Running an SFTP Server on SAP Kyma
Last week I needed an SFTP server just to run some tests for a PoC I was working on.
The first thought that came to my mind was to get an account with a hyperscaler so I could easily create a VM exposed to the public internet, running some Linux distro, and install SSH on it.
That could have definitely worked, but it was maybe too much for the need I had.
I started to explore options within SAP BTP, and found this great post from my colleague Gunter Albrecht about deploying SAP Cloud Connector in Kyma.
So, if SAP Cloud Connector can run on a Kyma cluster, why not an SFTP server?
It was simpler than expected, so let me share the steps to prove it.
This blog assumes that a Kyma runtime is already deployed in the SAP BTP account. If that's not the case, please check this tutorial from SAP Developers.
1) Create a Namespace
All the steps could be performed either by using the Kyma UI Dashboard or using the kubectl command line tool. For simplicity, I will use the Kyma UI Dashboard.
Go to Namespace and click on Create Namespace
Enter a name for the namespace, and make sure you leave Enable Sidecar Injection disabled.
2) Create a Deployment
After the namespace is created, you are redirected into the namespace overview page. Go to Workloads -> Deployments and Create a new Deployment
3) Configure Deployment
I will deploy this public image from Docker Hub, which can be configured just by passing some environment variables. You can also try running it locally with the command below (assuming that you already have Docker installed):
docker run -p 22:22 -d atmoz/sftp foo:pass:::upload
This will create a container from the atmoz/sftp image, map local port 22 to the same port in the container, and create a user foo with password pass who can upload files into the upload folder.
In the Create Deployment wizard, go to the YAML option so you can specify all the required parameters for the container, as shown below:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: impassioned-quiet
      namespace: ns-sftp
      labels:
        app.kubernetes.io/name: impassioned-quiet
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: impassioned-quiet
      template:
        metadata:
          labels:
            app: impassioned-quiet
            sidecar.istio.io/inject: 'false'
        spec:
          imagePullSecrets: []
          containers:
            - name: impassioned-quiet
              image: atmoz/sftp
              ports:
                - containerPort: 22
              env:
                # Test credentials in plain text: user foo, password pass
                - name: SFTP_USERS
                  value: foo:pass:::upload
              resources:
                requests:
                  memory: 64Mi
                  cpu: 50m
                limits:
                  memory: 128Mi
                  cpu: 100m

After you deploy the image, you should get a running Pod with a single container.
4) (Optional) Connect to the Container and test the SFTP server
Before exposing the container to the Internet, you can run a port-forward to open a tunnel between your local environment and the deployed container.
For these steps, you should have the kubectl command line tool configured (with the kubeconfig file and the oidc_login plugin).
- Run kubectl get pods -n ns-sftp
- Run kubectl port-forward impassioned-quiet-67f668974-vkddg -n ns-sftp 22:22 (replace the pod name with the one obtained in the previous step)
- Open another terminal, connect to localhost:22 and try uploading a file
5) Expose the Container to Internet
You could either create a Service with annotations, as detailed in Gunter Albrecht's post, or create a Service and a DNS Entry CR separately.
Go to Services and create a new Service

    apiVersion: v1
    kind: Service
    metadata:
      name: sftp-service
      namespace: ns-sftp
    spec:
      type: LoadBalancer
      selector:
        app: 'impassioned-quiet'
      ports:
        - protocol: TCP
          port: 2222
          targetPort: 22

Notice here that type is set to LoadBalancer, and that port and targetPort should be different.
Replace spec.selector.app with the app label used in the Deployment resource (in this example it is the same as the Deployment name).
At this point the SFTP server is exposed to the Internet. From the Service Overview, copy the External IP and connect to it on port 2222.
6) (Optional) Create a DNS Entry to have a friendly host name
Go to Configuration -> DNS Entries and click on Create DNS Entry
The DNSName should be in the form <hostname>.<kyma_cluster_id>.kyma.ondemand.com
And the Target should be the External IP obtained in the Service creation
You can find your Kyma Cluster ID in the Cluster Overview.
With just a few steps, you can get your own SFTP server running on an SAP Kyma cluster.
As stated in the beginning of this post, this SFTP server is for testing purposes only and is not meant for production use, as no Persistent Volumes are created to store the files and there is no secure way to provision users.
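
A tighter variant of the manifests from steps 3 and 5, as an added example that is not part of the original post: the user specification moves from a literal env value into a Kubernetes Secret, and the Service only accepts connections from the client range you list. The Secret name sftp-users, its key users, the password placeholder and the 203.0.113.10/32 range are assumptions made for illustration, and whether loadBalancerSourceRanges is enforced depends on the cloud provider behind the cluster.

```yaml
# Added example. Assumed names: Secret "sftp-users" with key "users".
apiVersion: v1
kind: Secret
metadata: {name: sftp-users, namespace: ns-sftp}
type: Opaque
stringData:
  # Same format the post passes in SFTP_USERS; replace the placeholder password.
  users: "foo:<CHANGE-ME-long-random-password>:::upload"
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: impassioned-quiet, namespace: ns-sftp}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: impassioned-quiet
  template:
    metadata:
      labels:
        app: impassioned-quiet
        sidecar.istio.io/inject: 'false'
    spec:
      containers:
        - name: impassioned-quiet
          image: atmoz/sftp
          ports:
            - containerPort: 22
          env:
            - name: SFTP_USERS
              valueFrom:
                secretKeyRef:        # password no longer appears in the Deployment spec
                  name: sftp-users
                  key: users
---
apiVersion: v1
kind: Service
metadata: {name: sftp-service, namespace: ns-sftp}
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 203.0.113.10/32                # constructed value; use your own client IP or range
  selector:
    app: impassioned-quiet
  ports:
    - protocol: TCP
      port: 2222
      targetPort: 22
```

Anyone who can read Secrets in ns-sftp can still recover the password, so this keeps it out of the Deployment YAML and its dashboard view, not out of the cluster.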
Great explanation Martin...excellent
Very helpful. Especially the hint "Notice here that type is set to Load Balancer and port and targetPort should be different."