Getting Started with the Chainguard Istio Images

Tutorial on how to get started with the Istio Chainguard Images

Istio extends Kubernetes to establish a programmable, application-aware network using the powerful Envoy service proxy. Working with both Kubernetes and traditional workloads, Istio brings standard, universal traffic management, telemetry, and security to complex deployments. Chainguard offers a set of minimal, security-hardened Istio images, built on top the Wolfi OS.

We will demonstrate how to get started with the Chainguard Istio images on an example kind cluster. To get started, you’ll need Docker, kind, kubectl, and istioctl installed. If you are missing any, you can follow the relevant link to get started.

What is Wolfi Wolfi is a community Linux undistro created specifically for containers. This brings distroless to a new level, including additional features targeted at securing the software supply chain of your application environment: comprehensive SBOMs, signatures, daily updates, and timely CVE fixes.
Chainguard Images Chainguard Images are a mix of distroless and development images based on Wolfi. Nightly builds make sure images are up-to-date with the latest package versions and patches from upstream Wolfi.

Start up a kind cluster

First, we’ll start up a kind cluster to install Istio.

kind create cluster

This will return output similar to the following:

Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.27.3) đŸ–ŧ 
 ✓ Preparing nodes đŸ“Ļ  
 ✓ Writing configuration 📜 
 ✓ Starting control-plane 🕹ī¸ 
 ✓ Installing CNI 🔌 
 ✓ Installing StorageClass 💾 
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Thanks for using kind! 😊

Following that, you can install the Istio Chainguard Image with istioctl.

Install Istio using Chainguard Images

We will be using the istioctl command to install Istio. In order to use the Chainguard Images, we will need to set these following values:

  • hub = cgr.dev/chainguard
  • tag = latest
  • values.pilot.image = istio-pilot
  • values.global.proxy.image = istio-proxy
  • values.global.proxy_init.image = istio-proxy

We can set these values with the following istioctl command:

istioctl install --set tag=latest --set hub=cgr.dev/chainguard \
  --set values.pilot.image=istio-pilot \
  --set values.global.proxy.image=istio-proxy \
  --set values.global.proxy_init.image=istio-proxy

The Istio Chainguard Image is now running on the kind cluster you created previously. In the next section, you’ll set up an Istio gateway and a VirtualService to test out this image.

Stand up a Gateway and a VirtualService

To see the Istio installation in action, we will create two Istio resources:

  • An Istio gateway serving the “http://hello.example.com” domain
  • A VirtualService to always reply with “Hello, world!” to requests to the “http://hello.example.com” domain

Create a YAML manifest file with the following contents to define the Istio resources:

cat > example.yaml <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sample-gateway
spec:
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "hello.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sample-virtual-service
spec:
  gateways:
  - sample-gateway
  hosts:
  - "hello.example.com"
  http:
  - directResponse:
      status: 200
      body:
        string: "Hello, world!\n"
EOF

Apply the YAML file to the cluster:

kubectl apply -f example.yaml

Now, in one terminal, start a port-forward to the Istio Ingress Gateway:

kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80

In another terminal, send a request to the Istio Ingress Gateway:

curl -H "Host: hello.example.com" localhost:8080

This will return Hello, world! to the terminal output.

Clean up your kind cluster

Once you are done, you can delete your kind cluster:

kind delete cluster

This will delete the default cluster context, kind.

Advanced Usage

If your project requires a more specific set of packages that aren't included within the general-purpose Istio Chainguard Image, you'll first need to check if the package you want is already available on the wolfi-os repository.

Note: If you're building on top of an image other than the wolfi-base image, the image will run as a non-root user. Because of this, if you need to install packages with apk install you need to use the USER root directive.

If the package is available, you can use the wolfi-base image in a Dockerfile and install what you need with apk, then use the resulting image as base for your app. Check the "Using the wolfi-base Image" section of our images quickstart guide for more information.

If the packages you need are not available, you can build your own apks using melange. Please refer to this guide for more information.

Last updated: 2023-12-14 11:07