linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linkerd2/doc/automatic-tls.md

2.7 KiB
Raw Blame History

+++ title = "Experimental: Automatic TLS" docpage = true [menu.docs] parent = "automatic-tls" +++

As of Conduit v0.5.0, Conduit can be configured to automatically negotiate Transport Layer Security (TLS) for application communication.

When TLS is enabled, Conduit automatically establishes and authenticates secure, private connections between Conduit proxies. This is done without breaking unencrypted communication with endpoints that are not configured with TLS-enabled Conduit proxies.

This feature is currently experimental and is designed to fail open so that it cannot easily break existing applications. As the feature matures, this policy will change in favor of stronger security guarantees.

Getting started with TLS

The TLS feature is currently disabled by default. To enable it, you must install the control plane with the --tls flag set to optional. This configures the mesh so that TLS is enabled opportunistically:

conduit install --tls=optional |kubectl apply -f -

This causes a Certificate Authority (CA) container to be run in the control-plane. The CA watches for the creation and updates of Conduit-enabled pods. For each Conduit-enabled pod, it generates a private key, issues a certificate, and distributes the certificate and private key to each pod as a Kubernetes Secret.

Once you've configured the control plane to support TLS, you may enable TLS for each application when it is injected with the Conduit proxy:

conduit inject  --tls=optional app.yml |kubectl apply -f -

Then, tools like conduit dashboard, conduit stat, and conduit tap will indicate the TLS status of traffic:

conduit stat authority -n emojivoto
NAME                        MESHED   SUCCESS      RPS   LATENCY_P50   LATENCY_P95   LATENCY_P99    TLS
emoji-svc.emojivoto:8080         -   100.00%   0.6rps           1ms           1ms           1ms   100%
emoji-svc.emojivoto:8888         -   100.00%   0.8rps           1ms           1ms           9ms   100%
voting-svc.emojivoto:8080        -    45.45%   0.6rps           4ms          10ms          18ms   100%
web-svc.emojivoto:80             -     0.00%   0.6rps           8ms          33ms          39ms   100%

Known issues

As this feature is experimental, we know that there's still a lot of work to do. We LOVE bug reports though, so please don't hesitate to file an issue if you run into any problems while testing automatic TLS.