Successful deployment of CockroachDB in istio-injected namespace

For anyone who might be struggling with this, I was able to deploy CockroachDB in secure mode with istio injection. I have elected to use CRDB's own internal TLS workflow, and have not enabled istio mTLS for the CRDB service, as this seems redundant.

I used a GKE-hosted cluster and installed istio 1.2.2 from helm templates. I created the namespace crdb and labeled it for istio injection.

Since cockroachDB runs as a StatefulSet, a ServiceEntry resource is required for the MESH_INTERNAL hosts associated with its headless service. Mine looks like this:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: crdb-stateful-service-entry
  namespace: crdb
spec:
  # Wildcard hosts cover every pod DNS name behind the headless service
  hosts:
  - "*.cockroachdb.crdb.svc.cluster.local"
  - "*.cockroachdb"
  location: MESH_INTERNAL
  ports:
  # 26257 carries CockroachDB's own TLS, so the sidecar must treat it as opaque TCP
  - number: 26257
    name: crdbheadless1
    protocol: TCP
  # 8080 is the plaintext admin UI
  - number: 8080
    name: crdbheadless2
    protocol: HTTP
  resolution: NONE
```

You can now follow the “orchestrated installation” instructions provided by the cockroachDB documentation. However, the deployment manifests require alteration in port naming, and should also be labeled for creation inside the “crdb” namespace. Here are my altered versions of their provided deployment manifests:

Hope this is helpful for anyone looking into deploying this DB cluster with istio injection. Enjoy!


The protocol and port name must be changed to “TCP” both on this service entry and in the port names of the headless service and StatefulSet manifests.

For whatever reason, when it’s labeled GRPC it cannot make the TLS handshake, but does work when labeled TCP. The other port (8080) works fine as HTTP.
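As an added illustration (not the poster's attached manifests, which are not reproduced in this thread), this is what the port renaming described above looks like on the headless Service from the CockroachDB orchestrated manifests. Istio 1.2 picks the protocol from the prefix of the Service port name, so a port named `grpc` gets HTTP/2 inspection while a port named `tcp-...` is passed through untouched; the `tcp-grpc` name and the `crdb` namespace are assumptions chosen for this example.

```yaml
# Added example, not the original post's manifest.
# Headless Service for the CockroachDB StatefulSet, with the 26257 port
# renamed so the Istio 1.2 sidecar treats it as opaque TCP.
apiVersion: v1
kind: Service
metadata:
  name: cockroachdb
  namespace: crdb           # assumed: the istio-injected namespace from the post
  labels:
    app: cockroachdb
spec:
  clusterIP: None           # headless: one DNS name per pod
  publishNotReadyAddresses: true
  selector:
    app: cockroachdb
  ports:
  # Before: "name: grpc". The sidecar then applies HTTP/2 parsing to a
  # connection that CockroachDB has already wrapped in its own TLS, and the
  # node-to-node handshake fails.
  # After: a "tcp-" prefix tells Istio to pass the bytes through unparsed.
  - port: 26257
    targetPort: 26257
    name: tcp-grpc          # assumed name; only the "tcp" prefix matters
  # 8080 is the plaintext admin UI, so HTTP inspection is fine here.
  - port: 8080
    targetPort: 8080
    name: http
```

The same rename applies to the matching `containerPort` names in the StatefulSet pod template and to the `protocol: TCP` entry in the ServiceEntry shown earlier, so that all three agree on port 26257.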
