Hey everyone,
I've been trying to set up a connection to PostgreSQL running in Kubernetes using Traefik as a proxy with HostSNI, but without TLS. Unfortunately, I've failed multiple times and can't seem to get it working.
How exactly should I configure Traefik and PostgreSQL for this setup? Can someone please provide a step-by-step guide or example configurations?
If you have managed to get this working, please share your knowledge—it would really help me and others struggling with the same issue!
Thanks in advance!
HostSNI is a feature of TLS. Without TLS, only HostSNI(`*`) works, as a catch-all on the port.
A chatbot states that the Postgres client does not use HostSNI. If that is true, you can only use the catch-all. For different Postgres instances you then need different ports.
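To make the "one port per instance" advice concrete, here is an added example configuration (not from this thread or from the Traefik docs): two TCP entry points, one per PostgreSQL instance, and one IngressRouteTCP on each that matches HostSNI(`*`) and has no `tls` section, so Traefik forwards the raw bytes without trying to read a ClientHello. The namespace, Service names and host ports are assumptions. The reason the catch-all is the only option is that libpq opens a plain TCP connection and sends a PostgreSQL SSLRequest packet before any TLS handshake, so the first bytes on the wire are never a TLS ClientHello and Traefik has no SNI to route on, whether or not the client wants TLS (PostgreSQL 17's client option `sslnegotiation=direct`, which sends the ClientHello first, is the exception; anything older cannot use a HostSNI rule).

```yaml
# Static configuration (traefik.yml or Helm "ports" values): one TCP entry
# point per PostgreSQL instance, because without SNI the port is the only
# thing that tells the instances apart.
entryPoints:
  pg-a:
    address: ":5432"
  pg-b:
    address: ":5433"
providers:
  kubernetesCRD: {}
---
# Dynamic configuration (Kubernetes manifests): one IngressRouteTCP per
# entry point. HostSNI(`*`) is the only rule that matches a non-TLS
# connection, and there is deliberately no "tls:" section, so the
# SSLRequest/StartupMessage exchange happens directly between libpq and
# Postgres. traefik.io/v1alpha1 needs Traefik v2.10+ or v3.
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: postgres-a
  namespace: databases            # assumed namespace
spec:
  entryPoints:
    - pg-a
  routes:
    - match: HostSNI(`*`)
      services:
        - name: postgres-a        # assumed Service name
          port: 5432
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: postgres-b
  namespace: databases
spec:
  entryPoints:
    - pg-b
  routes:
    - match: HostSNI(`*`)
      services:
        - name: postgres-b        # assumed Service name
          port: 5432
```

The Traefik Service or LoadBalancer in front of the pods must also expose 5432 and 5433, and clients then select the instance purely by port (for example `psql "host=traefik.example.internal port=5433 user=bob dbname=orders"`, with a hypothetical hostname). Check with `kubectl get ingressroutetcp -n databases` that both routes were accepted; a route that is missing an entryPoints entry silently attaches to every TCP entry point and would conflict with the other catch-all.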
Hey! I've resolved the issue by developing a custom proxy using the hasirciogli/xdatabase-proxy repository. This Go-based proxy is tailored for Kubernetes environments and offers dynamic service discovery, deployment-based routing, and integration with tools like pgbouncer for connection pooling. I integrated Kubernetes service discovery to manage database connections effectively, eliminating the need for Traefik. To overcome the challenges with HostSNI, I implemented a solution that parses the username from the connection string, ensuring accurate routing without relying on HostSNI.
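The routing-by-username idea from the previous post, shown as an added example in Go that is neither the poster's code nor anything from the hasirciogli/xdatabase-proxy repository. It handles the one routing key a non-TLS PostgreSQL connection does offer: the `user` parameter of the StartupMessage, which the client sends before any authentication. The backend map, namespace and Service names are assumptions standing in for real service discovery, and the byte stream used in the test is constructed, not captured.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// First-message codes of the PostgreSQL frontend/backend protocol (v3).
const (
	protocolV3        = 196608   // StartupMessage, major 3 minor 0
	sslRequestCode    = 80877103 // client asks to upgrade to TLS
	gssEncRequestCode = 80877104 // client asks for GSSAPI encryption
	cancelRequestCode = 80877102 // carries a backend PID and key, no user
	maxStartupLength  = 10000    // same limit the PostgreSQL server enforces
)

// StartupInfo is what the proxy learns before any authentication happens.
type StartupInfo struct {
	User, Database string
	Params         map[string]string
	Raw            []byte // the exact StartupMessage, to replay to the backend
}

// ReadStartup consumes the client's opening message(s). A libpq client with
// sslmode=prefer sends an SSLRequest first; this proxy answers 'N' (it does
// not terminate TLS) and the client then sends its plain StartupMessage.
func ReadStartup(r io.Reader, w io.Writer) (*StartupInfo, error) {
	for round := 0; round < 3; round++ {
		hdr := make([]byte, 8)
		if _, err := io.ReadFull(r, hdr); err != nil {
			return nil, err
		}
		length, code := binary.BigEndian.Uint32(hdr[:4]), binary.BigEndian.Uint32(hdr[4:])
		if length < 8 || length > maxStartupLength { // reject before allocating
			return nil, fmt.Errorf("bad startup length %d", length)
		}
		body := make([]byte, length-8)
		if _, err := io.ReadFull(r, body); err != nil {
			return nil, err
		}
		switch code {
		case sslRequestCode, gssEncRequestCode:
			if _, err := w.Write([]byte{'N'}); err != nil {
				return nil, err
			}
		case cancelRequestCode:
			return nil, errors.New("CancelRequest carries no user, cannot route")
		case protocolV3:
			info, err := parseParams(body)
			if err != nil {
				return nil, err
			}
			info.Raw = append(hdr, body...)
			return info, nil
		default:
			return nil, fmt.Errorf("unsupported protocol code %d", code)
		}
	}
	return nil, errors.New("client keeps re-negotiating encryption")
}

// parseParams decodes the NUL-separated name/value pairs of a StartupMessage.
func parseParams(body []byte) (*StartupInfo, error) {
	info := &StartupInfo{Params: map[string]string{}}
	for len(body) > 0 && body[0] != 0 { // a lone NUL terminates the list
		name, rest, ok1 := bytes.Cut(body, []byte{0})
		value, rest, ok2 := bytes.Cut(rest, []byte{0})
		if !ok1 || !ok2 {
			return nil, errors.New("unterminated startup parameter")
		}
		info.Params[string(name)] = string(value)
		body = rest
	}
	info.User, info.Database = info.Params["user"], info.Params["database"]
	if info.User == "" {
		return nil, errors.New("StartupMessage without user parameter")
	}
	return info, nil
}

// backends is a hypothetical user -> Service map standing in for service discovery.
var backends = map[string]string{
	"alice": "postgres-a.databases.svc.cluster.local:5432",
	"bob":   "postgres-b.databases.svc.cluster.local:5432",
}

// RouteBackend picks the backend for the claimed user; nothing is authenticated yet.
func RouteBackend(info *StartupInfo) (string, error) {
	addr, ok := backends[info.User]
	if !ok {
		return "", fmt.Errorf("no backend for user %q", info.User)
	}
	return addr, nil
}
```

Two things to keep in mind with this approach. The routing decision is based on an unauthenticated claim: any client can steer itself to any backend by naming a user, so every backend must still enforce its own password or certificate authentication, and unknown users should be dropped rather than sent to a default instance. And because the proxy has consumed the StartupMessage, it must write `Raw` to the backend before splicing the two connections; answering 'N' to the SSLRequest also means clients with `sslmode=require` will refuse to connect, which is the expected trade-off for a deliberately non-TLS setup.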
That was a quick turnaround.
It's always a risk to rely on a library from a random source on the Internet. People deploy a docker-socket-proxy container from an unknown source to "increase security". Not sure if it does the opposite.
I did a high-level scan of the Go repository and found a mailru dependency for a JSON parser. That would be a perfect spot for a state actor to run a supply chain attack, reading config files with credentials or requests with all kinds of data.
It's great that you provide the solution; I just want others to be aware that there is a risk associated with it.