I currently have a CockroachDB cluster running in an Istio-enabled Kubernetes cluster, mostly with success.
I am trying to use SNI for routing from my ingress gateway, however it appears this doesn't work. My guess is that it's something to do with the Postgres protocol (it's a bit old, but see this post: PostgreSQL: Re: Introducing SNI in TLS handshake for SSL connections), however I thought I'd check with the CockroachDB community to see if I'm right.
If I use the wildcard `*` in my hosts for the Gateway and VirtualService, this disables SNI-based routing and configures a direct TCP proxy from my gateway to the cockroach pods. With this setup I can successfully connect to the cockroach cluster, however this means I can only run a single cluster per port.

With SNI-based routing configured in my cluster, I can run `openssl s_client -connect` and I am served with the expected certificates, which confirms my Istio/Envoy configuration is correct. However, when I use `cockroach sql ...` (using combinations of explicit URL or CLI params), the connection fails and my gateway reports the connection as not TLS (confirmed by the Envoy stat `tls_inspector.tls_not_found`). There's nothing wrong with my CLI parameters because this works when not using SNI-based routing.
Does anyone have any knowledge of this kind of issue? Am I just doing something wrong or are my suspicions around it not being possible due to the postgres protocol correct?
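The following is an added illustration of the wire-level difference the question is about; it is not code from the post above or from CockroachDB or Istio. The PostgreSQL wire protocol (which CockroachDB speaks) starts a TLS connection with a cleartext 8-byte SSLRequest message (length 8, code 80877103) and only begins the TLS handshake after the server answers `S`, whereas `openssl s_client` sends a TLS ClientHello as the very first bytes. A proxy that sniffs the first bytes of a connection for a ClientHello therefore sees a TLS record header in one case and a Postgres message in the other. The script builds both prefixes offline (the ClientHello via Python's in-memory TLS BIO, with no network) and classifies them the way a first-bytes sniffer would. The hostname `cockroach.example.com` is a made-up example value.

```python
import ssl
import struct

# PostgreSQL protocol SSLRequest: Int32 length (8) followed by the
# request code 80877103 (0x04D2162F). Sent in cleartext before any TLS.
PG_SSLREQUEST_CODE = 80877103


def pg_sslrequest() -> bytes:
    """First bytes a libpq-style client (psql, cockroach sql) puts on the wire."""
    return struct.pack("!II", 8, PG_SSLREQUEST_CODE)


def tls_client_hello_bytes(server_name: str) -> bytes:
    """First bytes a direct-TLS client (openssl s_client) puts on the wire.

    Uses an in-memory BIO so no socket is opened; the handshake stops as
    soon as the client needs the server's reply, leaving the ClientHello
    record (with the SNI extension for server_name) in the outgoing BIO.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: client has written ClientHello, now waits for server
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection's leading bytes the way a first-bytes
    TLS sniffer does: a TLS handshake record header (0x16, version 0x03xx)
    means a ClientHello is available for SNI routing; the SSLRequest
    prefix means the client intends TLS but has not started it yet."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data[:8] == pg_sslrequest():
        return "pg-sslrequest"
    return "other"


def pg_client_prelude(server_name: str):
    """Message order a Postgres client follows before TLS can be inspected.
    The 'S' server reply is constructed here to show the sequence."""
    return [
        ("client", pg_sslrequest()),
        ("server", b"S"),
        ("client", tls_client_hello_bytes(server_name)),
    ]


if __name__ == "__main__":
    host = "cockroach.example.com"  # made-up hostname for illustration
    print("openssl s_client first bytes ->",
          classify_first_bytes(tls_client_hello_bytes(host)))
    for side, payload in pg_client_prelude(host):
        print(f"{side}: {payload[:16].hex()} ... -> {classify_first_bytes(payload)}")
```

Only the third message of the Postgres prelude carries the SNI hostname, and by then a sniffer that decides on the first bytes has already classified the connection as not-TLS; a wildcard `*` host match works because it never needs the SNI value.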