TLS Origination for Egress

Hi there. I’m pretty new to Linkerd and we’re currently just evaluating it, so please excuse my ignorance if this question has an obvious answer.

We want to control cluster egress through our service mesh; specifically, we want to be able to restrict which paths of a public API (like Firebase) are accessible to our services. This would mean having a layer 7 HTTP policy attached to the egress.

Since TLS streams are opaque, this is not possible when the application itself starts the TLS connection (at least not without basically doing an MitM attack).

Other service meshes seem to solve this by supporting TLS origination. By this I mean that the application uses HTTP on its end, and the service mesh wraps the outgoing request in TLS. This way it can introspect the HTTP request before wrapping it.

So far I haven’t found a way to do this in Linkerd. Is this possible, or would I need to use a separate Envoy proxy for egress if I want this feature?
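Added example, not part of the original post and not Linkerd or Envoy code: a sketch of the TLS origination pattern the question describes, where an egress hop receives the application's plaintext HTTP request, evaluates a path policy on it, and only then opens a verified TLS connection upstream. The host `api.example.test`, the allowed prefix and the function names `check_egress` and `originate` are assumptions made for illustration.

```python
import http.client
import posixpath
import ssl
from urllib.parse import quote, unquote

# Constructed policy (hypothetical values): upstream host -> allowed path prefixes.
EGRESS_POLICY = {"api.example.test": ("/v1/projects/demo/messages",)}


def check_egress(host, target):
    """Return the canonical request target to forward, or None if policy denies it."""
    prefixes = EGRESS_POLICY.get(host.lower())
    if prefixes is None or not target.startswith("/"):
        return None  # unknown upstream, or not an origin-form target
    raw_path, _, query = target.partition("?")
    # Decode and collapse dot segments first, so the policy is evaluated on the
    # same path the upstream will see rather than on an encoded spelling of it.
    path = posixpath.normpath(unquote(raw_path))
    if path.startswith("//") or "\x00" in path:
        return None
    # Match on whole segments: "/a/b" must not also admit "/a/bc".
    if not any(path == p or path.startswith(p + "/") for p in prefixes):
        return None
    return quote(path) + ("?" + query if query else "")


def originate(host, method, target, body=None):
    """Apply the L7 policy to a plaintext request, then send it upstream over TLS."""
    canonical = check_egress(host, target)
    if canonical is None:
        raise PermissionError(f"egress denied: {method} {host}{target}")
    # The default context verifies the upstream certificate chain and hostname.
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=10, context=ctx)
    try:
        conn.request(method, canonical, body=body)
        return conn.getresponse().status
    finally:
        conn.close()
```

Forwarding the canonical target rather than the original bytes keeps the path that was checked and the path that is sent identical, which is what makes the layer 7 decision enforceable once the request is inside TLS.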