Istio Version : 1.5.2
kubernetes version: 1.17.4
We are not able to sftp a file into docker via istio ingress. But we are able to do it via node port.
The following error is printed on the client side.
-bash-4.2$ sftp -v -P 31400 sftp@<A.B.C.D>
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to <A.B.C.D> [<A.B.C.D>] port 31400.
debug1: Connection established.
debug1: identity file /u/user/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /u/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
**ssh_exchange_identification: read: Connection reset by peer**
**Couldn't read packet: Connection reset by peer**
-bash-4.2$
The following are the debug logs on the server side:
bash-4.2# debug3: fd 5 is not O_NONBLOCK
debug1: Forked child 143.
debug3: send_rexec_state: entering fd = 8 config len 216
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: oom_adjust_restore
debug1: Set /proc/self/oom_score_adj to 984
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from **<A.B.C.D2>** port 37052 on <A.B.C.D2> port 22
**Bad protocol version identification '\026\003\001' from <A.B.C.D2> port 37052**
SFTP is working for the same docker via node port, and the following are the debug logs at the server:
bash-4.2# debug3: fd 5 is not O_NONBLOCK
debug1: Forked child 146.
debug3: send_rexec_state: entering fd = 8 config len 216
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug3: oom_adjust_restore
debug1: Set /proc/self/oom_score_adj to 984
debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from **<A.B.C.D>** port 28840 on <A.B.C.D2> port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Enabling compatibility mode for protocol 2.0
<A.B.C.D> => kubernetes edge node IP
<A.B.C.D2> => istio-ingressgateway pod IP
One difference I can see is that the connection is established from the edge node IP in the case of node port, whereas in the case of istio ingress it is from the istio ingress gateway.
The following are the Kubernetes resource details.
kubectl get gw -A -o yaml
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
  kind: Gateway
  metadata:
    labels:
      app: test
      chart: test-2.7.2
      component: comp1
      heritage: Tiller
      release: test
    name: single-gateway-in-istio-system
    namespace: istio-system
  spec:
    selector:
      istio: ingressgateway
    servers:
    - hosts:
      - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
      - '*'
      port:
        name: https_alert
        number: 443
        protocol: HTTPS
      tls:
        credentialName: am-gateway
        mode: SIMPLE
    - hosts:
      - '*'
      port:
        name: sftp
        number: 22
        protocol: TCP

kubectl get vs -ntest application-vs -o yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    app: test-gen3gppxml
    chart: test-gen3gppxml-1.3.0
    heritage: Tiller
    release: bmsgenistio
  name: application-vs
  namespace: test
spec:
  gateways:
  - istio-system/single-gateway-in-istio-system
  hosts:
  - '*'
  http:
  - route:
    - destination:
        host: application
        port:
          number: 8080
  tcp:
  - match:
    - port: 22
    route:
    - destination:
        host: application
        port:
          number: 22
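
The server log above rejects the banner `\026\003\001`; decoded from octal that is bytes 0x16 0x03 0x01, the start of a TLS handshake record, so the peer connecting from the gateway pod IP spoke TLS first instead of sending an SSH banner. A small triage helper for that log line, as an added example that is not part of the original post (function names are hypothetical, and the HTTP and PROXY-protocol cases go beyond what the post shows):

```python
import re

# sshd logs non-printable bytes of a rejected banner as backslash + 3 octal digits.
_OCTAL = re.compile(rb"\\([0-3][0-7]{2})")
_BAD_BANNER = re.compile(r"Bad protocol version identification '(.*)' from ")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS", b"CONNECT"}
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY protocol v2 signature


def unescape_sshd(text: str) -> bytes:
    """Turn the escaped banner text from the log back into raw bytes."""
    raw = text.encode("latin-1", errors="replace")
    return _OCTAL.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def classify_first_bytes(data: bytes) -> str:
    """Guess which protocol the peer spoke from the first bytes it sent."""
    if data.startswith(b"SSH-"):
        return "ssh banner"
    # TLS record header: content type, then version major 3, minor 0..4.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3 and data[2] <= 4:
        return f"tls record ({TLS_CONTENT_TYPES[data[0]]}, record version 3.{data[2]})"
    if data.startswith(b"PROXY ") or data.startswith(PROXY_V2_SIG):
        return "proxy protocol header"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http request"
    return "unknown"


def triage(log_line: str):
    """Return a protocol guess for an sshd 'Bad protocol version' line, else None."""
    m = _BAD_BANNER.search(log_line)
    return classify_first_bytes(unescape_sshd(m.group(1))) if m else None


if __name__ == "__main__":
    # Constructed sample: the first line is the server log line quoted in the post,
    # the second is a made-up HTTP case using a documentation IP address.
    samples = [
        r"Bad protocol version identification '\026\003\001' from <A.B.C.D2> port 37052",
        "Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.10 port 4000",
    ]
    for line in samples:
        print(triage(line), "<-", line)
```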