OpenShift Service Mesh (Istio)


Deployed projects designed and implemented with IBM Industry Solutions Workbench now support OpenShift Service Mesh (Istio). Istio makes it easy to create a network of deployed services with load balancing, service-to-service authentication, monitoring, and more, with few or no code changes in service code. Having Istio enabled the services can communicate secured by mutualTLS.


  • OpenShift Service Mesh (version 2.0.2 and above)

Enable OpenShift Service Mesh

The enablement of OpenShift Service Mesh can be set during the creation of a k5-project. The variation in setting up additional steps are described below.

  1. Create an OpenShift project (see Creating new Deployment Targets)

  2. Assign Permissions

  3. Create service mesh member roll for the new k5-project

    • Switch to istio-system project: Home > Projects > istio-system
    • Navigate to: Operators > Installed Operators > Red Hat OpenShift Service Mesh > Istio Service Mesh Member Roll
    • Replace your-project with the created OpenShift project/s as described below
    kind: ServiceMeshMemberRoll
        name: default
        namespace: openshift-operators
        members: - your-project - another-of-your-projects
  4. Create an instance of the custom resource k5-project

         enabled: true
         strictMtls: true

While creating a new k5-project using CRD, enable Istio (required) and strictMtls (optional). But we recommend enabling strictMtls mode for security reasons.

Update certificates for Istio Service Mesh

You can either update the certificates manually or use the Cert Manager. See descriptions below.

Using manual way

You need to have certificates for Istio. then using below the command you can apply those certificates:

oc create secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt -n istio-system

Make sure the instance of Istio Service Mesh Control Plane is created and to update your certificates whenever they expire. Don't use certificates of OpenShift Ingress for Istio and use domain specific secrets instead of wildcard certificates.


Make sure to update the certificates once they expire.

Using Cert Manager


Cert Manager should be installed and configured

  1. Login to OpenShift Admin Console
  2. Navigate to: Administration > Custom Resource Definitions
  3. Search and select Certificate CRD
  4. Navigate to: Instances
  5. Click on Create Certificate
  6. Use following sample as template and save CRD

Sample Certificate CRD instance

kind: Certificate
name: <Some-Name>
namespace: istio-system
- <k5-project-name>.<your suffix URL>
    kind: ClusterIssuer
    name: letsencrypt-clusterissuer-prod
    secretName: istio-ingressgateway-certs


  1. Select istio-system project
  2. Navigate to: Workloads > Secrets
  3. Search and select the secret istio-ingressgateway-certs
  4. Check for tls.crt and tls.key

If there are certificates not reflecting the update, then delete istio-ingressgateway-<suffix> from istio-system namespace