
I would like to enable mTLS between services in one K8S namespace. I wonder if I can do it without using service mesh? I considered cert-manager but all the examples I've seen involved Ingress resource which I do not need as my services are not exposed outside of the cluster. Thanks

Jonas
Revital Eres

2 Answers


Using a service mesh like Istio or Linkerd is currently the only general solution for this.

It should be possible to do this using a library for your app as well; the library would typically need to support certificate management. Service meshes typically use EnvoyProxy as a sidecar, which has implemented novel "control plane" APIs for management, called the xDS protocols; this is something that your library would typically need to implement. In addition, you need a control plane interface to manage services.

A drawback of doing this in a library is that it will be language-dependent, but the advantage is that it will perform better.

Google has recently taken this route with Traffic Director (proxyless service mesh).

Jonas
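As an added example (not code from either answer, nor from any project they mention), here is what the library approach comes down to in Go's standard library: both services hold a leaf certificate issued by one namespace CA, the server demands and verifies a client certificate, and the client verifies the server against the same CA. The CA, the two service names and the loopback handshake are constructed for the demo; a real deployment would load the certificates from mounted Secrets and rotate them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a short-lived Ed25519 certificate for name: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{name},
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = t, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// MutualHandshake runs one mTLS handshake over loopback TCP and returns the client identity the server verified.
func MutualHandshake(presentClientCert bool) (string, error) {
	ca, caKey := issue("namespace-ca", nil, nil) // constructed demo CA; in a cluster this comes from a real issuer
	srv, srvKey := issue("payments.default.svc", ca, caKey)
	cli, cliKey := issue("orders.default.svc", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // both sides trust only the CA, never individual leaves
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS13, ClientCAs: pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // this is what makes it mutual TLS
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "payments.default.svc"}
	if presentClientCert { // presentClientCert=false models a caller with no certificate at all
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side; its connection is left to GC in this demo
	conn, err := ln.Accept()
	if err != nil { return "", err }
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil { return "", err } // "tls: client didn't provide a certificate" when unauthenticated
	return conn.(*tls.Conn).ConnectionState().PeerCertificates[0].DNSNames[0], nil // identity from the SAN, not the CN
}
```

Calling MutualHandshake(false) shows the property that matters: a peer that cannot present a certificate from the namespace CA is refused during the handshake, before any application data flows.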

You need something like SPIRE together with SPIRE integration operator. Together, they can create mTLS keys and certificates for use within a cluster, where the only configuration you need is pod annotations. The mTLS keypairs are provided as secrets, which you mount into your pods. SPIRE & the operator automatically handle keypair and CA rotation and update the Secrets accordingly.

orisho