Experimental: Automatic TLS

When TLS is enabled, Linkerd automatically establishes and authenticatessecure, private connections between Linkerd proxies. This is done withoutbreaking unencrypted communication with endpoints that are not configuredwith TLS-enabled Linkerd proxies.

This feature is currently experimental and is designed to fail open sothat it cannot easily break existing applications. As the feature matures,this policy will change in favor of stronger security guarantees.

This causes a Certificate Authority (CA) container to be run in thecontrol-plane. The CA watches for the creation and updates of Linkerd-enabledpods. For each Linkerd-enabled pod, it generates a private key, issues acertificate, and distributes the certificate and private key to each pod as aKubernetes Secret.

Once you’ve configured the control plane to support TLS, you may enable TLSfor each application when it is injected with the Linkerd proxy:

As an example, the output might be:

Known issues

As this feature is experimental, we know that there’s still a lot of . We LOVE bug reports though, so please don’t hesitateto file an issue if you run into any problems while testingautomatic TLS.