Getting Started with the Chainguard Istio Images
Istio extends Kubernetes to establish a programmable, application-aware network using the powerful Envoy service proxy. Working with both Kubernetes and traditional workloads, Istio brings standard, universal traffic management, telemetry, and security to complex deployments. Chainguard offers a set of minimal, security-hardened Istio images, built on top the Wolfi OS.
We will demonstrate how to get started with the Chainguard Istio images on an
example kind cluster. To get started, you’ll need Docker, kind, kubectl
, and istioctl
installed. If you are missing any, you can follow the relevant link to get started.
What is Wolfi
Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.Chainguard Images
Chainguard Images are a mix of distroless and development images based on Wolfi. Nightly builds make sure images are up-to-date with the latest package versions and patches from upstream Wolfi.Start up a kind cluster
First, we’ll start up a kind cluster to install Istio.
kind create cluster
This will return output similar to the following:
Creating cluster "kind" ...
â Ensuring node image (kindest/node:v1.27.3) đŧ
â Preparing nodes đĻ
â Writing configuration đ
â Starting control-plane đšī¸
â Installing CNI đ
â Installing StorageClass đž
Set kubectl context to "kind-kind"
You can now use your cluster with:
kubectl cluster-info --context kind-kind
Thanks for using kind! đ
Following that, you can install the Istio Chainguard Image with istioctl
.
Install Istio using Chainguard Images
We will be using the istioctl
command to install Istio. In order to use the
Chainguard Images, we will need to set these following values:
hub = cgr.dev/chainguard
tag = latest
values.pilot.image = istio-pilot
values.global.proxy.image = istio-proxy
values.global.proxy_init.image = istio-proxy
We can set these values with the following istioctl
command:
istioctl install --set tag=latest --set hub=cgr.dev/chainguard \
--set values.pilot.image=istio-pilot \
--set values.global.proxy.image=istio-proxy \
--set values.global.proxy_init.image=istio-proxy
The Istio Chainguard Image is now running on the kind cluster you created previously. In the next section, you’ll set up an Istio gateway and a VirtualService to test out this image.
Stand up a Gateway and a VirtualService
To see the Istio installation in action, we will create two Istio resources:
- An Istio gateway serving the “http://hello.example.com” domain
- A VirtualService to always reply with “Hello, world!” to requests to the “http://hello.example.com” domain
Create a YAML manifest file with the following contents to define the Istio resources:
cat > example.yaml <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: sample-gateway
spec:
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "hello.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: sample-virtual-service
spec:
gateways:
- sample-gateway
hosts:
- "hello.example.com"
http:
- directResponse:
status: 200
body:
string: "Hello, world!\n"
EOF
Apply the YAML file to the cluster:
kubectl apply -f example.yaml
Now, in one terminal, start a port-forward to the Istio Ingress Gateway:
kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80
In another terminal, send a request to the Istio Ingress Gateway:
curl -H "Host: hello.example.com" localhost:8080
This will return Hello, world!
to the terminal output.
Clean up your kind cluster
Once you are done, you can delete your kind cluster:
kind delete cluster
This will delete the default cluster context, kind
.
Advanced Usage
If your project requires a more specific set of packages that aren't included within the general-purpose Istio Chainguard Image, you'll first need to check if the package you want is already available on the wolfi-os repository.
Note: If you're building on top of an image other than the wolfi-base image, the image will run as a non-root user. Because of this, if you need to install packages with
apk install
you need to use theUSER root
directive.
If the package is available, you can use the wolfi-base image in a Dockerfile and install what you need with apk
, then use the resulting image as base for your app.
Check the "Using the wolfi-base Image" section of our images quickstart guide for more information.
If the packages you need are not available, you can build your own apks using melange. Please refer to this guide for more information.
Last updated: 2023-12-14 11:07