Build a Service Mesh (Envoy / Istio style) (13 scenes)
Scene 12 · Design canvas — configure the mesh
Four workloads, every knob from the prior scenes. Each verifier note cites the scene that earned it.
Previously
Every name we've introduced — sidecar, listener, route, cluster, retry budget, breaker, outlier detection, token bucket, mTLS, control plane, trace — becomes a knob on the canvas. Time to set them coherently for a concrete workload, and let the verifier cite the scene behind each choice.
Scene 13
Design canvas — configure the mesh
Diagram
Four workload cards (A latency-critical API, B public ingress, C batch ETL, D partner webhook) each show eight knobs as chips: Deploy (sidecar/edge), LB (rr/least/ring), Timeout, Retry budget, Breaker, Rate-limit scope, mTLS, Trace sample. The verifier panel on the upper right cites a scene number for every note (green check, amber warning). The fleet preview on the lower right re-renders the active card's mesh: ingress, two pods, padlocks on east-west arrows when mTLS is on, a ring-hash dot when LB is sticky.
← active workload card: A's preset (sidecar, ring-hash, strict mTLS)
verifier panel — every note cites a scene number →
fleet preview — the mesh A's settings actually build →
Four workloads, each with a sensible preset already loaded. Workload A — the latency-critical internal API — is highlighted. Read its chips, then the verifier panel: every note cites a scene. Continue when you've located all three regions.
Implementation
A — Latency-critical internal API
sticky LB + tight per-try timeout + strict mTLS east-west
route:
  cluster: internal-api
  timeout: 200ms
  retry_policy:
    retries: 3
    retry_budget: { budget_percent: 10% }
    per_try_timeout: 80ms    # < timeout (scene 6)
cluster:
  lb_policy: RING_HASH       # sticky for cache locality
peer_auth: STRICT_MTLS       # SPIFFE east-west
trace_sample_rate: 1.0       # low volume, sample all
B — Public ingress gateway
edge-proxy + global rate limit + permissive mTLS migration
listener: 0.0.0.0:443        # edge-proxy, NOT sidecar
route:
  timeout: 5s
  retry_policy:
    retries: 2
    retry_budget: { budget_percent: 20% }
cluster:
  lb_policy: LEAST_REQUEST
rate_limit:
  scope: GLOBAL              # fleet-wide token bucket
  descriptor: client_id
peer_auth: PERMISSIVE_MTLS   # tighten to STRICT later
trace_sample_rate: 0.1       # high volume, sample for cost
C — Batch ETL job (NOTE: retries off)
uniform load, retries OFF — re-runs end-to-end on failure
route:
  cluster: warehouse-loader
  timeout: 60s
  # NO retry_policy. Batch re-runs end-to-end on failure;
  # per-message retries cause double-processing of every
  # input row (scene 6).
cluster:
  lb_policy: ROUND_ROBIN     # uniform load, no key locality
peer_auth: STRICT_MTLS       # internal east-west
trace_sample_rate: 0.01      # batch volume, sample sparsely
D — Partner webhook receiver
edge-proxy + breaker OFF (prefer DLQ) + mTLS off for partners
listener: 0.0.0.0:443        # edge-proxy
route:
  cluster: partner-webhooks
  timeout: 30s
  retry_policy:
    retries: 1
    retry_budget: { budget_percent: 5% }
cluster:
  # NO circuit_breaker — partners cause sporadic 5xx;
  # tripping the breaker drops a window of partner
  # messages. Prefer DLQ (scene 7).
  lb_policy: LEAST_REQUEST
peer_auth: OFF               # no SPIFFE for partners
rate_limit: { scope: LOCAL, descriptor: partner_id }
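As an added example (not the course's verifier, nor Envoy or Istio code), a small Python rule checker in the spirit of the verifier panel: it takes a card's settings as a dict and returns notes that cite scene 6 (timeouts and retries) or scene 7 (breaker versus DLQ). The dict layout, the `idempotent` and `external_upstream` tags, the millisecond fields and the rule wording are my assumptions; the cards' values are taken from A, C and D above.

```python
"""Rule verifier for the design-canvas presets (added example).  The dict
layout, the ``idempotent`` and ``external_upstream`` tags and the rule
wording are assumptions; scene 6 (timeouts/retries) and scene 7 (breaker vs
DLQ) are the citations the cards above give."""

# Constructed from cards A, C and D (durations converted to milliseconds).
CARD_A = {"route": {"timeout_ms": 200,
                    "retry_policy": {"retries": 3, "budget_percent": 10,
                                     "per_try_timeout_ms": 80}},
          "cluster": {"lb_policy": "RING_HASH"}, "peer_auth": "STRICT_MTLS",
          "idempotent": True, "external_upstream": False}
CARD_C = {"route": {"timeout_ms": 60_000},
          "cluster": {"lb_policy": "ROUND_ROBIN"}, "peer_auth": "STRICT_MTLS",
          "idempotent": False, "external_upstream": False}
CARD_D = {"route": {"timeout_ms": 30_000,
                    "retry_policy": {"retries": 1, "budget_percent": 5}},
          "cluster": {"lb_policy": "LEAST_REQUEST"}, "peer_auth": "OFF",
          "idempotent": True, "external_upstream": True}


def verify(cfg: dict) -> list[tuple[str, str]]:
    """Return (level, note) pairs; level is 'green' or 'amber' and every note
    ends with the scene that earned it, like the verifier panel."""
    notes = []
    route = cfg.get("route", {})
    retry = route.get("retry_policy")
    timeout = route.get("timeout_ms")
    if retry:
        per_try = retry.get("per_try_timeout_ms")
        if per_try is not None and timeout is not None and per_try >= timeout:
            notes.append(("amber", "per_try_timeout must be shorter than the "
                          "route timeout, else one try can exhaust it (scene 6)"))
        elif per_try is not None:
            notes.append(("green", "per_try_timeout fits inside timeout (scene 6)"))
        if not cfg.get("idempotent", True):
            notes.append(("amber", "retries on a non-idempotent workload "
                          "double-process input; re-run end-to-end (scene 6)"))
    if "circuit_breaker" in cfg.get("cluster", {}) and cfg.get("external_upstream"):
        notes.append(("amber", "breaker would drop a window of partner messages "
                      "on sporadic 5xx; prefer a DLQ (scene 7)"))
    if not notes:
        notes.append(("green", "no retry or breaker hazards (scenes 6-7)"))
    return notes


def amber_count(cfg: dict) -> int:
    """Number of amber warnings the panel would show for this card."""
    return sum(1 for level, _ in verify(cfg) if level == "amber")
```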