Best practices for running a bunch of application in service mesh

Please consider …

… My scenario:

  • 10 application (and 10 namespaces, one app per ns) running on openshift 4x
  • applications should be isolated, e.g. app-A not allowed to access app-B and vice verse
  • all applications are accessible via external LB
  • access via LB using sinlge wildcard *
  • would like to use service mesh in order to enhance security, request tracking and resliance/stability

… My approach:

  • started with a simple, single control plane
  • shared control plane with single gateway to configure hosts:, app2…,
  • using wildcard cert (* on shared gateway (same as on external LB)
  • individual virtuals services and dest rules in app ns
  • suitable ingress and egress network policies for isolation of ns/pods

… My problems:

  • I am unable to configure wildcard hosts on istio gateway due to openshift route limitation. E.g.
    istio: ingressgateway
  - hosts:
    - '*'

is not possible.

  • segmentation of traffic is not possible, afaik, on istio service mesh layer. So in general each sidecar trusts each other sidecar because of same CA
  • single point of failure: if ingress gateway or istiod has outage all applications are not accessible

I would be very glad if you comment on my setup and suggest any improvements, or ask questions I may have overlooked.
Thanks in advance