Setup TLS for gRPC across kubernetes clusters

I'm trying to figure out how to dynamically provide SSL certificates for a gRPC server and client across Kubernetes clusters.

My current implementation asserts that the CA certificate (for the client) and the certificate and key for the server are provided inside the pod. The certs will be created inside Kubernetes as secrets.

While using self-signed certificates is enough for development, I'd like to dynamically create certificates for the client and server to use, or find another way of providing encrypted communication between them. My first thought was using a service mesh like Linkerd for this purpose, but I'm not quite sure if the communication would be encrypted all the way from cluster A to cluster B, since Client 2 would have to use an Ingress Gateway.

[Diagram: Communication across clusters]

When using a service mesh, does gRPC have to be configured as insecure, since all traffic will be routed through the service proxy instead?

Would be great if you could help me on this one.

Regards, Hown3d


Solution 1:

When you say a server running in K8s, it will be a Service and a Deployment.

If a K8s-internal app (client) is connecting to the server, it must be using the service name as DNS; if you are using any service mesh, mTLS traffic would be encrypted if enabled.

When you say ingress gateway, do you mean the Nginx ingress gateway or the Istio ingress gateway?

If you are using the Istio ingress gateway, you can configure mTLS at the gateway level as well, something like:

https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway

If you are planning to use multiple clusters, Linkerd is a good option, and you can encrypt the traffic with mTLS between the east and west clusters.

https://linkerd.io/2.10/tasks/multicluster/

I'd like to dynamically create certificates for the client and server to use

You can use cert-manager: https://cert-manager.io/docs/configuration/selfsigned/
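As an added example (not from the question or the answer above), here are cert-manager manifests that implement the linked self-signed approach for this gRPC setup: a self-signed Issuer bootstraps a CA certificate, a CA Issuer backed by that CA signs one server certificate (server auth) and one client certificate (client auth), and the resulting Secrets contain the ca.crt, tls.crt and tls.key files the question says the pods already mount. The resource names, the service DNS name and the namespace (omitted here; apply with kubectl -n) are assumptions.

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap         # assumed name; only used to sign the CA
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grpc-ca
spec:
  isCA: true
  commonName: grpc-demo-ca           # assumed CA name
  secretName: grpc-ca-secret         # ca.crt / tls.crt / tls.key written here
  privateKey: {algorithm: ECDSA, size: 256}
  issuerRef: {name: selfsigned-bootstrap, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: grpc-ca-issuer               # signs the leaf certs with the CA above
spec:
  ca:
    secretName: grpc-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grpc-server
spec:
  secretName: grpc-server-tls        # mount this Secret into the server pod
  duration: 2160h                    # 90 days
  renewBefore: 360h                  # cert-manager re-issues 15 days before expiry
  dnsNames: [grpc-server.grpc-demo.svc.cluster.local]   # assumed service name
  usages: [digital signature, server auth]
  issuerRef: {name: grpc-ca-issuer, kind: Issuer}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grpc-client
spec:
  secretName: grpc-client-tls        # mount this Secret into the client pod
  duration: 2160h
  renewBefore: 360h
  commonName: grpc-client            # identity the server sees on the client cert
  usages: [digital signature, client auth]
  issuerRef: {name: grpc-ca-issuer, kind: Issuer}
```

The server should verify client certificates against the ca.crt in grpc-server-tls, and the client should verify the server against the ca.crt in grpc-client-tls. For a client in another cluster, distribute only ca.crt from grpc-ca-secret to that cluster (never tls.key), or point a CA Issuer in both clusters at the same CA secret, so both ends trust the same chain.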