I have an Aurora RDS cluster in AWS which doesn't allow me to connect when I'm using a CNAME, because I need to send a certificate during authentication which is pointing to the cluster endpoint provided by AWS.
Can I use Istio SNI on TLS to create a static domain (using a Kubernetes Service) and use Istio as a proxy to connect to the real endpoint and send the certificate?
I'm trying to do that implementation using the following YAMLs, but I get the following error:
admission webhook "validation.istio.io" denied the request: configuration is invalid: SNI host "myaurora-cluster.us-east-2.rds.amazonaws.com" is not a compatible subset of any of the virtual service hosts: [mysampledomain.dev.svc.cluster.local]
# Selector-less ClusterIP Service that provides the static in-cluster name
kind: Service
apiVersion: v1
metadata:
  name: mysampledomain
spec:
  type: ClusterIP
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
---
# Registers the external Aurora endpoint in the mesh as a TLS service resolved via DNS
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aws-rds-serviceentry
  namespace: dev
spec:
  hosts:
    - myaurora-cluster.us-east-2.rds.amazonaws.com
  ports:
    - number: 5432
      name: tls
      protocol: TLS
  resolution: DNS
---
# TLS (SNI-based) route: match on the Aurora SNI and forward to the Aurora endpoint
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: aws-rds-virtualservice
  namespace: dev
spec:
  hosts:
    - mysampledomain.dev.svc.cluster.local
  tls:
    - match:
        - port: 5432
          sniHosts:
            - myaurora-cluster.us-east-2.rds.amazonaws.com
      route:
        - destination:
            host: myaurora-cluster.us-east-2.rds.amazonaws.com
            port:
              number: 5432
---
# Sidecar originates TLS to Aurora with the Aurora endpoint as SNI
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: aws-rds-destinationrule
  namespace: dev
spec:
  host: myaurora-cluster.us-east-2.rds.amazonaws.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: myaurora-cluster.us-east-2.rds.amazonaws.com
Do you know any other approach to achieve the Aurora connection?
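The webhook error above comes from Istio's check that every `sniHosts` entry in a TLS match is covered by at least one entry in the VirtualService's `hosts` (exact match, or a `*.` wildcard host whose suffix matches). The following is an added example, not part of the original post and not Istio's own code: a Python re-implementation of that subset check, run offline against dictionaries that mirror the posted VirtualService and against a variant whose `hosts` list also contains the Aurora endpoint. The `istio_subset_of`, `validate_virtual_service` and the `POSTED_VS`/`FIXED_VS` names are assumptions of this example. It only reproduces what the admission webhook validates; it says nothing about whether the sidecar will then route the Postgres connection the way the question wants.

```python
"""Offline re-implementation (added example) of Istio's "SNI host is not a
compatible subset" validation, so manifests can be checked before they are
applied. Semantics follow Istio's host.Name.SubsetOf(): an SNI host is covered
by a VirtualService host when they are equal, or when the VirtualService host
is a wildcard ("*.suffix") and the SNI host ends with that suffix."""


def istio_subset_of(sni_host: str, vs_host: str) -> bool:
    """Is sni_host a compatible subset of vs_host (one-directional match)?"""
    sni_wild = sni_host.startswith("*")
    vs_wild = vs_host.startswith("*")
    if sni_wild:
        # A wildcard SNI can only be covered by a wildcard VirtualService host
        # whose suffix is a suffix of the SNI wildcard's suffix.
        return vs_wild and sni_host[1:].endswith(vs_host[1:])
    if vs_wild:
        # "*.rds.amazonaws.com" covers "myaurora-cluster.us-east-2.rds.amazonaws.com"
        return sni_host.endswith(vs_host[1:])
    return sni_host == vs_host


def validate_virtual_service(vs: dict) -> list:
    """Walk spec.tls[].match[].sniHosts of a VirtualService (as parsed from
    YAML) and return one error string per SNI host that no spec.hosts entry
    covers. An empty list means the webhook check would pass."""
    spec = vs.get("spec", {})
    hosts = spec.get("hosts", [])
    errors = []
    for tls_route in spec.get("tls", []):
        for match in tls_route.get("match", []):
            for sni in match.get("sniHosts", []):
                if not any(istio_subset_of(sni, h) for h in hosts):
                    errors.append(
                        'SNI host "%s" is not a compatible subset of any of the '
                        "virtual service hosts: [%s]" % (sni, ", ".join(hosts))
                    )
    return errors


# Constructed input mirroring the VirtualService posted in the question.
RDS_HOST = "myaurora-cluster.us-east-2.rds.amazonaws.com"
STATIC_HOST = "mysampledomain.dev.svc.cluster.local"

POSTED_VS = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "VirtualService",
    "metadata": {"name": "aws-rds-virtualservice", "namespace": "dev"},
    "spec": {
        "hosts": [STATIC_HOST],
        "tls": [{
            "match": [{"port": 5432, "sniHosts": [RDS_HOST]}],
            "route": [{"destination": {"host": RDS_HOST, "port": {"number": 5432}}}],
        }],
    },
}

# Same manifest with the Aurora endpoint added to spec.hosts (assumed fix for
# the validation error only).
FIXED_VS = {
    **POSTED_VS,
    "spec": {**POSTED_VS["spec"], "hosts": [STATIC_HOST, RDS_HOST]},
}


if __name__ == "__main__":
    for label, manifest in (("posted", POSTED_VS), ("fixed", FIXED_VS)):
        errs = validate_virtual_service(manifest)
        print(label, "->", "OK" if not errs else errs[0])
```

Running the block prints the posted manifest's error text verbatim and `OK` for the variant whose `hosts` list includes the Aurora endpoint; the wildcard branch is what lets a host such as `*.rds.amazonaws.com` cover the cluster endpoint without listing it explicitly.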