Istio Support Added to Dgraph

I merged the Istio pod label PR into the Dgraph Helm chart. The PR looked pretty solid; thank you for the contribution.

I wanted to drop some general notes on security with Dgraph, specifically regarding Ratel (or any other application that should not have access to Dgraph):

As a security best practice, the Ratel server should NEVER have access to the Dgraph namespace, and should be installed in a separate namespace, e.g. ratel, which does not have direct access to the Dgraph Alpha pods.

The reason is that Ratel is a small web server whose only purpose is to host the client React SPA (Single Page Application), which runs as a client-only app in the web browser; the requests to the Dgraph Alpha pods therefore come from the browser, through an endpoint exposed by an ingress or gateway, and the Ratel server itself never needs a network path to Alpha.

There are some methods that can be used to segregate Ratel (and other applications) and keep the list of applications that can access Dgraph Alpha limited. These are not specific to Istio; they apply to any service mesh:

  • Kubernetes Network Policies, enforced by a CNI such as Calico, to restrict access at the network layer.
  • SMI Spec CRDs to restrict access for services on the mesh. Note that only HTTP (not gRPC) is supported with the current version of the spec. I am confident that Istio, at least, has richer support through its own CRDs.
  • Ratel (and other applications) can be denied access if they are outside of the mesh and the mesh is in strict mode, requiring strict mTLS. Note that this method may be a problem if the ingress is integrated into the mesh; you would need a separate ingress that is not part of the mesh for non-mesh ingress traffic.
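The following manifests are an added example of the first and third methods above (a Network Policy plus Istio strict mTLS and an authorization rule); they are not part of the Dgraph Helm chart or of the Istio PR. They assume Dgraph is deployed in a namespace named dgraph, that Alpha pods carry the labels app=dgraph and component=alpha (the other Dgraph pods carry app=dgraph), that the Istio ingress gateway runs in istio-system with the label istio=ingressgateway and the service account istio-ingressgateway-service-account, and that Alpha listens on 7080 (internal gRPC), 8080 (HTTP) and 9080 (gRPC). Adjust the names, labels and ports to match your release.

```yaml
# Added example, not code from the Dgraph Helm chart or the Istio PR.
# Assumed names (change to match your deployment): namespace "dgraph",
# Alpha labels app=dgraph,component=alpha, all Dgraph pods labelled app=dgraph,
# Istio ingress gateway in "istio-system" with label istio=ingressgateway and
# service account "istio-ingressgateway-service-account". Alpha ports:
# 7080 internal gRPC, 8080 HTTP, 9080 gRPC.

# 1. Kubernetes NetworkPolicy: only other Dgraph pods and the ingress gateway
#    may reach Alpha. A Ratel pod in the "ratel" namespace matches no rule and
#    its packets are dropped by the CNI. This needs a CNI that enforces
#    NetworkPolicy (Calico, Cilium, ...); otherwise the object is accepted by
#    the API server but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dgraph-alpha-ingress
  namespace: dgraph
spec:
  podSelector:
    matchLabels:
      app: dgraph
      component: alpha
  policyTypes:
    - Ingress
  ingress:
    # Cluster-internal Dgraph traffic (Zero -> Alpha, Alpha <-> Alpha).
    - from:
        - podSelector:
            matchLabels:
              app: dgraph
      ports:
        - protocol: TCP
          port: 7080
    # Client traffic only from the mesh ingress gateway. namespaceSelector and
    # podSelector inside one "from" entry are ANDed. The
    # kubernetes.io/metadata.name label is set automatically on namespaces
    # since Kubernetes 1.21; on older clusters label the namespace yourself.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
          podSelector:
            matchLabels:
              istio: ingressgateway
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 9080
# Caveat: liveness/readiness probes originate from the kubelet on the node,
# not from a pod. Confirm your CNI still lets them through before rolling
# this out, or Alpha pods will flap.
---
# 2. Istio: require mTLS for every workload in the dgraph namespace. Plain-text
#    connections from pods outside the mesh (a Ratel server without a sidecar)
#    are refused by the Alpha sidecar. Scoped to the namespace rather than
#    mesh-wide so other namespaces and their ingress traffic are unaffected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: dgraph
spec:
  mtls:
    mode: STRICT
---
# 3. Istio: even inside the mesh, only the ingress gateway's identity and the
#    Dgraph workloads themselves may talk to Alpha. Once an ALLOW policy
#    selects a workload, anything it does not match is denied, so a
#    sidecar-injected Ratel pod with a different service account receives
#    "RBAC: access denied".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: dgraph-alpha-allow
  namespace: dgraph
spec:
  selector:
    matchLabels:
      app: dgraph
      component: alpha
  action: ALLOW
  rules:
    # Browser traffic arriving via the ingress gateway, client ports only.
    - from:
        - source:
            principals:
              - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      to:
        - operation:
            ports: ["8080", "9080"]
    # Zero/Alpha internal traffic from inside the dgraph namespace.
    - from:
        - source:
            namespaces: ["dgraph"]
      to:
        - operation:
            ports: ["7080"]
```

Apply with `kubectl apply -f` and then check both directions: a `curl` against the Alpha service's /health endpoint from a pod in the ratel namespace should time out (NetworkPolicy) or be refused (mTLS / "RBAC: access denied"), while the same request through the ingress gateway hostname still succeeds. The NetworkPolicy and the Istio policies are independent layers; keep both, since the Network Policy also covers pods that were never injected into the mesh, which the Istio rules cannot see.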