Description
Feature Request
Outbound linkerd-proxy running in ingress mode should transparently forward TLS traffic.
What problem are you trying to solve?
We face a problem with linkerd (edge-21.9.4) running in ingress mode on our gloo-edge ingress gateways. Whenever the gloo-edge ingress gateway tries to connect to an upstream service via TLS, its outbound linkerd-proxy will not forward that request and it fails (without any log messages).
Note, this behavior is documented in https://linkerd.io/2.11/tasks/using-ingress/, where it states:
You should annotate the pod spec with config.linkerd.io/skip-outbound-ports: 8001. The Envoy pod will try to connect to the Contour pod at port 8001 through TLS, which is not supported under this ingress mode, so you need to have the proxy skip that outbound port.
However, this behavior prevents us from using gloo-edge to forward traffic to upstreams (backends) which use TLS (and thus have no need for linkerd's mTLS feature).
How should the problem be solved?
The outbound linkerd-proxy should use protocol detection and, if traffic is already TLS encrypted, simply forward it to the original target (IP address & port). mTLS must not be applied, and neither load-balancing nor ServiceProfile support is needed if traffic is already TLS encrypted.
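The following is an added illustration of the detect-then-passthrough behaviour proposed above; it is not linkerd-proxy code and does not describe how linkerd's own protocol detection is implemented. It peeks at the first bytes a client sends, checks whether they form a TLS record carrying a ClientHello, and, if so, decides to hand the connection through untouched to its original destination instead of applying mTLS. The function names, the `route_decision` policy and the sample byte strings are all constructed for this example.

```python
"""Added example (not linkerd-proxy code): sniff the first bytes of an
outbound connection and decide whether it is already TLS."""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def is_tls_client_hello(data: bytes) -> bool:
    """Return True if `data` begins with a TLS record that carries a ClientHello.

    Checks performed on the 5-byte record header plus the first handshake byte:
      * content type 0x16 (handshake)
      * record version major byte 0x03 (SSLv3 and every TLS 1.x use 0x03)
      * record length large enough to hold a 4-byte handshake header
      * handshake type 0x01 (ClientHello)
    Fewer than 6 bytes is treated as "not TLS yet"; a real proxy would keep
    reading (with a timeout) before deciding.
    """
    if len(data) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    if rec_len < 4:
        return False
    return data[5] == TLS_CLIENT_HELLO


def route_decision(first_bytes: bytes, original_dst: tuple) -> dict:
    """Decide how an ingress-mode outbound proxy should treat a connection.

    Hypothetical policy mirroring the proposal in this issue (not linkerd
    behaviour): already-TLS traffic is forwarded unchanged to the original
    destination with no mTLS and no load balancing; anything else gets the
    normal ingress-mode handling, which includes mTLS to the upstream.
    """
    if is_tls_client_hello(first_bytes):
        return {"action": "passthrough", "target": original_dst, "mtls": False}
    return {"action": "proxy", "target": original_dst, "mtls": True}


# Constructed sample inputs: the start of a TLS 1.2 ClientHello record
# (record header 16 03 01 00 a5, handshake type 01, length 00 00 a1,
# client_version 03 03) and the start of a plaintext HTTP/1.1 request.
SAMPLE_TLS = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: upstream.example\r\n\r\n"

if __name__ == "__main__":
    for name, sample, dst in (("tls", SAMPLE_TLS, ("10.0.0.5", 443)),
                              ("http", SAMPLE_HTTP, ("10.0.0.5", 8080))):
        print(name, route_decision(sample, dst))
```

Because the decision is made per connection from the bytes on the wire rather than per port, two upstreams that share a port number but differ in whether they speak TLS are handled correctly, which is exactly the case a port-based skip annotation cannot express.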
Any alternatives you've considered?
For now, we use the config.linkerd.io/skip-outbound-ports annotation on our gloo-edge ingress gateways to work around this problem. However, config.linkerd.io/skip-outbound-ports is not a proper solution to this problem, as it completely bypasses linkerd (no golden metrics) and as it will not work if there are multiple upstreams with the same port number and at least one of them not using TLS.
How would users interact with this feature?
Nothing special here, I would even argue that the requested (new) behavior is what a user would intuitively expect.
