(Copied from Slack)
Hello fellow Alex! Let me see if I can help.
- I can’t answer your first question with any authority, but I nominate @travis for that.
- With our Ingress Controller Pomerium’s proxy service can act as the load balancer, so services can connect to each other internally through Pomerium. You can configure Pomerium with mTLS, and you can also define client CA roots on a per route basis. With this, you could achieve the same (actually greater) level of security between internal services. My WIP update of our mTLS guide adds instructions for per-route mTLS CA definition (preview).
- You can use `tls_custom_ca` to define custom CAs for specific routes. (reference)
An instance of the ingress controller can only work against a single kubernetes API server so you’d be deploying one per cluster.
Additionally, you’d need to run a full Pomerium per cluster as we do not currently support running more than one instance of an ingress controller against a databroker.
This is up to you. If you want to proxy through Pomerium for all inter-service traffic, you’ll probably need the Enterprise product for service account support. There is no requirement for service mTLS to go through Pomerium, however. It depends on your operational and security requirements.
In case it is relevant, Pomerium also supports mTLS when communicating with upstreams though you may not need this if you’re running a mesh service for mTLS.
Pomerium can use a custom CA for upstream connections and this can be completely independent of downstream user facing certificate chains.
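As an added illustration (not from the Slack thread and not Pomerium's own documentation), the sketch below shows the two separate trust settings the replies above distinguish: a per-route client CA for downstream mTLS, and a per-route custom CA plus client certificate for the upstream connection. The route keys `tls_downstream_client_ca_file`, `tls_custom_ca_file`, `tls_client_cert_file` and `tls_client_key_file` are assumed from Pomerium's route options; all hostnames and paths are placeholders.

```yaml
# Added example sketch, not from the Slack thread. Route options used here
# (tls_downstream_client_ca_file, tls_custom_ca_file, tls_client_cert_file,
# tls_client_key_file) are assumed from Pomerium's route settings; every
# hostname and file path is a placeholder.
routes:
  # Route A: only clients presenting a certificate chained to the billing
  # team's CA may reach this upstream (downstream client CA, per route).
  - from: https://billing.example.internal
    to: https://billing-svc.default.svc.cluster.local:8443
    tls_downstream_client_ca_file: /etc/pomerium/ca/billing-clients-ca.pem
    # The upstream presents a certificate from an internal CA; trust it for
    # this route only, independent of the user-facing certificate chain.
    tls_custom_ca_file: /etc/pomerium/ca/internal-services-ca.pem
    # Pomerium authenticates itself to the upstream (upstream mTLS).
    tls_client_cert_file: /etc/pomerium/certs/pomerium-client.pem
    tls_client_key_file: /etc/pomerium/certs/pomerium-client-key.pem
    policy:
      - allow:
          and:
            - domain:
                is: example.com

  # Route B: a different internal service trusting a different client CA,
  # while reusing the same internal CA for the upstream side.
  - from: https://reports.example.internal
    to: https://reports-svc.default.svc.cluster.local:8443
    tls_downstream_client_ca_file: /etc/pomerium/ca/reports-clients-ca.pem
    tls_custom_ca_file: /etc/pomerium/ca/internal-services-ca.pem
    policy:
      - allow:
          and:
            - domain:
                is: example.com
```

The point of splitting the settings per route is that a client certificate accepted for the billing route is not automatically accepted for the reports route, and the CA trusted for internal upstreams never has to appear in the chain served to end users.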