
Service Mesh — Notes

Build vs buy

  • Istio — most features, biggest learning curve.
  • Linkerd — simpler, Rust proxy, lower overhead.
  • Consul Connect — ties into HashiCorp stack.
  • AWS App Mesh / GCP Anthos / Azure ASM — managed flavours.
  • Cilium Service Mesh — eBPF, sidecarless, newer.

Identity model

  • SPIFFE / SPIRE issues short-lived X.509 certs or JWT-SVIDs per workload.
  • The SPIFFE ID carried in the cert's URI SAN, spiffe://<trust-domain>/ns/<ns>/sa/<serviceaccount> in the Kubernetes/Istio convention, makes "is service A allowed to call B?" a string match on the caller's ID.
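What that string match looks like once the ID is parsed rather than compared as raw bytes, as an added example that is not from any of the projects above: a small Go authorizer that parses a caller's SPIFFE ID, refuses anything outside the mesh trust domain or not in the exact ns/sa shape, and then looks the canonical ID up in a per-callee allowlist. The trust domain `cluster.local`, the namespace `shop` and the `checkout`/`payments` service accounts are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// WorkloadID is the identity carried in a workload cert's URI SAN, of the form
// spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>.
type WorkloadID struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

// String rebuilds the canonical ID so policy lookups compare one normalised
// form rather than whatever bytes arrived in the cert.
func (w WorkloadID) String() string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", w.TrustDomain, w.Namespace, w.ServiceAccount)
}

// ParseSPIFFEID accepts only the exact ns/sa path shape; anything else
// (extra segments, trailing slash, query, fragment, userinfo) fails closed.
func ParseSPIFFEID(raw string) (WorkloadID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return WorkloadID{}, err
	}
	if u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return WorkloadID{}, fmt.Errorf("not a SPIFFE ID: %q", raw)
	}
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(parts) != 4 || parts[0] != "ns" || parts[2] != "sa" || parts[1] == "" || parts[3] == "" {
		return WorkloadID{}, fmt.Errorf("unsupported SPIFFE path %q", u.Path)
	}
	return WorkloadID{TrustDomain: u.Host, Namespace: parts[1], ServiceAccount: parts[3]}, nil
}

// Policy maps each callee service account to the set of caller IDs allowed in.
type Policy struct {
	TrustDomain string
	Allowed     map[string]map[string]bool // callee -> canonical caller ID -> true
}

// Allow answers "may the workload presenting callerID call callee?".
// A caller outside the mesh trust domain is returned as an error, not a plain
// deny, so it stands out in logs from an ordinary policy miss.
func (p Policy) Allow(callee, callerID string) (bool, error) {
	id, err := ParseSPIFFEID(callerID)
	if err != nil {
		return false, err
	}
	if id.TrustDomain != p.TrustDomain {
		return false, errors.New("caller from foreign trust domain " + id.TrustDomain)
	}
	// Indexing a missing callee yields a nil map, which indexes to false: deny by default.
	return p.Allowed[callee][id.String()], nil
}

// ExamplePolicy is constructed sample data (not from any real deployment):
// only the shop/checkout workload may call the payments service.
func ExamplePolicy() Policy {
	return Policy{
		TrustDomain: "cluster.local",
		Allowed: map[string]map[string]bool{
			"payments": {"spiffe://cluster.local/ns/shop/sa/checkout": true},
		},
	}
}

func main() {
	p := ExamplePolicy()
	for _, caller := range []string{
		"spiffe://cluster.local/ns/shop/sa/checkout",  // allowed
		"spiffe://cluster.local/ns/shop/sa/frontend",  // denied, no error
		"spiffe://other.example/ns/shop/sa/checkout",  // foreign trust domain: error
		"spiffe://cluster.local/ns/shop/sa/checkout/", // malformed shape: error
	} {
		ok, err := p.Allow("payments", caller)
		fmt.Printf("%-48s allow=%v err=%v\n", caller, ok, err)
	}
}
```

The point of rebuilding the ID from parsed fields before the lookup is that the allowlist key and the presented identity are compared in one canonical form; a trailing slash, a query string or a different scheme never reaches the map at all.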

What stays in the app

  • Business logic, validation, domain errors.
  • Retry semantics for non-idempotent business operations (mesh-level retry is for transport faults only).
  • Authn of the end-user (mesh authz is for service identity).

Refs

  • Istio docs + "Istio in Action".
  • Linkerd 2 architecture posts.
  • SPIFFE specification.
  • "The Sidecar Pattern" — Bilgin Ibryam.