
Exposing MySQL

Open arezvani opened this issue 2 years ago • 13 comments

How can I expose MySQL with TCPIngress? I use this YAML:

apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: mysql
  namespace: default
spec:
  rules:
  - backend:
      serviceName: my-mysql
      servicePort: 3306
    host: tls9443.kong.example
    port: 9443
  tls:
  - hosts:
    - tls9443.kong.example
    secretName: tls9443.kong.example

I can't connect to my MySQL.

arezvani avatar Apr 30 '23 19:04 arezvani

@arezvani, can you check if this is related to: https://github.com/Kong/kong/issues/10758

There is a workaround too.

bungle avatar May 01 '23 16:05 bungle

cc @Kong/team-k8s

hbagdi avatar May 01 '23 17:05 hbagdi

@arezvani, can you check if this is related to: #10758

There is a workaround too.

@bungle It uses exposing with different ports; I want to expose with SNI type.

arezvani avatar May 01 '23 19:05 arezvani

@arezvani I meant about setting router_flavor=traditional as a workaround, can you test if it fixes your issue too? See: https://github.com/Kong/kong/issues/10758#issuecomment-1525457562

There seems to be an issue with router_flavor=traditional_compatible in 3.x series when stream routing. @arezvani I am just checking if that is the case with you as well.

@arezvani also, do you get any error message? Or any errors in logs?

bungle avatar May 02 '23 14:05 bungle

I use env KONG_ROUTER_FLAVOR=traditional. I get this error again:

[a.rezvani@master1 mysql]$ mysql -h tls9443.kong.example --port 30968
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 0


arezvani avatar May 03 '23 07:05 arezvani

@arezvani can you share your Kong KONG_STREAM_LISTEN configuration?

bungle avatar May 03 '23 07:05 bungle

@arezvani can you share your Kong KONG_STREAM_LISTEN configuration?

        - name: KONG_STREAM_LISTEN
          value: 0.0.0.0:9000, 0.0.0.0:9443 ssl

arezvani avatar May 03 '23 08:05 arezvani

@arezvani, is that --port 30968 right, or should it be --port 9443?

bungle avatar May 03 '23 08:05 bungle

@arezvani, is that --port 30968 right, or should it be --port 9443?

I expose port 9443 with a NodePort service on port 30968 that I can access from outside of the cluster.

arezvani avatar May 03 '23 08:05 arezvani

Note 9443 is a TLS port; I think you would need the 9000 port for plain TCP without TLS termination. MySQL uses STARTTLS, so even if you are looking for TLS termination on the Kong side, the TLS port won't work.

fffonion avatar May 04 '23 04:05 fffonion

@fffonion I will test that, but I don't think it works because if I want to use SNI, I should have TLS.

arezvani avatar May 04 '23 09:05 arezvani

Note 9443 is a TLS port; I think you would need the 9000 port for plain TCP without TLS termination. MySQL uses STARTTLS, so even if you are looking for TLS termination on the Kong side, the TLS port won't work.

Port 9000 is for exposing by port, and for each user you should use a new port. I want to expose with a different host, so I should use exposing with SNI and port 9443.

arezvani avatar May 04 '23 12:05 arezvani

@arezvani Kong doesn't support terminating STARTTLS (https://en.m.wikipedia.org/wiki/Opportunistic_TLS). On such a request, Kong will not be able to decode SNI, and thus your use case won't be supported. You can only treat it as a plain TCP request, or write plugins to support decoding this protocol.

fffonion avatar Jun 05 '23 03:06 fffonion
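The two comments above (port 9443 is a TLS listener; MySQL uses STARTTLS, so no SNI can be read) can be made concrete with a small example. The script below is an added illustration, not code from this issue or from Kong: it shows what an SNI-routing listener sees on the first bytes of a connection. A constructed TLS ClientHello carries the server name in the clear and routes; a MySQL connection does not, because the MySQL server speaks first (the greeting packet), the client sends nothing until it has read that greeting, and TLS is only negotiated later inside the protocol. The ClientHello, the greeting packet and the routing table are constructed for the example; `tls9443.kong.example` and `my-mysql:3306` are the values from the issue.

```python
import struct

# --- constructed TLS ClientHello with a server_name extension ---------------
def _sni_extension(hostname: bytes) -> bytes:
    # server_name extension (type 0x0000): one host_name entry (type 0)
    name_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello record (constructed, not captured)."""
    ext = _sni_extension(hostname.encode("ascii"))
    body = (
        b"\x03\x03"                               # client_version
        + b"\x11" * 32                            # random (constructed filler)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # compression: null only
        + struct.pack("!H", len(ext)) + ext       # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# --- what an SNI router does with the first client bytes --------------------
def extract_sni(data: bytes):
    """Return the SNI host name from a ClientHello record, or None.
    Any truncated or non-TLS input yields None rather than an exception."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + nlen]
                p += nlen
                if ntype == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route_by_sni(first_bytes: bytes, sni_table: dict):
    """Pick a backend the way a TLS/SNI listener would; None means 'cannot route'."""
    host = extract_sni(first_bytes)
    return None if host is None else sni_table.get(host)


# --- constructed MySQL server greeting (the SERVER sends this first) ---------
_greeting_payload = (
    b"\x0a"                          # protocol version 10
    + b"8.0.33\x00"                  # server version, NUL-terminated (constructed)
    + struct.pack("<I", 7)           # connection id
    + b"12345678"                    # auth-plugin-data part 1
    + b"\x00"                        # filler
    + struct.pack("<H", 0x0A00)      # capability flags, low 16 bits: CLIENT_SSL|CLIENT_PROTOCOL_41
)
MYSQL_GREETING = len(_greeting_payload).to_bytes(3, "little") + b"\x00" + _greeting_payload


def classify_first_bytes(data: bytes) -> str:
    """Coarse classifier for the first bytes seen on a socket."""
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:
        return "tls-clienthello"
    if len(data) >= 5:
        plen = int.from_bytes(data[:3], "little")
        if data[3] == 0 and data[4] == 0x0A and len(data) == 4 + plen:
            return "mysql-server-greeting"
    return "unknown"


SNI_TABLE = {"tls9443.kong.example": "my-mysql:3306"}   # hypothetical routing table
CLIENT_HELLO = build_client_hello("tls9443.kong.example")

if __name__ == "__main__":
    print("TLS client  ->", route_by_sni(CLIENT_HELLO, SNI_TABLE))   # my-mysql:3306
    # A MySQL client waits for the greeting, so the router reads nothing at all:
    print("MySQL client->", route_by_sni(b"", SNI_TABLE))            # None
    print("greeting is ", classify_first_bytes(MYSQL_GREETING))      # mysql-server-greeting
```

This is the deadlock behind the `Lost connection ... 'reading initial communication packet'` error in the thread: the TLS listener on 9443 waits for a ClientHello that a MySQL client will never send unprompted, and the client waits for a greeting that the listener will never forward, until one side gives up. Routing by port on the plain listener (9000), as suggested above, avoids the problem because no SNI is needed.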

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 11 '23 23:07 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 26 '23 01:07 stale[bot]