DirectorySecurity AdvisoriesPricing
/
Sign in
Directory
istio-cni logoHELM

istio-cni

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Istio

Chainguard's redistribution of the Istio Helm charts, pre-configured with hardened Chainguard Images.

Prerequisites

Authentication is required to access these charts and their images. First, authenticate with Chainguard and configure your environment:

chainctl auth login
chainctl auth configure-docker --pull-token --save
helm registry login cgr.dev

Create an image pull secret for the cluster:

kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-system

Available Charts

ChartDescription

istio-base

Istio base chart (CRDs and cluster resources)

istio-istiod

Istio control plane

istio-gateway

Istio ingress/egress gateway

istio-cni

Istio CNI plugin

istio-ztunnel

Istio ztunnel for ambient mesh

Installation

Sidecar Mode

Install the components in order:

# 1. Base (CRDs and cluster resources)
helm install istio-base oci://cgr.dev/ORGANIZATION/charts/istio-base \
  --namespace istio-system \
  --create-namespace \
  --set defaultRevision=default \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 2. Istiod (control plane)
helm install istiod oci://cgr.dev/ORGANIZATION/charts/istio-istiod \
  --namespace istio-system \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 3. Gateway (optional)
kubectl create namespace istio-ingress
kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-ingress

helm install istio-gateway oci://cgr.dev/ORGANIZATION/charts/istio-gateway \
  --namespace istio-ingress \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

Ambient Mode

For ambient mesh, install CNI and ztunnel:

# 1. Base
helm install istio-base oci://cgr.dev/ORGANIZATION/charts/istio-base \
  --namespace istio-system \
  --create-namespace \
  --set defaultRevision=default \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 2. Istiod with ambient profile
helm install istiod oci://cgr.dev/ORGANIZATION/charts/istio-istiod \
  --namespace istio-system \
  --set profile=ambient \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 3. CNI
helm install istio-cni oci://cgr.dev/ORGANIZATION/charts/istio-cni \
  --namespace istio-system \
  --set profile=ambient \
  --set global.imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 4. Ztunnel
helm install ztunnel oci://cgr.dev/ORGANIZATION/charts/istio-ztunnel \
  --namespace istio-system \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

# 5. Gateway (optional)
kubectl create namespace istio-ingress
kubectl create secret docker-registry cgr-pull-secret \
  --docker-server=cgr.dev \
  --docker-username="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Username')" \
  --docker-password="$(echo cgr.dev | docker-credential-cgr get | jq -r '.Secret')" \
  --namespace istio-ingress

helm install istio-gateway oci://cgr.dev/ORGANIZATION/charts/istio-gateway \
  --namespace istio-ingress \
  --set imagePullSecrets[0].name=cgr-pull-secret \
  --wait

About These Charts

These are redistributions of the upstream Istio Helm charts. All upstream configuration options and documentation apply.

For full documentation, see: https://istio.io/latest/docs/setup/install/helm/

Chart versions

  • 1.29.2

    Latest

  • 1.29.1

  • 1.29

  • 1.29.0

View all chart versions
Images

Helm charts contain references to Chainguard Container images. The following images are referenced in the chart:

istio-install-cni logo
istio-install-cni

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.