Best practices for running a bunch of applications in a service mesh

Please consider …

… My scenario:

  • 10 applications (and 10 namespaces, one app per ns) running on OpenShift 4.x
  • applications should be isolated, e.g. app-A not allowed to access app-B and vice versa
  • all applications are accessible via an external LB
  • access via LB using a single wildcard *.myapps.example.com
  • would like to use service mesh in order to enhance security, request tracking and resilience/stability

… My approach:

  • started with a simple, single control plane
  • shared control plane with a single gateway to configure hosts: app1.myapps.example.com, app2…, app10.myapps.example.com
  • using a wildcard cert (*.myapps.example.com) on the shared gateway (same as on the external LB)
  • individual virtual services and destination rules in the app namespaces
  • suitable ingress and egress network policies for isolation of namespaces/pods

… My problems:

  • I am unable to configure wildcard hosts on the Istio gateway due to an OpenShift route limitation. E.g.

      spec:
        selector:
          istio: ingressgateway
        servers:
        - hosts:
          - '*.myapps.example.com'

    is not possible.

  • segmentation of traffic is not possible, AFAIK, on the Istio service mesh layer. So in general each sidecar trusts every other sidecar because of the same CA
  • single point of failure: if the ingress gateway or istiod has an outage, all applications are inaccessible

I would be very glad if you could comment on my setup and suggest any improvements, or ask questions about anything I may have overlooked.
Thanks in advance.
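An added example (not the poster's configuration) of the approach described above: a shared Gateway listing explicit per-app hosts instead of the wildcard the post says cannot be used, a VirtualService in the app namespace bound to that gateway, and a NetworkPolicy that admits only the ingress gateway's namespace. The names istio-system, myapps-gateway, myapps-wildcard-cert, app1, port 8080 and the kubernetes.io/metadata.name namespace label are assumptions.

```yaml
# Added example (not the poster's config). Assumes the control plane in
# istio-system, the wildcard cert in secret "myapps-wildcard-cert" there,
# and app1 in namespace "app1" served by Service "app1" on port 8080.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapps-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: { number: 443, name: https, protocol: HTTPS }
    tls:
      mode: SIMPLE
      credentialName: myapps-wildcard-cert   # secret must live in istio-system
    hosts:                                   # explicit host per app, no '*'
    - app1.myapps.example.com
    - app2.myapps.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app1
  namespace: app1
spec:
  hosts:
  - app1.myapps.example.com
  gateways:
  - istio-system/myapps-gateway   # cross-namespace reference to the shared gateway
  http:
  - route:
    - destination:
        host: app1.app1.svc.cluster.local
        port: { number: 8080 }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-gateway-only
  namespace: app1
spec:
  podSelector: {}          # every pod in app1
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system   # ingress gateway pods
    - podSelector: {}      # pods within app1 itself
```

Repeat the VirtualService and NetworkPolicy per app namespace and add each app's host to the Gateway; the wildcard certificate still covers every listed host, so no per-app certificate is needed.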