Mesh federation without automatic service discovery

I want to connect multiple meshes together. I currently manage 3 different AKS clusters (Operations, Staging and Production). I have HashiCorp Vault running on Operations, and I'd like to be able to reach Postgres that's running in Staging and Production using Istio mTLS (for automatic secret rotation).

I don’t want to enable automatic service discovery by sharing secrets between clusters.

My question is: How to configure ServiceEntries in Operations to reach pods in different meshes (using an EastWestGateway), and tlsMode: AUTO_PASSTHROUGH?

The 3 clusters have different MeshIDs, different clusterNames, different trustDomains. They all share a common root CA.

I generated a TLS certificate for HashiCorp Vault (it's not running behind Istio) with SAN URI `spiffe://operations-trust-domain/ns/vault/sa/vault`, so mTLS and AuthorizationPolicies should technically be able to be leveraged.
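One way to wire this up, as an added example that is not part of the original post and not taken from Istio's own documentation. It assumes the standard east-west gateway in Staging exposes its AUTO_PASSTHROUGH port 15443 for `*.local` hosts, that its load balancer address is `203.0.113.10`, that Postgres runs as service `postgres` in namespace `db` under service account `postgres` and that Staging's trust domain is `staging-trust-domain`; the host name `postgres.staging.internal` is a locally chosen alias that only exists in the Operations mesh. The SNI value follows Istio's AUTO_PASSTHROUGH convention `outbound_.<port>_.<subset>_.<host>`, which is how the remote gateway picks the upstream cluster without any shared service discovery.

```yaml
# Added example, not from the original post. Assumed values: Staging east-west
# gateway at 203.0.113.10, Postgres as "postgres" in namespace "db" on port 5432,
# Staging trust domain "staging-trust-domain".
---
# Operations cluster: make the remote Postgres known to the local sidecars and
# send it to the Staging east-west gateway's AUTO_PASSTHROUGH port (15443).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: postgres-staging
  namespace: vault
spec:
  hosts:
  - postgres.staging.internal          # alias that exists only in Operations
  location: MESH_INTERNAL
  ports:
  - name: tcp-postgres
    number: 5432
    protocol: TCP
  resolution: STATIC
  endpoints:
  - address: 203.0.113.10              # assumed: Staging east-west gateway LB IP
    ports:
      tcp-postgres: 15443              # gateway "tls" port, AUTO_PASSTHROUGH
---
# Operations cluster: originate Istio mTLS with the sidecar's own SPIFFE identity
# and present the SNI that AUTO_PASSTHROUGH uses to select the remote cluster.
# subjectAltNames pins the server identity so a wrong backend is rejected.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: postgres-staging
  namespace: vault
spec:
  host: postgres.staging.internal
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      sni: outbound_.5432_._.postgres.db.svc.cluster.local
      subjectAltNames:
      - spiffe://staging-trust-domain/ns/db/sa/postgres   # assumed identity
---
# Staging cluster: only the Vault identity from the Operations trust domain may
# open connections to Postgres. Principals are SPIFFE IDs without "spiffe://".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: postgres-allow-vault
  namespace: db
spec:
  selector:
    matchLabels:
      app: postgres
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - operations-trust-domain/ns/vault/sa/vault
    to:
    - operation:
        ports: ["5432"]
```

Two caveats. The ServiceEntry and DestinationRule only affect workloads that have a sidecar; a process without one (Vault as described above) has to dial the gateway itself, present the same SNI and offer its own certificate, which can be checked from the Vault host with `openssl s_client -connect 203.0.113.10:15443 -servername outbound_.5432_._.postgres.db.svc.cluster.local -cert vault.crt -key vault.key -CAfile root.crt`. And because the clusters use different trust domains, the AuthorizationPolicy must spell out the Operations trust domain in the principal exactly as the client certificate carries it; a policy written with the local trust domain will silently deny the connection.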