
SPIFFE/SPIRE support

Open chris13524 opened this issue 3 years ago • 4 comments

Feature Request

Support using SPIFFE for identity and use this to provide mTLS credentials to services.

Other service meshes such as Envoy, Istio and Consul support SPIFFE identities.

What problem are you trying to solve?

Unifying identity management between multiple systems; for example, Linkerd and NATS identities could be managed together, and for securing cross-cluster communications.

How should the problem be solved?

After installing Linkerd and SPIFFE to my cluster, Linkerd should get trust roots and/or certificates from SPIFFE/SPIRE directly so that I do not have to configure or provide keys to Linkerd at all.

Any alternatives you've considered?

Working around Linkerd's inability to natively utilize SPIFFE, not using SPIFFE, or using Envoy.

How would users interact with this feature?

Some modification to the default configuration of Linkerd so that it uses SPIFFE/SPIRE.

/ref https://github.com/linkerd/linkerd2/issues/768
/ref https://github.com/linkerd/linkerd2/issues/4667

chris13524 Oct 05 '21 16:10

Any news about the deadline of this feature?

f-lira Nov 15 '22 17:11

@f-lira No. This work is not currently prioritized.

olix0r Nov 17 '22 17:11

Seemingly this is implemented? https://linkerd.io/2024/02/21/announcing-linkerd-2.15/

elee Feb 22 '24 00:02

@elee Sort of. Linkerd does indeed support SPIFFE for non-Kubernetes services. I believe there is still a case to be made for it supporting SPIFFE within the cluster.

wmorgan May 16 '24 16:05