Hi there
I am having real trouble setting up a Sequelize Node application to use the Istio egress gateway for a TLS and certificate connection to RDS Postgres in AWS.
Notes:
Istio 1.7
SSL is set to true in the application's Sequelize connection (not sure it should be).
I have used the standard RDS AWS certificate bundle and tested that the certificate bundle works with a psql connection. It does.
I use the following YAML resources to get the traffic out through the egress gateway, and I do see the traffic traversing out the egress gateway.
– service entry –
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: postgress
spec:
  addresses:
  - RDS-IP-ADDRESS/32
  endpoints:
  - address: RDS-IP-ADDRESS
  hosts:
  - RDS-HOSTNAME
  ports:
  - number: RDS-PORT
    name: tcp
    protocol: TCP
  resolution: STATIC
– gateway –
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: postgress-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    hosts:
    - RDS-HOSTNAME
    tls:
      mode: ISTIO_MUTUAL
– destination rule –
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-postgress
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: postgress
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 15443
        tls:
          mode: ISTIO_MUTUAL
          sni: RDS-HOSTNAME
– virtual service –
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-postgress-through-postgressegress-gateway
spec:
  hosts:
  - RDS-HOSTNAME
  gateways:
  - mesh
  - postgress-egressgateway
  tcp:
  - match:
    - gateways:
      - mesh
      port: RDS-PORT
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: postgress
        port:
          number: 15443
  - match:
    - gateways:
      - postgress-egressgateway
      port: 15443
    route:
    - destination:
        host: RDS-HOSTNAME
        port:
          number: RDS-PORT
      weight: 100
Once deployed, everything looks great: I see traffic going out the egress gateway and see successful RDS calls in my application pods. Next I want to add a destination rule to make the final hop from my egress gateway to RDS secured with the tested CA bundle in SIMPLE mode.
I create the secret with the correct name, -cacert, in istio-system:
kubectl create secret generic postgress-credential-cacert --from-file=ca.crt=postgress.crt -n istio-system
Apply the destination rule:
– destination rule –
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-postgres
spec:
  host: RDS-HOSTNAME
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: <RDS-PORT>
      tls:
        mode: SIMPLE
        credentialName: postgress-credential
        sni: RDS-HOSTNAME
However, once I add this destination rule it breaks my connection. I know that the certificate is the right CA bundle. The Istio egress gateway logs look good in that it is picking up the secret credentials; however, I see no logs in the Istio egress gateway indicating any issue. I just get the application pod logs complaining about the Sequelize connect error.
I have tried a million different combinations of TLS/TCP and changes to all these 5 files applied - nothing works.
I am wondering if I am passing the wrong SNI in the final destination rule, or if it's simply not supported to do this. I can't see any examples of it.
Has anyone actually done this before? I see nothing online about it. I see something similar here but this doesn't help: Egress Gateways with TLS Origination AND TLS passthrough for egress chokepoint
Any help from the community would be much appreciated.
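A note on what the psql test above actually exercises, as an added example that is not part of the original post: PostgreSQL clients such as psql negotiate TLS in-band, sending the clear-text 8-byte SSLRequest message on the TCP connection and only starting the TLS handshake after the server answers `S`, whereas a SIMPLE-mode TLS origination wraps the stream in TLS from the first byte. The script below performs the same in-band negotiation that libpq does, then validates the server certificate against a CA bundle with the given SNI, so the bundle, hostname and SNI can be checked against RDS independently of the mesh configuration. The host, port and bundle path are command-line arguments; nothing in it is Istio's or Sequelize's own code.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest: Int32 length (8) followed by the code 80877103
# (1234 << 16 | 5679), sent in clear text before any TLS handshake begins.
SSLREQUEST_CODE = 80877103


def build_sslrequest() -> bytes:
    """Return the 8-byte SSLRequest startup packet."""
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def parse_ssl_response(first_byte: bytes) -> bool:
    """Interpret the server's one-byte answer: b'S' = TLS accepted, b'N' = refused."""
    if first_byte == b"S":
        return True
    if first_byte == b"N":
        return False
    # Anything else (e.g. a TLS record, or an error message) means the peer did
    # not take part in the SSLRequest negotiation at all.
    raise ValueError(f"unexpected SSLRequest reply: {first_byte!r}")


def make_context(ca_bundle_path: str) -> ssl.SSLContext:
    """TLS client context that trusts only the given CA bundle and checks the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_postgres_tls(host: str, port: int, ca_bundle_path: str, sni: str, timeout: float = 5.0) -> dict:
    """Negotiate TLS the way libpq does and report the validated certificate subject."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_sslrequest())
        if not parse_ssl_response(raw.recv(1)):
            return {"tls": False, "subject": None}
        # Only now does the TLS handshake start; server_hostname sets the SNI and
        # is the name the certificate must match (a mismatch raises SSLError).
        with make_context(ca_bundle_path).wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            return {"tls": True, "subject": dict(x[0] for x in cert["subject"]), "version": tls.version()}


if __name__ == "__main__":
    import sys
    # Usage: python pg_tls_check.py RDS-HOSTNAME RDS-PORT rds-ca-bundle.pem
    host, port, bundle = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(check_postgres_tls(host, port, bundle, sni=host))
```

A `ValueError` from the negotiation step, rather than a certificate error, indicates that the bytes reaching the server were not a PostgreSQL startup message.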