The Istio-based service mesh add-on for AKS, currently in public preview, is launching several new features that provide egress support, allow you to bring your own certificate authority, and make it easier to manage Istio upgrades:
- Minor version upgrade: Previously, AKS provided automatic weekly updates for patch versions of Istio. Now, you can explicitly upgrade from one minor version (release) of Istio to the next. You can deploy a canary version of the Istio control plane and control the rollover of sidecar proxies in the data plane so that they point to the new control plane version. Once you have determined that your mesh is still functioning as intended, you can either complete or roll back the in-progress canary deployment of Istio.
- Bring your own certificate authority (CA): Previously, the add-on supported only a self-signed certificate authority. With this new feature, you can bring your own CA by providing inputs via Azure Key Vault and then referencing them in the service mesh profile.
- Egress: Istio uses ingress and egress gateways to configure load balancers executing at the edge of a service mesh. An ingress gateway allows you to define entry points into the mesh that all incoming traffic flows through. Public and private ingresses are already supported with the mesh add-on. The Istio add-on now supports egress gateways, which define exit points from the mesh. Egress gateways allow you to apply Istio features, for example, monitoring and route rules, to traffic exiting the mesh.
To learn more, visit: https://aka.ms/asm-aks-addon-docs
 



