We have a situation where workloads in a mesh with mTLS enabled are no longer able to communicate with an AWS RDS instance that has SSL enabled, because Amazon seems to have just rotated their CA cert for RDS (2 days ago). I was able to find lots of documentation about Istio signing certs, but I couldn't find any clear guidance on how to make Istio trust a new certificate. Is this possible? What should we do in a situation like this?
@ad-tfs could you provide more information? Is your workload in an Istio-managed cluster trying to talk to AWS RDS? Does egress-sds solve your issue? https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/ Can you route egressing traffic to an egress gateway and deploy a DestinationRule with the new CA cert to do the TLS handshake with AWS RDS?
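To make the suggestion above concrete, here is an added example that is not part of the original thread and not Istio project code: a DestinationRule that tells the egress gateway to originate one-way TLS to RDS and verify the server chain against the rotated CA bundle loaded from a Kubernetes secret. The RDS endpoint name, the secret name, the port number and the bundle file name are assumptions for illustration.

```yaml
# Added example, not from the original thread. Assumed names throughout.
#
# Step 1: put the new RDS CA bundle (downloaded from AWS) into a secret in the
# egress gateway's namespace. Only the "ca.crt" key is needed for server
# verification; no client cert or key is involved in SIMPLE mode.
#
#   kubectl -n istio-system create secret generic rds-ca-bundle \
#     --from-file=ca.crt=rds-combined-ca-bundle.pem      # assumed file name
#
# Step 2: apply this DestinationRule so traffic leaving the egress gateway for
# the RDS endpoint is wrapped in TLS and checked against that bundle.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-to-rds
  namespace: istio-system                 # must match the gateway and secret namespace
spec:
  host: mydb.abc123.us-east-1.rds.amazonaws.com   # assumed RDS endpoint
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 5432                      # assumed database port
      tls:
        mode: SIMPLE                      # gateway verifies RDS; RDS does not verify the gateway
        credentialName: rds-ca-bundle     # secret from step 1, read via SDS
        sni: mydb.abc123.us-east-1.rds.amazonaws.com
```

The secret has to live in the egress gateway's namespace rather than the workload's, and rotating the CA later is then a matter of replacing the secret's ca.crt. One caveat when applying this pattern to RDS specifically: PostgreSQL and MySQL both negotiate TLS inside their own wire protocol (the client first sends a protocol message and the connection is then upgraded), whereas gateway-level TLS origination wraps the TCP stream in TLS from the first byte, so the database would receive a ClientHello where it expects a startup message. The DestinationRule approach fits an endpoint that speaks TLS from the first byte; for those database protocols the client library has to perform the TLS handshake itself and be given the new bundle directly.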
I have attempted to get that working on 1.7. I can't get it to work. I can get mTLS in the mesh working outbound to the egress gateway and then on to RDS without SSL, but when I try to add SSL in the final hop (DestinationRule) it breaks the connection; the cert is correct, as I have tested it. I detailed the problem here but no bites yet.
One thing to note: AWS RDS rotating a cert would only affect you if you're using a CA cert in the first place to connect. SSL direct from Sequelize or whatever source you're using to an RDS instance that enforces SSL doesn't necessarily require you to pass a certificate in.