mTLS Without a Service Mesh: Patterns That Work
Service meshes deliver mTLS by default and sell complexity by default. For many teams, lighter patterns are the right answer.
When to skip the mesh
Service meshes deliver mTLS, but their value goes well beyond that: traffic routing, observability, policy. If you only need mTLS, you are paying for the wrong tool.
Three lighter patterns deliver mTLS without the mesh footprint.
SPIFFE/SPIRE
- SPIFFE/SPIRE: dedicated workload-identity infrastructure; certs issued and rotated.
- Excellent if you can afford the install + ongoing operation. CNCF-graduated.
Library-based mTLS
- Library-based: per-language SDK that handles cert request, rotation, and TLS termination in-process.
- Good for polyglot environments where adding a sidecar is expensive.
Sidecar-without-mesh
- Sidecar-without-mesh: Envoy or Linkerd2-proxy as a TLS sidecar without the control plane.
- Mid-weight: more complex than library, less than full mesh.
Antipatterns
- Building mTLS yourself from scratch. Cert rotation, OCSP, and the rest are all rabbit holes.
- Self-signed certs forever. Rotation discipline rots.
- mTLS without an emergency revocation plan. Compromise needs a fast response path.
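As an added example, not code from the original article or from any project it names, here is what the library-based pattern and the revocation antipattern look like with nothing but Go's standard library: the workload terminates TLS in-process, the server leaf is swapped through `GetCertificate` without restarting the listener, the peer identity is read from a SPIFFE-style URI SAN, and `VerifyPeerCertificate` applies an emergency deny list keyed by certificate serial. The in-memory CA, the hostname `svc.local`, the SPIFFE IDs and the serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

const svcName = "svc.local" // constructed hostname for the example certs; clients pin it via ServerName

// newCA builds a throwaway in-memory CA (constructed for the example, not a real PKI).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return ca, key, pool
}

// issue mints a short-lived leaf with a SPIFFE-style URI SAN, as a workload SDK does on each renewal.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, spiffeID string) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id, _ := url.Parse(spiffeID)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), URIs: []*url.URL{id}, DNSNames: []string{svcName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute), // short TTL forces rotation
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig terminates mTLS in-process. cur holds the current leaf: the renewal loop Stores a new one
// and GetCertificate reads it on every handshake, so rotation never restarts the listener. After chain
// verification, VerifyPeerCertificate applies the emergency deny list (keyed by serial; a real deployment
// guards it with a mutex and feeds it from an out-of-band source).
func serverConfig(pool *x509.CertPool, cur *atomic.Pointer[tls.Certificate], revoked map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:     tls.VersionTLS13,
		ClientCAs:      pool,
		ClientAuth:     tls.RequireAndVerifyClientCert,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cur.Load(), nil },
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if revoked[chains[0][0].SerialNumber.String()] { // chains[0][0] is the already-validated leaf
				return errors.New("client certificate revoked")
			}
			return nil
		},
	}
}

func clientConfig(pool *x509.CertPool, c *tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: svcName, Certificates: []tls.Certificate{*c}}
}

// call sends one request through an mTLS server and returns the peer SPIFFE ID the server saw.
func call(srvCfg, cliCfg *tls.Config) (string, error) {
	var seen string
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		seen = req.TLS.PeerCertificates[0].URIs[0].String() // the identity an authz layer would key on
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = srvCfg
	srv.StartTLS()
	defer srv.Close()
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cliCfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	ca, caKey, pool := newCA()
	var leaf atomic.Pointer[tls.Certificate]
	leaf.Store(issue(ca, caKey, 10, "spiffe://example.org/ns/prod/sa/api"))
	cfg := serverConfig(pool, &leaf, map[string]bool{"12": true}) // serial 12 is on the deny list
	web := func(serial int64) *tls.Config { return clientConfig(pool, issue(ca, caKey, serial, "spiffe://example.org/ns/prod/sa/web")) }
	fmt.Println(call(cfg, web(11))) // valid client: prints its SPIFFE ID
	fmt.Println(call(cfg, web(12))) // revoked client: prints the handshake error
	leaf.Store(issue(ca, caKey, 13, "spiffe://example.org/ns/prod/sa/api")) // server leaf rotated in place
	fmt.Println(call(cfg, web(11))) // still accepted, no restart
}
```

Running it prints the valid client's SPIFFE ID, a TLS handshake error for the revoked serial, and a second success after the server leaf was rotated underneath a live config. The deny list is the piece the antipattern above is about: short-lived certs bound the blast radius of a compromised key, but only a hook like this gives you a same-minute response path when waiting for expiry is not acceptable.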
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before/after. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.