There are numerous implementations of a service mesh which integrate with Kubernetes such as Istio, Linkerd, and Conduit. This blog post explains what a service mesh is and why to use one.
This page details the customizations required to successfully deploy some of these service mesh implementations.
The steps below were validated using AKS Engine v0.53.0 and Kubernetes v1.17.
To accommodate the changes in Secret Discovery Service since Istio 1.3, please refer to the sample apimodel istio.json.
This sample shows the extra Kubernetes API server flags that are required to enable Service Account Token Volume Projection, as indicated here. You may have to adjust --service-account-api-audiences and --service-account-issuer to your specific use case.
{
  "kubernetesConfig": {
    "apiServerConfig": {
      "--service-account-api-audiences": "api,istio-ca",
      "--service-account-issuer": "kubernetes.default.svc",
      "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"
    }
  }
}
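A pre-deployment check for the flags shown above, as an added example that is not part of AKS Engine or its documentation. The function names and the `expected_audiences` parameter are hypothetical, and the default audience `istio-ca` is taken from the sample; adjust it to your use case.

```python
import json

# The three API server flags set by the sample apimodel on this page.
REQUIRED_FLAGS = (
    "--service-account-api-audiences",
    "--service-account-issuer",
    "--service-account-signing-key-file",
)

def find_api_server_config(node):
    """Return the first apiServerConfig dict found anywhere in the apimodel."""
    if isinstance(node, dict):
        if isinstance(node.get("apiServerConfig"), dict):
            return node["apiServerConfig"]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_api_server_config(child)
            if found is not None:
                return found
    return None

def check_apimodel(text, expected_audiences=("istio-ca",)):
    """Return a list of problems; an empty list means the flags look complete."""
    cfg = find_api_server_config(json.loads(text))
    if cfg is None:
        return ["no apiServerConfig section found"]
    problems = [f"missing or empty flag {f}" for f in REQUIRED_FLAGS
                if not str(cfg.get(f) or "").strip()]
    audiences = {a.strip() for a in
                 str(cfg.get("--service-account-api-audiences") or "").split(",")}
    problems += [f"audience {a!r} not in --service-account-api-audiences"
                 for a in expected_audiences if a not in audiences]
    return problems

# Constructed input: the fragment from this page, and a copy that lacks the
# issuer flag and the istio-ca audience.
GOOD = """{"kubernetesConfig": {"apiServerConfig": {
  "--service-account-api-audiences": "api,istio-ca",
  "--service-account-issuer": "kubernetes.default.svc",
  "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"}}}"""
BAD = """{"kubernetesConfig": {"apiServerConfig": {
  "--service-account-api-audiences": "api",
  "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"}}}"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_apimodel(doc) or "ok")
```

The search is recursive so the check also works on a full apimodel where `kubernetesConfig` is nested deeper than in the fragment above.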