Install NGINX Service Mesh using Helm

This topic explains how to deploy, upgrade, and remove NGINX Service Mesh using Helm.

Overview

This topic contains instructions for installing, upgrading, and uninstalling NGINX Service Mesh using Helm.

Prerequisites

Important:
Before installing NGINX Service Mesh, make sure you’ve completed the following steps.
  • You have Helm 3.5+ installed.
  • You have a working Kubernetes cluster, version 1.16 or newer.
  • You followed the Platform Setup guide to prepare your cluster to work with NGINX Service Mesh.
  • You reviewed the Configuration Options .

Getting the Chart Sources

This step is required if you’re installing the chart using its sources. Additionally, this step is required for upgrading/deleting the custom resource definitions (CRDs), which NGINX Service Mesh requires by default.

git clone https://github.com/nginxinc/nginx-service-mesh
cd nginx-service-mesh/helm-chart
git checkout v1.1.0

Adding the Helm Repository

This step is required if you’re installing the chart via the helm repository.

helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update

Installing the Chart

NGINX Service Mesh requires a dedicated namespace for the control plane. You can create this namespace yourself, or allow Helm to create it for you via the --create-namespace flag when installing.

For information on the container images that NGINX Service Mesh uses, see this section on Images .

Note:

NGINX Service Mesh control plane Pods may take some time to become Ready once installed. Some Pods may display error logs during the startup process; this is normal as the Pods attempt to connect to each other.

Ensure all control plane Pods are in a Ready state before deploying your applications.

Install via Repository

To install the chart with the release name nsm and namespace nginx-mesh, run:

helm install nsm nginx-stable/nginx-service-mesh --namespace nginx-mesh --create-namespace

Install via Source

To install the chart with the release name nsm and namespace nginx-mesh, run:

helm install nsm . --namespace nginx-mesh --create-namespace

Upgrading the Chart

Upgrading the CRDs

Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, run the following command to upgrade the CRDs:

kubectl apply -f crds/
Note:
The following warning is expected and can be ignored: Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply.

Upgrading the Release

To upgrade the release nsm in the nginx-mesh namespace:

Upgrade via Repository

helm upgrade nsm nginx-stable/nginx-service-mesh  --namespace nginx-mesh

Upgrade via Source

helm upgrade nsm . --namespace nginx-mesh

Uninstalling the Chart

Uninstalling the Release

To uninstall/delete the release nsm in the nginx-mesh namespace:

helm uninstall nsm --namespace nginx-mesh

This command removes all of the Kubernetes components associated with the NGINX Service Mesh release. The namespace is not deleted.

Uninstalling the CRDs

Uninstalling the release does not remove the CRDs. To remove the CRDs, run the following command:

kubectl delete -f crds/

After uninstalling, remove the sidecar proxy from deployments .

Configuration Options

The values.yaml file within the nginx-service-mesh Helm chart contains the deployment configuration for NGINX Service Mesh. These configuration fields map directly to the nginx-meshctl deploy command-line options mentioned throughout our documentation. More details about these options can be found in the Configuration guide. You can update these fields directly in the values.yaml file, or by specifying the --set flag when running helm install.

The following table lists the configurable parameters of the NGINX Service Mesh chart and their default values.

Parameter Description Default
registry.server Hostname:port (if needed) for registry and path to images. Affects: nginx-mesh-api, nginx-mesh-metrics, nginx-mesh-sidecar, nginx-mesh-init, nginx-mesh-cert-reloader docker-registry.nginx.com/nsm
registry.imageTag Tag used for pulling images from registry. Affects: nginx-mesh-api, nginx-mesh-metrics, nginx-mesh-sidecar, nginx-mesh-init, nginx-mesh-cert-reloader 1.1.0
registry.key Contents of your Google Cloud JSON key file. Can be set via “–set-file registry.key=.json”. Cannot be used with username/password. ""
registry.username Username for accessing private registry. Cannot be used with key. ""
registry.password Password for accessing private registry. Cannot be used with key. ""
registry.disablePublicImages Do not pull third party images from public repositories. If true, registry.server is used for all images. false
registry.imagePullPolicy Image pull policy. IfNotPresent
accessControlMode Default access control mode for service-to-service communication. allow
deployGrafana Deploy Grafana as a part of the NGINX Service Mesh. true
nginxErrorLogLevel NGINX error log level. warn
nginxLogFormat NGINX log format. default
nginxLBMethod NGINX load balancing method. least_time
prometheusAddress The address of a Prometheus server deployed in your Kubernetes cluster. Address should be in the format .:. ""
autoInjection.disable Disable automatic sidecar injection upon resource creation. Use the “enabledNamespaces” flag to enable automatic injection in select namespaces. false
autoInjection.disabledNamespaces Disable automatic sidecar injection for specific namespaces. Cannot be used with “disable”. []
autoInjection.enabledNamespaces Enable automatic sidecar injection for specific namespaces. Must be used with “disable”. []
tracing.disable Disable tracing for all services. false
tracing.address The address of a tracing server deployed in your Kubernetes cluster. Address should be in the format .:<service_port>. ""
tracing.backend The tracing backend that you want to use. jaeger
tracing.sampleRate The sample rate to use for tracing. Float between 0 and 1. 0.01
mtls.mode mTLS mode for pod-to-pod communication. permissive
mtls.caTTL The CA/signing key TTL in hours(h) or minutes(m). 720h
mtls.svidTTL The trust domain of the NGINX Service Mesh. 1h
mtls.persistentStorage Use persistent storage; “on” assumes that a StorageClass exists. on
mtls.spireServerKeyManager Storage logic for Spire Server’s private keys. disk
mtls.upstreamAuthority Upstream authority settings. If left empty, SPIRE is used as the upstream authority. See values.yaml for how to configure. {}