I have got parca up and running in agent and server mode on my K8s cluster. We use Istio as a service mesh, which presents a set of unique challenges. The biggest challenge I found so far is setting the correct appProtocol for the parca port.
We basically need to do three things with one port:
- receive gRPC traffic (appProtocol: grpc)
- allow metrics scraping (appProtocol: http)
- allow ingress access (appProtocol: http)
I have not (yet) found a configuration that works for all three use cases! E.g. I can get the agents to ship data via gRPC, but the Prometheus scraper is blocked, or I can scrape metrics, but the agents start to be unable to ship data. There are ways to overcome this, by e.g. excluding the agents from the service mesh and configuring a PeerAuthentication policy, but this is technically not compliant for our productive workloads (where mTLS must be enabled for all workloads).
Therefore, while I recognize the efficiency of using one port for everything, I request a new feature where we could optionally enable a separate port for HTTP metrics scraping and the UI, and a separate port for the gRPC traffic from the agent.
I'll also accept anyone who works out how to configure Istio to play nicely with just the one port :)
Cheers!