When using Istio as a sidecar, doing this fails:

```
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 4E1B983C5B393194
Executing: /tmp/apt-key-gpghome.bQ0WOIngoL/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv 4E1B983C5B393194
gpg: keyserver receive failed: No data
```
Doing a tcpdump, I can see a request to http://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194, and the response is:

```
HTTP/1.1 426 Upgrade Required
date: Wed, 15 Mar 2023 00:43:15 GMT
server: envoy
connection: close
content-length: 0
```
Now, the stranger part is: from the same pod, I can do a curl call, and it's working fine:

```
curl -v 'http://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194'
* Trying 162.213.33.9:80...
* TCP_NODELAY set
* Connected to keyserver.ubuntu.com (162.213.33.9) port 80 (#0)
> GET /pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194 HTTP/1.1
> Host: keyserver.ubuntu.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 15 Mar 2023 00:46:15 GMT
< server: envoy <==== NOTE THIS LINE
< content-type: text/plain
< content-length: 650
< vary: Accept-Encoding
< x-envoy-upstream-service-time: 563
<
```
I created a new pod and added the annotation:

```
traffic.sidecar.istio.io/excludeOutboundPorts: "80"
```

and both curl and apt-key work.

I did compare the tcpdumps from both pods, and they look exactly the same.

The question is: WHY?

Note: anyway, I'm in the process of changing all of those to use HTTPS, which will fix the problem and make things better … but I'd still like to know why this is happening.
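One field worth comparing in the two captures is the protocol version on the request line: Envoy's HTTP/1 codec answers an HTTP/1.0 request with 426 Upgrade Required unless it has been configured to accept HTTP/1.0, while curl sends HTTP/1.1. The script below is an added example, not part of the question; the two request captures in it are constructed samples (a curl-style HTTP/1.1 request and an HTTP/1.0 request of the kind gpg's dirmngr keyserver client sends), and `envoy_http1_status` is a small model of that codec rule, not Envoy code.

```python
from __future__ import annotations

# Constructed sample captures shaped like the question's request, not the
# author's real tcpdump output. Same target and Host; only the version differs.
CURL_REQUEST = (
    b"GET /pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194 HTTP/1.1\r\n"
    b"Host: keyserver.ubuntu.com\r\n"
    b"User-Agent: curl/7.68.0\r\n"
    b"Accept: */*\r\n\r\n"
)
GPG_REQUEST = (
    b"GET /pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194 HTTP/1.0\r\n"
    b"Host: keyserver.ubuntu.com\r\n\r\n"
)


def parse_request_line(raw: bytes) -> tuple[str, str, str]:
    """Return (method, target, version) from the first line of a raw request."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {first!r}")
    return parts[0], parts[1], parts[2]


def envoy_http1_status(raw: bytes, accept_http_10: bool = False) -> int:
    """Model of Envoy's HTTP/1 codec rule (hypothetical helper, not Envoy code):
    an HTTP/1.0 request line gets 426 Upgrade Required unless accept_http_10 is
    set; anything else is proxied, modelled here as the upstream's 200."""
    _, _, version = parse_request_line(raw)
    if version == "HTTP/1.0" and not accept_http_10:
        return 426
    return 200


def request_line_diff(a: bytes, b: bytes) -> dict[str, tuple[str, str]]:
    """Report the request-line fields that differ between two captures; when
    method and target match, only the version is left to explain a 426."""
    fields = ("method", "target", "version")
    pairs = zip(fields, parse_request_line(a), parse_request_line(b))
    return {name: (x, y) for name, x, y in pairs if x != y}


if __name__ == "__main__":
    print(request_line_diff(CURL_REQUEST, GPG_REQUEST))
    print(envoy_http1_status(CURL_REQUEST), envoy_http1_status(GPG_REQUEST))
    print(envoy_http1_status(GPG_REQUEST, accept_http_10=True))
```

Run the same comparison on the real captures from both pods: if the request lines differ only in `HTTP/1.0` versus `HTTP/1.1`, that is the line to look at rather than the headers.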