For anyone who might be struggling with this, I was able to deploy CockroachDB in secure mode with Istio injection. I have elected to use CRDB's own internal TLS workflow, and have not enabled Istio mTLS for the CRDB service, as this seems redundant.
I used a GKE-hosted cluster and installed Istio 1.2.2 from Helm templates. I created the namespace crdb and labeled it for Istio injection.
Since CockroachDB is a StatefulSet, it is required to create a ServiceEntry resource for the MESH_INTERNAL hosts associated with its headless service. Mine looks like this:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: crdb-stateful-service-entry
  namespace: crdb
spec:
  hosts:
  - "*.cockroachdb.crdb.svc.cluster.local"
  - "*.cockroachdb"
  location: MESH_INTERNAL
  ports:
  - number: 26257
    name: crdbheadless1
    protocol: TCP
  - number: 8080
    name: crdbheadless2
    protocol: HTTP
  resolution: NONE
You can now follow the "orchestrated installation" instructions provided by the CockroachDB documentation; however, the deployment manifests require alteration in port naming, and they should also be labeled for creation inside the "crdb" namespace. Here are my altered versions of their provided deployment manifests:
Hope this is helpful for anyone looking into deploying this DB cluster with istio injection. Enjoy!
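As an added check that is not part of the original post or of any CockroachDB or Istio manifest: the two things the post says must line up are (a) the port names in the Kubernetes Service, which Istio 1.x reads as `<protocol>` or `<protocol>-<suffix>` and otherwise treats as opaque TCP, and (b) the protocols declared explicitly in the ServiceEntry. The small linter below compares the protocol Istio would infer from each Service port name against the protocol the ServiceEntry declares for the same port number, and verifies the ServiceEntry carries the two wildcard hosts, `MESH_INTERNAL` and `resolution: NONE` that a headless StatefulSet needs. The manifests are embedded as Python dicts (constructed here, mirroring the ServiceEntry above) so it runs offline without a YAML library; the Service port names `tcp-grpc` and `http-ui` are illustrative assumptions, not the names from the CockroachDB manifests.

```python
from typing import Dict, List

# Istio infers the protocol of a Kubernetes Service port from the port name,
# which must be "<protocol>" or "<protocol>-<suffix>" (e.g. "http", "tcp-grpc").
# Any other name, or no name, is treated as opaque TCP.
ISTIO_PROTOCOLS = ("http", "http2", "https", "grpc", "grpc-web", "mongo",
                   "mysql", "redis", "tcp", "tls", "udp")


def istio_protocol_from_name(port_name: str) -> str:
    """Return the protocol Istio infers from a Service port name ('tcp' when it infers nothing)."""
    # Longest prefix first so "grpc-web" is not mistaken for "grpc" with a "web" suffix.
    for proto in sorted(ISTIO_PROTOCOLS, key=len, reverse=True):
        if port_name == proto or port_name.startswith(proto + "-"):
            return proto
    return "tcp"


def declared_protocols(service_entry: Dict) -> Dict[int, str]:
    """Map port number -> protocol as declared explicitly in a ServiceEntry."""
    return {p["number"]: p["protocol"].lower() for p in service_entry["spec"].get("ports", [])}


def lint_service_ports(service: Dict, service_entry: Dict) -> List[str]:
    """Flag Service ports whose name-derived protocol disagrees with the ServiceEntry."""
    expected = declared_protocols(service_entry)
    findings = []
    for port in service["spec"].get("ports", []):
        name = port.get("name", "")
        inferred = istio_protocol_from_name(name)
        want = expected.get(port["port"])
        if want is None:
            findings.append(f"port {port['port']} is not listed in the ServiceEntry")
        elif inferred != want:
            findings.append(f"port {port['port']} is named {name!r}, which Istio reads as "
                            f"{inferred}, but the ServiceEntry declares {want}")
    return findings


def lint_headless_hosts(service_entry: Dict, service_name: str, namespace: str) -> List[str]:
    """Check the ServiceEntry covers the per-pod DNS names of a headless Service."""
    spec = service_entry["spec"]
    hosts = set(spec.get("hosts", []))
    needed = (f"*.{service_name}.{namespace}.svc.cluster.local", f"*.{service_name}")
    findings = [f"missing host {h}" for h in needed if h not in hosts]
    if spec.get("location") != "MESH_INTERNAL":
        findings.append("location must be MESH_INTERNAL for pods inside the mesh")
    if spec.get("resolution") != "NONE":
        findings.append("resolution must be NONE so the sidecar keeps the pod IP the client resolved")
    return findings


# Constructed sample input mirroring the ServiceEntry from the post.
SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1alpha3", "kind": "ServiceEntry",
    "metadata": {"name": "crdb-stateful-service-entry", "namespace": "crdb"},
    "spec": {
        "hosts": ["*.cockroachdb.crdb.svc.cluster.local", "*.cockroachdb"],
        "location": "MESH_INTERNAL",
        "ports": [{"number": 26257, "name": "crdbheadless1", "protocol": "TCP"},
                  {"number": 8080, "name": "crdbheadless2", "protocol": "HTTP"}],
        "resolution": "NONE",
    },
}

# Constructed headless Services: one whose port names disagree with the ServiceEntry,
# one renamed to agree with it (names are hypothetical, not from any project manifest).
BAD_SERVICE = {"kind": "Service", "metadata": {"name": "cockroachdb", "namespace": "crdb"},
               "spec": {"clusterIP": "None",
                        "ports": [{"port": 26257, "name": "grpc"}, {"port": 8080, "name": "ui"}]}}
GOOD_SERVICE = {"kind": "Service", "metadata": {"name": "cockroachdb", "namespace": "crdb"},
                "spec": {"clusterIP": "None",
                         "ports": [{"port": 26257, "name": "tcp-grpc"}, {"port": 8080, "name": "http-ui"}]}}

if __name__ == "__main__":
    for label, svc in (("bad", BAD_SERVICE), ("good", GOOD_SERVICE)):
        print(label, lint_service_ports(svc, SERVICE_ENTRY) or ["ok"])
    print("hosts", lint_headless_hosts(SERVICE_ENTRY, "cockroachdb", "crdb") or ["ok"])
```

Because the post keeps CockroachDB's own TLS on 26257, the sidecar only ever sees encrypted bytes on that port, which is why the ServiceEntry declares it as plain TCP; a Service port name that makes Istio expect parseable gRPC or HTTP there is exactly the mismatch the linter reports.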