Hi,
I have an Aurora RDS cluster in AWS which doesn't allow me to connect when I'm using a CNAME, because I need to send a certificate on the authentication which is pointing to the cluster endpoint provided by AWS.
Can I use the Istio SNI on TLS to create a static domain (using a Kubernetes service) and use Istio as a proxy to connect to the real endpoint and send the certificate?
I'm trying to do that implementation using the following YAMLs, but I get the following error:
admission webhook "validation.istio.io" denied the request: configuration is invalid: SNI host "myaurora-cluster.us-east-2.rds.amazonaws.com" is not a compatible subset of any of the virtual service hosts: [mysampledomain.dev.svc.cluster.local]
YAMLs used:
kind: Service
apiVersion: v1
metadata:
  name: mysampledomain
spec:
  type: ClusterIP
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: aws-rds-serviceentry
  namespace: dev
spec:
  hosts:
    - myaurora-cluster.us-east-2.rds.amazonaws.com
  ports:
    - number: 5432
      name: tls
      protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: aws-rds-virtualservice
  namespace: dev
spec:
  hosts:
    - mysampledomain.dev.svc.cluster.local
  tls:
    - match:
        - port: 5432
          sniHosts:
            - myaurora-cluster.us-east-2.rds.amazonaws.com
      route:
        - destination:
            host: myaurora-cluster.us-east-2.rds.amazonaws.com
            port:
              number: 5432
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: aws-rds-destinationrule
  namespace: dev
spec:
  host: myaurora-cluster.us-east-2.rds.amazonaws.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: myaurora-cluster.us-east-2.rds.amazonaws.com
Do you know any other approach to achieve the Aurora connection?
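The webhook error quoted above comes from a single rule: every entry in a TLS match's `sniHosts` must be covered by one of the VirtualService's own `hosts`. The following Python script is an added example (not part of the post and not Istio's code) that re-implements that coverage check so the rejected VirtualService can be reasoned about offline; the wildcard handling (`*` and `*.suffix`) mirrors Istio's host-name semantics as I understand them and should be treated as an assumption. `REJECTED_VS` is a constructed dict carrying the post's own values, and `ACCEPTED_VS` is the same object with the VirtualService host changed to the RDS hostname so that `sniHosts` becomes a subset of `hosts`.

```python
"""Re-implementation of the Istio admission rule behind the error
'SNI host ... is not a compatible subset of any of the virtual service hosts'.
Added illustration only; wildcard semantics are an assumption, not Istio's code.
"""


def is_wildcarded(name: str) -> bool:
    """Istio treats a host beginning with '*' as a wildcard (e.g. '*.example.com')."""
    return name.startswith("*")


def subset_of(sni_host: str, vs_host: str) -> bool:
    """True if sni_host is covered by vs_host. The relation is one-directional:
    'a.example.com' is a subset of '*.example.com', but not the reverse."""
    if vs_host == "*":
        return True
    if is_wildcarded(sni_host):
        # A wildcard SNI host is only covered by a wildcard VS host whose suffix it extends.
        return is_wildcarded(vs_host) and sni_host[1:].endswith(vs_host[1:])
    if is_wildcarded(vs_host):
        return sni_host.endswith(vs_host[1:])
    return sni_host == vs_host


def uncovered_sni_hosts(vs_hosts, sni_hosts):
    """Return the SNI hosts that no VirtualService host covers."""
    return [s for s in sni_hosts if not any(subset_of(s, h) for h in vs_hosts)]


def check_virtual_service(vs: dict):
    """Walk spec.tls[].match[].sniHosts and collect one error per uncovered SNI host,
    in the same wording the admission webhook uses."""
    hosts = vs["spec"]["hosts"]
    errors = []
    for rule in vs["spec"].get("tls", []):
        for match in rule.get("match", []):
            for sni in uncovered_sni_hosts(hosts, match.get("sniHosts", [])):
                errors.append(
                    f'SNI host "{sni}" is not a compatible subset of any of the '
                    f"virtual service hosts: {hosts}"
                )
    return errors


RDS_HOST = "myaurora-cluster.us-east-2.rds.amazonaws.com"

# Constructed from the VirtualService in the post: hosts is the cluster-local
# service name, while sniHosts names the RDS endpoint, so the check fails.
REJECTED_VS = {
    "kind": "VirtualService",
    "metadata": {"name": "aws-rds-virtualservice", "namespace": "dev"},
    "spec": {
        "hosts": ["mysampledomain.dev.svc.cluster.local"],
        "tls": [
            {
                "match": [{"port": 5432, "sniHosts": [RDS_HOST]}],
                "route": [{"destination": {"host": RDS_HOST, "port": {"number": 5432}}}],
            }
        ],
    },
}

# Same object with hosts set to the RDS hostname: sniHosts is now a subset of hosts.
ACCEPTED_VS = {
    **REJECTED_VS,
    "spec": {**REJECTED_VS["spec"], "hosts": [RDS_HOST]},
}

if __name__ == "__main__":
    for label, vs in (("rejected", REJECTED_VS), ("accepted", ACCEPTED_VS)):
        print(label, check_virtual_service(vs) or "ok")
```

This only reproduces the host-coverage rule the webhook enforces; passing it says nothing about whether the TLS session will then reach Aurora with the expected certificate, which is a separate question from the validation error.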