
Enable STARTTLS for origin Postgres server in TLSRoute of Kubernetes Gateway API #10644

Open
2 tasks done
hmoazzem opened this issue Apr 20, 2024 · 2 comments
Labels
area/tcp kind/proposal a proposal that needs to be discussed.

Comments

@hmoazzem

Welcome!

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

First, thanks to all the contributors for the wonderful PR #9377. I've connected to Postgres with PGSSLMODE=require. It works like a charm!

Now, how can we enable STARTTLS (essentially use PGSSLMODE=require) while forwarding the request to the origin server?

Envoy apparently allows setting the upstream sslmode (https://github.com/envoyproxy/envoy/blob/af915efe430a670a9eed89bd57778657374acd4e/api/contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto#L24), but I couldn't get envoy/istio to work.

If you'd like to reproduce the scenario with traefik (for non-STARTTLS Postgres),

  • Enable Gateway API and experimentalChannel (for TCPRoute and TLSRoute)
--entrypoints.postgres.address=:5432/tcp
--providers.kubernetesgateway=true
--providers.kubernetesgateway.experimentalchannel=true
  • Ensure a similar section in Gateway definition
  - allowedRoutes:
      namespaces:
        from: All
    hostname: 'postgres.example.org'
    name: tls-postgres-terminate
    port: 5432
    protocol: TLS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: postgres.example.org-tls-keypair
        namespace: traefik
      mode: Terminate
  • Create a TLSRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: postgres.example.org
spec:
  hostnames:
  - postgres.example.org
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: traefik-default
    namespace: traefik
    sectionName: tls-postgres-terminate
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: db-postgresql
      port: 5432
      weight: 1
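The question above is what the proxy would have to do on the hop to the origin: send the PostgreSQL SSLRequest message over the plaintext connection, read the one-byte 'S'/'N' answer, and only then start a TLS handshake on the same socket. The following is an added example, not Traefik's, Envoy's or the issue author's code, that implements that negotiation and the client-side TLS policy for the origin hop (encrypt-only, like PGSSLMODE=require, or pinned-CA verification, like verify-full). The origin it talks to is a constructed in-process fixture, so the 'N' and garbage paths run offline; the host name db.example.internal is an assumption.

```python
"""Added example: PostgreSQL SSLRequest ("STARTTLS"-style) negotiation as a
re-encrypting proxy would perform it toward the origin server."""
import socket
import ssl
import struct
import threading

# Wire constants from the PostgreSQL frontend/backend protocol: the client
# sends 8 bytes (length including itself, then the SSLRequest code
# 80877103 = (1234 << 16) | 5679); the server answers a single byte,
# 'S' (TLS handshake may begin) or 'N' (server will not speak TLS).
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


class StartTLSRefused(Exception):
    """Origin answered 'N' and the policy (sslmode=require) forbids plaintext."""


class ProtocolError(Exception):
    """Origin answered with something other than a single 'S' or 'N'."""


def build_ssl_request() -> bytes:
    """The exact bytes a client (or re-encrypting proxy) sends first."""
    return SSL_REQUEST


def parse_ssl_response(reply: bytes) -> bool:
    """True if the origin agreed to TLS ('S'), False if it declined ('N')."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ProtocolError(f"unexpected SSLRequest reply: {reply!r}")


def origin_tls_context(cafile=None) -> ssl.SSLContext:
    """Client-side TLS policy for the proxy -> origin hop.
    cafile given: like PGSSLMODE=verify-full, trust only the origin's own
    (possibly self-signed) certificate and check its name.
    cafile None: like PGSSLMODE=require, encrypt the hop but accept any
    certificate, so an active attacker on that hop goes undetected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # check_hostname must be disabled before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiate_starttls(sock, ctx, server_hostname, require=True):
    """Send SSLRequest on a connected plaintext socket and, if the origin
    agrees, upgrade that same socket to TLS. Returns the socket to keep
    using: TLS-wrapped, or plaintext only when require=False."""
    sock.sendall(build_ssl_request())
    reply = sock.recv(1)
    if parse_ssl_response(reply):
        return ctx.wrap_socket(sock, server_hostname=server_hostname)
    if require:
        sock.close()
        raise StartTLSRefused("origin declined TLS and plaintext is not allowed")
    return sock  # sslmode=prefer-like fallback, accepted by the caller


def _constructed_origin(answer: bytes) -> socket.socket:
    """Constructed stand-in for an origin (test fixture, not a real Postgres):
    reads the SSLRequest and replies with the given byte."""
    client_end, server_end = socket.socketpair()

    def serve():
        request = server_end.recv(len(SSL_REQUEST))
        server_end.sendall(answer if request == SSL_REQUEST else b"E")
        server_end.close()

    threading.Thread(target=serve, daemon=True).start()
    return client_end


def probe_origin(answer: bytes, require: bool = True) -> str:
    """Run the negotiation against a constructed origin and report the outcome."""
    sock = _constructed_origin(answer)
    try:
        result = negotiate_starttls(sock, origin_tls_context(),
                                    "db.example.internal", require=require)
    except StartTLSRefused:
        return "refused"
    except ProtocolError:
        return "protocol-error"
    except (ssl.SSLError, OSError):
        return "tls-handshake-failed"  # 'S' path: fixture cannot finish a handshake
    if isinstance(result, ssl.SSLSocket):
        return "tls"
    result.close()
    return "plaintext-fallback"


if __name__ == "__main__":
    print("origin says N, require=True  ->", probe_origin(b"N"))
    print("origin says N, require=False ->", probe_origin(b"N", require=False))
    print("origin sends garbage         ->", probe_origin(b"E"))
```

Against a real origin, replace the fixture with a TCP connection to the backend Service and pass `origin_tls_context(cafile="<origin's own cert>")` to get verification of each server's individual self-signed certificate rather than the encrypt-only behaviour of sslmode=require.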
@nmengin
Contributor

nmengin commented Apr 22, 2024

Hey @hmoazzem,

Thanks for your suggestion.

We are interested in this issue, but we’re unsure about the use case and the traction it will receive. We are going to leave the status as kind/proposal to give the community time to let us know if they would like this idea.
We will reevaluate as people respond.

Conversation is time-boxed to 6 months.

@nmengin nmengin added kind/proposal a proposal that needs to be discussed. area/tcp and removed status/0-needs-triage labels Apr 22, 2024
@hmoazzem
Author

hmoazzem commented Apr 22, 2024

Thanks @nmengin for the clarification! Indeed, traefik also allows Passthrough, eliminating the need to re-encrypt traffic. Anyway, here's our (very niche) use case:

We're running traefik at the edge of our network with a wildcard certificate issued by a publicly trusted CA, but each of the Postgres servers (behind traefik) is running with a self-signed certificate issued exclusively for that server. I guess we shouldn't give ONE wildcard cert to ALL the Postgres servers (and we can't allow plaintext traffic)? To make the use case more discernible, imagine Cloudflare proxying Postgres.
