mTLS Without a Service Mesh: Patterns That Work
Service meshes deliver mTLS by default, and complexity by default. For many teams a lighter pattern is the right answer.
When to skip the mesh
Service meshes deliver mTLS, but their value goes well beyond mTLS: traffic routing, observability, policy enforcement. If mTLS is the only feature you need, a mesh is the wrong tool: you take on sidecars and a control plane to get one capability. Three lighter patterns deliver mTLS without the mesh footprint.
- What the mesh sells. Traffic routing, observability, policy, plus mTLS; mTLS is one feature among many.
- What you actually need. Workload identity, cert issuance, rotation, trust-bundle distribution, TLS termination, and peer authorization by identity; not the rest of the mesh.
- The cost of the mesh. Sidecars, control plane, learning curve; pays back only when you use the rest.
- The lighter options. SPIFFE/SPIRE for identity, library-based for in-process, sidecar-without-mesh for middle ground.
SPIFFE/SPIRE
SPIFFE/SPIRE is dedicated workload-identity infrastructure. SPIRE attests each node and workload, hands it a short-lived X.509-SVID over a local Workload API socket, and rotates it automatically; CNCF-graduated; battle-tested. Excellent if you can afford the install plus ongoing operation; the operational tax is real but bounded.
- Workload-identity infrastructure. SPIRE issues SPIFFE identities (SVIDs: X.509 certs carrying a spiffe:// URI SAN, or JWTs); a workload gets one only after node and workload attestation succeed, so identity is tied to what the workload is, not to a secret it was handed.
- Certs issued and rotated. Short-lived certs auto-rotated before expiry; the operator never touches a cert manually.
- CNCF-graduated. Battle-tested across many production deployments; the de facto standard for workload identity.
- Trade. Install plus ongoing operation cost; the right call when you can afford the operational tax.
Library-based mTLS
Library-based: a per-language SDK handles the cert request, rotation, and TLS termination in-process; go-spiffe's X509Source is the SPIFFE-flavoured version of this.
Good where a sidecar hop is too expensive or impossible: latency-sensitive paths, serverless, daemons on bare metal. The cost is one SDK per language to keep correct and patched, so it scales poorly in polyglot fleets; that is exactly the case where a sidecar earns its keep.
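The two patterns above, SPIFFE-style identity and library-based in-process mTLS, as one added Go example; it is not code from this page or from the SPIFFE/SPIRE project. The trust-domain CA is a hypothetical in-process stand-in for the SPIRE server and agent so that the whole thing runs offline; in production the X.509-SVIDs and the trust bundle arrive over the SPIRE Workload API (for Go, go-spiffe's workloadapi X509Source plays the role `Workload` plays here). The type and function names, the SPIFFE IDs and the trust domain example.org are assumptions. It shows what the prose only names: identity carried in a spiffe:// URI SAN rather than a hostname, authorization by exact SPIFFE ID on both sides of the handshake, rotation by swapping the cert behind a tls.Config callback with no restart, and short TTLs doing the everyday revocation (an expired SVID is refused). Needs Go 1.19 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"sync/atomic"
	"time"
)

// must panics on error: acceptable for the issuer scaffolding below, never for workload code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TrustDomain is a hypothetical in-process stand-in for the SPIRE server and agent.
// Real workloads receive SVIDs and the trust bundle over the Workload API socket and
// never hold the CA key; it lives in this process only so the demo runs offline.
type TrustDomain struct {
	ca    *x509.Certificate
	caKey *ecdsa.PrivateKey
	Roots *x509.CertPool // the trust bundle every peer is verified against
}

// mint returns a fresh P-256 cert and key: the self-signed trust-domain root when ca
// is nil, otherwise an X.509-SVID whose only identity is the spiffe:// URI SAN in id.
func mint(ca *x509.Certificate, caKey *ecdsa.PrivateKey, id string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if ca == nil {
		tmpl.Subject, tmpl.IsCA, tmpl.BasicConstraintsValid = pkix.Name{CommonName: id}, true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		ca, caKey = tmpl, key
	} else {
		tmpl.URIs = []*url.URL{must(url.Parse(id))} // identity lives here, not in CN or DNS SANs
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

func NewTrustDomain(name string) *TrustDomain {
	ca, key := mint(nil, nil, name, 24*time.Hour)
	td := &TrustDomain{ca: ca, caKey: key, Roots: x509.NewCertPool()}
	td.Roots.AddCert(ca)
	return td
}

// SVID issues a short-lived identity. A short ttl is the everyday revocation path:
// an identity that stops being reissued simply dies.
func (td *TrustDomain) SVID(spiffeID string, ttl time.Duration) (tls.Certificate, error) {
	if id, err := url.Parse(spiffeID); err != nil || id.Scheme != "spiffe" {
		return tls.Certificate{}, fmt.Errorf("not a SPIFFE ID: %q", spiffeID)
	}
	leaf, key := mint(td.ca, td.caKey, spiffeID, ttl)
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// Workload is the library side: the current SVID, replaced by Rotate without a
// restart and read fresh on every handshake by the tls.Config callbacks below.
type Workload struct{ svid atomic.Pointer[tls.Certificate] }

func (w *Workload) Rotate(c tls.Certificate) { w.svid.Store(&c) }

// authorize chains the peer leaf to the trust bundle (Verify also rejects expired
// SVIDs) and then admits exactly one SPIFFE ID. Hostnames play no part.
func authorize(roots *x509.CertPool, usage x509.ExtKeyUsage, want string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(raw[0]) // raw[1:] would carry intermediates
		if err != nil {
			return err
		}
		if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}}); err != nil {
			return err
		}
		if len(leaf.URIs) != 1 {
			return errors.New("SVID must carry exactly one URI SAN")
		}
		if got := leaf.URIs[0].String(); got != want {
			return fmt.Errorf("peer %s is not authorized as %s", got, want)
		}
		return nil
	}
}

// ServerConfig demands a client SVID and admits only allowedClient.
func (w *Workload) ServerConfig(roots *x509.CertPool, allowedClient string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS13,
		GetCertificate:        func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return w.svid.Load(), nil },
		ClientAuth:            tls.RequireAnyClientCert, // chain and identity are checked by authorize
		VerifyPeerCertificate: authorize(roots, x509.ExtKeyUsageClientAuth, allowedClient),
	}
}

// ClientConfig presents the SVID and talks only to expectedServer. InsecureSkipVerify
// switches off Go's hostname check, which SPIFFE cannot satisfy; authorize replaces it.
func (w *Workload) ClientConfig(roots *x509.CertPool, expectedServer string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS13,
		GetClientCertificate:  func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return w.svid.Load(), nil },
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: authorize(roots, x509.ExtKeyUsageServerAuth, expectedServer),
	}
}

// Handshake runs one mTLS handshake over loopback and returns the server cert the
// client accepted; a non-nil error means one side refused its peer.
func Handshake(srv, cli *tls.Config) (*x509.Certificate, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil { // a TLS 1.3 client finishes before the server's verdict
		return nil, err
	}
	return conn.ConnectionState().PeerCertificates[0], nil
}

func main() {
	const apiID, webID = "spiffe://example.org/ns/prod/sa/api", "spiffe://example.org/ns/prod/sa/web"
	td, api, web := NewTrustDomain("example.org"), &Workload{}, &Workload{}
	api.Rotate(must(td.SVID(apiID, time.Hour)))
	web.Rotate(must(td.SVID(webID, time.Hour)))
	cert := must(Handshake(api.ServerConfig(td.Roots, webID), web.ClientConfig(td.Roots, apiID)))
	fmt.Println("web authenticated server", cert.URIs[0])
}
```

`go run` performs one round trip. The cases worth exercising all surface as errors from `Handshake`: a new SVID handed to `Rotate` is used on the very next handshake with no restart; a peer that chains to the same trust bundle but carries the wrong SPIFFE ID is refused by whichever side expected someone else; an SVID issued with a TTL that has already elapsed is refused by `Verify`; an SVID from a different trust domain fails the chain build. Note the asymmetry the code has to carry: the client must set InsecureSkipVerify because Go's default verifier insists on a hostname that SPIFFE identities do not have, and the replacement check in `authorize` does the full chain build itself. Keeping the flag while dropping the callback is the classic way this pattern goes wrong.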
Sidecar-without-mesh
Sidecar-without-mesh: Envoy as a TLS-terminating sidecar driven by static configuration, with no mesh control plane. Linkerd2-proxy is sometimes named here too, but it is built to be driven by the Linkerd control plane rather than run standalone, so Envoy is the practical choice. The sidecar still needs certs from somewhere (files rotated by cert-manager, or a SPIRE agent over SDS), and the Envoy listener must set require_client_certificate: true and pin the peer's SPIFFE ID with match_typed_subject_alt_names (san_type: URI); a trusted_ca alone admits every workload in the trust domain.
Mid-weight: more complex than a library, less than a full mesh, and language-agnostic.
Antipatterns
- Building mTLS yourself from scratch. Your own CA, issuance, rotation, revocation (CRL/OCSP), trust-bundle distribution and attestation: each is a rabbit hole with its own bug class.
- Self-signed certs forever. A cert that is never rotated means a leaked key stays valid until someone notices, and rotation discipline rots because nothing forces it.
- mTLS without an emergency revocation plan. Short-lived certs are the everyday revocation mechanism (stop issuing and wait out the TTL), but a compromised CA or a leaked long-lived key needs a rehearsed path: rotate the CA, push the new trust bundle, and know how long the old one is still accepted.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before and after: the share of service-to-service connections that are mTLS, and the age of the oldest live certificate. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.