
Istio: Exposing SFTP Server Deployment on port 22


I have the following working SFTP Deployment in my Kubernetes:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftp-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sftp
  template:
    metadata:
      labels:
        app: sftp
    spec:
      volumes:
      - name: sftp-storage
        persistentVolumeClaim:
          claimName: sftp-pvc
      containers:
      - name: sftp
        image: atmoz/sftp
        ports:
        - containerPort: 22
        env:
        - name: SFTP_USERS
          value: "user1:password:::user-directory"
        volumeMounts:
        - name: ftm-sftp-storage
          mountPath: "/home/user1/user-directory"
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

I know that the Deployment is working fine because if I port-forward the deployment I can easily access the directories on port 22 using any FTP Client, like FileZilla.

Of course, what I want to achieve is to expose this deployment to the public using Istio. I have tried to do it by exposing the port 22 in a custom gateway:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: sftp-gw
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*.example.com'
      port:
        name: sftp-gw-server
        number: 22
        protocol: TCP
        targetPort: 22

And then creating the Virtual Service for it:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sftp-vs
spec:
  gateways:
    - sftp-gw.default.svc.cluster.local
  hosts:
    - my-host.example.com
  tcp:
    - match:
        - port: 22
      route:
        - destination:
            host: sftp-service.default.svc.cluster.local
            port:
              number: 22

The Service for the Deployment looks like this:

kind: Service
apiVersion: v1
metadata:
  name: sftp-service
spec:
  ports:
    - protocol: TCP
      port: 22
      targetPort: 22
  selector:
    app: sftp-deployment

This configuration does not work for me. Does anybody know how to properly configure Istio to expose port 22 of the Service/Deployment so it can be accessed via, for example, an FTP client? Thanks in advance.


Solution

  • Please make the changes below in the application Gateway, VirtualService and Istio ingress gateway. As the ports in the objects aren't matching, the requests won't get routed properly. The changes below are based on NodePort; if an LB is used, kindly adjust them accordingly.

    Gateway:

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: sftp-gw
    spec:
      selector:
        istio: ingressgateway
      servers:
        - hosts:
          - '*.example.com'
          port:
            name: tcp
            number: <mention nodeport number of tcp service ingwservice>
            protocol: TCP
    

    Virtual Service:

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: sftp-vs
    spec:
      gateways:
        - sftp-gw.default.svc.cluster.local
      hosts:
        - my-host.example.com
      tcp:
        - match:
          - port: <mention nodeport number of tcp service ingwservice>
          route:
          - destination:
              host: sftp-service.default.svc.cluster.local
              port:
                number: 22
    

    Istio Ingress Gateway Service: Please declare a new TCP service that will listen for SFTP requests. The information below has to match the application Gateway definition. Please provide the nodePort, port and targetPort numbers accordingly.

    - name: tcp
      nodePort: 30009
      port: 30009
      protocol: TCP
      targetPort: 30009
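
The port-matching rule from the answer can be checked before applying the manifests. The following is an added example, not code from the question or the answer: it walks the chain ingress gateway Service → Gateway → VirtualService → backend Service → pod labels and reports each mismatch. The function names, the dict representation of the YAML, the ingress gateway's existing ports (80/443) and the selector-versus-pod-label check are assumptions added here.

```python
# Added example. Manifests are constructed dicts trimmed from the YAML on this page.
def manifests(gw_port, ingress_ports, selector):
    """Build the five objects; only the fields the checks read are kept."""
    ingress = {"spec": {"ports": [{"port": p} for p in ingress_ports]}}
    gateway = {"spec": {"servers": [{"hosts": ["*.example.com"], "port": {
        "name": "tcp", "number": gw_port, "protocol": "TCP"}}]}}
    vs = {"spec": {"tcp": [{"match": [{"port": gw_port}], "route": [{"destination": {
        "host": "sftp-service.default.svc.cluster.local", "port": {"number": 22}}}]}]}}
    svc = {"spec": {"ports": [{"port": 22, "targetPort": 22}], "selector": selector}}
    deploy = {"spec": {"template": {"metadata": {"labels": {"app": "sftp"}}}}}
    return ingress, gateway, vs, svc, deploy

def check_sftp_route(ingress, gateway, vs, svc, deploy):
    """Return the mismatches that stop TCP traffic from reaching the SFTP pod."""
    problems = []
    ingress_ports = {p["port"] for p in ingress["spec"]["ports"]}
    gw_ports = {s["port"]["number"] for s in gateway["spec"]["servers"]}
    for n in sorted(gw_ports - ingress_ports):
        problems.append(f"Gateway port {n} is not a port of the ingress gateway Service")
    svc_ports = {p["port"] for p in svc["spec"]["ports"]}
    for rule in vs["spec"].get("tcp", []):
        for m in rule.get("match", []):
            if m["port"] not in gw_ports:
                problems.append(f"VirtualService matches port {m['port']}, which no Gateway server declares")
        for r in rule["route"]:
            dport = r["destination"]["port"]["number"]
            if dport not in svc_ports:
                problems.append(f"Destination port {dport} is not a port of the backend Service")
    labels = deploy["spec"]["template"]["metadata"]["labels"]
    selector = svc["spec"]["selector"]
    if any(labels.get(k) != v for k, v in selector.items()):
        problems.append(f"Service selector {selector} selects no pod labelled {labels}")
    return problems

# Question as posted; ingress ports 80/443 are an assumed default, not from the page.
AS_ASKED = manifests(22, [80, 443], {"app": "sftp-deployment"})
# Answer applied (port 30009 everywhere) plus the selector aligned to the pod label.
AS_ANSWERED = manifests(30009, [80, 443, 30009], {"app": "sftp"})

if __name__ == "__main__":
    for name, objs in (("as asked", AS_ASKED), ("as answered", AS_ANSWERED)):
        print(name, check_sftp_route(*objs) or "consistent")
```

To run it against real objects, load each manifest with a YAML parser and pass the resulting dicts to `check_sftp_route` in the same order.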