Routing calls transparently to Non TLS port

Let us assume our service is behind linkerd on plain text. The service is announced to service discovery system using plain text port. Now we want to upgrade this service to use TLS. We would like our clients to upgrade at their own pace.

Here are my questions

  1. I assume we can support both TLS and non TLS ports in linkerd
  2. Is there a way to detect the client request and depending on the request route it to non TLS port if the request is in plain text - may be by adding additional dtab that routes to non TLS port from TLS? If it is possible what would the configuration look like? Can you point me to any samples?

Good question! You can apply TLS settings per client by using the static client configs described here:

https://linkerd.io/config/1.1.3/linkerd/index.html#static-client-config

The static client config does prefix matching based on the client ID that’s produced through dtab resolution, so you could apply TLS for some prefixes and not others. The example configs in the linkerd repo have an example of per-client TLS configuration, here:

Thanks for your reply. If I understand the example correctly, I think it is applying the prefix matching for outgoing connections and always expecting “encrypted” messages for incoming (assuming that this is applied to Service linkerd in a Client->Service setup). What if I want to enable TLS based on the client - for example, client 1 and client 2 send requests to the service, and I want TLS to be enabled for client 1 while client 2 should work in plain text. In such a case, I want this config for incoming as well - can I use it like that?

Sorry if I have not understood your response correctly.

Ah, sorry for my confusion. I was confusing clients talking to linkerd with clients built by linkerd.

It should be no problem to have one router configured to accept both TLS and non-TLS requests. You would just need to configure the router to listen on multiple ports, and then have your TLS-enabled clients talk to one port, and your non-TLS-enabled clients talk to the other port. Something like this:

routers:
- protocol: http
  servers:
  - port: 8080
    ip: 0.0.0.0
  - port: 8081
    ip: 0.0.0.0
    tls:
      certPath: /foo/cert.pem
      keyPath: /foo/key.pem

Hope that helps!
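Two things from this thread are easy to get wrong when you actually write the config: which of the router's listening ports still accept plaintext during the migration, and which static-client entry a given dtab-resolved client ID will pick up. The Python below is an added example, not linkerd's own code or anything from the linkerd repo. It mirrors the two-server router from the reply above as a constructed Python dict (no YAML library needed), adds an assumed static client section of kind io.l5d.static with prefix/tls entries, and implements an audit of the servers plus a prefix matcher. The matching semantics (a `*` segment matches any one path segment, and the longest matching prefix wins) are this example's assumption, not a statement of linkerd's exact precedence rules, so check the linkerd docs before relying on them.

```python
"""Audit a linkerd 1.x-style router config: which listening ports terminate
TLS, which still accept plaintext, and which static client entry applies to a
client ID.  Added example; config shape beyond the thread's YAML is assumed."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed config: the two servers from the reply above, plus an assumed
# static client section so the prefix matching from the first reply can be shown.
ROUTER_CONFIG: Dict[str, Any] = {
    "routers": [
        {
            "protocol": "http",
            "servers": [
                {"port": 8080, "ip": "0.0.0.0"},                      # plaintext
                {"port": 8081, "ip": "0.0.0.0",                       # TLS
                 "tls": {"certPath": "/foo/cert.pem", "keyPath": "/foo/key.pem"}},
            ],
            "client": {
                "kind": "io.l5d.static",
                "configs": [
                    {"prefix": "/", "tls": None},                     # default: no TLS
                    {"prefix": "/#/io.l5d.fs/service-a",              # assumed client ID prefix
                     "tls": {"commonName": "service-a"}},
                ],
            },
        }
    ]
}


def server_tls_map(config: Dict[str, Any]) -> List[Tuple[str, int, bool]]:
    """Return (protocol, port, tls_enabled) for every server of every router.
    A server counts as TLS only if its tls block carries both certPath and keyPath."""
    out: List[Tuple[str, int, bool]] = []
    for router in config.get("routers", []):
        proto = router.get("protocol", "?")
        for server in router.get("servers", []):
            tls = server.get("tls") or {}
            enabled = bool(tls.get("certPath")) and bool(tls.get("keyPath"))
            out.append((proto, int(server["port"]), enabled))
    return out


def plaintext_ports(config: Dict[str, Any]) -> List[int]:
    """Ports that not-yet-upgraded clients will keep using; the list to shrink over time."""
    return [port for _, port, tls in server_tls_map(config) if not tls]


def incomplete_tls_servers(config: Dict[str, Any]) -> List[int]:
    """Ports that declare a tls block but lack certPath or keyPath."""
    bad: List[int] = []
    for router in config.get("routers", []):
        for server in router.get("servers", []):
            tls = server.get("tls")
            if tls is not None and not (tls.get("certPath") and tls.get("keyPath")):
                bad.append(int(server["port"]))
    return bad


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def prefix_matches(prefix: str, client_id: str) -> bool:
    """'/a/b' matches '/a/b' and '/a/b/c'; a '*' segment matches any one segment (assumed)."""
    p, c = _segments(prefix), _segments(client_id)
    if len(p) > len(c):
        return False
    return all(ps == "*" or ps == cs for ps, cs in zip(p, c))


def select_client_config(configs: List[Dict[str, Any]], client_id: str) -> Optional[Dict[str, Any]]:
    """Pick the entry whose prefix matches the client ID; longest prefix wins (assumed)."""
    best: Optional[Dict[str, Any]] = None
    best_len = -1
    for cfg in configs:
        prefix = cfg.get("prefix", "/")
        if prefix_matches(prefix, client_id) and len(_segments(prefix)) > best_len:
            best, best_len = cfg, len(_segments(prefix))
    return best


def client_uses_tls(config: Dict[str, Any], client_id: str) -> bool:
    """True if the selected static client entry for client_id carries a tls block."""
    configs = config["routers"][0].get("client", {}).get("configs", [])
    chosen = select_client_config(configs, client_id)
    return bool(chosen and chosen.get("tls"))


if __name__ == "__main__":
    for proto, port, tls in server_tls_map(ROUTER_CONFIG):
        print(f"{proto} :{port} {'TLS' if tls else 'PLAINTEXT'}")
    print("plaintext ports still open:", plaintext_ports(ROUTER_CONFIG))
    for cid in ("/#/io.l5d.fs/service-a", "/#/io.l5d.fs/service-b"):
        print(cid, "-> TLS" if client_uses_tls(ROUTER_CONFIG, cid) else "-> plaintext")
```

Running it against the constructed config reports port 8080 as the remaining plaintext listener and 8081 as TLS, and shows that only the client ID under the `service-a` prefix gets the TLS client settings while everything else falls back to the `/` entry. Re-running `plaintext_ports` after each client migrates is a cheap way to confirm when the plaintext server can finally be removed.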

Makes sense. Thanks for your response.
