
Conversation

@ctauchen
Collaborator

@ctauchen ctauchen commented Dec 16, 2025

Product Version(s):

Issue:

Link to docs preview:

https://deploy-preview-2431--tigera.netlify.app/calico-enterprise/3.22/compliance/istio/about-istio-ambient

SME review:

  • An SME has approved this change.

DOCS review:

  • A member of the docs team has approved this change.

Additional information:

Merge checklist:

  • Deploy preview inspected wherever changes were made
  • Build completed successfully
  • Tests have passed

Copilot AI review requested due to automatic review settings December 16, 2025 12:18
@ctauchen ctauchen requested a review from a team as a code owner December 16, 2025 12:18
@netlify

netlify bot commented Dec 16, 2025

Deploy Preview for calico-docs-preview-next ready!

Name Link
🔨 Latest commit 72aa35e
🔍 Latest deploy log https://app.netlify.com/projects/calico-docs-preview-next/deploys/69453270a8c16a0008273616
😎 Deploy Preview https://deploy-preview-2431--calico-docs-preview-next.netlify.app

@netlify

netlify bot commented Dec 16, 2025

Deploy Preview succeeded!

Built without sensitive environment variables

Name Link
🔨 Latest commit 72aa35e
🔍 Latest deploy log https://app.netlify.com/projects/tigera/deploys/69453270b124790008231e7d
😎 Deploy Preview https://deploy-preview-2431--tigera.netlify.app

Lighthouse
1 paths audited
Performance: 70 (🔴 down 3 from production)
Accessibility: 90 (no change from production)
Best Practices: 92 (no change from production)
SEO: 92 (no change from production)
PWA: -

This comment was marked as outdated.

@ctauchen ctauchen changed the title DRAFT: Deploy Istio Ambient Mode on your cluter DRAFT: Deploy Istio Ambient Mode on your cluster Dec 16, 2025
@ctauchen ctauchen changed the title DRAFT: Deploy Istio Ambient Mode on your cluster DOCS-2798: Deploy Istio Ambient Mode on your cluster Dec 16, 2025
@ctauchen ctauchen requested a review from Copilot December 16, 2025 14:45
@ctauchen ctauchen marked this pull request as ready for review December 16, 2025 14:45
@ctauchen
Collaborator Author

PTAL @radixo @davselliTigera @BatoulSarvi

Contributor

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Contributor

@radixo radixo left a comment

Lovely material, just one waypoint concept to fix.

This modification allows existing Calico and Kubernetes network policies to continue functioning exactly as they did before, without needing any rewrites, even though the traffic is now encrypted with mTLS.

These zTunnel enhancements are not compatible with Istio's application-layer Waypoint proxy.
If you deploy Waypoint, the reported destination ports will follow the original behavior (always port 15008), and you will need to modify existing network policies.
Contributor

Suggested change
If you deploy Waypoint, the reported destination ports will follow the original behavior (always port 15008), and you will need to modify existing network policies.
If you deploy Waypoint, the reported destination ports will follow the original behavior (always port 15008), and you will need to allow the traffic to/from waypoint with the destination port 15008.

Probably the way I suggested here is not the best, but the idea is. The network policies need to include port 15008 for traffic coming from the waypoint (L7 filtered only).

Collaborator Author

Thanks, I've changed the language here.

* Istio Ambient Mode does not work together with [workload-based web application firewalls](../../threat/web-application-firewall.mdx).
* The service mesh is not supported for use on clusters that are also part of a [cluster mesh](../../multicluster/index.mdx).
* Destination ports are preserved only when Istio is deployed without Waypoint.
If you deploy Waypoint, all traffic in the mesh will show port 15008 as its destination port.
Contributor

Suggested change
If you deploy Waypoint, all traffic in the mesh will show port 15008 as its destination port.
If you deploy Waypoint, all traffic through waypoints will show port 15008 as its destination port.
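
Review bot: The first sentence of this bullet, "Destination ports are preserved only when Istio is deployed without Waypoint", remains broader than the suggested second sentence, which limits port 15008 to traffic through waypoints. If the narrower scope is the intended one, reword the first sentence to match so the bullet does not read as two different conditions, and settle on one capitalization for "Waypoint" and "waypoints" within the bullet.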

Collaborator Author

Done.

@ctauchen ctauchen changed the base branch from main to publish/ce-3.22.1 December 19, 2025 12:52
@ctauchen ctauchen merged commit e8a7e51 into tigera:publish/ce-3.22.1 Dec 19, 2025
10 of 11 checks passed
2 participants