Unable to configure TLS origination with postgres #29761

Closed
samos123 opened this issue Dec 23, 2020 · 19 comments
Labels
area/networking, kind/enhancement, lifecycle/automatically-closed, lifecycle/stale

Comments

@samos123

samos123 commented Dec 23, 2020

Bug description
I'm trying to use Aiven Postgres, which provides managed postgres that uses TLS only. I want Istio to do the TLS origination using the sidecar proxy instead of using an egress gateway. Note that Aiven is outside of the mesh.

[X] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure
[ ] Upgrade

Expected behavior
Ability to connect to postgres using plain TCP from the application pod and have the sidecar do the TLS to postgres itself.

Steps to reproduce the bug
DestinationRule:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-aiven-postgres
spec:
  host: x.aivencloud.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/certs/aiven-ca.crt

ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-aiven-postgres
spec:
  hosts:
  - x.aivencloud.com
  addresses:
  - x.x.x.x/32
  location: MESH_EXTERNAL
  resolution: NONE
  ports:
  - number: 16221
    name: tcp-postgres
    protocol: TCP

Pgadmin deployment for testing:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgadmin4-deployment
  namespace: postgres
  labels:
    app: pgadmin4
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pgadmin4
  template:
    metadata:
      labels:
        app: pgadmin4
      annotations:
        sidecar.istio.io/userVolume: '[{"name": "aiven-ca", "configMap": {"name": "aiven-ca"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name": "aiven-ca", "mountPath": "/etc/certs/aiven-ca.crt", "subPath": "aiven-ca.crt", "readonly":true}]'
        sidecar.istio.io/logLevel: debug
    spec:
      containers:
          # This is the official pgAdmin 4 container
        - image: dpage/pgadmin4
          name: pgadmin4
          ports:
            - containerPort: 80
              name: pgadmin4
          env:
          - name: PGADMIN_DEFAULT_PASSWORD
            value: bladieblabla
          - name: PGADMIN_DEFAULT_EMAIL
            value: a@a.com

Version (include the output of istioctl version --remote and kubectl version --short and helm version --short if you used Helm)

istioctl version --remote
client version: 1.6.7
control plane version: 1.7.3-asm.6
data plane version: 1.7.3-asm.6 (17 proxies)

kubectl version --short
Client Version: v1.18.3
Server Version: v1.17.13-gke.2001

Logs on istio-proxy:

2020-12-23T17:25:36.986952Z     debug   envoy filter    original_dst: New connection accepted
2020-12-23T17:25:36.987208Z     debug   envoy filter    [C22070] new tcp proxy session
2020-12-23T17:25:36.987263Z     debug   envoy filter    [C22070] Creating connection to cluster outbound|16221||x.aivencloud.com
2020-12-23T17:25:36.987304Z     debug   envoy upstream  transport socket match, socket default selected for host with address x.x.x.x:16221
2020-12-23T17:25:36.987316Z     debug   envoy upstream  Created host x.x.x.x:16221.
2020-12-23T17:25:36.987355Z     debug   envoy pool      creating a new connection
2020-12-23T17:25:36.987401Z     debug   envoy upstream  addHost() adding x.x.x.x:16221
2020-12-23T17:25:36.987413Z     debug   envoy pool      [C22071] connecting
2020-12-23T17:25:36.987496Z     debug   envoy connection        [C22071] connecting to x.x.x.x:16221
2020-12-23T17:25:36.987514Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||x.aivencloud.com added 1 removed 0
2020-12-23T17:25:36.987525Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||x.aivencloud.com
2020-12-23T17:25:36.987550Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||x.aivencloud.com added 1 removed 0
2020-12-23T17:25:36.987568Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||x.aivencloud.com
2020-12-23T17:25:36.987633Z     debug   envoy connection        [C22071] connection in progress
2020-12-23T17:25:36.987666Z     debug   envoy pool      queueing request due to no available connections
2020-12-23T17:25:36.987673Z     debug   envoy conn_handler      [C22070] new connection
2020-12-23T17:25:36.987702Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||x.aivencloud.com added 1 removed 0
2020-12-23T17:25:36.987849Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||x.aivencloud.com
2020-12-23T17:25:36.989903Z     debug   envoy connection        [C22071] connected
2020-12-23T17:25:36.990095Z     debug   envoy connection        [C22071] handshake expecting read
2020-12-23T17:25:36.993936Z     debug   envoy connection        [C22071] handshake error: 5
2020-12-23T17:25:36.993977Z     debug   envoy connection        [C22071]
2020-12-23T17:25:36.993983Z     debug   envoy connection        [C22071] closing socket: 0
2020-12-23T17:25:36.994055Z     debug   envoy pool      [C22071] client disconnected
2020-12-23T17:25:36.994083Z     debug   envoy filter    [C22070] Creating connection to cluster outbound|16221||x.aivencloud.com
2020-12-23T17:25:36.994095Z     debug   envoy connection        [C22070] closing data_to_write=0 type=1
2020-12-23T17:25:36.994104Z     debug   envoy connection        [C22070] closing socket: 1

How was Istio installed?
ASM install using install_asm script

Environment where the bug was observed (cloud vendor, OS, etc)
GKE on GCP

Additionally, please consider running istioctl bug-report and attach the generated cluster-state tarball to this issue.
Refer cluster state archive for more details.

@hzxuzhonghu
Member

@samos123 Can you dump the cluster config? And make sure the certificate is valid

@samos123
Author

I did double-check by getting a shell to the istio-proxy and doing cat /etc/certs/aiven-ca.crt. The cert is valid and I can use it to connect over TLS using pgadmin when istio isn't configured to do TLS origination.

I did find some more interesting logs while trying with postgresql cli client instead of pgadmin:

2020-12-24T06:52:55.751064Z     debug   envoy connection        [C44] connecting to 35.224.33.199:16221
2020-12-24T06:52:55.751220Z     debug   envoy connection        [C44] connection in progress
2020-12-24T06:52:55.751238Z     debug   envoy pool      queueing request due to no available connections
2020-12-24T06:52:55.751243Z     debug   envoy upstream  addHost() adding 35.224.33.199:16221
2020-12-24T06:52:55.751244Z     debug   envoy conn_handler      [C43] new connection
2020-12-24T06:52:55.751495Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 1 removed 0
2020-12-24T06:52:55.751505Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:52:55.751524Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 1 removed 0
2020-12-24T06:52:55.751533Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 1 removed 0
2020-12-24T06:52:55.751539Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:52:55.751561Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:52:55.753644Z     debug   envoy connection        [C44] connected
2020-12-24T06:52:55.753729Z     debug   envoy connection        [C44] handshake expecting read
2020-12-24T06:52:55.757881Z     debug   envoy connection        [C44] handshake error: 5
2020-12-24T06:52:55.757923Z     debug   envoy connection        [C44]
2020-12-24T06:52:55.757932Z     debug   envoy connection        [C44] closing socket: 0
2020-12-24T06:52:55.757986Z     debug   envoy pool      [C44] client disconnected
2020-12-24T06:52:55.758015Z     debug   envoy filter    [C43] Creating connection to cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:52:55.758026Z     debug   envoy connection        [C43] closing data_to_write=0 type=1
2020-12-24T06:52:55.758030Z     debug   envoy connection        [C43] closing socket: 1
2020-12-24T06:52:55.758323Z     debug   envoy conn_handler      [C43] adding to cleanup list
2020-12-24T06:52:55.758372Z     debug   envoy pool      [C44] connection destroyed
2020-12-24T06:52:57.127977Z     debug   envoy conn_handler      [C45] new connection
2020-12-24T06:52:57.128417Z     debug   envoy http      [C45] new stream
2020-12-24T06:52:57.128501Z     debug   envoy http      [C45][S6783634445402140886] request headers complete (end_stream=true):
... snip...
2020-12-24T06:53:00.404114Z     debug   envoy main      flushing stats
2020-12-24T06:53:00.545141Z     debug   envoy upstream  DNS refresh rate reset for zipkin.istio-system, (failure) refresh rate 5000 ms
2020-12-24T06:53:00.761185Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 0 removed 1
2020-12-24T06:53:00.761231Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:53:00.761245Z     debug   envoy upstream  removing hosts for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com removed 1
2020-12-24T06:53:00.761273Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 0 removed 1
2020-12-24T06:53:00.761280Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:53:00.761285Z     debug   envoy upstream  removing hosts for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com removed 1
2020-12-24T06:53:00.761306Z     debug   envoy upstream  membership update for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com added 0 removed 1
2020-12-24T06:53:00.761312Z     debug   envoy upstream  re-creating local LB for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T06:53:00.761318Z     debug   envoy upstream  removing hosts for TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com removed 1
2020-12-24T06:53:01.128075Z     debug   envoy conn_handler      [C47] new connection
2020-12-24T06:53:01.128225Z     debug   envoy http      [C47] new stream
2020-12-24T06:53:01.128298Z     debug   envoy http      [C47][S10985873069485205013] request headers complete (end_stream=true):

Here is the cluster config:

istioctl proxy-config clusters debug-pod-7845496cfd-t42vj
SERVICE FQDN                                                                          PORT      SUBSET     DIRECTION     TYPE             DESTINATION RULE
BlackHoleCluster                                                                      -         -          -             STATIC
InboundPassthroughClusterIpv4                                                         -         -          -             ORIGINAL_DST
PassthroughCluster                                                                    -         -          -             ORIGINAL_DST
adservice.hipster.svc.cluster.local                                                   9555      -          outbound      EDS
agent                                                                                 -         -          -             STATIC
calico-typha.kube-system.svc.cluster.local                                            5473      -          outbound      EDS
canonical-service-controller-manager-metrics-service.asm-system.svc.cluster.local     8443      -          outbound      EDS
cartservice.hipster.svc.cluster.local                                                 7070      -          outbound      EDS
checkoutservice.hipster.svc.cluster.local                                             5050      -          outbound      EDS
currencyservice.hipster.svc.cluster.local                                             7000      -          outbound      EDS
default-http-backend.kube-system.svc.cluster.local                                    80        -          outbound      EDS
emailservice.hipster.svc.cluster.local                                                5000      -          outbound      EDS
frontend-external.hipster.svc.cluster.local                                           80        -          outbound      EDS
frontend.hipster.svc.cluster.local                                                    80        -          outbound      EDS
git-importer.config-management-system.svc.cluster.local                               8675      -          outbound      EDS
gke-connect-monitoring.gke-connect.svc.cluster.local                                  8080      -          outbound      EDS
helloworld.sample.svc.cluster.local                                                   5000      -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local                                   80        -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local                                   443       -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local                                   15021     -          outbound      EDS
istio-ingressgateway.istio-system.svc.cluster.local                                   15443     -          outbound      EDS
istiod-asm-173-6.istio-system.svc.cluster.local                                       443       -          outbound      EDS
istiod-asm-173-6.istio-system.svc.cluster.local                                       853       -          outbound      EDS
istiod-asm-173-6.istio-system.svc.cluster.local                                       15010     -          outbound      EDS
istiod-asm-173-6.istio-system.svc.cluster.local                                       15012     -          outbound      EDS
istiod-asm-173-6.istio-system.svc.cluster.local                                       15014     -          outbound      EDS
istiod.istio-system.svc.cluster.local                                                 443       -          outbound      EDS
istiod.istio-system.svc.cluster.local                                                 15010     -          outbound      EDS
istiod.istio-system.svc.cluster.local                                                 15012     -          outbound      EDS
istiod.istio-system.svc.cluster.local                                                 15014     -          outbound      EDS
kube-dns.kube-system.svc.cluster.local                                                53        -          outbound      EDS
kubernetes.default.svc.cluster.local                                                  443       -          outbound      EDS
metrics-server.kube-system.svc.cluster.local                                          443       -          outbound      EDS
monitor.config-management-system.svc.cluster.local                                    8675      -          outbound      EDS
paymentservice.hipster.svc.cluster.local                                              50051     -          outbound      EDS
pg-2dbb5e59-google-bc39.aivencloud.com                                                16221     -          outbound      ORIGINAL_DST     external-aiven-postgres.postgres
pgadmin4.postgres.svc.cluster.local                                                   80        -          outbound      EDS
productcatalogservice.hipster.svc.cluster.local                                       3550      -          outbound      EDS
prometheus_stats                                                                      -         -          -             STATIC
recommendationservice.hipster.svc.cluster.local                                       8080      -          outbound      EDS
redis-1425a1d9-google-bc39.aivencloud.com                                             16222     -          outbound      ORIGINAL_DST     external-aiven-redis.redis
redis-cart.hipster.svc.cluster.local                                                  6379      -          outbound      EDS
sds-grpc                                                                              -         -          -             STATIC
shippingservice.hipster.svc.cluster.local                                             50051     -          outbound      EDS
sleep.sample.svc.cluster.local                                                        80        -          outbound      EDS
xds-grpc                                                                              -         -          -             STRICT_DNS
zipkin                                                                                -         -          -             STRICT_DNS

Does that help?

@samos123
Author

I also saw the following log which seems to indicate the cert was found and picked up after destinationrule was updated:

2020-12-24T07:05:43.675434Z     debug   envoy config    Received gRPC message for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret at version 2020-12-24 07:05:43.673602829 +0000 UTC m=+833.673056132
2020-12-24T07:05:43.675549Z     debug   envoy config    Secret is updated.
2020-12-24T07:05:43.675865Z     debug   envoy init      target SdsApi file-root:/etc/certs/aiven-ca.crt initialized, notifying init manager Cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T07:05:43.675903Z     debug   envoy init      init manager Cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com initialized, notifying ClusterImplBase
2020-12-24T07:05:43.675925Z     debug   envoy upstream  warming cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com complete
2020-12-24T07:05:43.675954Z     debug   envoy upstream  updating TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T07:05:43.676049Z     debug   envoy upstream  updating TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T07:05:43.676094Z     debug   envoy config    Resuming discovery requests for type.googleapis.com/envoy.config.cluster.v3.Cluster
2020-12-24T07:05:43.676140Z     debug   envoy upstream  updating TLS cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com
2020-12-24T07:05:43.676309Z     debug   envoy init      ClusterImplBase destroyed
2020-12-24T07:05:43.676318Z     debug   envoy init      init manager Cluster outbound|16221||pg-2dbb5e59-google-bc39.aivencloud.com destroyed
2020-12-24T07:05:43.676746Z     debug   envoy config    Resuming discovery requests for type.googleapis.com/envoy.api.v2.Cluster
2020-12-24T07:05:43.676776Z     debug   envoy config    gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret accepted with 1 resources with version 2020-12-24 07:05:43.673602829 +0000 UTC m=+833.673056132
2020-12-24T07:05:45.128013Z     debug   envoy conn_handler      [C438] new connection
2020-12-24T07:05:45.128090Z     debug   envoy http      [C438] new stream
2020-12-24T07:05:45.128211Z     debug   envoy http      [C438][S272226217196815686] request headers complete (end_stream=true):

@hzxuzhonghu
Member

I mean adding -o json to dump the cluster details

@samos123
Author

samos123 commented Dec 28, 2020

Did you mean this? istioctl proxy-config clusters debug-pod-7845496cfd-t42vj -o json

If so here is the output of that: https://pastebin.com/sf5wEcqL

@hzxuzhonghu
Member

it looks good

@samos123
Author

Any ideas on what to try next?

@samos123
Author

It seems others are having similar issues with postgres [1][2]. Note that I was able to get it working with Redis successfully, so something special is happening with postgres. Here is how I did Redis TLS origination successfully: https://samos-it.com/posts/securing-redis-istio-tls-origniation-termination.html

It's quite easy to reproduce for me. Let me know if you want access to the Postgres TLS database so you can reproduce it too.

[1] https://discuss.istio.io/t/egress-gateways-with-tls-origination-and-tls-passthrough-for-egress-chokepoint/6536/2
[2] https://discuss.istio.io/t/postgres-aws-rds-connection-using-a-certificate-and-egress-gateway-istio-1-7/8275

@mandarjog
Contributor

https://istio.io/v1.8/docs/ops/deployment/requirements/#server-first-protocols Just to make sure this is searchable.
mysql, postgres are server first protocols and need special treatment.

@samos123
Author

samos123 commented Jan 8, 2021

I already have the port defined as TCP in the service entry; see my final manifests below:

Final DestinationRule:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-aiven-postgres
  namespace: postgres
spec:
  host: pg-2dbb5e59-google-bc39.aivencloud.com
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/certs/aiven-ca.crt
      sni: pg-2dbb5e59-google-bc39.aivencloud.com

ServiceEntry:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-aiven-postgres
spec:
  hosts:
  - pg-2dbb5e59-google-bc39.aivencloud.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 16221
    name: tcp-postgres
    protocol: TCP

The pod that's trying to connect:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: debug-pod
  namespace: postgres
  labels:
    app: debug-pod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: debug-pod
  template:
    metadata:
      labels:
        app: debug-pod
      annotations:
        sidecar.istio.io/logLevel: debug
        sidecar.istio.io/userVolume: '[{"name": "aiven-ca", "configMap": {"name": "aiven-ca"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name": "aiven-ca", "mountPath": "/etc/certs/aiven-ca.crt", "subPath": "aiven-ca.crt", "readonly":true}]'
    spec:
      containers:
        - image: samos123/docker-toolbox
          name: debug-pod
          command: [ "/bin/bash", "-c", "--" ]
          args: [ "while true; do sleep 30; done;" ]

However it doesn't solve the issue. Any other recommendations?

@samos123
Author

This was discussed on chat with @howardjohn, @mandarjog and others. Summary of our discussion: postgres uses starttls and this is causing issues with TLS origination. Istio would need a postgres filter for TLS origination to work with postgres.

In addition, there are no known benefits of doing TLS origination for postgres today. There is no improved security or improved visibility. As a result, it's recommended to simply start TLS from the application container directly. This way Istio at least sees the SNI.

@samos123
Author

How to re-open? The wiki page doesn't have clear instructions.

@iprasla

iprasla commented Sep 17, 2021

Can this be re-opened?

@ramaraochavali removed the lifecycle/automatically-closed label Dec 21, 2021
@istio-policy-bot removed the lifecycle/stale label Dec 24, 2021
@hobbytp

hobbytp commented Jan 25, 2022

@samos123 Is it possible for postgres to disable starttls and only accept mTLS? Then the client would only launch plain text and the sidecar would help to do TLS origination?

@cpakulski

@hobbytp This is not possible. Before TLS negotiation takes place, there is a postgres-specific protocol message exchange which determines whether to continue in cleartext or start the TLS handshake. All this happens within one TCP session, so it is not vanilla TLS and requires starttls as the upstream transport socket and support from the Envoy postgres filter to drive that transport socket.
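
The exchange described in the comment above, as an added example that is not part of the original thread and is not Istio or Envoy code: a simplified model of a PostgreSQL-style listener that answers the 8-byte SSLRequest with a single byte but drops a connection whose first bytes are a TLS ClientHello, which is what plain TLS origination sends. The function names, the constructed 8-byte ClientHello prefix and the length bound are assumptions of the example.

```python
import socket
import struct
import threading

# PostgreSQL wire protocol: the SSLRequest code is (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103
# Simplified stand-in for the server's bound on its first packet (assumption).
MAX_STARTUP_PACKET_LENGTH = 10000
# Constructed sample: TLS record header (handshake, TLS 1.0, length 0x0200)
# followed by the first 3 bytes of a ClientHello handshake header.
CLIENT_HELLO_PREFIX = bytes.fromhex("1603010200010001")


def build_ssl_request() -> bytes:
    """SSLRequest: Int32 length (8, counts itself) + Int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_first_bytes(data: bytes) -> str:
    """How a PostgreSQL-style listener interprets the first 8 bytes it reads."""
    if len(data) < 8:
        return "incomplete"
    length, code = struct.unpack("!II", data[:8])
    if length < 8 or length - 4 > MAX_STARTUP_PACKET_LENGTH:
        # 0x16 0x03 ... read as a length is about 369 million: not a packet.
        if data[0] == 0x16 and data[1] == 0x03:
            return "tls-client-hello-rejected"
        return "invalid-length"
    if length == 8 and code == SSL_REQUEST_CODE:
        return "ssl-request"
    if code >> 16 == 3:
        return "startup-message"  # protocol 3.x cleartext start
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early only on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def run_exchange(first_bytes: bytes, tls_enabled: bool = True):
    """Send first_bytes to the model server; return (server_view, reply)."""
    client, server = socket.socketpair()
    seen = {}

    def serve():
        with server:
            seen["kind"] = classify_first_bytes(_recv_exact(server, 8))
            if seen["kind"] == "ssl-request":
                # 'S' = go ahead with the TLS handshake, 'N' = TLS refused.
                server.sendall(b"S" if tls_enabled else b"N")
            # The model answers nothing else: it closes without a reply.

    worker = threading.Thread(target=serve)
    worker.start()
    with client:
        client.sendall(first_bytes)
        # Half-close so a short first packet cannot stall the model server.
        client.shutdown(socket.SHUT_WR)
        try:
            reply = client.recv(1)
        except ConnectionResetError:
            reply = b""
    worker.join()
    return seen["kind"], reply


if __name__ == "__main__":
    # A postgres-aware client: SSLRequest first, TLS only after 'S'.
    print(run_exchange(build_ssl_request()))
    # Plain TLS origination: ClientHello first, no ServerHello ever arrives.
    print(run_exchange(CLIENT_HELLO_PREFIX))
```
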

@remansour

Any ETA on a fix?

@istio-policy-bot added the lifecycle/stale label Jun 22, 2022
@iprasla

iprasla commented Jun 22, 2022

The issue needs to be addressed as this issue is linked to #33345

@istio-policy-bot

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-12-24. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@madduci

madduci commented Aug 30, 2023

Is there any new activity or solution to this problem?
