A common deployment model for linkerd is to run it in linker-to-linker mode, meaning that linkerd is on both the sending side and the receiving side of each network call. In this mode, linkerd can seamlessly upgrade the connection to add TLS to all service-to-service calls. By handling TLS in linkerd, rather than the application, it’s possible to encrypt communication across hosts without needing to modify application code.
To deploy linkerd in linker-to-linker mode with TLS enabled, we must configure it to use Client TLS when sending requests, and Server TLS when receiving requests, both of which are covered below.
In order for linkerd to send requests with TLS, it’s necessary to set the client TLS configuration parameter when configuring linkerd. There are three supported types of client TLS:
Static TLS: linkerd uses a single common name for all TLS requests. This assumes that all of the remote servers to which linkerd is connecting use the same TLS certificate (or all use certificates generated with the same common name).
TLS with Bound Path: linkerd determines the common name for the remote server based on routing information that is sent as part of the outbound request. This allows linkerd to use different certificates based on the destination service to which linkerd is connecting.
No Validation TLS: linkerd does not validate the remote server’s name before establishing a TLS connection. The resulting connection is insecure, so this configuration is not recommended.
In order for linkerd to receive requests with TLS, it’s necessary to set the server TLS configuration parameter when configuring linkerd. Unlike client TLS, there is only one option for configuring server TLS, and it requires providing both the TLS certificate and key files that linkerd uses to serve inbound TLS requests.
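The following is an added example of a linker-to-linker configuration with TLS on both sides, combining the client TLS and server TLS steps above; it is not a configuration file from the page or from the linkerd project. The key names (tls.commonName, tls.trustCerts, tls.certPath, tls.keyPath and the io.l5d.boundPath kind) are assumed from linkerd's configuration reference, and all paths, ports and host names are constructed placeholders.

```yaml
# Added example, not the page's own config. Key names are assumed from
# linkerd's configuration reference; every path, port and host name below
# is a constructed placeholder.
admin:
  port: 9990

routers:
# Outgoing router: the application calls this linkerd, which upgrades the
# connection to TLS before sending it to the remote host's linkerd.
- protocol: http
  label: outgoing
  dtab: |
    /svc => /#/io.l5d.fs;
  namers:
  - kind: io.l5d.fs
    rootDir: /disco              # constructed placeholder
  servers:
  - port: 4140
    ip: 0.0.0.0
  client:
    # Static TLS: one common name for every remote linkerd, and the remote
    # certificate must chain to the CA listed in trustCerts.
    tls:
      commonName: linkerd.example.internal   # constructed placeholder
      trustCerts:
      - /certificates/cacert.pem             # constructed placeholder
    # Alternative (TLS with Bound Path): derive the expected common name
    # from the routed destination instead of using a single fixed name.
    # tls:
    #   kind: io.l5d.boundPath
    #   caCertPath: /certificates/cacert.pem
    #   names:
    #   - prefix: "/#/io.l5d.fs/{service}"
    #     commonNamePattern: "{service}.example.internal"

# Incoming router: terminates TLS from remote linkerds with this host's
# certificate and key, then forwards plaintext to the local application.
- protocol: http
  label: incoming
  dtab: |
    /svc => /$/inet/127.1/8080;
  servers:
  - port: 4141
    ip: 0.0.0.0
    tls:
      certPath: /certificates/cert.pem   # constructed placeholder
      keyPath: /certificates/key.pem     # constructed placeholder
```

The commonName on the client side must match the name in the certificate served by each remote linkerd's incoming router, and the CA in trustCerts must be the one that issued those certificates; a mismatch in either fails the handshake rather than silently falling back to plaintext.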
If you’d like to learn more about setting up TLS in your environment, check out Buoyant’s Transparent TLS with linkerd blog post on the topic, which provides a helpful walkthrough. If you’re running linkerd as a service mesh in Kubernetes, setting up TLS is even easier; see the Encrypting all the things blog post in the service mesh series.