Can external devices like F5 BIG-IP use mTLS certificates to talk to mTLS meshed pods?

Hello Everyone,

My question is: can external devices like F5 BIG-IP use mTLS certificates to talk to mTLS meshed pods?

The idea is that F5 BIG-IP uses CIS (F5Networks/k8s-bigip-ctlr: Repository for F5 Container Ingress Services for Kubernetes & OpenShift) to work directly with the Linkerd pods without the need for even an Ingress. But so that traffic does not arrive unencrypted, F5 BIG-IP needs to use a client SSL cert, like the Linkerd mesh does, that is signed by the same CA (the trust anchor / identity issuer) that Linkerd uses.

If F5 manages to get the mTLS cert from a k8s secret, as CIS can, and then push it to the F5, what issues could happen? I am just wondering if external devices can work with the Linkerd mesh in such a way.

After a lot of, and I mean a lot of, investigation, I think Linkerd can't mesh with external systems, even if it is not mentioned, because:

Hey @Nikolayy1, I need to look more into this now that I'm back from KubeCon. You've landed on the "off-cluster Gateway" concept that's coming up in Gateway API, and yeah, it's a little odd.

I'd actually kind of like to chat a bit about your use case here, if possible? I'm "Flynn" on pretty much all the Slacks, or you can email flynn@buoyant.io.


Hey Flynn, will do, thanks. Yes, the idea is to have an external vendor appliance like F5 BIG-IP do mTLS to the Linkerd pods, as F5 has a CIS pod that can push certs and keys stored in a secret to the device, so that part is easy. I copied the Linkerd linkerd-identity-issuer secret to the cert-manager namespace so as to be able to use a cluster provider to create the certs for the external device signed with the same CA, but it still got "foreign SNI". I think with the new transport-header mode there are more things going on in the mTLS meshed traffic than just plain old mTLS.

F5 is a full proxy/load balancer/ADC, so the Linkerd mTLS will just be between the F5 and the k8s cluster and not the user, by the way.

I will ping you.
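The cert-manager setup the post above describes (a cluster-wide issuer backed by the copied linkerd-identity-issuer secret, issuing a client certificate that CIS can push to the appliance), written out as an added example that is not part of the original thread. The issuer and certificate names and the identity name are assumptions, and it assumes the copied secret is of type kubernetes.io/tls with tls.crt/tls.key keys, which cert-manager's CA issuer requires.

```yaml
# Added example, not from the thread. Assumes the linkerd-identity-issuer
# secret was copied into the cert-manager namespace as a kubernetes.io/tls
# secret (keys tls.crt / tls.key); the CA issuer cannot read the crt.pem /
# key.pem layout of a default Linkerd install.
# Caveat: the copy is a second instance of the mesh issuer's private key.
# Anyone who can read secrets in that namespace can mint mesh identities,
# so scope RBAC on it as tightly as on the original.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: linkerd-identity-ca            # assumed name
spec:
  ca:
    secretName: linkerd-identity-issuer  # the secret copied from the linkerd namespace
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: f5-bigip-client                # assumed name
  namespace: cert-manager
spec:
  secretName: f5-bigip-client-tls      # CIS reads this secret and pushes it to the BIG-IP
  issuerRef:
    kind: ClusterIssuer
    name: linkerd-identity-ca
  # The identity the appliance presents. Placeholder: the thread does not
  # say what name the proxy expects, and its "foreign SNI" result shows
  # that a cert chaining to the right CA is not by itself sufficient.
  commonName: PLACEHOLDER-appliance-identity
  dnsNames:
    - PLACEHOLDER-appliance-identity
  privateKey:
    algorithm: ECDSA                   # match the mesh's own P-256 identity keys
    size: 256
  usages:
    - client auth
    - digital signature
    - key encipherment
  duration: 24h                        # short-lived, like mesh identities; rotated by cert-manager
  renewBefore: 8h
```

The renewed secret still has to reach the appliance; check that CIS re-pushes on rotation, otherwise the BIG-IP keeps presenting an expired client cert.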