k0rdent Istio simplifies the deployment and management of Istio across management and remote clusters, providing automatic inter-cluster connectivity and certificate management.
The reference architecture for this project is based on the Multi-Primary on Different Networks topology.
k0rdent Istio automates the setup of all key components required for a secure multi-cluster service mesh:
- Self-signed Root CA — deployed on the management cluster. See the reference architecture.
- Intermediate CA — automatically generated for each Istio cluster (labeled with `k0rdent.mirantis.com/istio-role: member`) by the k0rdent-istio-operator.
- Remote secrets — created for each Istio cluster by the k0rdent-istio-operator to enable cross-cluster trust.
- Istio Gateway — deployed in each cluster to provide secure inter-cluster communication protected by mTLS.
This architecture ensures automatic mesh connectivity, a consistent CA hierarchy, and secure cross-cluster communication without manual configuration.
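To check that the CA hierarchy described above actually holds, here is an added shell audit (not part of k0rdent Istio) that confirms every member cluster's intermediate CA chains to the management cluster's root and that all clusters share that same root. It assumes one kubeconfig context per cluster and Istio's standard plugin-CA secret layout (secret `cacerts` in `istio-system` with `root-cert.pem` and `ca-cert.pem` keys); the operator's actual secret name and keys may differ.

```shell
#!/bin/sh
# Added audit script, not part of k0rdent Istio. Assumes one kubeconfig context
# per cluster and Istio's plugin-CA secret layout: secret `cacerts` in
# `istio-system` with keys `root-cert.pem` (shared root) and `ca-cert.pem`
# (this cluster's intermediate). The operator's real names may differ.
set -eu

# Read one key of the cacerts secret from a context into a file.
# The key is passed jsonpath-escaped, e.g. 'root-cert\.pem'.
fetch_pem() {  # fetch_pem <context> <escaped-key> <outfile>
    kubectl --context "$1" -n istio-system get secret cacerts \
        -o "jsonpath={.data.$2}" | base64 -d > "$3"
}

# SHA-256 fingerprint of a PEM certificate; used as the root's identity.
cert_fingerprint() {  # cert_fingerprint <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if <intermediate.pem> was issued by (chains to) <root.pem>.
verify_chain() {  # verify_chain <root.pem> <intermediate.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Compare every member cluster against the management cluster's root CA.
# Prints one line per member and returns non-zero if any check fails.
audit_mesh() {  # audit_mesh <mgmt-context> <member-context>...
    mgmt=$1; shift
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    fetch_pem "$mgmt" 'root-cert\.pem' "$tmp/root.pem"
    want=$(cert_fingerprint "$tmp/root.pem")
    rc=0; i=0
    for ctx in "$@"; do
        i=$((i + 1))
        fetch_pem "$ctx" 'root-cert\.pem' "$tmp/$i-root.pem"
        fetch_pem "$ctx" 'ca-cert\.pem'   "$tmp/$i-ca.pem"
        if [ "$(cert_fingerprint "$tmp/$i-root.pem")" != "$want" ]; then
            echo "FAIL $ctx: root CA differs from the management root"; rc=1
        elif ! verify_chain "$tmp/root.pem" "$tmp/$i-ca.pem"; then
            echo "FAIL $ctx: intermediate CA does not chain to the root"; rc=1
        else
            echo "OK   $ctx: intermediate chains to shared root $want"
        fi
    done
    return $rc
}

# Usage: sh audit-mesh.sh <mgmt-context> <member-context>...
[ "$#" -ge 2 ] && audit_mesh "$@"
```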
k0rdent Istio consists of two Helm charts that together enable automatic mesh creation and management:
- k0rdent-istio-base — provides the foundational templates for the multi-cluster system and should be installed only on a management cluster.
- k0rdent-istio — deploys the full Istio system and manages mesh connectivity. It can be installed on both management and remote clusters and is automatically applied by the MultiClusterService to any cluster labeled `k0rdent.mirantis.com/istio-role: member`.
- Follow the Conventional Commits specification