Istio apt-key failure

Jerome_Gournet · March 15, 2023, 12:57am

When using istio as a sidecar, doing this fails:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 4E1B983C5B393194
Executing: /tmp/apt-key-gpghome.bQ0WOIngoL/gpg.1.sh --keyserver hkp://keyserver.ubuntu.com:80 --recv 4E1B983C5B393194
gpg: keyserver receive failed: No data

Doing a tcpdump, I can see a request to http://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194, and response is:

HTTP/1.1 426 Upgrade Required
date: Wed, 15 Mar 2023 00:43:15 GMT
server: envoy
connection: close
content-length: 0

Now, the stranger part is: from the same pod, I can do a curl call, and it’s working fine:

curl -v 'http://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194'
*   Trying 162.213.33.9:80...
* TCP_NODELAY set
* Connected to keyserver.ubuntu.com (162.213.33.9) port 80 (#0)
> GET /pks/lookup?op=get&options=mr&search=0x4E1B983C5B393194 HTTP/1.1
> Host: keyserver.ubuntu.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 15 Mar 2023 00:46:15 GMT
< server: envoy                                                    <==== NOTE THIS LINE 
< content-type: text/plain
< content-length: 650
< vary: Accept-Encoding
< x-envoy-upstream-service-time: 563
< 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Hostname: 
Version: Hockeypuck 2.1.0-189-g15ebf24

xo0EUop2hAEEAKCxrxekSUFnvE7THmqtCAHjG8b8xXJQ4pqwecnWhm7kuVt4SrGv
2kSob1hDgAbLjkDfiK0CSAf6B+ofEw4LIobI+QyvbBKn8lMbJKYmBHP5ez+/qB4s
s3VrONIF4uN4+Zw/HCrgovpYwePuJIYwgpPaxT0LD4jUaa/AXF4MQFyvABEBAAHN
L0xhdW5jaHBhZCBQUEEgZm9yIENhbm9uaWNhbCBDaHJvbWl1bSBCdWlsZCBUZWFt
wrgEEwECACIFAlKKdoQCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEE4b
mDxbOTGUc2gD/2dFGqP3W7wxfm2PbCw0PMuOByWdR2wZ1I6pNQS1oqs4hJHVvzcx
LiyvKJWZo1aaPtJBDOXieJFS/5Eyir5PKNUaC7+3EHDVFKFj0Brie/aVSH2h3Mct
I9s0tt03EN+uMpCtwAMUQrteZIkIHOk4BDEnIyoThE/Nz+zEGXTLHqOK
=dcgw
-----END PGP PUBLIC KEY BLOCK-----

I created a new pod and added annotation:

traffic.sidecar.istio.io/excludeOutboundPorts: "80"

and both curl and apt-key work

I did compare tcpdumps from both pods, and they look exactly the same

question is: WHY ?

Note: anyway, I’m in the process of changing all those to use https which will fix the problem and make things better … but I’d still like to know why this is happening

Topic		Replies	Views
Pod with Sidecar Fails SSL with External Service	4	1822	August 20, 2019
Connectivity Verification from side car to istio pilot for mTLS enabled policy fails Security	0	546	January 1, 2020
Istio sidecar auto injection failed Security openshift , security	0	392	February 22, 2023
The istio proxy container generating an error "pstream reset: reset reason: connection failure, transport failure reason: TLS error: Secret is not supplied by SDS" Config openshift	0	224	November 10, 2023
503 errors even with ISTIO_MUTUAL DestinationRule Networking	4	2226	September 10, 2019

Istio apt-key failure

Related Topics