Cannot establish TLS connection over TCP for MongoDB

AVBee · June 21, 2019, 8:11am

Hi, we are trying to setup ingressgateway to receive TLS connection at our LoadBalancer and then connect to MongoDB using TLS termination but failed. The purpose is we want to let client access the DB with domain name.

We have tried to connect to MongoDB without TLS, just TCP and it works fine. And also we have tried the simple httpbin with secure gateway (HTTPS) https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/
It works fine also.

Expectation: Client can establish connection to MongoDB using domain name.

What could be wrong from my configuration?

Gateway connection:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mongo-gateway
  namespace: mongo-test
spec:
  selector:
    istio: ingressgateway 
  servers:
  - port:
      number: 31402
      name: mgo2
      protocol: TLS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
     - "*.example.com"

Virtual Service

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: v1m2-mongodb
  namespace: mongo-test
spec:
  hosts:
  - "mongodb.example.com"
  gateways:
  - mongo-gateway
  tcp:
  - match:
    route:
    - destination:
        host: v1m2-mongodb
        port:
          number: 27018

AKS with kube v.1.12
Istio 1.2.0

Steven_Hespelt · March 10, 2020, 8:49pm

Did you ever get an answer to you post? I think the protocol := TLS means that SSL termination at the ingress edge does not take place, that the service is expected to handle the SSL/TLS negotiation (I’ve not verified this but I would expect the Envoy sidecar to pass the tcp traffic as is to the service’s endpoint - so Mongo would have to expect, handle TLS traffic.

I’m looking for what I guess is a similar question: is TLS termination handled at the ingress edge for non-http traffic? Eg. db connections, non-http services. Based on both tls_mode == PASSTHROUGH & AUTO_PASSTHROUGH using SNI, I strongly suspect not.
Hope it worked out for you.

Topic		Replies	Views
TLS termination at ingress edge for HTTPS only? Networking	1	2592	March 26, 2020
Istio Ingress Gateway TCP TLS Termination	3	3557	June 25, 2020
How To: Ingress Gateway + TLS Termination and Routing -> HTTPS Service Networking	1	1977	August 10, 2023
TLS termination at edge Envoy (with nginx pod)	0	617	February 26, 2019
I have a question regarding configuring the Istio proxy to connect to MongoDB without making any modifications to the client configuration	0	321	May 27, 2023

Cannot establish TLS connection over TCP for MongoDB

Related topics