feat: Service mesh integration (Istio/Linkerd)

## Summary

Add support for service mesh integration to enable mTLS, traffic policies, and enhanced observability.

## Parent Epic

Part of #1 - Production Kubernetes & Container Support

## Motivation

Service meshes provide:
- **mTLS**: Automatic encryption between services
- **Traffic management**: Retries, timeouts, circuit breaking
- **Observability**: Distributed tracing, golden metrics
- **Security**: Authorization policies

## Istio Integration

### Sidecar Injection
```yaml
# Helm values for Istio
podAnnotations:
  sidecar.istio.io/inject: "true"
```

### Virtual Service
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mcp-gateway
spec:
  hosts:
    - mcp-gateway
  http:
    - route:
        - destination:
            host: mcp-gateway
      timeout: 30s
      retries:
        attempts: 3
        perTryTimeout: 10s
```

### Authorization Policy
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: mcp-gateway
spec:
  selector:
    matchLabels:
      app: mcp-gateway
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/ai-platform/sa/claude-agent"]
```

## Linkerd Integration

### Annotation for injection
```yaml
podAnnotations:
  linkerd.io/inject: enabled
```

### Service Profile
```yaml
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: mcp-gateway.default.svc.cluster.local
spec:
  routes:
    - name: mcp-endpoint
      condition:
        pathRegex: /servers/[^/]+/mcp
      responseClasses:
        - condition:
            status:
              min: 500
          isRetryable: true
```

## Features Required

- [ ] Documentation for Istio integration
- [ ] Documentation for Linkerd integration
- [ ] Helm chart options for mesh annotations
- [ ] Virtual Service / Service Profile templates
- [ ] mTLS configuration options
- [ ] Distributed tracing headers support (x-request-id, etc.)

## Acceptance Criteria

- [ ] Gateway works with Istio sidecar
- [ ] Gateway works with Linkerd proxy
- [ ] mTLS enabled between services
- [ ] Traces appear in Jaeger/Zipkin
- [ ] Authorization policies work correctly
- [ ] Documentation covers both meshes

## References

- [Istio documentation](https://istio.io/latest/docs/)
- [Linkerd documentation](https://linkerd.io/docs/)
- [Service mesh comparison](https://servicemesh.io/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Service mesh integration (Istio/Linkerd) #10

Summary

Parent Epic

Motivation

Istio Integration

Sidecar Injection

Virtual Service

Authorization Policy

Linkerd Integration

Annotation for injection

Service Profile

Features Required

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feat: Service mesh integration (Istio/Linkerd) #10

Description

Summary

Parent Epic

Motivation

Istio Integration

Sidecar Injection

Virtual Service

Authorization Policy

Linkerd Integration

Annotation for injection

Service Profile

Features Required

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions