I am currently trying to set up a connection between a pod deployed on a Kubernetes server and an external MariaDB server.
When I try to connect to the server from the pod, I get this error:
ERROR 2013 (HY000): Lost connection to MySQL server at 'handshake: reading initial communication packet', system error: 11
As I understand it, the problem is that the MySQL protocol requires the first connection packet not to be TLS, while the egress gateway only does TLS.
I don't know whether there is a workaround or a variable that could change how this works, or whether my Istio version is simply too old to support this kind of connection.
Here is my configuration:
MariaDB server:
The MariaDB server is a container with TLS enabled.
I created a user without a password that requires X509.
If I try to connect to MariaDB from a terminal with the certificates, it succeeds.
Kubernetes cluster:
istio: 1.6.14
Client certificates are provided.
Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mariadb
  namespace: istio-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - hosts:
    - mariadb.test.com
    port:
      name: tcp
      number: 15443
      protocol: TCP
Virtual service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mariadb-through-egress-gateway
spec:
  gateways:
  - mesh
  - mariadb
  hosts:
  - mariadb.test.com
  tcp:
  - match:
    - gateways:
      - mesh
      port: 15443
    route:
    - destination:
        host: istio-egressgateway.istio-egress.svc.cluster.local
        port:
          number: 15443
        subset: mariadb
      weight: 100
  - match:
    - gateways:
      - mariadb
      port: 15443
    route:
    - destination:
        host: mariadb.test.com
        port:
          number: 3306
      weight: 100
DestinationRule:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-mariadb
spec:
  exportTo:
  - .
  host: mariadb.test.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 3306
      tls:
        caCertificates: /etc/istio/client/ca.crt
        clientCertificate: /etc/istio/client/tls.crt
        mode: MUTUAL
        privateKey: /etc/istio/client/tls.key
        sni: mariadb.test.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-mariadb
spec:
  host: istio-egressgateway.istio-egress.svc.cluster.local
  subsets:
  - name: mariadb
Service entries:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mariadb
spec:
  hosts:
  - mariadb.test.com
  location: MESH_EXTERNAL
  ports:
  - name: tcp-mtls-origination
    number: 15443
    protocol: TCP
  - name: tcp
    number: 3306
    protocol: TCP
  resolution: DNS
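Added example, not part of the question above and not code from Istio or MariaDB: a small Python script that shows what the MySQL/MariaDB protocol does on the wire, which is the mechanism behind the "reading initial communication packet" error. The server speaks first, sending a cleartext protocol-10 greeting whose capability flags advertise CLIENT_SSL; only after the client answers with an SSLRequest packet does the socket switch to TLS. A proxy that opens the connection with a TLS ClientHello therefore receives a cleartext greeting where its TLS stack expects a TLS record. The sample greeting packet, its version string, thread id and capability set are constructed for the demo; probe_first_bytes connects to a host you name and reports whether the first bytes received are a MySQL greeting, a TLS record, or nothing at all.

```python
import socket
import struct

# MySQL/MariaDB capability flags (values from the client/server protocol)
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800            # the connection can be upgraded to TLS after the greeting
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

# Capability set of the constructed sample server (an assumption for the demo, not captured)
SAMPLE_CAPABILITIES = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def build_handshake_v10(server_version: bytes, capabilities: int, thread_id: int = 42) -> bytes:
    """Build a protocol-10 initial handshake packet: the first bytes a MariaDB server sends.

    Constructed sample for the demo, not a packet captured from a real server.
    """
    auth_data = bytes(range(1, 21))                  # 20 bytes of constructed auth-plugin data
    payload = bytes([10])                            # protocol version
    payload += server_version + b"\x00"              # NUL-terminated server version string
    payload += struct.pack("<I", thread_id)
    payload += auth_data[:8] + b"\x00"               # auth-plugin-data part 1, then filler
    payload += struct.pack("<H", capabilities & 0xFFFF)           # capability flags, lower 16 bits
    payload += bytes([0x21])                         # character set (utf8_general_ci)
    payload += struct.pack("<H", 0x0002)             # status flags (SERVER_STATUS_AUTOCOMMIT)
    payload += struct.pack("<H", (capabilities >> 16) & 0xFFFF)   # capability flags, upper 16 bits
    payload += bytes([len(auth_data) + 1])           # length of auth-plugin data
    payload += b"\x00" * 10                          # reserved
    payload += auth_data[8:] + b"\x00"               # auth-plugin-data part 2
    payload += b"mysql_native_password\x00"          # auth plugin name
    return len(payload).to_bytes(3, "little") + b"\x00" + payload   # 3-byte length, sequence id 0


def parse_handshake_v10(packet: bytes) -> dict:
    """Parse the server greeting and report whether it offers a TLS upgrade."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or not payload or payload[0] != 10:
        raise ValueError("not a complete protocol-10 handshake packet")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii")
    pos = end + 1
    thread_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                 # thread id, auth data part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                                 # lower caps, charset, status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    capabilities = cap_lower | (cap_upper << 16)
    return {
        "server_version": server_version,
        "thread_id": thread_id,
        "capabilities": capabilities,
        "supports_tls_upgrade": bool(capabilities & CLIENT_SSL),
    }


def build_ssl_request() -> bytes:
    """Packet the client sends after the greeting to switch the connection to TLS (32-byte payload)."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", flags, 16 * 1024 * 1024, 0x21) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload   # sequence id 1


def classify_first_bytes(data: bytes) -> str:
    """Tell a cleartext MySQL greeting from a TLS record by the first bytes on the wire."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake-record"        # TLS record type 22 (handshake), major version 3
    if len(data) >= 5 and data[3] == 0 and data[4] == 10:
        return "mysql-greeting"              # sequence id 0, protocol version 10
    return "unknown"


def probe_first_bytes(host: str, port: int = 3306, timeout: float = 5.0) -> str:
    """Connect and classify whatever the far end sends first, without attempting a login."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            return "nothing-received"        # a listener that expects us to speak first, or a reset
    return classify_first_bytes(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
        print(probe_first_bytes(sys.argv[1], port))
    else:
        sample = build_handshake_v10(b"10.5.12-MariaDB", SAMPLE_CAPABILITIES)
        print(classify_first_bytes(sample), parse_handshake_v10(sample))
```

Run it with no arguments to parse the constructed sample; run it with a host and port from a machine that reaches the MariaDB server directly to confirm the server opens with a cleartext greeting (mysql-greeting), and from inside a mesh pod to see what the sidecar delivers instead. The probe reads at most 64 bytes and never sends credentials.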