End to end TLS from Load Balancer to the PODs

Hello,
I am new to LinkerD and testing it out in our app to see if it can help us do end to end TLS without modifying our services.
This is how our setup looks like at present:

                            |-> Service A -> [PODS for Service A]
INTERNET --> ALB ( Ingress) |-> Service B -> [PODS for Service B]
                            |-> Service C -> [PODS for Service C]

Our pod are exposing a plain HTTP web server over port 80 and we do SSL termination at ALB level, so in effect, we have plain HTTP from ALB to the PODs.

Now our goal is to do end to end TLS from ALB to the POD, one option is to not do TLS termination at ALB and instead let each POD do the TLS termination.

I wanted to explore to see if there is an alternate solution using LinkerD which will help us achieve this without converting our services to handles TLS themselves.

Thanks,
B

Hi @bpat22!

Are you using Linkerd 1 or Linkerd 2?

For Linkerd 2, to get full end-to-end encryption, you’ll want to use a Kubernetes Ingress Controller that sends the appropriate headers for Linkerd and can be injected with the Linkerd proxy. Have a look at the ingress docs.

Thanks for your reply. We are using Linkerd 2.

So if I understand it correctly, what we want to achieve won’t be possible with our setup using AWS ALB Ingress Controller, as it doesn’t have any knobs to control headers and also I believe it can’t be injected with Linkerd proxy.

Found a relevant github issue on this topic here: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/1081

Thanks for your help.

@bpat22 thanks for sharing that github issue.

I don’t have any experience with the ALB Ingress Controller and a quick look at the docs confirms what you found about knobs for controlling headers. Given that it’s just a Deployment resource, you can inject it with the Linkerd proxy, but I suspect that it will just break.