feat: Add Istio profile for E2E testing framework

Implements a new Istio profile to test Semantic Router integration with
Istio service mesh, addressing issue #656.

## Changes

### Istio Profile Implementation (e2e/profiles/istio/profile.go)
- Implements Profile interface for Istio integration
- 5-stage deployment:
  1. Install Istio control plane via Helm (base, istiod, gateway)
  2. Configure namespace with istio-injection label
  3. Deploy Semantic Router with automatic sidecar injection
  4. Create Istio Gateway, VirtualService, and DestinationRule
  5. Verify environment (istiod, gateway, sidecar, service health)
- Helm-based installation (no istioctl required)
- Configurable Istio version via ISTIO_VERSION env var (default: 1.28.0)
- Comprehensive error handling and partial cleanup on failure

### Test Cases (e2e/testcases/istio_*.go)
- istio-sidecar-health-check: Verify Envoy sidecar injection and health
- istio-traffic-routing: Test routing through Istio ingress gateway
- istio-mtls-verification: Verify ISTIO_MUTUAL TLS configuration
- istio-tracing-observability: Check metrics and tracing headers

### Helper Function Refactoring (e2e/pkg/helpers/kubernetes.go)
- Created GetServiceByLabelInNamespace() for generic service lookup
- Maintained GetEnvoyServiceName() as backward-compatible wrapper
- Zero changes required to existing profiles (ai-gateway, aibrix, dynamic-config)

### CI Integration (.github/workflows/integration-test-k8s.yml)
- Added 'istio' to test matrix (runs in parallel with ai-gateway, aibrix)
- No additional dependencies required (Helm-based installation)

### Documentation (e2e/README.md)
- Added Istio profile section with prerequisites, setup steps, and usage
- Documented Helm-based installation approach
- Included troubleshooting guidance

## Design Decisions

**Helm vs istioctl:**
- Chose Helm-based installation for consistency with ai-gateway/aibrix profiles
- No CI dependencies required (istioctl not needed)
- Uses official Istio Helm charts from istio-release.storage.googleapis.com

**LoadBalancer Wait Flag:**
- Disabled Helm --wait for gateway to avoid LoadBalancer timeout in Kind
- Explicit deployment verification via waitForDeployment() instead

**Test Scope:**
- Focused on Istio-specific functionality (sidecar, gateway, mTLS, observability)
- Signal-decision tests intentionally excluded (can be added in follow-up PR)

## Testing

- ✅ Code compiles successfully
- ✅ Helm chart URLs verified accessible (base, istiod, gateway)
- ✅ Istio control plane deploys and runs successfully
- ✅ Sidecar injection and pod health verified
- ✅ Backward compatibility maintained for existing profiles

Resolves #656

Signed-off-by: Asaad Balum <[email protected]>

Author: asaadbalum

.github/workflows/integration-test-k8s.yml

@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false  # Continue testing other profiles even if one fails
       matrix:
-        profile: [ai-gateway, aibrix]
+        profile: [ai-gateway, aibrix, istio]
 
     steps:
       - name: Check out the repo

e2e/README.md

@@ -14,7 +14,7 @@ The framework follows a **separation of concerns** design:
 
 - **ai-gateway**: Tests Semantic Router with Envoy AI Gateway integration
 - **aibrix**: Tests Semantic Router with vLLM AIBrix integration
-- **istio**: Tests Semantic Router with Istio Gateway (future)
+- **istio**: Tests Semantic Router with Istio service mesh integration
 - **production-stack**: Tests vLLM Production Stack configurations (future)
 - **llm-d**: Tests with LLM-D (future)
 - **dynamo**: Tests with Nvidia Dynamo (future)
@@ -517,3 +517,136 @@ func (p *Profile) GetServiceConfig() framework.ServiceConfig {
 ```
 
 See `profiles/ai-gateway/` for a complete example.
+
+## Profile Details
+
+### Istio Profile
+
+The Istio profile tests Semantic Router deployment and functionality in an Istio service mesh environment.
+
+**What it Tests:**
+
+- Istio sidecar injection and health
+- Traffic routing through Istio ingress gateway
+- Mutual TLS (mTLS) between services
+- Distributed tracing and observability
+
+**Prerequisites:**
+
+- Docker and Kind (managed by E2E framework)
+- Helm (for installing Istio components)
+
+**Components Deployed:**
+
+1. **Istio Control Plane** (`istio-system` namespace):
+   - `istiod` - Istio control plane
+   - `istio-ingressgateway` - Ingress gateway for external traffic
+
+2. **Semantic Router** (`semantic-router` namespace):
+   - Deployed via Helm with Istio sidecar injection enabled
+   - Namespace labeled with `istio-injection=enabled`
+
+3. **Istio Resources**:
+   - `Gateway` - Configures ingress gateway on port 80
+   - `VirtualService` - Routes traffic to Semantic Router service
+   - `DestinationRule` - Enables mTLS with `ISTIO_MUTUAL` mode
+
+**Test Cases:**
+
+| Test Case | Description | What it Validates |
+|-----------|-------------|-------------------|
+| `istio-sidecar-health-check` | Verify Envoy sidecar injection | - Istio-proxy container exists<br>- Sidecar is healthy and ready<br>- Namespace has `istio-injection=enabled` label |
+| `istio-traffic-routing` | Test routing through Istio gateway | - Gateway and VirtualService exist<br>- Requests route correctly to Semantic Router<br>- Istio/Envoy headers present in responses |
+| `istio-mtls-verification` | Verify mutual TLS configuration | - DestinationRule has `ISTIO_MUTUAL` mode<br>- mTLS certificates present in istio-proxy<br>- PeerAuthentication policy (if configured) |
+| `istio-tracing-observability` | Check distributed tracing and metrics | - Trace headers propagated<br>- Envoy metrics exposed<br>- Telemetry configuration<br>- Access logs enabled |
+
+**Usage:**
+
+```bash
+# Run all Istio tests
+make e2e-test E2E_PROFILE=istio
+
+# Run specific Istio tests
+make e2e-test-specific E2E_PROFILE=istio E2E_TESTS="istio-sidecar-health-check,istio-mtls-verification"
+
+# Run with verbose output
+./bin/e2e -profile istio -verbose
+
+# Keep cluster for debugging
+make e2e-test E2E_PROFILE=istio E2E_KEEP_CLUSTER=true
+```
+
+**Architecture:**
+
+```
+┌─────────────────────────────────────────┐
+│         Istio Ingress Gateway            │
+│      (istio-system namespace)            │
+│   Port 80 → semantic-router service      │
+└────────────┬────────────────────────────┘
+             │
+             ▼
+┌─────────────────────────────────────────┐
+│    Semantic Router Pod                   │
+│  (semantic-router namespace)             │
+│  ┌─────────────┐  ┌──────────────────┐  │
+│  │   Main      │  │  Istio-Proxy     │  │
+│  │ Container   │◄─┤  (Envoy Sidecar) │  │
+│  │             │  │                  │  │
+│  │  :8801      │  │  mTLS, Tracing   │  │
+│  └─────────────┘  └──────────────────┘  │
+└─────────────────────────────────────────┘
+             │
+             ▼
+┌─────────────────────────────────────────┐
+│         Istiod (Control Plane)           │
+│  - Config distribution                   │
+│  - Certificate management (mTLS)         │
+│  - Sidecar injection                     │
+└─────────────────────────────────────────┘
+```
+
+**Key Features Tested:**
+
+- ✅ **Automatic Sidecar Injection**: Istio automatically injects Envoy proxy sidecars into pods
+- ✅ **Traffic Management**: Requests route through Istio Gateway → VirtualService → Semantic Router
+- ✅ **Security (mTLS)**: Automatic mutual TLS encryption and authentication between services
+- ✅ **Observability**: Distributed tracing, metrics collection, and access logs
+- ✅ **Service Mesh Integration**: Semantic Router operates correctly within Istio mesh
+
+**Setup Steps (Automated by Profile):**
+
+1. Install Istio control plane using Helm (base, istiod, ingress gateway)
+2. Create namespace with `istio-injection=enabled` label
+3. Deploy Semantic Router via Helm (sidecar auto-injected)
+4. Create Istio Gateway and VirtualService for traffic routing
+5. Create DestinationRule for mTLS configuration
+6. Verify all components are ready
+
+**Troubleshooting:**
+
+If tests fail, check:
+
+```bash
+# Check Istio installation
+kubectl get pods -n istio-system
+
+# Check sidecar injection
+kubectl get pods -n semantic-router -o jsonpath='{.items[*].spec.containers[*].name}'
+
+# Check Istio resources
+kubectl get gateway,virtualservice,destinationrule -n semantic-router
+
+# Check mTLS configuration
+kubectl get destinationrule semantic-router -n semantic-router -o yaml
+
+# View Istio proxy logs
+kubectl logs -n semantic-router <pod-name> -c istio-proxy
+```
+
+**Related Resources:**
+
+- [Istio Documentation](https://istio.io/latest/docs/)
+- [Istio Traffic Management](https://istio.io/latest/docs/concepts/traffic-management/)
+- [Istio Security (mTLS)](https://istio.io/latest/docs/concepts/security/)
+- [Istio Observability](https://istio.io/latest/docs/concepts/observability/)

e2e/cmd/e2e/main.go

@@ -12,10 +12,12 @@ import (
 	aigateway "github.com/vllm-project/semantic-router/e2e/profiles/ai-gateway"
 	aibrix "github.com/vllm-project/semantic-router/e2e/profiles/aibrix"
 	dynamicconfig "github.com/vllm-project/semantic-router/e2e/profiles/dynamic-config"
+	istio "github.com/vllm-project/semantic-router/e2e/profiles/istio"
 
 	// Import profiles to register test cases
 	_ "github.com/vllm-project/semantic-router/e2e/profiles/ai-gateway"
 	_ "github.com/vllm-project/semantic-router/e2e/profiles/aibrix"
+	_ "github.com/vllm-project/semantic-router/e2e/profiles/istio"
 )
 
 const version = "v1.0.0"
@@ -103,9 +105,8 @@ func getProfile(name string) (framework.Profile, error) {
 		return dynamicconfig.NewProfile(), nil
 	case "aibrix":
 		return aibrix.NewProfile(), nil
-	// Add more profiles here as they are implemented
-	// case "istio":
-	//     return istio.NewProfile(), nil
+	case "istio":
+		return istio.NewProfile(), nil
 	default:
 		return nil, fmt.Errorf("unknown profile: %s", name)
 	}

e2e/pkg/helpers/kubernetes.go

@@ -38,22 +38,28 @@ func CheckDeployment(ctx context.Context, client *kubernetes.Clientset, namespac
 
 // GetEnvoyServiceName finds the Envoy service name in the envoy-gateway-system namespace
 // using label selectors to match the Gateway-owned service
+// Deprecated: Use GetServiceByLabelInNamespace for more flexibility
 func GetEnvoyServiceName(ctx context.Context, client *kubernetes.Clientset, labelSelector string, verbose bool) (string, error) {
-	services, err := client.CoreV1().Services("envoy-gateway-system").List(ctx, metav1.ListOptions{
+	return GetServiceByLabelInNamespace(ctx, client, "envoy-gateway-system", labelSelector, verbose)
+}
+
+// GetServiceByLabelInNamespace finds a service by label selector in a specific namespace
+func GetServiceByLabelInNamespace(ctx context.Context, client *kubernetes.Clientset, namespace string, labelSelector string, verbose bool) (string, error) {
+	services, err := client.CoreV1().Services(namespace).List(ctx, metav1.ListOptions{
 		LabelSelector: labelSelector,
 	})
 	if err != nil {
 		return "", fmt.Errorf("failed to list services with selector %s: %w", labelSelector, err)
 	}
 
 	if len(services.Items) == 0 {
-		return "", fmt.Errorf("no service found with selector %s in envoy-gateway-system namespace", labelSelector)
+		return "", fmt.Errorf("no service found with selector %s in %s namespace", labelSelector, namespace)
 	}
 
 	// Return the first matching service (should only be one)
 	serviceName := services.Items[0].Name
 	if verbose {
-		fmt.Printf("[Helper] Found Envoy service: %s (matched by labels: %s)\n", serviceName, labelSelector)
+		fmt.Printf("[Helper] Found service: %s (matched by labels: %s in namespace: %s)\n", serviceName, labelSelector, namespace)
 	}
 
 	return serviceName, nil