For anyone who might be struggling with this, I was able to deploy CockroachDB in secure mode with istio injection. I have elected to use CRDB's own internal TLS workflow, and have not enabled istio mTLS for the CRDB service, as this seems redundant.
I used a GKE hosted cluster, installed istio 1.2.2 from helm templates. Created the namespace: crdb and labeled it for istio injection.
Since CockroachDB is a StatefulSet, it is required to create a ServiceEntry resource for the MESH_INTERNAL hosts associated with its headless service. Mine looks like this:
You can now follow the "orchestrated installation" instructions provided by the CockroachDB documentation; however, the deployment manifests require alteration in port naming, and should also be labeled for creation inside the "crdb" namespace. Here are my altered versions of their provided deployment manifests:
Hope this is helpful for anyone looking into deploying this DB cluster with istio injection. Enjoy!
The protocol and port name must be changed to "TCP" both on this ServiceEntry and in the port name of the headless service and StatefulSet manifests.
For whatever reason, when it's labeled GRPC it cannot complete the TLS handshake, but it does work when labeled TCP. The other port (8080) works fine as HTTP.
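As an added illustration of the port-naming point above (my own example, not the poster's manifests, which are not reproduced here): an Istio 1.2-style ServiceEntry for the MESH_INTERNAL pod hosts of the headless service, beside the matching port block of that headless Service. The service name `cockroachdb`, a three-node cluster and the CockroachDB default SQL/gRPC port 26257 are assumptions; the namespace `crdb` and port 8080 come from the post. Naming the port `tcp` makes the sidecar forward the stream opaquely, so CockroachDB's own certificate-based TLS between nodes is carried through untouched instead of being parsed as plaintext HTTP/2.

```yaml
# Added example; names and the 26257 port are assumptions, not taken from the post.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cockroachdb-internal
  namespace: crdb
spec:
  hosts:
  - cockroachdb-0.cockroachdb.crdb.svc.cluster.local
  - cockroachdb-1.cockroachdb.crdb.svc.cluster.local
  - cockroachdb-2.cockroachdb.crdb.svc.cluster.local
  location: MESH_INTERNAL
  resolution: NONE
  ports:
  - number: 26257
    name: tcp        # not "grpc": Envoy must pass CRDB's TLS bytes through as opaque TCP
    protocol: TCP
  - number: 8080
    name: http       # the admin UI port works fine sniffed as plain HTTP
    protocol: HTTP
---
apiVersion: v1
kind: Service
metadata:
  name: cockroachdb
  namespace: crdb
spec:
  clusterIP: None    # headless service backing the StatefulSet
  selector:
    app: cockroachdb
  ports:
  - port: 26257
    targetPort: 26257
    name: tcp        # rename from "grpc" here and in the StatefulSet container ports
  - port: 8080
    targetPort: 8080
    name: http
```

After applying, `kubectl -n crdb exec cockroachdb-0 -- ./cockroach node status --certs-dir=/cockroach/cockroach-certs` (path assumed from the secure orchestrated install) should list all nodes as live if the node-to-node TLS handshake now succeeds through the sidecars.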
I'm new to istio and trying to expose CockroachDB deployed in an rke2 cluster and can't get it to work. I'm unable to connect to the database from outside. The loadbalancer part and control plane ports are fine.
The operator is configured as a DaemonSet and uses host ports. This works for many things, but not CockroachDB.
Does anyone see any misconfiguration in the following manifests? Any help would be appreciated.
Edit: The namespace with the database has no sidecar injection activated.