I'm diving into prototyping a replacement for our current chaotic system, which is a mix of bash scripts, manual FTP deployments, and Ansible configurations. I'm currently working with Kubernetes (using Talos for its simplicity and immutability) and have set up three clusters: one for management (including ArgoCD and observability tools), and one workload cluster in each data center.
Our workload is shared between a bare-metal provider and Hetzner Cloud, with plans to switch bare-metal providers next year. I need a service mesh that can securely and fairly seamlessly connect these data centers, particularly because I want to access several database clusters from within K8s. Previously, we've relied on HAProxy, but it's not set up for high availability. While I could deploy a replicated HAProxy configuration within K8s, I'm hoping for a more native solution.
Given that Cilium's Cluster Mesh is off the table, I've narrowed it down to Istio, Linkerd, and Kuma. I'm interested to know your experiences with these options. How straightforward are they to set up and maintain? Are there any crucial points I should consider? What about update processes? Also, is there another alternative I should check out? Thanks in advance!
5 Answers
Alternatively, you could flip the script and run your databases in Kubernetes while utilizing any multi-cluster mesh solution. This could streamline your setup.
While I haven't done external meshing myself, I'd definitely vote for Linkerd. The initial setup for production requires a bit of effort—especially to ensure your certificates rotate automatically—but once that's in place, mTLS becomes really easy to manage!
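The automatic certificate rotation this answer refers to is normally done by handing Linkerd's identity issuer certificate to cert-manager. The manifests below are an added illustration, not the answerer's own configuration; they assume cert-manager is already installed and that the operator has created a `linkerd-trust-anchor` Secret in the `linkerd` namespace holding the offline root CA (the trust anchor itself is rotated separately).

```yaml
# Issuer backed by the trust-anchor CA secret created by the operator
# (assumed to exist already; its key should live offline, not on the cluster).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
# The identity issuer certificate Linkerd's identity controller signs proxy
# certificates with. cert-manager re-issues it before expiry, so the
# intermediate rotates without manual intervention or a control-plane restart.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer   # name Linkerd expects for an external issuer
  duration: 48h                         # short-lived intermediate limits blast radius
  renewBefore: 25h                      # renew well before half-life
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
    - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
```

Linkerd then has to be installed with the external-issuer mode (`linkerd install --identity-external-issuer`, with the trust anchor passed via `--identity-trust-anchors-file`) so the control plane reads this Secret instead of generating its own issuer; `linkerd check --proxy` reports when the issuer certificate is nearing expiry or the chain no longer validates.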
What specific features are you hoping to leverage from the service mesh? I suggest looking into using the Envoy gateway for egress to your databases. It enhances visibility and keeps everything contained within the cluster. We've had great success with Envoy-based clusters—they're super configurable and reliable. That’s why it’s popular in many top service meshes!
We've been using Istio for a while. It's got its quirks, like init containers not getting sidecars unless you toggle native sidecars on, but overall, it works well. That said, managing the configuration can be a headache, so I recommend adopting GitOps from the get-go. If linking cloud to on-prem is a goal, you might want to look into Konnectivity as well.
As someone from HAProxy, I might be a bit biased, but I think our HAProxy Fusion Control Plane could be a great fit for your needs. It allows for seamless integration of Kubernetes workloads and external ones without needing them to run as pods in the cluster. If you’re seeking a free community solution, consider using the Dataplane API for building your own service mesh.
