I’m working on a project which requires a CockroachDB instance in multiple namespaces (prod/uat/dev), in an Isio-enabled Kubernetes cluster.
This is a companion discussion topic for the original entry at https://www.funkypenguin.co.nz/blog/istio-namespace-isolation-tricks/
Funny you should ask - just today, I’ve finished working through upgrading the platform from Istio 1.4.3 to 1.6…
- I don’t know. Istio is the king of the castle though, so for this project, we’re going with the top dog.
- It’s a PITA - we reverted back to PostgreSQL using Spilo, with the Zalando Postgres operator. I can’t remember exactly why cockroach didn’t fit, but IIRC it was to do with HA limitations.
- That’d depend on the enterprise, I guess. I’ve read about 1000-node clusters running many production workloads, and under those conditions it’s necessary to isolate traffic between namespaces. So I’d say yes, even if all your prod traffic is on a prod cluster, namespace isolation is important
- The apps consuming PostgreSQL (what was once CockroachDB) are all within the cluster, so developer access is not an issue in this case