I am having real trouble setting up a Sequelize Node application to use the Istio egress gateway for a TLS & certificate connection to RDS Postgres in AWS.
SSL is set to true in the application Sequelize connection (not sure it should be).
I have used the standard RDS AWS certificate bundle and tested that the certificate bundle works with a psql connection. It does.
I use the following YAML resources to get the traffic out through the egress gateway, and I do see the traffic traversing out the egress gateway.
– service entry –
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: postgress
spec:
  hosts:
  - RDS-HOSTNAME
  addresses:
  - RDS-IP-ADDRESS/32
  ports:
  - number: RDS-PORT
    name: tcp
    protocol: TCP
  resolution: STATIC
  endpoints:
  - address: RDS-IP-ADDRESS
– gateway –
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: postgress-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    hosts:
    - RDS-HOSTNAME
    tls:
      mode: ISTIO_MUTUAL
– destination rule –
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-postgress
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: postgress
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 15443
        tls:
          mode: ISTIO_MUTUAL
          sni: RDS-HOSTNAME
– virtual service –
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-postgress-through-postgressegress-gateway
spec:
  hosts:
  - RDS-HOSTNAME
  gateways:
  - mesh
  - postgress-egressgateway
  tcp:
  # sidecar -> egress gateway (mTLS inside the mesh)
  - match:
    - gateways:
      - mesh
      port: RDS-PORT
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: postgress
        port:
          number: 15443
  # egress gateway -> RDS
  - match:
    - gateways:
      - postgress-egressgateway
      port: 15443
    route:
    - destination:
        host: RDS-HOSTNAME
        port:
          number: RDS-PORT
      weight: 100
Once deployed, everything looks great: I see traffic going out the egress gateway and successful RDS calls in my application pods. Next I want to add a destination rule to make the final hop from my egress gateway to RDS secured with the tested CA bundle in SIMPLE mode.
I create the secret with the correct -cacert name in istio-system:
kubectl create secret generic postgress-credential-cacert --from-file=ca.crt=postgress.crt -n istio-system
then apply the destination rule:
– destination rule –
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-postgres
spec:
  host: RDS-HOSTNAME
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: RDS-PORT
      tls:
        mode: SIMPLE
        credentialName: postgress-credential
        sni: RDS-HOSTNAME
However, once I add this destination rule it breaks my connection. I know that the certificate is the right CA bundle. The Istio egress gateway logs look good in that it is picking up the secret credentials; however, I see no logs in the Istio egress gateway indicating any issue, I just get the application pod logs complaining about the Sequelize connect error.
I have tried a million different combinations of TLS/TCP and changes to all these 5 files - nothing works.
I am wondering if I am passing the wrong SNI in the final destination rule, or if it's simply not supported to do this; I can't see any examples of it.
Has anyone actually done this before? I see nothing online about it. I see something similar here but this doesn't help: Egress Gateways with TLS Origination AND TLS passthrough for egress chokepoint
Any help from the community would be much appreciated.