Hi,
My goal is to prove that Istio could work for my application deployment so I’ve started with a simple webapp and postgres server running in my cluster.
Both the webapp and postgres servers are unsecured (no TLS). I’ve been able to expose the ports both externally through the istio ingress gateway to allow access.
I’ve also been able to configure the istio ingress gateway to terminate HTTPS traffic for my webapp. I’m now trying to do the same for postgres.
I’m running into issues though when I try to connect:
./psql "port=31320 host=135.228.149.159 user=user dbname=url_shortener_db sslcert=/opt/ssl/certs/cert.pem sslkey=/opt/ssl/ssl.key sslmode=require sslrootcert=/opt/ssl/ca_cert.pem"
psql: received invalid response to SSL negotiation:
openssl s_client -connect 135.228.149.159:31320
Shows the certificates presented properly so I know the gateway has bound the port and is presenting the correct certificates.
I’m guessing I’ve got some config problem here but I’m not sure where.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: webapp-gateway
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- port:
number: 8080
name: webapp-http
protocol: HTTP
hosts:
- "*"
- port:
number: 9000
name: webapp-https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "*"
- port:
number: 5433
name: postgres-tls
protocol: TLS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- "*"
- port:
number: 5432
name: postgres
protocol: TCP
hosts:
- "*"
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: postgres
spec:
hosts:
- "*"
gateways:
- webapp-gateway
tcp:
- match:
- port: 5432
route:
- destination:
port:
number: 5432
host: postgres
- match:
- port: 5433
route:
- destination:
port:
number: 5432
host: postgres
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: postgres-istio-mtls
spec:
host: postgres
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
istioctl version
client version: 1.4.0
citadel version: 1.4.0
egressgateway version: 1.3.2
galley version: 1.4.0
ingressgateway version: 1.4.0
pilot version: 1.4.0
policy version: 1.4.0
sidecar-injector version: 1.4.0
telemetry version: 1.4.0
data plane version: 1.4.0 (3 proxies), 1.3.2 (1 proxies)
kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:30:26Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
I’ve also tried enabling envoy proxy logging but I only seem to get messaging on the completion of a connection session so that’s not helpful in this case.
Any ideas or things I could try?