Currently I am using Cloud proxy to connect to a Postgres Cloud SQL database as a sidecar. When using Istio, however it introduces its own sidecar, which lead to the result that there are two proxies in the pod. So I thougth, can the encrypted connection not also established using Istio?
Basically, it is possible to connect to an external IP using Istio.
It should also be possible to configure a DestinationRule which configures TLS.
And it also be possible to create Client certificates for Cloud SQL.
EDIT: might be the same problem: NGINX TLS termination for PostgreSQL
So I ended up with something like
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-db
spec:
hosts:
- external-db
ports:
- number: 5432
name: postgres
protocol: TLS
location: MESH_EXTERNAL
resolution: STATIC
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: external-db
spec:
host: external-db
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/client-cert.pem
privateKey: /etc/certs/client-key.pem
caCertificates: /etc/certs/server-ca.pem
---
apiVersion: v1
kind: Service
metadata:
name: external-db
spec:
clusterIP: None
ports:
- protocol: TCP
port: 5432
---
apiVersion: v1
kind: Endpoints
metadata:
name: external-db
subsets:
- addresses:
- ip: 10.171.48.3
ports:
- port: 5432
and in the pod with
sidecar.istio.io/userVolumeMount: '[{"name":"cert", "mountPath":"/etc/certs", "readonly":true}]'
sidecar.istio.io/userVolume: '[{"name":"cert", "secret":{"secretName":"cert"}}]'
However, the server rejects the connection. So the question is, can this setup possibly work? And does it even make any sense?
It seems that Postgres uses application-level protocol negotation, so Istio/Envoy cannot be used in that case:
https://github.com/envoyproxy/envoy/issues/10942 https://github.com/envoyproxy/envoy/issues/9577#issuecomment-606943362