Postgres AWS RDS connection using a certificate and egress gateway Istio 1.7

Hi there

I am having real trouble setting up a Sequelize Node application to use the Istio egress gateway for a TLS & certificate connection to RDS Postgres in AWS.

notes
Istio 1.7
SSL is set to true in the application Sequelize connection (not sure it should be).
I have used the standard RDS AWS certificate bundle and tested that the certificate bundle works with a psql connection. It does.

I use the following yaml resources to get the traffic out through the egress gateway and I do see the traffic traversing out the egress gateway.

– service entry –

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: postgress
spec:
  addresses:
  - RDS-IP-ADDRESS/32
  endpoints:
  - address: RDS-IP-ADDRESS
  hosts:
  - RDS-HOSTNAME
  ports:
  - number: RDS-PORT
    name: tcp
    protocol: TCP
  resolution: STATIC

– gateway –

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: postgress-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 15443
      name: tls
      protocol: TLS
    hosts:
    - RDS-HOSTNAME
    tls:
      mode: ISTIO_MUTUAL

– destination rule –

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-postgress
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: postgress
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 15443
        tls:
          mode: ISTIO_MUTUAL
          sni: RDS-HOSTNAME

– virtual service –

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-postgress-through-postgressegress-gateway
spec:
  hosts:
  - RDS-HOSTNAME
  gateways:
  - mesh
  - postgress-egressgateway
  tcp:
  - match:
    - gateways:
      - mesh
      port: RDS-PORT
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: postgress
        port:
          number: 15443
  - match:
    - gateways:
      - postgress-egressgateway
      port: 15443
    route:
    - destination:
        host: RDS-HOSTNAME
        port:
          number: RDS-PORT
      weight: 100

Once deployed everything looks great: I see traffic going out the egress gateway and see successful RDS calls in my application pods. Next I want to add a destination rule to make the final hop from my egress gateway to RDS secured with the tested CA bundle in SIMPLE mode.

I create the secret with the correct name (the -cacert suffix) in istio-system:

kubectl create secret generic postgress-credential-cacert --from-file=ca.crt=postgress.crt -n istio-system

Then I apply the destination rule:

– destination rule –

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-postgres
spec:
  host: RDS-HOSTNAME
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: RDS-PORT
      tls:
        mode: SIMPLE
        credentialName: postgress-credential
        sni: RDS-HOSTNAME

However, once I add this destination rule it breaks my connection. I know that the certificate is the right CA bundle. The Istio egress gateway logs look good in that it is picking up the secret credentials. However, I see no logs in the Istio egress gateway indicating any issue; I just get the application pod logs complaining about the Sequelize connect error.

I have tried a million different combinations of TLS/TCP and changes to all 5 of these files applied - nothing works.

I am wondering if I am passing the wrong SNI in the final destination rule - or if it's simply not supported to do this - I can't see any examples of it.

Has anyone actually done this before? I see nothing online about it - I see something similar here but this doesn't help - Egress Gateways with TLS Origination AND TLS passthrough for egress chokepoint

Any help from the community would be much appreciated.