After a lot of, and I mean a lot of, investigation, I think Linkerd can’t mesh with external systems, even if this is not mentioned, because:
- It requires the custom TLS/HTTP2 ALPN extension transport.l5d.io.
- It uses non-standard client/server certificates that are ECDSA with size 256, as they are changed very often, and the secret for generating the certs is in the linkerd namespace. Tools like cert-manager can create the secret (see "Automatically Rotating Control Plane TLS Credentials | Linkerd" and the issue I discovered, "Linkerd does not start when using Cert Manager and Trust manager to rotate the MTLS certs", Linkerd General Discussion, Linkerd Support Forum by Buoyant), but this secret can’t be used in another ClusterIssuer to create other secrets that will have the certs for other external systems.
- Linkerd uses port 4143 for mTLS meshed traffic, and the proxy internally knows to send it to the real backend app port.