k0rdent Istio simplifies the deployment and management of Istio across management and remote clusters, providing automatic inter-cluster connectivity and certificate management.
The reference architecture for this project is based on the Multi-Primary on Different Networks topology.
k0rdent Istio automates the setup of all key components required for a secure multi-cluster service mesh:
- Self-signed Root CA — deployed on the management cluster. See the reference architecture.
- Intermediate CA — automatically generated for each Istio cluster (labeled with
k0rdent.mirantis.com/istio-role: member) by the k0rdent-istio-operator. - Remote secrets — created for each Istio cluster by the k0rdent-istio-operator to enable cross-cluster endpoints discovery.
- Istio Gateway — deployed in each cluster to provide secure inter-cluster communication protected by mTLS
This architecture ensures automatic mesh connectivity, consistent CA hierarchy, and secure cross-cluster communication without manual configuration.
- k0rdent-istio — deploys the full Istio system and manages mesh connectivity. It can be installed on both management and remote clusters and is automatically applied by the MultiClusterService to any cluster labeled
k0rdent.mirantis.com/istio-role: member.
- Follow the Conventional Commits specification