Linkerd2: Implement mTLS for TCP

Created on 7 Aug 2019  ·  10 Comments  ·  Source: linkerd/linkerd2

Feature Request

Implement mTLS for TCP traffic

What problem are you trying to solve?

Per the docs:

Non-HTTP traffic is not currently automatically TLS’d. This will be addressed in a future Linkerd release.

That's a major bummer, since I'd like to use this to meet encryption requirements for inside our k8s cluster.

How should the problem be solved?

Implement mTLS for TCP connections. This should work the same way as it would if I set up a tunnel: intercept dest:port, encrypt traffic and send to linkerd:dest:port, then linkerd:dest decrypts it and sends it to dest:port. Same for anything coming back across. Real-world analog is a VPN, where no matter what kind of traffic is sent, everything gets wrapped for transport. You'd get the same metrics as you would have with regular non-TLS TCP, so there shouldn't be extra functionality required.

Any alternatives you've considered?

Right now I have to implement TLS wrapping for anything that isn't HTTP, so stunnel or similar. I could also use a CNI that supports encryption, but that seems like a waste if I'm already using a service mesh for visibility.

How would users interact with this feature?

Ideally you wouldn't interact with this - everything would Just Work™️ only with encryption instead of without it.
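The tunnel the request describes (wrap the raw TCP stream in mTLS on the way out, verify and unwrap it on the way in) as an added Go example; this is not code from the issue or from Linkerd itself. Both sides present and verify certificates, the payload stays opaque bytes, and the identities dest.default.svc and client.default.svc plus the in-memory self-signed certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

// selfSigned mints an in-memory leaf cert for one workload identity (constructed for this demo;
// in a mesh the identity service would issue these from a shared trust root).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool(); pool.AddCert(leaf) // the peer trusts exactly this identity
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// TunnelEcho pushes an opaque TCP payload through one mTLS hop: the inbound side requires and
// verifies the client cert before handing plaintext to dest (an echo here), the outbound side
// verifies the server identity. It returns the bytes the client read back.
func TunnelEcho(payload []byte) ([]byte, error) {
	srvCert, srvPool := selfSigned("dest.default.svc")
	cliCert, cliPool := selfSigned("client.default.svc")
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srvCert}, ClientCAs: cliPool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // unauthenticated peers fail the handshake
	})
	if err != nil { return nil, err }
	defer ln.Close()
	go func() { // stand-in for dest:port behind the inbound proxy: protocol-agnostic echo
		if c, err := ln.Accept(); err == nil { io.Copy(c, c); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{cliCert}, RootCAs: srvPool, ServerName: "dest.default.svc",
	})
	if err != nil { return nil, err }
	defer conn.Close()
	if _, err := conn.Write(payload); err != nil { return nil, err }
	conn.CloseWrite() // half-close so the echo side sees EOF and finishes
	return io.ReadAll(conn)
}
```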

pinned priority/P0

All 10 comments

This is also useful for several p2p headless services use cases that talk directly to peer pods for quorum (zookeeper, cassandra) or stateful workloads (services talking to thrift based services).

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

Need a label like #evergreen to keep these open.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

priority/P0 should trump stale, but @olix0r are y'all ever gonna do this?

@007 I agree it should.. I think #pinned should work... Parts of this work have completed. I'm working on an RFC to scope the rest of the work that needs to be completed. Expect progress on this soon.

Ohhh, same exact need for me. I should have read the doc entirely before making the design, but I thought it was possible out of the box.
Looks like it's already being worked on which is really awesome!! ❤️

@007 you mentioned you were able to solve it using stunnel. Could you say more about the implementation? I was thinking I could use envoy for any tcp connection. I want it to be transparent as much as possible. But I'm really not sure how to implement transparent pod to service.

You can look at the rfc as well.

This has landed on main and will be included in the upcoming edge release.

Holy cow, that's amazing! Thanks for the heads up.

On Thu, Sep 10, 2020, 7:15 PM Oliver Gould notifications@github.com wrote:

Closed #3207 https://github.com/linkerd/linkerd2/issues/3207.
