Hooking into the mTLS certificates

At the moment the encryption between services happens opportunistically.

Now, let’s say we have Linkerd enabled with mTLS working all over, and we use our own CA, i.e. not one generated by Linkerd.

We have a service running somewhere (not K8s) which uses SSL authentication and the same CA; it has a valid cert, …

When my internal service connects with that external service I’m assuming it will not pass Linkerd, and it will not be proxied, as the target is not proxy-able.

Now, can we simplify these CA certificate deployments with Linkerd?

Or is this something we have to do ourselves next to having Linkerd doing the automatic proxy creation?

@El-Programador, thanks for your question.

When you ask about simplifying the certificate deployments, how exactly do you mean? One option you can consider is to use the Linkerd integration with cert-manager: https://linkerd.io/2/tasks/use_external_certs/

You can specify your CA as the root for cert-manager and Linkerd will issue certificates from that chain. For the request to the external service, Linkerd will proxy that request “as-is”. So, if the service logic initiates the request using TLS, then it should be sent with your specified connection settings.
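As an added illustration of the cert-manager route described in the answer above (this is example config written for this page, not taken from the linked Linkerd task or from either poster), the manifests below make cert-manager issue Linkerd's identity-issuer certificate from your own CA. The secret name `linkerd-trust-anchor`, the `linkerd` namespace and the common name `identity.linkerd.cluster.local` are assumptions here; check them against the Linkerd task page for the release you run.

```yaml
# Added example, not the project's own manifests. Assumes cert-manager is
# installed and that you have an intermediate CA (cert + key) signed by your
# organisational root. Only the intermediate's key goes into the cluster;
# the root's private key stays offline.
#
#   kubectl create ns linkerd
#   kubectl -n linkerd create secret tls linkerd-trust-anchor \
#       --cert=intermediate.crt --key=intermediate.key
#
# cert-manager Issuer that signs with that intermediate.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
# The certificate Linkerd's identity service uses to sign proxy certs.
# It must be a CA cert (isCA: true) with cert-sign usage, and it is rotated
# automatically by cert-manager well before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
    - cert sign
    - crl sign
    - server auth
    - client auth
#
# Then install Linkerd pointing at the externally managed issuer and at the
# trust chain (your root, or root + intermediate) that proxies should trust:
#
#   linkerd install \
#       --identity-trust-anchors-file ca-chain.crt \
#       --identity-external-issuer | kubectl apply -f -
```

Two things worth checking after applying this: `kubectl -n linkerd get certificate linkerd-identity-issuer` should report `Ready`, and the `ca-chain.crt` you pass at install time must contain every CA that proxy certificates chain up to, otherwise the proxies will refuse each other's certificates even though cert-manager is issuing them correctly. This only covers the in-mesh certificates; the non-Kubernetes service in the question still gets its cert from your CA by whatever process you already use.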

That is exactly the answer to my question! Thanks @cpretzer!

@El-Programador, glad that helped!

If you have more questions, you can always find us on Linkerd Slack. :grinning: