feat: Service mesh integration (Istio/Linkerd) #10
Description
Summary
Add support for service mesh integration to enable mTLS, traffic policies, and enhanced observability.
Parent Epic
Part of #1 - Production Kubernetes & Container Support
Motivation
Service meshes provide:
- mTLS: Automatic encryption between services
- Traffic management: Retries, timeouts, circuit breaking
- Observability: Distributed tracing, golden metrics
- Security: Authorization policies
Istio Integration
Sidecar Injection
# Helm values for Istio
podAnnotations:
sidecar.istio.io/inject: "true"Virtual Service
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: mcp-gateway
spec:
hosts:
- mcp-gateway
http:
- route:
- destination:
host: mcp-gateway
timeout: 30s
retries:
attempts: 3
perTryTimeout: 10sAuthorization Policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: mcp-gateway
spec:
selector:
matchLabels:
app: mcp-gateway
rules:
- from:
- source:
principals: ["cluster.local/ns/ai-platform/sa/claude-agent"]Linkerd Integration
Annotation for injection
podAnnotations:
linkerd.io/inject: enabledService Profile
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
name: mcp-gateway.default.svc.cluster.local
spec:
routes:
- name: mcp-endpoint
condition:
pathRegex: /servers/[^/]+/mcp
responseClasses:
- condition:
status:
min: 500
isRetryable: trueFeatures Required
- Documentation for Istio integration
- Documentation for Linkerd integration
- Helm chart options for mesh annotations
- Virtual Service / Service Profile templates
- mTLS configuration options
- Distributed tracing headers support (x-request-id, etc.)
Acceptance Criteria
- Gateway works with Istio sidecar
- Gateway works with Linkerd proxy
- mTLS enabled between services
- Traces appear in Jaeger/Zipkin
- Authorization policies work correctly
- Documentation covers both meshes