This document describes how easily EnRoute OneStep integrates with the Linkerd service mesh. Linkerd is a CNCF graduated service mesh project that uses lightweight proxies to set up the mesh inside Kubernetes.
EnRoute integration with Linkerd can be achieved in one step: integrating EnRoute with Linkerd involves setting a single flag.
At a high level, end-to-end encryption includes:
Encryption from the client to EnRoute, and
Encryption from EnRoute into the mesh, using mTLS between services.
We mesh the workload and EnRoute by injecting the linkerd proxy into their pods and then set up the client certificate.
We start by setting up the cluster, installing linkerd, adding the example workload emojivoto and meshing this workload by injecting the linkerd proxy.
Next we install EnRoute, expose the emojivoto application without TLS, and inject the linkerd proxy into the EnRoute pod to add it to the mesh.
As the last step, we use the JetStack cert-manager to generate, sign and install a Let's Encrypt certificate for the emojivoto app.
We trace through each of the above steps while monitoring the cluster for linkerd proxy injection.
We also verify some of the above steps on Buoyant Cloud (with its free tier), which shows the above steps in different UI screens.
Pre-Requisites
This setup needs a Kubernetes cluster. We have a cluster set up with two nodes:
Check Kubernetes Cluster
kubectl get nodes
Linkerd core checks
===================
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API
kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version
...
linkerd-control-plane-proxy
---------------------------
√ control plane proxies are healthy
√ control plane proxies are up-to-date
√ control plane proxies and cli versions match
Status check results are √
namespace/emojivoto created
serviceaccount/emoji created
serviceaccount/voting created
serviceaccount/web created
service/emoji-svc created
service/voting-svc created
service/web-svc created
deployment.apps/emoji created
deployment.apps/vote-bot created
deployment.apps/voting created
deployment.apps/web created
NAME: enroute-linkerd-meshed
LAST DEPLOYED: Mon Mar 21 03:19:46 2022
NAMESPACE: demo
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
𝙴𝚗𝚁𝚘𝚞𝚝𝚎 Ingress API Gateway Community Edition Installed!
-------------------------------------------------------
Request a free evaluation license for enterprise version
by sending an email to contact@saaras.io
Slack Channel - https://slack.saaras.io
Getting Started Guide - https://getenroute.io/docs/getting-started-enroute-ingress-controller/
EnRoute Features - https://getenroute.io/features/
Configure EnRoute For Linkerd
Meshing EnRoute with linkerd involves setting only one flag, linkerd_enabled, on the GlobalConfig.
This gets EnRoute ready to run alongside Linkerd in meshed mode. This is the only configuration required to run EnRoute with linkerd with end-to-end encryption enabled globally for all services.
By default, the EnRoute integration adds headers that help linkerd with its routing choices, and it lets Linkerd select the endpoints for a service. To change this default behaviour, the flags linkerd_header_disabled and linkerd_servicemode_disabled can be set, respectively, to disable the header or to have EnRoute perform endpoint selection itself.
We use Buoyant Cloud to trace the status of linkerd injection and mesh formation. The picture below shows how the EnRoute deployment was mutated to add the linkerd proxy; it is captured from a couple of screens on Buoyant Cloud.
The event screen also captures the linkerd proxy injection -
We can also use kubectl to inspect the pods and confirm that the linkerd proxy was injected into the pod.
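The kubectl check above can be automated. The following is an added example, not code from EnRoute or Linkerd: it reads the JSON that `kubectl get pods -n demo -o json` prints and classifies each pod as meshed, as opted in to injection but missing the sidecar, or as never opted in, so that a pod carrying unencrypted traffic does not go unnoticed. The pod names and the sample JSON are constructed for the example; the sidecar container name linkerd-proxy and the pod annotation linkerd.io/inject are Linkerd's.

```python
import json

# Constructed sample in the shape of `kubectl get pods -n demo -o json`,
# trimmed to the fields this check reads. Not captured from a real cluster.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "enroute-linkerd-meshed-7c9d8b",
                  "annotations": {"linkerd.io/inject": "enabled"}},
     "spec": {"initContainers": [{"name": "linkerd-init"}],
              "containers": [{"name": "enroute"}, {"name": "linkerd-proxy"}]}},
    {"metadata": {"name": "web-5f6b7c",
                  "annotations": {"linkerd.io/inject": "enabled"}},
     "spec": {"containers": [{"name": "web-svc"}]}},
    {"metadata": {"name": "vote-bot-9a1d2e", "annotations": {}},
     "spec": {"containers": [{"name": "vote-bot"}]}},
]})

PROXY_CONTAINER = "linkerd-proxy"        # sidecar container Linkerd injects
INJECT_ANNOTATION = "linkerd.io/inject"  # pod-level opt-in annotation


def classify_pods(pods_json: str) -> dict:
    """Map each pod name to one of:
       'meshed'            - linkerd-proxy sidecar is present
       'injection-missing' - inject annotation is 'enabled' but no sidecar,
                             i.e. the injection webhook did not mutate the pod
       'not-requested'     - the pod never opted in to injection
    Only pod-level annotations are read; a namespace-level
    linkerd.io/inject annotation is not considered by this check."""
    result = {}
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        containers = {c["name"] for c in pod["spec"].get("containers", [])}
        requested = meta.get("annotations", {}).get(INJECT_ANNOTATION) == "enabled"
        if PROXY_CONTAINER in containers:
            result[meta["name"]] = "meshed"
        elif requested:
            result[meta["name"]] = "injection-missing"
        else:
            result[meta["name"]] = "not-requested"
    return result


def unmeshed_pods(pods_json: str) -> list:
    """Pods whose traffic is not protected by mesh mTLS, sorted by name."""
    return sorted(n for n, s in classify_pods(pods_json).items() if s != "meshed")


if __name__ == "__main__":
    for name, state in classify_pods(SAMPLE_PODS_JSON).items():
        print(f"{name:32} {state}")
```

Pipe real output into it with `kubectl get pods -n demo -o json | python3 check_mesh.py` after replacing the constructed sample with `sys.stdin.read()`; an 'injection-missing' result means the pod was created before the injector was ready or the webhook was bypassed and needs a restart.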
Enable End-To-End TLS By Enabling TLS For Downstream Client Connections
Install a certificate for the example workload emojivoto and set up a GatewayHost. An example of this can be found in the docs.
The browser-to-EnRoute connection is encrypted using the certificate we installed for the emojivoto app -
We can also see the workload and EnRoute are meshed in the “Meshed” column below
We can also see that the incoming traffic shows up as Application TLS
The topology screen also displays the mTLS between services and the direction of traffic flow.
Conclusion
EnRoute provides an extremely easy integration with linkerd.
EnRoute integrates easily with both the linkerd and Istio service meshes. The integration with the Istio service mesh is covered in another article.
With the increased attack surface that microservices bring, the need to secure and segment workloads using zero-trust principles is paramount. EnRoute integrates with service meshes to enable zero trust both at the cluster boundary and inside the cluster. Next steps to learn more about zero trust, SPIFFE, cryptographically enforceable identities, identity-based segmentation and integration with other service meshes can be found in the articles below.