Linkerd 2 integration
Linkerd 2 is a zero-config and ultra-lightweight service mesh. Emissary-ingress natively supports Linkerd 2 for service discovery, end-to-end TLS (including mTLS between services), and (with Linkerd 2.8) multicluster operation.
Architecture
Linkerd 2 is designed for simplicity, security, and performance. In the cluster, it runs a control plane in its own namespace and then injects sidecar proxy containers in every Pod that should be meshed.
Emissary-ingress itself also needs to be meshed with Linkerd 2, and then configured to add Linkerd's routing header (l5d-dst-override) to each request, so that the Linkerd proxy in the Emissary-ingress pod knows where to forward it. This is because Linkerd 2 handles mTLS between services entirely in its control plane and proxies. With Istio and Consul, Emissary-ingress initiates mTLS connections to upstream services itself, using a certificate read from a Kubernetes Secret. Linkerd 2 does not work this way, so Emissary-ingress must rely on the Linkerd proxy for mTLS connections to upstream services. This means Linkerd 2 must inject its sidecar into Emissary-ingress's pods, which is not the case for Istio and Consul.
With that setup, Emissary-ingress terminates external TLS as the gateway, and the Linkerd proxy in its pod immediately re-wraps the traffic in mTLS on the way to the upstream service. The result is an end-to-end encrypted chain; the only plaintext hop is the loopback connection between the Emissary-ingress container and its own Linkerd sidecar inside the pod.
Getting started
In this guide, you will use Linkerd 2 Auto-Inject to mesh a service and use Emissary-ingress to dynamically route requests to that service based on Linkerd 2's service discovery data. If you already have Emissary-ingress installed, you will just need to install Linkerd 2 and deploy your service.
Setting up Linkerd 2 requires installing three components: the CLI on your local machine, the Linkerd 2 control plane in your Kubernetes cluster, and finally the Linkerd sidecar proxies injected into your services' Pods to mesh them.
Follow the Linkerd 2 install and configure instructions up to Step 3. That gives you the CLI on your machine and runs all required pre-flight checks.
In a nutshell, these steps boil down to downloading the linkerd CLI (curl -sL https://run.linkerd.io/install | sh), adding it to your PATH, and running linkerd check --pre against your cluster.
Now it is time to install Linkerd 2 itself. To do so, run linkerd install | kubectl apply -f -
This will install Linkerd 2 in your cluster. For more details on installing Linkerd visit their docs.
Note that this single command enables mTLS by default and registers the AutoInject webhook with your Kubernetes API server. You now have a working Linkerd 2 control plane rolled out into your cluster.
Deploy Emissary-ingress if you have not already, by following the Emissary-ingress Getting Started guide.
Configure Emissary-ingress to add it to the Linkerd 2 service mesh: inject the Linkerd sidecar into the Emissary-ingress pods (for example by annotating the Emissary-ingress namespace with linkerd.io/inject: enabled before installing, or restarting the pods afterwards) and set add_linkerd_headers: true in the ambassador Module.
This tells Emissary-ingress to add the l5d-dst-override header to each request it forwards into the mesh, carrying the information Linkerd 2 needs to route the request. This is a global setting. You can also set add_linkerd_headers per Mapping.
Routing to Linkerd 2 services
You'll now register a demo application with Linkerd 2, and show how Emissary-ingress can route to this application using endpoint data from Linkerd 2.
Enable AutoInjection on the Namespace you are about to deploy to, by annotating the Namespace with linkerd.io/inject: enabled.
Save the Namespace manifest to a file called namespace.yaml and run kubectl apply -f namespace.yaml. This enables the namespace to be handled by Linkerd 2's AutoInjection webhook: every time something is deployed to that namespace, the Pod spec is passed to the AutoInject controller and the Linkerd 2 proxy sidecar is injected automatically.
Deploy the QOTM demo application.
Save the QOTM manifest to a file called qotm.yaml and deploy it with kubectl apply -f qotm.yaml.
Verify the QOTM pod has been registered with Linkerd 2. A quick check is kubectl get pods in the QOTM namespace: an injected pod shows two ready containers (the application and linkerd-proxy). You can also confirm it in the Linkerd 2 dashboard, opened with linkerd dashboard (linkerd viz dashboard on Linkerd 2.10 and later).
Your browser should automatically open the correct URL. Otherwise, note the URL printed by the command and open it in a browser of your choice.
Create a Mapping for the qotm-Linkerd2 service. Save the Mapping YAML to a file named qotm-mapping.yaml and apply it with kubectl apply -f qotm-mapping.yaml. Note that there is nothing Linkerd-specific in this Mapping: the global Emissary-ingress configuration already adds the Linkerd headers when forwarding requests into the service mesh.
Send a request to the qotm-Linkerd2 API.
Congratulations! You're successfully routing traffic to the QOTM application, the location of which is registered in Linkerd 2. The traffic to Emissary-ingress is not TLS secured, but from Emissary-ingress to the QOTM an automatic mTLS connection is being used.
If you now configure TLS termination in Emissary-ingress, you have an end-to-end secured connection.
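The whole getting-started procedure above as one set of manifests. This is an added example, not the page's or the project's own files: it assumes Emissary-ingress is installed in the emissary namespace with the usual ambassador Module name, and it uses placeholder names (namespace qotm, image docker.io/datawire/qotm:1.7, Mapping qotm-linkerd2) that you should adjust to your cluster.

```yaml
# Added example, not the page's own manifests. Assumptions: Emissary-ingress is
# installed in namespace "emissary" with the standard "ambassador" Module name,
# and the demo image docker.io/datawire/qotm:1.7 (any HTTP server works).
---
# 1. Global setting: add Linkerd's l5d-dst-override header so the Linkerd proxy
#    injected into the Emissary-ingress pod knows which upstream to route to.
apiVersion: getambassador.io/v3alpha1
kind: Module
metadata:
  name: ambassador
  namespace: emissary
spec:
  config:
    add_linkerd_headers: true
---
# 2. Namespace opted in to Linkerd's auto-injection webhook: every Pod created
#    here gets the linkerd-proxy sidecar.
apiVersion: v1
kind: Namespace
metadata:
  name: qotm
  annotations:
    linkerd.io/inject: enabled
---
# 3. Demo workload and its Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: qotm
  namespace: qotm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: qotm
  template:
    metadata:
      labels:
        app: qotm
    spec:
      containers:
        - name: qotm
          image: docker.io/datawire/qotm:1.7   # assumption: demo image name
          ports:
            - name: http
              containerPort: 5000
---
apiVersion: v1
kind: Service
metadata:
  name: qotm
  namespace: qotm
spec:
  selector:
    app: qotm
  ports:
    - name: http
      port: 80
      targetPort: 5000
---
# 4. Mapping: nothing Linkerd-specific here, the Module above already adds the
#    header. To enable it for this route only, drop the Module change and set
#    add_linkerd_headers: true in this Mapping's spec instead.
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: qotm-linkerd2
  namespace: qotm
spec:
  hostname: "*"
  prefix: /qotm-linkerd2/
  service: qotm.qotm:80
```

Apply the file with kubectl apply -f, and remember that the Emissary-ingress pods themselves must carry the Linkerd sidecar (annotate the emissary namespace and restart the pods if they were installed before Linkerd). Then kubectl -n qotm get pods should show READY 2/2 for the QOTM pod, a request to http://<emissary-address>/qotm-linkerd2/ should return a quote, and linkerd -n qotm tap deploy/qotm (linkerd viz tap on Linkerd 2.10 and later) shows the requests arriving with tls=true, which is the mTLS hop between the Emissary-ingress sidecar and the QOTM sidecar.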
Multicluster operation
Linkerd 2.8 can support multicluster operation, where the Linkerd mesh transparently bridges from one cluster to another, allowing seamless access between the two. This works using the Linkerd "service mirror controller" to discover services in the target cluster, and expose (mirror) them in the source cluster. Requests to mirrored services in the source cluster are transparently proxied via Emissary-ingress in the target cluster to the appropriate target service, using Linkerd's automatic mTLS to protect the requests in flight between clusters. By configuring Linkerd to use the existing Emissary-ingress as the ingress gateway between clusters, you eliminate the need to deploy and manage an additional ingress gateway.
Initial multicluster setup
Install Emissary-ingress and the Linkerd multicluster control plane. Make sure you've also linked the clusters.
Inject the Emissary-ingress Deployment with Linkerd by piping it through linkerd inject and applying the result, even if you have AutoInject enabled. Use --require-identity-on-inbound-ports for the gateway port (4143) and --skip-inbound-ports for the ports Emissary-ingress serves itself (for example 80 and 443).
(It's important to require identity on the gateway port so that automatic mTLS is mandatory between clusters, but it's also important to let Emissary-ingress handle its own ports so that it can terminate external traffic itself. AutoInject can't set this per-port behaviour on its own.)
Configure Emissary-ingress as normal for your application.
At this point, your Emissary-ingress installation should work fine with multicluster Linkerd as a source cluster: you can configure Linkerd to bridge to a target cluster, and all should be well.
Using the cluster as a target cluster
Allowing the Emissary-ingress installation to serve as a target cluster requires explicitly giving permission for Linkerd to mirror services from the cluster, and explicitly telling Linkerd to use Emissary-ingress as the target gateway.
Configure the target cluster Emissary-ingress to allow insecure routing.
When Emissary-ingress is running in a Linkerd mesh, Linkerd provides transport security: the mTLS session from the source cluster is terminated by the Linkerd proxy in the Emissary-ingress pod, so the connections that reach Emissary-ingress itself will always be plain HTTP. Therefore, the Host CRDs corresponding to services that you'll be accessing from the source cluster must be configured to Route insecure requests (requestPolicy.insecure.action: Route) rather than redirect or reject them. More information on this topic is available in the Host documentation.
Configure the target cluster Emissary-ingress to support Linkerd health checks.
Multicluster Linkerd does its own health checks beyond what Kubernetes does, so a Mapping is needed to allow Linkerd's health checks to succeed. Kubernetes is usually configured to run Emissary-ingress's health checks directly against the admin port, 8877, but that port is not meant to be exposed outside the cluster. The Mapping permits reaching the readiness endpoint through the regular listener without exposing port 8877 directly. (The actual prefix in the Mapping is not terribly important, but it needs to match the metadata supplied to the service mirror controller, below.)
Configure the target cluster Emissary-ingress for the service mirror controller.
This requires changes to the Emissary-ingress deployment and service. For all of these commands, make sure your Kubernetes context is set to talk to the target cluster.
In the deployment, you need the config.linkerd.io/enable-gateway annotation on the Pod template.
In the service, you need to provide appropriately named port definitions: mc-gateway must be defined as port 4143, and mc-probe must be defined as port 80 with targetPort 8080 (or wherever Emissary-ingress is listening).
Finally, the service also needs its own set of annotations. (Here, the value of mirror.linkerd.io/probe-path must match the prefix used for the probe Mapping above.)
Configure individual exported services. Adding Linkerd's gateway annotations (mirror.linkerd.io/gateway-name and mirror.linkerd.io/gateway-ns in Linkerd 2.8) to a service tells Linkerd that the given service can be reached via the Emissary-ingress in the emissary namespace.
Verify that all is well from the source cluster.
For all of these commands, you'll need to set your Kubernetes context for the source cluster.
First, check that the clusters are correctly linked with linkerd multicluster check.
Next, make sure that the Emissary-ingress gateway shows up when listing active gateways with linkerd multicluster gateways. A gateway listed as not alive usually means its probe is failing, which most often comes down to the probe Mapping prefix and the mirror.linkerd.io/probe-path annotation disagreeing, or the Host rejecting insecure requests.
At this point, all should be well!
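The target-cluster configuration described in this section collected into one file. This is an added example, not the page's or the project's own manifests: it assumes the Emissary-ingress Deployment, Service and ServiceAccount are all named emissary in the emissary namespace, that its pods carry the label service=emissary and listen on 8080 and 8443, that the Linkerd trust domain is cluster.local, and that the annotation names are those of Linkerd 2.8's service mirror (the page itself names only enable-gateway, probe-path, gateway-name and gateway-ns; check the rest against your Linkerd release). The probe prefix /-/emissary/ready and the exported service backend in namespace apps are placeholders.

```yaml
# Added example for the TARGET cluster, not the page's own manifests.
# Assumptions: Emissary-ingress Deployment, Service and ServiceAccount are all
# named "emissary" in namespace "emissary", pods carry the label
# service=emissary, listener ports are 8080 (HTTP) and 8443 (HTTPS), and the
# Linkerd trust domain is cluster.local. Annotation names follow Linkerd 2.8's
# service mirror; verify them against your Linkerd release.
---
# 1. Host: traffic from the source cluster's Linkerd arrives as plain HTTP, so
#    insecure requests must be routed, not redirected or rejected. Narrow the
#    hostname if only some services are mirrored.
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: mirrored-services
  namespace: emissary
spec:
  hostname: "*"
  requestPolicy:
    insecure:
      action: Route
---
# 2. Probe Mapping: exposes the readiness check from the admin port (8877) on
#    the data-plane port, so 8877 itself stays unexposed.
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: linkerd-probe
  namespace: emissary
spec:
  hostname: "*"
  prefix: /-/emissary/ready            # must equal mirror.linkerd.io/probe-path
  rewrite: /ambassador/v0/check_ready
  service: localhost:8877
---
# 3. Gateway Service: the named ports the service mirror looks for, plus its
#    annotations. "mc-probe" takes the place of the usual "http" entry on port
#    80, because Kubernetes rejects two TCP ports with the same number.
apiVersion: v1
kind: Service
metadata:
  name: emissary
  namespace: emissary
  annotations:
    mirror.linkerd.io/multicluster-gateway: "true"
    mirror.linkerd.io/gateway-identity: emissary.emissary.serviceaccount.identity.linkerd.cluster.local
    mirror.linkerd.io/probe-path: /-/emissary/ready
    mirror.linkerd.io/probe-period: "3"
spec:
  type: LoadBalancer
  selector:
    service: emissary
  ports:
    - name: mc-probe
      port: 80
      targetPort: 8080
    - name: https
      port: 443
      targetPort: 8443
    - name: mc-gateway
      port: 4143
      targetPort: 4143
---
# 4. Deployment patch (apply with kubectl patch, not kubectl apply): marks the
#    Linkerd proxy in the Emissary-ingress pod as the multicluster gateway.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: emissary
  namespace: emissary
spec:
  template:
    metadata:
      annotations:
        config.linkerd.io/enable-gateway: "true"
---
# 5. A service to export: the source cluster's service mirror will reach it via
#    the Emissary-ingress gateway in namespace "emissary".
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: apps
  annotations:
    mirror.linkerd.io/gateway-name: emissary
    mirror.linkerd.io/gateway-ns: emissary
spec:
  selector:
    app: backend
  ports:
    - name: http
      port: 80
      targetPort: 8080
```

Documents 1, 2, 3 and 5 go through kubectl apply -f against the target cluster; document 4 is a strategic merge patch and is applied with kubectl -n emissary patch deploy emissary -p "$(cat patch.yaml)" so that the rest of the existing Deployment is preserved. Two points worth checking afterwards from the source cluster: linkerd multicluster gateways should list the gateway as alive, and because port 4143 is now reachable through the LoadBalancer, the Emissary-ingress pod must have been injected with identity required on that port (the linkerd inject step earlier in this section), otherwise the gateway would accept unauthenticated connections from anywhere.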
More information
For more about Emissary-ingress's integration with Linkerd 2, read the service discovery configuration documentation. For further reading about Linkerd 2 multi-cluster, see the install documentation and introduction.