Istio egress: mTLS connection to MariaDB from Kubernetes cluster

I’m currently trying to set up a connection between a pod deployed on a Kubernetes server and an external MariaDB server.

When I try to connect to the server from a pod, I face this error:

ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11

From what I understand, the problem is due to the MySQL protocol requiring the first connection packet to be non-TLS and the egress gateway only doing TLS.

I don’t know if there is a workaround or variables to change for it to work, or if it’s just my Istio version that is too low to support this type of connection.

Here is my configuration:

MariaDB server:

The MariaDB server is a container launched with TLS enabled.

I created a user without a password that requires X509.

If I try to connect to MariaDB from a terminal with a certificate, it succeeds.

Kubernetes cluster:

Istio: 1.6.14, client certificates are provisioned

Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mariadb
  namespace: istio-egress
spec:
  selector:
    istio: egressgateway
  servers:
    - hosts:
        - mariadb.test.com
      port:
        name: tcp
        number: 15443
        protocol: TCP

Virtual service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mariadb-through-egress-gateway
spec:
  gateways:
    - mesh
    - mariadb
  hosts:
    - mariadb.test.com
  tcp:
    - match:
        - gateways:
            - mesh
          port: 15443
      route:
        - destination:
            host: istio-egressgateway.istio-egress.svc.cluster.local
            port:
              number: 15443
            subset: mariadb
          weight: 100
    - match:
        - gateways:
            - mariadb
          port: 15443
      route:
        - destination:
            host: mariadb.test.com
            port:
              number: 3306
          weight: 100

DestinationRule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-mariadb
spec:
  exportTo:
    - .
  host: mariadb.test.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
      - port:
          number: 3306
        tls:
          caCertificates: /etc/istio/client/ca.crt
          clientCertificate: /etc/istio/client/tls.crt
          mode: MUTUAL
          privateKey: /etc/istio/client/tls.key
          sni: mariadb.test.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-mariadb
spec:
  host: istio-egressgateway.istio-egress.svc.cluster.local
  subsets:
    - name: mariadb

Service entry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mariadb
spec:
  hosts:
    - mariadb.test.com
  location: MESH_EXTERNAL
  ports:
    - name: tcp-mtls-origination
      number: 15443
      protocol: TCP
    - name: tcp
      number: 3306
      protocol: TCP
  resolution: DNS
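The protocol detail behind the error above, as an added example that is not part of the original post or of Istio: a MySQL-compatible server sends the first packet of a connection in plaintext and only advertises TLS through the CLIENT_SSL capability bit, so a proxy that opens port 3306 with a TLS ClientHello never receives a TLS record in return. The layout follows the public protocol-10 handshake; the greeting bytes are constructed, and the server version string is a placeholder.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit: server accepts a TLS upgrade after the greeting

def build_initial_handshake(server_version: str, conn_id: int, capabilities: int) -> bytes:
    """Construct a minimal protocol-10 greeting (constructed sample, not a real capture)."""
    body = bytes([10]) + server_version.encode() + b"\x00"   # protocol version + NUL-terminated version
    body += struct.pack("<I", conn_id)
    body += b"A" * 8 + b"\x00"                              # auth-plugin-data-part-1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)        # capability flags, lower 16 bits
    body += bytes([0x2D])                                   # charset: utf8mb4_general_ci (45)
    body += struct.pack("<H", 0x0002)                       # status: SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", capabilities >> 16)           # capability flags, upper 16 bits
    body += b"\x00" * 11                                    # auth-plugin-data-len + reserved
    return len(body).to_bytes(3, "little") + b"\x00" + body  # 4-byte header: length + sequence id 0

def parse_initial_handshake(data: bytes) -> dict:
    """Decode the first packet a MySQL-compatible server sends; raise if it is not one."""
    if len(data) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(data[0:3], "little")
    body = data[4:4 + length]
    if len(body) != length or not body or body[0] != 10:
        raise ValueError("not a protocol-10 MySQL greeting")
    end = body.index(b"\x00", 1)
    server_version = body[1:end].decode()
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", body, pos)
    pos += 4 + 8 + 1                                        # skip conn id, auth data part 1, filler
    cap_low, _charset, _status, cap_high = struct.unpack_from("<HBHH", body, pos)
    capabilities = cap_low | (cap_high << 16)
    return {"server_version": server_version, "connection_id": conn_id,
            "capabilities": capabilities, "supports_tls": bool(capabilities & CLIENT_SSL)}

def classify_first_bytes(data: bytes) -> str:
    """Tell a plaintext MySQL greeting apart from a TLS handshake record."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"      # what a TLS-originating proxy expects to see first
    try:
        parse_initial_handshake(data)
        return "mysql-greeting"  # what MariaDB on port 3306 actually sends first
    except (ValueError, IndexError, struct.error):
        return "unknown"

if __name__ == "__main__":
    greeting = build_initial_handshake("10.0.0-MariaDB-sample", 42, 0x00A2FFFF)
    print(parse_initial_handshake(greeting))
    print(classify_first_bytes(greeting), classify_first_bytes(b"\x16\x03\x01\x00\xc4\x01"))
```

Feeding the first bytes captured on a connection into classify_first_bytes shows which side is speaking TLS and which is speaking plaintext MySQL.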