I'm trying to figure out whether I should still use TLS certificates for my service meshed Pods when I'm using Linkerd, which provides mTLS. For instance, the Valkey Helm chart has configuration options for TLS cert file names. If I add Valkey to a Linkerd service mesh that already provides mTLS, does it still make sense to create and mount additional certificates? It seems like it could be redundant, but I'm wondering if there's a security angle I'm missing. Any insights would be appreciated!
2 Answers
It really depends on the service. For example, with MongoDB or RabbitMQ, they can authenticate users with x.509 certificates, which means you might need a separate cert chain since Linkerd only exposes the certs to the proxy, not the pod. If you're just protecting against snooping, though, mTLS usually covers that base.
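To make the distinction concrete, here is an added illustration (not part of the answer above, and not the Valkey project's or Linkerd's own manifest) of what "a separate cert chain" looks like in practice: a meshed Valkey Pod that also carries its own application-level certificate so it can require client certificates itself. The Secret name `valkey-server-tls`, its key names and the mount path are assumptions; the Linkerd annotation and the `--tls-*` server flags (inherited from Redis) are real.

```yaml
# Added example: Valkey in a Linkerd mesh with its own TLS material.
# The Linkerd identity certificate is issued to the linkerd-proxy sidecar
# and is never mounted into the application container, so any service
# that must see a client certificate (x.509 auth) needs its own chain.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: valkey
spec:
  replicas: 1
  selector:
    matchLabels:
      app: valkey
  template:
    metadata:
      labels:
        app: valkey
      annotations:
        # Sidecar injection: proxy-to-proxy mTLS for every meshed peer.
        linkerd.io/inject: enabled
    spec:
      containers:
        - name: valkey
          image: valkey/valkey:8   # assumed tag; pin a digest in production
          args:
            - valkey-server
            - --port            # disable the plaintext listener entirely
            - "0"
            - --tls-port
            - "6379"
            - --tls-cert-file
            - /tls/tls.crt
            - --tls-key-file
            - /tls/tls.key
            - --tls-ca-cert-file
            - /tls/ca.crt
            - --tls-auth-clients  # require and verify a client certificate
            - "yes"
          ports:
            - containerPort: 6379
          volumeMounts:
            - name: server-tls
              mountPath: /tls
              readOnly: true
      volumes:
        - name: server-tls
          secret:
            # Assumed Secret (e.g. issued by cert-manager) with keys
            # tls.crt, tls.key and ca.crt; this is independent of the
            # Linkerd trust anchor unless you deliberately share a CA.
            secretName: valkey-server-tls
            defaultMode: 0400
```

If client-certificate authentication is not needed, the whole `--tls-*` block and the Secret can be dropped: Linkerd's proxy-to-proxy mTLS already protects the hop against snooping, and the application only ever sees a plain loopback connection from its own sidecar.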
Yeah, I had a similar hassle with Redis. Redis Enterprise wanted us to take it out of the mesh and put the cert directly in the container. It was such a pain!
That sounds frustrating! Was leaving Redis unencrypted and just using the service mesh's mTLS something you considered?
Thanks for that clarification! Good to know Linkerd isn't going to expose the cert chain directly to the Pod. I'm just using these services for learning - Valkey, Redis, and Postgres. If Linkerd and Valkey share a common CA for their certs, I should be good for client authentication with the Linkerd proxy, right?