Is it possible to replace Cloud SQL proxy with Istio proxy? - McMap

About

Is it possible to replace Cloud SQL proxy with Istio proxy?

Asked 24/11, 2020 at 10:49 Answered 24/11, 2020 at 18:53

postgresql kubernetes google-cloud-sql istio cloud-sql-proxy

R

1

1

Currently I am using Cloud proxy to connect to a Postgres Cloud SQL database as a sidecar. When using Istio, however it introduces its own sidecar, which lead to the result that there are two proxies in the pod. So I thougth, can the encrypted connection not also established using Istio?

Basically, it is possible to connect to an external IP using Istio.

It should also be possible to configure a DestinationRule which configures TLS.

And it also be possible to create Client certificates for Cloud SQL.

EDIT: might be the same problem: NGINX TLS termination for PostgreSQL

So I ended up with something like

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-db
spec:
  hosts:
    - external-db
  ports:
    - number: 5432
      name: postgres
      protocol: TLS
  location: MESH_EXTERNAL
  resolution: STATIC
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-db
spec:
  host: external-db
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/client-cert.pem
      privateKey: /etc/certs/client-key.pem
      caCertificates: /etc/certs/server-ca.pem

---
apiVersion: v1
kind: Service
metadata:
  name: external-db
spec:
  clusterIP: None
  ports:
    - protocol: TCP
      port: 5432
---
apiVersion: v1
kind: Endpoints
metadata:
  name: external-db
subsets:
  - addresses:
      - ip: 10.171.48.3
    ports:
      - port: 5432

and in the pod with

sidecar.istio.io/userVolumeMount: '[{"name":"cert", "mountPath":"/etc/certs", "readonly":true}]'
sidecar.istio.io/userVolume: '[{"name":"cert", "secret":{"secretName":"cert"}}]'

However, the server rejects the connection. So the question is, can this setup possibly work? And does it even make any sense?

Raspings answered 24/11, 2020 at 10:49 Comment(2)

Hi @Raspings this seems to be a very specific configuration issue, as everything in theory, should work. For this reason, I would recommend you to reach out to Google's Support, so they can investigate deeper what might be affecting your instance. – Cheongsam 24/11, 2020 at 13:59

@Cheongsam in the meantime, I found this post: postgresql.org/message-id/… So maybe it is not possible to simply proxy this without taking in account the application-level protocol, although that is about replication. – Raspings 24/11, 2020 at 14:27

R

1

It seems that Postgres uses application-level protocol negotation, so Istio/Envoy cannot be used in that case:

https://github.com/envoyproxy/envoy/issues/10942 https://github.com/envoyproxy/envoy/issues/9577#issuecomment-606943362

Raspings answered 24/11, 2020 at 18:53 Comment(2)

Did you find any solution? I really prefer having nginx take care of the SSL business. So that I don't have to fiddle with server specific SSL config. Also, if I have to rotate the certs those servers need not be restarted. I don't know why Postgresql does not allow this usage pattern. – Calderon 10/12, 2020 at 14:35

@Calderon unfortunately I didnt. actually for GCP and Cloud SQL there is a Cloud SQL Proxy, which handles key management and rotation, so for me the issue was not that urgent. It would just be nice if I didn't need two sidecar proxies. – Raspings 10/12, 2020 at 15:24

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.