Disable mTLS

[sbellary]

What is the issue?

I want to run a mesh with no mTLS. I've followed the documentation and trying to disable identity as outlined below. I use helm based deployment...and my linkerd version is stable-2.11.1

1. Install with a cert having 10 mins expiry

2. Let it expire

3. ssh into one of the POD having linkerd proxy and try to hit another POD

4. As expected, the communication fails due to expired cert

5. Uninstall linkerd and reinstall with following override in the values.yaml

proxy configuration

proxy:
disableIdentity: true

helm upgrade --install linkerd2 --set-file identityTrustAnchorsPEM=ca.crt \ --set-file identity.issuer.tls.crtPEM=issuer.crt \ --set-file identity.issuer.tls.keyPEM=issuer.key \ linkerd2 -f linkerd2/values.yaml
I get the below error

Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'

My deployment is within a secure corporate network and instead of having to rotate certs, i would like to disable and have mesh with no TLS. Is it not possible to disable mTLS ?

How can it be reproduced?

Please see above in the What's the issue section

Logs, error output, etc

Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'

output of linkerd check -o short

linkerd check -o short
Linkerd core checks

linkerd-identity

× issuer cert is within its validity period
issuer certificate is not valid anymore. Expired on 2022-02-26T04:18:18Z
see https://linkerd.io/2.11/checks/#l5d-identity-issuer-cert-is-time-valid for hints

Status check results are ×

Environment

k8s version: 1.19.15
Env: AWS EKS

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

No response

[olix0r]

It is not possible to disable Linkerd's mTLS functionality in recent Linkerd versions. This additional configuration introduces complexity that we do not wish to support.

Older versions of Linkerd included configuration options to disable identity/mTLS; but these configurations were untested, so your mileage may vary.

[munger1985]

but there is an issue, if we dont disable mtls, when control plane is down, other ns meshed pod is not able to ping the meshed pod. we tested, same ns, even control is down, it is fine. but cross ns, it was somehow blocked, as i checked the packet is mtls-ed.

It is not possible to disable Linkerd's mTLS functionality in recent Linkerd versions. This additional configuration introduces complexity that we do not wish to support.

Older versions of Linkerd included configuration options to disable identity/mTLS; but these configurations were untested, so your mileage may vary.

[munger1985]

yes, both 2.11 and edge is the same

[mateiidavid]

If the control plane is down, it's likely a number of other things will prevent connections between meshed pods from being established, e.g service discovery. Have you tried running in HA mode to avoid control plane downtime?

[jmtt89]

Oh, I didn't know that the mTLS functionality is mandatory to use LinkerD, that is something very important that maybe they should include in the docs...

for me, I really not interested in adding mTLS encryption to the internal communications of my pods, it seems extremely unnecessary for me since all internal traffic of pods is public exposed, it adds a maintenance cost in addition to communication latency that is extremely unnecessary...

I was really only interested in adding LinkerD (or whatever service mesh) to improve observability and tracing of my cluster...

well, maybe some other mesh solution fix better on my requirements.

[loyd]

https://linkerd.io/2.14/features/automatic-mtls/index.html:

Linkerd does not require mTLS unless authorization policies are configured.

How should it be interpreted if there is no way to disable mTLS at all?