we want to allow a public, but secured access to crdb. The problem is, tools like Power BI needs a supported certificate like from letsencrypt instead of kubernetes ca. We use TLS only for encryption and clients authenticates with username/password.
The idea is:
/--------\ /-------\ /------\ | client | <----> | Proxy | <----> | crdb | \--------/ \-------/ \------/
Client: trust LE CA, use username/password for authentication.
Proxy: offers LE Cert for client, trust kube CA.
CRDB: isn’t aware of the setup and use kube signed certs.
I read that such setup shouldn’t be possible, because of handshake on application level:
To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message rather than a StartupMessage. The server then responds with a single byte containing S or N, indicating that it is willing or unwilling to perform SSL, respectively. The frontend might close the connection at this point if it is dissatisfied with the response. To continue after S, perform an SSL startup handshake (not described here, part of the SSL specification) with the server. If this is successful, continue with sending the usual StartupMessage. In this case the StartupMessage and all subsequent data will be SSL-encrypted.
While the protocol itself does not provide a way for the server to force SSL encryption […]
On the other hand I can ask crdb for certificate with:
openssl s_client -showcerts -connect domain:port
and it seems to me that I can skip handshake and terminate TLS on proxy. But ATM no success with stunnel or nginx.
Is such setup possible? Is there any way to solve it or any hint?