Cannot establish TLS connection over TCP for MongoDB

Hi, we are trying to set up an ingressgateway to receive TLS connections at our LoadBalancer and then connect to MongoDB with TLS termination, but it fails. The purpose is to let clients access the DB by domain name.

We have tried to connect to MongoDB without TLS, just TCP, and it works fine. We have also tried the simple httpbin with a secure gateway (HTTPS), https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/
It works fine too.

Expectation: the client can establish a connection to MongoDB using the domain name.

What could be wrong with my configuration?

Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mongo-gateway
  namespace: mongo-test
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31402        # must also be exposed on the istio-ingressgateway Service
      name: mgo2
      protocol: TLS
    tls:
      mode: SIMPLE         # gateway terminates TLS with the mounted cert
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*.example.com"      # matched against the client's SNI

Virtual Service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: v1m2-mongodb
  namespace: mongo-test
spec:
  hosts:
  - "mongodb.example.com"
  gateways:
  - mongo-gateway
  tcp:                     # plain TCP route; TLS was already removed by the gateway
  - match:
    - port: 31402          # the gateway server port this route binds to
    route:
    - destination:
        host: v1m2-mongodb
        port:
          number: 27018

AKS with Kubernetes v1.12
Istio 1.2.0

Did you ever get an answer to your post? I think protocol := TLS means that SSL termination at the ingress edge does not take place, and that the service is expected to handle the SSL/TLS negotiation (I've not verified this, but I would expect the Envoy sidecar to pass the TCP traffic as-is to the service's endpoint, so Mongo would have to expect and handle TLS traffic).

I'm looking for what I guess is a similar question: is TLS termination handled at the ingress edge for non-HTTP traffic, e.g. DB connections and non-HTTP services? Based on both tls_mode == PASSTHROUGH & AUTO_PASSTHROUGH using SNI, I strongly suspect not.
Hope it worked out for you.
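What both posts are asking is decided by the Gateway's tls.mode, not by protocol: TLS alone. In Istio, protocol: TLS with mode: SIMPLE terminates TLS at the ingress gateway (using the mounted certificate) and forwards plaintext TCP to the backend, which is routed with a tcp: VirtualService rule; mode: PASSTHROUGH (and AUTO_PASSTHROUGH) leaves the TLS session intact, routes on the client's SNI via a tls: rule with sniHosts, and the backend must present its own certificate. The manifest below is an added example to illustrate the two options side by side; it is not from either post and not Istio project code. It assumes the thread's namespace mongo-test, a Service v1m2-mongodb listening on 27018, an istio-ingressgateway Service that exposes port 31402, and (for option A) a certificate in the mounted istio-ingressgateway-certs secret whose SAN covers mongodb.example.com. The two options bind the same port and host, so apply one of them, not both.

```yaml
# Added example (not from the thread, not Istio project code).
# Option A: terminate TLS at the ingress gateway, forward plain TCP to MongoDB.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mongo-gateway
  namespace: mongo-test
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31402          # must also be exposed on the istio-ingressgateway Service
      name: tls-mongo
      protocol: TLS
    tls:
      mode: SIMPLE           # gateway terminates TLS; backend sees plaintext
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "mongodb.example.com"  # matched against the client's SNI
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: v1m2-mongodb
  namespace: mongo-test
spec:
  hosts:
  - "mongodb.example.com"
  gateways:
  - mongo-gateway
  tcp:                       # plain TCP route: the TLS layer is already gone
  - match:
    - port: 31402
    route:
    - destination:
        host: v1m2-mongodb   # assumed Service name (from the thread)
        port:
          number: 27018      # must be a plaintext listener on mongod
---
# Option B: pass TLS through untouched and route on SNI. mongod must then be
# started with its own certificate (net.ssl / net.tls with a required mode),
# since the gateway never decrypts anything.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mongo-passthrough-gateway
  namespace: mongo-test
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31402
      name: tls-mongo-passthrough
      protocol: TLS
    tls:
      mode: PASSTHROUGH      # no certificate on the gateway; SNI routing only
    hosts:
    - "mongodb.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: v1m2-mongodb-passthrough
  namespace: mongo-test
spec:
  hosts:
  - "mongodb.example.com"
  gateways:
  - mongo-passthrough-gateway
  tls:                       # TLS route: matched on SNI, bytes forwarded as-is
  - match:
    - port: 31402
      sniHosts:
      - "mongodb.example.com"
    route:
    - destination:
        host: v1m2-mongodb
        port:
          number: 27018      # must be a TLS listener on mongod
```

Two checks sort out which side is misbehaving. First, confirm the gateway is actually listening: kubectl -n istio-system get svc istio-ingressgateway must show port 31402 (a default 1.2 install exposes 31400 for raw TCP, not 31402), and istioctl proxy-config listener <ingressgateway-pod> -n istio-system --port 31402 should list the listener. Second, from outside the cluster run openssl s_client -connect <LB-IP>:31402 -servername mongodb.example.com: with option A the certificate printed is the gateway's, with option B it is mongod's, and with no -servername (no SNI) the handshake is refused by either, because the hosts entry is matched on SNI. A client that works through openssl but fails with the driver is usually one of two mismatches: the driver is not sending SNI, or option A is terminating TLS in front of a mongod that itself requires TLS on 27018, so the gateway hands it plaintext and mongod drops the connection.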