the-way-to-go_ZH_CN VS istio

unknwon/the-way-to-go_ZH_CN (Go): 《The Way to Go》中文译本，中文正式名《Go 入门指南》

End-to-end data encryption with a service mesh: Using an end-to-end data encryption mechanism with a service mesh like Istio, TLS can secure communication between different microservices within a Kubernetes cluster. This is a popular approach for modern, distributed microservice architectures.

From here, we can explore other developments and tutorials on Kubernetes, such as o11y or observability (PLG, ELK, ELF, TICK, Jaeger, Pyroscope), service mesh (Linkerd, Istio, NSM, Consul Connect, Cillium), and progressive delivery (ArgoCD, FluxCD, Spinnaker).

If something doesn't play nice try the Istio slack or file an issue on the main repo: https://github.com/istio/istio

Istio

Istio is an open-source service mesh that makes managing, securing, and shaping all traffic and communication between your microservices – and adding observability, too – possible, without ever writing code for any of this – no matter how your distributed architecture is deployed.

The closest I've come to finding a solution is Orchestrating GPU-accelerated streaming apps using WebRTC, their code is available on GitHub. I don't fully understand their approach, I believe it depends on Istio.

Istio is an Orchestration & Management / Service Mesh project. With a service mesh, traffic between services is handled at a platform level. This way, reliability, observability, and security features can be tackled here and provided uniformly across all services, instead of being delegated to developers to include in their code. Istio has become the second Incubating CNCF project with the most stars and with most contributors this year.

Tools in the DevOps ecosystem I have explored : Devtron, Spinnaker, Argo CD, Istio. Great UX: Devtron, Argo CD Bad UX : Istio , Spinnaker

Open source API Gateway (Apache APISIX and Traefik), Service Mesh (Istio and Linkerd) solutions are capable of doing traffic splitting and implementing functionalities like Canary Release and Blue-Green deployment. With canary testing, you can make a critical examination of a new release of an API by selecting only a small portion of your user base. We will cover the canary release next section.

OIDC OAuth for k8s authorization had nothing to do with AAA in your app.Nginx as an ingress or an API gateway is pretty much obsolete - you have to pick an API Gateway with an external Auth support, like Contour and it's auth server.More advanced service meshes, like istio has a built-in authz policies for JWT handling.Keep in mind that with the introduction of API Gateway spec, it's really important to pick the most mature solution out of the bunch. It's especially crucial, after 1.26 release, because current SIG can port the auth policies from service meshes directly into kubernetes admission, like it happened already with OPA & Kyverno policies.