Design canvas — configure the mesh — Build a Service Mesh (Envoy / Istio style)

Build a Service Mesh (Envoy / Istio style) (13 scenes)

Scene 12 · Design canvas — configure the mesh

Four workloads, every knob from the prior scenes. Each verifier note cites the scene that earned it.

Previously

Every name we've introduced — sidecar, listener, route, cluster, retry budget, breaker, outlier detection, token bucket, mTLS, control plane, trace — becomes a knob on the canvas. Time to set them coherently for a concrete workload, and let the verifier cite the scene behind each choice.

Scene 13

Design canvas — configure the mesh

Watch

Diagram

Four workload cards (A latency-critical API, B public ingress, C batch ETL, D partner webhook) each show eight knobs as chips: Deploy (sidecar/edge), LB (rr/least/ring), Timeout, Retry budget, Breaker, Rate-limit scope, mTLS, Trace sample. The verifier panel on the upper right cites a scene number for every note (green check, amber warning). The fleet preview on the lower right re-renders the active card's mesh: ingress, two pods, padlocks on east-west arrows when mTLS is on, a ring-hash dot when LB is sticky.

← active workload card: A's preset (sidecar, ring-hash, strict mTLS)

verifier panel — every note cites a scene number →

fleet preview — the mesh A's settings actually build →

Four workloads, each with a sensible preset already loaded. Workload A — the latency-critical internal API — is highlighted. Read its chips, then the verifier panel: every note cites a scene. Continue when you've located all three regions.

Implementation

A — Latency-critical internal API

sticky LB + tight per-try timeout + strict mTLS east-west

1route:
2  cluster: internal-api
3  timeout: 200ms
4  retry_policy:
5    retries: 3
6    retry_budget: { budget_percent: 10% }
7    per_try_timeout: 80ms     # < timeout (scene 6)
8cluster:
9  lb_policy: RING_HASH        # sticky for cache locality
10peer_auth: STRICT_MTLS        # SPIFFE east-west
11trace_sample_rate: 1.0        # low volume, sample all

B — Public ingress gateway

edge-proxy + global rate limit + permissive mTLS migration

1listener: 0.0.0.0:443         # edge-proxy, NOT sidecar
2route:
3  timeout: 5s
4  retry_policy:
5    retries: 2
6    retry_budget: { budget_percent: 20% }
7cluster:
8  lb_policy: LEAST_REQUEST
9rate_limit:
10  scope: GLOBAL               # fleet-wide token bucket
11  descriptor: client_id
12peer_auth: PERMISSIVE_MTLS    # tighten to STRICT later
13trace_sample_rate: 0.1        # high volume, sample for cost

C — Batch ETL job (NOTE: retries off)

uniform load, retries OFF — re-runs end-to-end on failure

1route:
2  cluster: warehouse-loader
3  timeout: 60s
4  # NO retry_policy. Batch re-runs end-to-end on failure;
5  # per-message retries cause double-processing of every
6  # input row (scene 6).
7cluster:
8  lb_policy: ROUND_ROBIN      # uniform load, no key locality
9peer_auth: STRICT_MTLS        # internal east-west
10trace_sample_rate: 0.01       # batch volume, sample sparsely

D — Partner webhook receiver

edge-proxy + breaker OFF (prefer DLQ) + mTLS off for partners

1listener: 0.0.0.0:443         # edge-proxy
2route:
3  cluster: partner-webhooks
4  timeout: 30s
5  retry_policy:
6    retries: 1
7    retry_budget: { budget_percent: 5% }
8cluster:
9  # NO circuit_breaker — partners cause sporadic 5xx;
10  # tripping the breaker drops a window of partner
11  # messages. Prefer DLQ (scene 7).
12  lb_policy: LEAST_REQUEST
13peer_auth: OFF                # no SPIFFE for partners
14rate_limit: { scope: LOCAL, descriptor: partner_id }

PreviousTrace and span — stitching one user request