Which annotations for Nginx Ingress when using LinkerD

[dboyleitrs]

I am using LinkerD 2.10 to enable mTLS for all the services in my deployment. All traffic is correctly meshed other than the web traffic coming into the application over our master Nginx ingress.

We terminate TLS in our master ingress.

Q1 - Is it possible to mesh the traffic between the Ingress and the web server service with the correct annotations? aka "tls": "true" when I tap this traffic?

Q2 - If it's possible, which annotations are required?

In LinkerD 2.9, the instructions for enabling are this:

annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;
      grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port;

In LinkerD 2.10, the instructions are this:

annotations:
    nginx.ingress.kubernetes.io/service-upstream: true

I've tried both sets of annotations as well as all of them and the traffic always shows "tls": "no_tls_from_remote"

Any help is greatly appreciated!

[adleong]

All traffic from your ingress to your deployment should automatically get encrypted with mTLS assuming both the ingress and the web server are meshed and the relevant ports are not configured to be skipped.

With that said, for Nginx we recommend using linkerd.io/inject: enabled and nginx.ingress.kubernetes.io/service-upstream: true. More details about why can be found in the docs: https://linkerd.io/2.10/tasks/using-ingress/#ingress-details

[dboyleitrs]

Thanks for the response.
Just to be clear, I should "mesh" all my Ingress resources with linkerd.io/inject: enabled ?
For some reason, I thought that was only meant to be added to pods.

[adleong]

You need to add that annotation to the ingress controller's pod, not on the ingress resource itself.