Open
Description
Proposal
Currently the operator creates a database headless Service with roughly this configuration:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: database-pxc-db-pxc
spec:
  ports:
    - name: mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
    - name: mysql-admin
      protocol: TCP
      port: 33062
      targetPort: 33062
    - name: mysqlx
      protocol: TCP
      port: 33060
      targetPort: 33060
...
```
As in percona/percona-server-mongodb-operator#1393, when using Istio with mTLS, Istio cannot correctly interpret the protocol, hence Istio's mTLS does not work.
The following service works with Istio's mTLS enabled:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: database-pxc-db-pxc
spec:
  ports:
    - name: mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
    - name: mysql-admin
      protocol: TCP
      port: 33062
      targetPort: 33062
    - name: mysqlx
      protocol: TCP
      port: 33060
      targetPort: 33060
    - name: sst
      protocol: TCP
      appProtocol: tcp
      port: 4444
      targetPort: 4444
    - name: write-set
      protocol: TCP
      appProtocol: tcp
      port: 4567
      targetPort: 4567
    - name: ist
      protocol: TCP
      appProtocol: tcp
      port: 4568
      targetPort: 4568
...
```
Compared to the mongo implementation, we would need to set `appProtocol: tcp`.
Use-Case
Istio with mTLS enabled.
Is this a feature you are interested in implementing yourself?
No
Anything else?
Thank you for considering implementing it 👍
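The reason the three Galera ports need `appProtocol` is Istio's protocol selection: a sidecar classifies a Service port from `appProtocol` if present, otherwise from the port name's `<protocol>[-<suffix>]` prefix (`http`, `tcp`, `mysql`, `grpc-web`, ...), and otherwise falls back to runtime protocol sniffing, which is where server-first or non-HTTP traffic such as SST/IST tends to break under mTLS. The script below is an added example and not part of the operator or of this issue; it takes a Service in the JSON form `kubectl get svc NAME -o json` produces (a constructed sample mirroring the Service above is embedded for offline use), reports which ports Istio would have to sniff, and shows the fix of stamping `appProtocol: tcp` onto them. The prefix table is Istio's documented one; Istio's extra fallback that treats a few well-known port numbers as TCP is deliberately not modelled. Note that by the naming rule `mysqlx` is also flagged, since its name is not `mysql` or `mysql-<suffix>`; the post reports that port as working, so whether it also wants an explicit `appProtocol` is something to verify in your own mesh rather than something this issue establishes.

```python
"""Report which ports of a Kubernetes Service Istio cannot classify without
protocol sniffing, and stamp appProtocol onto them.

Added example, not operator code.  Usage:
    kubectl get svc database-pxc-db-pxc -o json | python3 istio_ports.py
Without stdin input it runs against the constructed SAMPLE_SERVICE below.
"""
import copy
import json
import sys
from typing import Optional

# Protocol names Istio recognises, as an appProtocol value or as the
# `<protocol>[-<suffix>]` prefix of a port name (documented Istio list).
ISTIO_PROTOCOLS = {
    "http", "http2", "https", "tcp", "tls", "grpc", "grpc-web",
    "mongo", "mysql", "redis", "udp",
}

# Constructed sample: the Service from the issue *before* appProtocol is set
# on the Galera ports (kubectl -o json style, trimmed to the relevant fields).
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "database-pxc-db-pxc"},
    "spec": {
        "clusterIP": "None",
        "ports": [
            {"name": "mysql", "protocol": "TCP", "port": 3306, "targetPort": 3306},
            {"name": "mysql-admin", "protocol": "TCP", "port": 33062, "targetPort": 33062},
            {"name": "mysqlx", "protocol": "TCP", "port": 33060, "targetPort": 33060},
            {"name": "sst", "protocol": "TCP", "port": 4444, "targetPort": 4444},
            {"name": "write-set", "protocol": "TCP", "port": 4567, "targetPort": 4567},
            {"name": "ist", "protocol": "TCP", "port": 4568, "targetPort": 4568},
        ],
    },
}


def istio_protocol(port: dict) -> Optional[str]:
    """Protocol Istio assigns to a ServicePort without sniffing, or None if
    Istio would have to sniff it (no usable appProtocol, no recognised prefix).

    Order mirrors Istio's documented selection: UDP ports are UDP, an explicit
    appProtocol wins, then the port-name prefix.  The well-known-port fallback
    Istio applies on top of this is intentionally not modelled here.
    """
    if str(port.get("protocol", "TCP")).upper() == "UDP":
        return "udp"
    app = port.get("appProtocol")
    if app:
        app = app.lower()
        # An appProtocol Istio does not know still leaves the port unclassified.
        return app if app in ISTIO_PROTOCOLS else None
    name = str(port.get("name", "")).lower()
    if name.startswith("grpc-web"):      # the one prefix that itself contains '-'
        return "grpc-web"
    prefix = name.split("-", 1)[0]
    return prefix if prefix in ISTIO_PROTOCOLS else None


def sniffed_ports(service: dict) -> list:
    """Names of the Service's ports that Istio would classify by sniffing."""
    ports = service.get("spec", {}).get("ports", [])
    return [p.get("name", f"port-{p.get('port')}")
            for p in ports if istio_protocol(p) is None]


def with_app_protocol(service: dict, names, proto: str = "tcp") -> dict:
    """Return a copy of `service` with appProtocol=proto set on the named ports
    (the fix proposed in the issue); the input object is left untouched."""
    fixed = copy.deepcopy(service)
    wanted = set(names)
    for p in fixed.get("spec", {}).get("ports", []):
        if p.get("name") in wanted:
            p["appProtocol"] = proto
    return fixed


if __name__ == "__main__":
    svc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SERVICE
    unclassified = sniffed_ports(svc)
    name = svc.get("metadata", {}).get("name", "<unnamed>")
    if not unclassified:
        print(f"{name}: every port has an explicit Istio protocol")
    else:
        print(f"{name}: Istio must sniff these ports: {', '.join(unclassified)}")
        patched = with_app_protocol(svc, unclassified)
        print("proposed spec.ports with appProtocol set:")
        print(json.dumps(patched["spec"]["ports"], indent=2))
```

Running it against the live Service before and after the operator change (or after a manual `kubectl patch`) is a quick way to confirm that the mesh no longer depends on sniffing for the Galera replication ports.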