I have the following code in my Istio ingress gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: staging
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "my.mongodb.com"
    port:
      number: 27018
      protocol: MONGO
      name: mongo

---      

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myname
  namespace: staging
spec:
  hosts:
    - "my.mongodb.com"
  gateways:
  - my-gateway
  tcp:
  - match:
    - port: 27018
    route:
    - destination:
        host: my-service
        port:
          number: 27018     

When I don't inject the sidecar, I can connect to this MongoDB using my.mongodb.com:27018 --ssl

However, when I have the sidecar, I get the following error:

$ mongo my.mongodb.com:27018 --ssl
MongoDB shell version v4.0.2
connecting to: mongodb://my.mongodb.com:27018/test
2019-02-13T23:30:44.201+1100 E QUERY    [js] Error: couldn't connect to server proxy.provendb.com:27018, connection attempt failed: SocketException: Secure.Transport: handshake failure :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed

What is the correct way to set up SSL-enabled MongoDB on Istio?

Edit

I tried this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: staging
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "my.mongodb.com"
    port:
      number: 443
      protocol: TLS
      name: tls-mongo
    tls:
      mode: PASSTHROUGH

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myvs
  namespace: staging
spec:
  hosts:
    - "my.mongodb.com"
  gateways:
  - my-gateway
  tcp:
  - match:
    - port: 443
    route:
    - destination:
        host: my-service
        port:
          number: 27018
          # name: proxy-port 

I get host unreachable:

2019-02-14T05:38:08.392+1100 E QUERY    [js] Error: couldn't connect to server my.mongodb.com:443, connection attempt failed: HostUnreachable: Connection was closed :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed
kosta

1 Answer

Use TLS as the protocol, see an example. Just replace HTTPS with TLS, and fix the ports and the hosts. Use port 443, and in the destination specify port 27018. Access it by mongo my.mongodb.com:443 --ssl.

Vadim Eisenberg
  • You have to change the Virtual Service as well, as in the example. – Vadim Eisenberg Feb 14 '19 at 14:09
  • I have a similar requirement, but I do not have SSL on Mongo. I need to fwd the TCP connection via Istio to the DB deployed as a stateful set. The problem I get is: when I call using the service name within the container, mongosh connects, but using the FQDN and connecting from outside the cluster gives me "MongoServerSelectionError: connection to :25010 closed". Any clue as to why? I checked the istio-proxy logs; the request reaches the proxy but logs as 0 bytes sent & received. – user2700022 Aug 09 '23 at 13:42
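
The configuration the answer and its first comment point to, as an added example that is not part of the original posts: the asker's second attempt with the VirtualService changed from a `tcp` route to a `tls` route matched on SNI, which is what a PASSTHROUGH gateway server routes on. Names, namespace, hosts and ports are taken from the question; the linked example is not on the page, so the `sniHosts` match is an assumption about what "as in the example" refers to.

```yaml
# Added example. The Gateway is unchanged from the asker's second attempt:
# TLS is not terminated at the ingress gateway, MongoDB keeps serving its own certificate.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: staging
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "my.mongodb.com"
    port:
      number: 443
      protocol: TLS
      name: tls-mongo
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myvs
  namespace: staging
spec:
  hosts:
  - "my.mongodb.com"
  gateways:
  - my-gateway
  tls:                        # was `tcp:` in the attempt
  - match:
    - port: 443               # gateway port
      sniHosts:               # required for a tls match; compared with the SNI in the ClientHello
      - "my.mongodb.com"
    route:
    - destination:
        host: my-service
        port:
          number: 27018       # MongoDB port inside the mesh
```

Connect with `mongo my.mongodb.com:443 --ssl`, as the answer says; the client has to send the hostname as SNI for the match to apply.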