Istio API¶

The Istio API provides endpoints for detecting Istio installation, reading service mesh resources (VirtualServices, PeerAuthentications, AuthorizationPolicies), applying traffic weight changes, and fetching Istio telemetry metrics from Prometheus.

Base Path¶

/api/v1/istio

Prerequisites¶

• KUBECONFIG_PATH must point to a valid kubeconfig with permissions to read Istio CRDs (networking.istio.io, security.istio.io)
• For metrics endpoints: PROMETHEUS_URL must be set to a Prometheus instance scraping Istio telemetry
• All endpoints require JWT authentication

Endpoints¶

Check Istio Status¶

GET /api/v1/istio/status
Authorization: Bearer <token>

Query Parameters¶

Response (200)¶

{ "istioEnabled": true }

List VirtualServices¶

GET /api/v1/istio/virtual-services?namespace=default
Authorization: Bearer <token>

Query Parameters¶

Response (200)¶

[
  {
    "name": "payment-service",
    "namespace": "payments",
    "hosts": ["payment-service"],
    "http": [
      {
        "route": [
          { "destination": { "host": "payment-service", "subset": "stable" }, "weight": 90 },
          { "destination": { "host": "payment-service", "subset": "canary" }, "weight": 10 }
        ]
      }
    ]
  }
]

Get VirtualService¶

GET /api/v1/istio/virtual-services/:namespace/:name
Authorization: Bearer <token>

Path Parameters¶

Query Parameters¶

Response (200)¶

Returns a single IstioVirtualService object (same shape as list items above).

Patch Traffic Weights¶

Requires admin role.

PATCH /api/v1/istio/virtual-services/:namespace/:name/weights
Authorization: Bearer <token>
Content-Type: application/json

Path Parameters¶

Request Body¶

{
  "weights": [
    { "destination": "stable", "weight": 80 },
    { "destination": "canary", "weight": 20 }
  ],
  "kubeconfig": "<optional base64 kubeconfig>"
}

Weights must be whole numbers between 0–100 and must sum to 100.

Response (200)¶

Returns the updated IstioVirtualService object.

List PeerAuthentications¶

GET /api/v1/istio/peer-authentications?namespace=default
Authorization: Bearer <token>

Query Parameters¶

Response (200)¶

[
  {
    "name": "default",
    "namespace": "payments",
    "mtlsMode": "STRICT",
    "createdAt": "2025-01-15T10:00:00Z"
  }
]

mtlsMode values: STRICT, PERMISSIVE, DISABLE, UNSET.

List AuthorizationPolicies¶

GET /api/v1/istio/authorization-policies?namespace=default
Authorization: Bearer <token>

Query Parameters¶

Response (200)¶

[
  {
    "name": "allow-frontend",
    "namespace": "payments",
    "action": "ALLOW",
    "rules": [
      {
        "from": [{ "source": { "principals": ["cluster.local/ns/frontend/sa/frontend"] } }]
      }
    ],
    "createdAt": "2025-01-15T10:00:00Z"
  }
]

Traffic Metrics¶

All metrics endpoints share the same query parameters:

Requests Per Second¶

GET /api/v1/istio/metrics/rps?service=payment-service&namespace=payments
Authorization: Bearer <token>

Error Rate¶

GET /api/v1/istio/metrics/error-rate?service=payment-service&namespace=payments
Authorization: Bearer <token>

P99 Latency¶

GET /api/v1/istio/metrics/latency?service=payment-service&namespace=payments
Authorization: Bearer <token>

Metrics Response (200)¶

All three endpoints return the same shape:

{
  "metric": "rps",
  "service": "payment-service",
  "namespace": "payments",
  "timeseries": [
    { "timestamp": 1700000000, "value": 12.4 },
    { "timestamp": 1700000060, "value": 13.1 }
  ]
}

Service Topology¶

GET /api/v1/istio/topology?namespace=payments
Authorization: Bearer <token>

Returns the service dependency graph derived from Istio VirtualService routes.

Query Parameters¶

Response (200)¶

[
  { "source": "frontend", "destination": "payment-service", "weight": 100 },
  { "source": "payment-service", "destination": "database", "weight": 100 }
]

Error Responses¶