istio/istio/issues/15498
The official helm chart is coming now!
https://artifacthub.io/packages/helm/istio-official/gateway
Need to be careful about the comment in issue #31275:
Note: this is a 1.12 prerelease, so you need to pass --devel to all helm commands and should not run it in prod yet.
Because the chart is still in the alpha version, we need to pass --devel flag or specify a chart version to allow development versions.
Install steps:
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
helm install --devel istio-ingressgateway istio/gateway
# or --version 1.12.0-alpha.1
helm repo add istio https://istio.io/charts works. I found it in this PR.