Enable Zero Trust and Encrypt traffic from client to service
This document describes how easily EnRoute OneStep integrates with Linkerd service-mesh. LinkerD is a CNCF graduated service mesh project which uses light-weight proxies to setup the mesh inside Kubernetes.
EnRoute integration with Linkerd can be achieved in One Step. Integrating EnRoute with Linkerd involves setting one flag
At a high level End-To-End encryption includes -
We mesh the workload and EnRoute by injecting linkerd proxy into their pods and then setup the client certificate.
We trace through each of the above steps while monitoring the cluster for linkerd proxy injection.
We also verify some of the above steps on the Bouyant cloud (with it’s free tier), that shows the above steps in different UI screens
This setup needs an Kubernetes cluster. We have a cluster setup with two nodes -
Use Helm To Install EnRoute
Meshing EnRoute with linkerd involves only setting one flag linkerd_enabled on the GlobalConfig
This gets EnRoute ready to run along with Linkerd in meshed mode. This is the only configuration required to run EnRoute with linkerd with end-to-end encryption globally for all services.
By default EnRoute integration adds headers to help linkerd with routing choices in addition to letting Linkerd select endpoints for service. To change this default behavior and further customize it, the flags linkerd_header_disabled and linkerd_servicemode_disabled can be set to either disable the header or have EnRoute perform endpoint selection.
The example workload wasn’t meshed into the linkerd mesh. To mesh it, we need to provide an annotation to the deployment to inject linkerd
This installs linkerd proxy along with the example application pods
Once EnRoute is ready to work with linkerd, we inject the linkerd proxy in the EnRoute pod
We use the Buoyant cloud to trace the status of linkerd injection and mesh formation. The picture below shows how the EnRoute deployment was mutated to add the linkerd proxy, it is captured a couple of screens on the bouyant cloud
The event screen also captures the linkerd proxy injection -
We can also use kubectl to check pods to see that linkerd got inserted in the pod
Send some traffic
Install a certificate for example workload emojivoto and setup GatewayHost. An example for this can be found in the docs
The browser to EnRoute connection is encrypted using the certificate we installed on emojivoto app -
We can also see the workload and EnRoute are meshed in the “Meshed” column below
We can also see that the incoming traffic shows up as Application TLS
The topology screen also displays the mTLS betwen services and direction of flow of traffic
EnRoute provides an extremely easy integration with linkerd.
EnRoute integrates easily with both linkerd and Istio service mesh. The integration with istio service mesh is covered in another article.
With an increased attack surface due to microservices, the need to secure and segment workloads using zero trust principles is paramount. EnRoute integrates with Service Meshes to enable zero-trust both at the cluster boundary and inside the cluster. Next steps to know more about Zero Trust, SPIFFE, Cryptographically Enforcable identities, identity based segmentation and integration with other service mesh can be found in articles below