← Week 3: Service Mesh & mTLS

Day 21: Challenge — Istio mTLS and Traffic Shifting

Phase 3 · Jul 21, 2026

Challenge Overview

Configure Istio to enforce mTLS and perform a safe canary deployment.

Requirements:

  1. Deploy echo-v1 and echo-v2 services to a local Istio mesh
  2. Enforce STRICT mTLS in the deployment namespace
  3. Create a VirtualService that routes 90% to v1, 10% to v2
  4. Add a 5-second timeout and 2 retries to the VirtualService
  5. Inject 5% 503 faults on v1 to simulate failures
  6. Gradually shift traffic: 75/25, then 50/50, then 0/100 using kubectl patch
  7. Observe service graph in Kiali during each shift

Deployment Config

# echo-v1 deployment; echo-v2 is identical except for version: v2 in both
# the selector and the pod template labels (the DestinationRule subsets key on it)
apiVersion: apps/v1
kind: Deployment
metadata: { name: echo-v1 }
spec:
  selector: { matchLabels: { app: echo, version: v1 } }
  template:
    metadata: { labels: { app: echo, version: v1 } }
    spec:
      containers:
      - name: echo
        image: ealen/echo-server:latest   # fine for a local lab; pin a digest outside it
        ports: [{ containerPort: 80 }]

Required Resources

PeerAuthentication:   STRICT mTLS for namespace
DestinationRule:      Define v1 and v2 subsets + outlier detection
VirtualService:       90/10 split + timeout + retry + fault injection
AuthorizationPolicy:  Allow traffic only between labeled services
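The four resources above written out as an added example (these manifests are mine, not the course's own); the namespace mesh-lab and the client ServiceAccount echo-client are assumed names.

```yaml
# Added example manifests, not from the course page. Assumed names: namespace
# "mesh-lab", client ServiceAccount "echo-client". Istio attaches fault injection
# to the HTTPRoute, not to one weighted destination, so the 5% abort below hits
# requests matched by this route rather than v1 alone.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata: { name: default, namespace: mesh-lab }
spec:
  mtls: { mode: STRICT }   # sidecars reject plaintext; no PERMISSIVE fallback
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata: { name: echo, namespace: mesh-lab }
spec:
  host: echo
  subsets:
  - { name: v1, labels: { version: v1 } }
  - { name: v2, labels: { version: v2 } }
  trafficPolicy:
    outlierDetection:        # eject a pod for 30s after 3 consecutive 5xx
      consecutive5xxErrors: 3
      interval: 10s
      baseEjectionTime: 30s
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: { name: echo, namespace: mesh-lab }
spec:
  hosts: [echo]
  http:
  - timeout: 5s
    retries: { attempts: 2, perTryTimeout: 2s, retryOn: "5xx,reset,connect-failure" }
    fault:
      abort: { percentage: { value: 5 }, httpStatus: 503 }
    route:
    - { destination: { host: echo, subset: v1 }, weight: 90 }
    - { destination: { host: echo, subset: v2 }, weight: 10 }
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata: { name: echo-allow-client, namespace: mesh-lab }
spec:
  selector: { matchLabels: { app: echo } }
  action: ALLOW              # under STRICT mTLS the principal is the verified SPIFFE ID
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/mesh-lab/sa/echo-client"]
```

After kubectl apply, a curl to echo from a pod that has no sidecar should fail, which is the quickest check that STRICT mode is actually in force.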

Traffic Shift Commands

# Shift to 75/25
# Note: a merge patch replaces the whole spec.http list, so each patch must
# restate the timeout, retries and fault fields or they are silently dropped.
kubectl patch virtualservice echo --type=merge -p '
{"spec":{"http":[{"route":[
  {"destination":{"host":"echo","subset":"v1"},"weight":75},
  {"destination":{"host":"echo","subset":"v2"},"weight":25}
]}]}}'

# Shift to 50/50
kubectl patch virtualservice echo --type=merge -p '...'

# Full cutover to v2
kubectl patch virtualservice echo --type=merge -p '
{"spec":{"http":[{"route":[
  {"destination":{"host":"echo","subset":"v2"},"weight":100}
]}]}}'

Phase 3 Complete

Phase 3   Topic              Key skills
Week 1    Protobuf + gRPC    proto3 encoding, prost, tonic server/client
Week 2    Binary protocols   tokio-util codec, multiplexing, HMAC auth
Week 3    Service mesh       Envoy xDS, Istio, SPIFFE/SPIRE, traffic management

You can now:

  • Design, implement, and version binary protocols
  • Build gRPC services with streaming, auth, and deadline propagation
  • Deploy services into an Istio mesh with automatic mTLS and traffic shaping

Phase 4 starts tomorrow: Reliability Patterns — circuit breakers, distributed transactions, event sourcing.