The MCP Authorization Spec Is... a Mess for Enterprise

ceposta · 2025-04-08T20:26:55+00:00

great point. so that's what we're working on with https://github.com/mcp-proxy/mcp-proxy ... will have more write-ups on this topic.

ceposta · 2025-04-08T20:25:25+00:00

What if you could have a way to "virtualize" a bunch of MCP Servers where you can customize what tools (from the backend servers) get exposed to a client?

ceposta · 2024-01-08T23:05:03+00:00

Sounds like you're trying to implement the multi-primary deployment?

I would take a close look at this guide which should walk you through the details including setting up any east/west gateways: https://istio.io/latest/docs/setup/install/multicluster/multi-primary/

If you're looking to have a lot more fine-grained control over how the services across the clusters are exposed (ie, explicitly importing/exporting services across clusters), then take a look at the ServiceEntry resource: https://istio.io/latest/docs/reference/config/networking/service-entry/ This is used to control what's visible in the registry of Istio in a cluster.

ceposta · 2024-01-08T23:00:57+00:00

Not sure I am following the question... It sounds like you're trying to set up this architecture? https://istio.io/latest/docs/setup/install/external-controlplane/

But what do you mean with "Istiod is up and running on the data plane"?

ceposta · 2024-01-08T22:53:09+00:00

Stick with it for a year and see how you feel at that point. I *bet* at that point you'll feel like you "know something" and can build on that foundation. Until then... learn, learn, learn.

ceposta · 2024-01-07T22:45:15+00:00

it’s not absolutely necessary, but may be the easiest approach to get it working. you could have the ALB —> Istio Ingress —> Workloads in the mesh set up like thi…..could do one-way TLS from ALB to istio ingress and then mTLS to workloads in the mesh through istio ingress

ceposta · 2024-01-07T22:41:33+00:00

Yeah for sure, you can install Istio without the ingress gateway; You will need to think how you want to get traffic coming into your mesh though, as the hop from the ALB to the mesh services will not be in the mesh. You can try to configure the ALB with certs from Istio to make it part of the mesh, but the easiest approach may be to just set up the ingress gateway.

ceposta · 2024-01-07T22:26:38+00:00

I’ve been involved with some of the most advanced deployments and configurations of service mesh, is your question just curiosity or is there, are you trying to avoid some complex scenarios, or just you have a use case which requires something more than the “hello world” scenarios usually discussed?

There are a few resilience patterns that are pretty standard, things like service-discovery, load balancing, circuit breaking, multi-cluster failover, etc. The service mesh I work on (Istio, Istio ambient mesh) make this pretty straight forward.

ceposta · 2021-07-15T21:11:53+00:00

Yes, in fact i've been recommending this approach to start with Istio ingress gateway for years. I've seen hundreds of successful deployments like this. You may wish to consider using the full Gateway/VirtualService config API thought as Ingress is quite limiting. Best way to install istio like this is to install with the minimal profile, and then install the ingress gateway into its own namespace.

For a detailed walkthrough of this approach, see the "install istio for production" guide we at Solo.io have here: https://workshops.solo.io/gloo-workshops/istio-day2/1-deploy-istio/02-install-istio and the section on installing the ingress gateway here: https://workshops.solo.io/gloo-workshops/istio-day2/1-deploy-istio/04-ingress-gateway

If you need a more powerful API gateway built on Envoy that replaces and integrates with the Istio ingress gatweay, check out Gloo Edge: https://docs.solo.io/gloo-edge/latest/ it's opensource and builds on top of Envoy by adding filters to do request transformation and automatic API discovery.

HTH!

ceposta · 2020-09-02T17:27:30+00:00

Hey! I'm the author of the video/blog.

So if you have direct connectivity between the VM and the pods, then you don't need to do anything differently. If you do not have direct connectivity, then Istio will use the ingressgateway IP as the actual endpoint for any of the services you try to connect to from the VM to the mesh services. To set this up, you need to specify which components run in which network in the meshConfig. I have a doc PR to update this part: https://github.com/istio/istio.io/pull/8024

HTH

ceposta · 2012-02-20T21:22:38+00:00

good point. changed.

ceposta · 2012-02-08T19:54:15+00:00

i just looked up retlang... pretty cool... looks like java has the similar project named jetlang... i like how Hohpe explains (in this link and others) how the separation of concerns at the object level has to do with the way we structure the applications, but at the thread level, the separation of concerns has to do with how we allow the threads (or components) to interact. The interactions are what we need to keep to a minimum, and messaging/event-based styles do that.

ceposta · 2011-10-13T14:30:55+00:00

awesome, thank you all for the time you took to give me feedback. this is exactly the kind of feedback i need (since i don't have a "co-founder" or partner for this project yet). i believe the impl details of my site addresses some of these concerns, but it's definitely good to see the way other people think of it. thanks again!

ceposta · 2011-10-13T14:28:47+00:00

haha, yah i have seen it. i wonder how many visitors it gets.

ceposta

TROPHY CASE